How To Move AutoComplete Email Addresses In Outlook 2010/Outlook 2013

The following made it easy to transfer that autocomplete data to a new profile.

You would create and log in with a new profile, let’s call it “Personal Email”. This would create a blank new NK2 file called “Personal Email.NK2”. Then you could simply delete that NK2 file (I usually renamed it to “Personal Email.OLD” – force of habit). Next, rename “Work Email.NK2” to “Personal Email.NK2”. When you logged into your new profile, all your autocomplete data was there.

This all changed in Outlook 2013. Outlook 2013 did away with the NK2 file completely and merged all the autocomplete data into the user’s Exchange mailbox/PST file. This was great in part, as many people often forgot to transfer that NK2 file when they moved to a new computer, or the autocomplete data was lost in a catastrophic failure such as the loss of the local hard drive.

What I found is that in some form autocomplete data does still exist in your local profile. On a Windows 7 box if you navigate to the RoamCache folder identified below:

C:\Users\\AppData\Local\Microsoft\Outlook\RoamCache

You may find one or more files called:

Stream_Autocomplete_.dat.

This is basically the new cache file for AutoComplete. The string of numbers is likely a SID of some form but where it is referenced (probably the registry) is beyond me.

All you need to do is identify which is the old autocomplete .dat file, normally by looking at the size of the file: the old one will be considerably bigger than the new one, as it contains all of your cached addresses. Rename the old one to .old and copy the name before the .dat and rename your new one.

Step-By-Step: Creating a SQL Server 2012 AlwaysOn Availability Group

I recently found myself in a meeting discussing Clustering and High Availability Server platforms, and someone mentioned an AlwaysOn Availability Group. This was new to me as I have not had experience of implementing a solution with this topology.

As soon as I had some spare time I did a little research and testing for myself, and I found the following article on TechNet, which I followed when setting up a SQL Server 2012 AlwaysOn Availability Group. Below is a copy of that article:

One of the most talked about (and now frequently requested) features in SQL Server 2012 is AlwaysOn Availability Groups. It brings SQL Server high availability and disaster recovery to a whole new level by allowing multiple copies of the database to be highly available and potentially using them for read-only workloads and offloading management tasks such as backups. AlwaysOn Availability Groups allow you to fail over a group of databases as a single entity, unlike database mirroring where you can only do so one database at a time. This is very useful for applications that access multiple databases in a single SQL Server instance, like SharePoint Server 2013. In fact, very recently, one of my customers requested that SQL Server 2012 AlwaysOn Availability Groups be configured for their SharePoint 2013 farm. I am also seeing more and more SharePoint 2013 farms using SQL Server 2012 AlwaysOn Availability Groups for both high availability and disaster recovery.

This step-by-step has been created to help you get started in creating a SQL Server 2012 AlwaysOn Availability Group for your mission-critical databases.

Prerequisites

  • Windows Server Failover Cluster (WSFC). AlwaysOn Availability Groups rely on the Windows Server Failover Cluster for failure detection and management of the Availability Group replicas. This is where a lot of customers get confused because of their previous knowledge of Microsoft Cluster Services (MSCS.) In previous versions of Windows Server, you need shared storage to create a failover cluster for the quorum disk. Windows Server 2008 and higher provided the option to use a file share witness as a quorum configuration. Therefore, you DO NOT need shared storage to create a Windows Server Failover Cluster for AlwaysOn Availability Groups. This, of course, does not change the requirement if you intend to use a SQL Server Failover Clustered Instance (FCI) as a replica in your Availability Group. For this step-by-step, we will only be working with standalone SQL Server 2012 default instances.
  • Download SQL Server 2012 Enterprise Edition. AlwaysOn Availability Group is an Enterprise Edition feature. Before deciding to implement this feature, take stock of your SQL Server licenses to make sure you have enough to get you covered. If you intend to use the other replicas for read-only workloads or offloading your backups, you would need licenses for those SQL Server instances as well. This is also another one of those items that customers get confused with because in previous versions of SQL Server, database mirroring can be configured with Standard Edition.
  • Same SQL Server collation for all replicas. I usually don’t recommend running databases with different collation requirements in the same SQL Server instance due to potential issues caused by applications using temporary tables. This is one of the reasons for keeping the database collation the same for a single instance (SharePoint 2013 also requires a specific collation for the content databases.) If you want to configure AlwaysOn Availability Groups for your databases, they should all be running the same collation on all of the SQL Server instances acting as replicas.
  • Two to Five SQL Server Instances acting as replicas. SQL Server instances that will be used as a standby for high availability and/or disaster recovery are called replicas. Unlike database mirroring where you can only have one extra copy of the database, AlwaysOn Availability Groups allow you to have up to five copies of the database running on five replicas – three of which can be configured for synchronous-commit mode and two in asynchronous-commit mode.

Windows Failover Cluster Feature Installation

Since AlwaysOn Availability Groups require a Windows Server Failover Cluster, we first need to add the Windows Failover Cluster Feature to all the machines running the SQL Server instances that we will configure as replicas. For the operating system, we will be using Windows Server 2012. To add the Failover Clustering feature:

  1. Open the Server Manager console and select Add roles and features. This will launch the Add Roles and Features Wizard.
  2. Click Next until you reach the Select Features dialog box. Select the Failover Clustering checkbox. When prompted with the Add features that are required for Failover Clustering dialog box, click Add Features. Click Next.
  3. Click Install to install the Failover Clustering feature.

Windows Failover Clustering Configuration for SQL Server 2012 AlwaysOn Availability Groups

Prior to configuring the Windows Server Failover Cluster, it is assumed that you have the appropriate rights in Active Directory. For a complete listing of the different Active Directory permissions to create a Windows Server Failover Cluster, see Failover Cluster Step-by-Step Guide: Configuring Accounts in Active Directory. To configure Windows Failover Clustering,

  1. Launch Failover Cluster Manager from within the Server Manager console.
  2. Within Failover Cluster Manager, click the Validate Configuration… link.
  3. In the Validate a Configuration Wizard dialog box, click Next.
  4. In the Select Servers or a Cluster dialog box, add the server hostnames of the SQL Server instances that you want to configure as replicas in your Availability Group. Click Next.
  5. In the Testing Options dialog box, make sure that the option Run all tests (recommended) is selected. Click Next.
  6. In the Confirmation dialog box, click Next.
  7. In the Summary dialog box, click Finish to create the Windows Failover Cluster.
    NOTE: The Failover Cluster Validation Wizard is expected to return several Warning messages, especially if you will not be using shared storage. As we mentioned earlier, there is no need to use shared storage to create the Windows Server Failover Cluster that we will use for our Availability Group. Just be aware of these Warning messages as we will configure a file share witness for our cluster quorum configuration. However, if you see any Error messages, you need to fix those first prior to creating the Windows Server Failover Cluster.
  8. In the Access Point for Administering the Cluster dialog box, enter the virtual server name and virtual IP address of your Windows Server Failover Cluster.
  9. In the Confirmation dialog box, click Next. This will create the Windows Failover Cluster using the servers as nodes of the cluster, add DNS and Active Directory entries for the cluster hostname.
  10. In the Summary dialog box, verify that the configuration is successful.
  11. To configure the cluster quorum configuration to use a file share, right-click on the cluster name, select More Actions and click Configure Cluster Quorum Settings… We will be configuring a file share witness for our cluster quorum setting. By default, the wizard will configure the cluster to use Node Majority.
  12. Click Next.
  13. In the Select Quorum Configuration page, select the Add or change the quorum witness option. Click Next.
  14. In the Select Quorum Witness page, select the Configure a file share witness (recommended for special configuration) option. Click Next.
  15. In the Configure File Share Witness page, type the path of the file share that you want to use in the File Share Path: text box. Click Next.
  16. In the Confirmation page, click Next.
  17. In the Summary page, click Finish.

Enable SQL Server 2012 AlwaysOn Availability Groups Feature

Once the Windows Server Failover Cluster has been created, we can now proceed with enabling the AlwaysOn Availability Groups feature in SQL Server 2012.  This needs to be done on all of the SQL Server instances that you will configure as replicas in your Availability Group. To enable the SQL Server 2012 AlwaysOn Availability Groups feature,

  1. Open SQL Server Configuration Manager. Double-click the SQL Server (MSSQLSERVER) service to open the Properties dialog box.
  2. In the Properties dialog box, select the AlwaysOn High Availability tab. Check the Enable AlwaysOn Availability Groups check box. This will prompt you to restart the SQL Server service. Click OK.
  3. Restart the SQL Server service.
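
A scripted equivalent of the three wizard procedures above (feature installation, cluster creation with a file share witness, and enabling AlwaysOn), as an added example that is not part of the original article. The node names, cluster name, IP address and witness share are placeholders; the cmdlets come from the ServerManager, FailoverClusters and SQLPS modules on Windows Server 2012 and SQL Server 2012.

```powershell
# Added example. Every name and address below is a placeholder to replace.
$Nodes        = 'SQLNODE1', 'SQLNODE2'         # hypothetical replica hosts
$ClusterName  = 'SQLCLUSTER01'                 # hypothetical cluster (virtual server) name
$ClusterIP    = '192.0.2.50'                   # documentation-range address
$WitnessShare = '\\FILESRV01\ClusterWitness'   # hypothetical file share witness path

# 1. Add the Failover Clustering feature on every machine that will host a replica.
foreach ($node in $Nodes) {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools -ComputerName $node
}

Import-Module FailoverClusters

# 2. Run all validation tests. Warnings about missing shared storage are expected
#    here; review the generated report and fix any Error before continuing.
Test-Cluster -Node $Nodes

# 3. Create the cluster without claiming any shared disks.
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP -NoStorage

# 4. Replace the default Node Majority quorum with a file share witness.
Set-ClusterQuorum -Cluster $ClusterName -NodeAndFileShareMajority $WitnessShare

# 5. Enable the AlwaysOn Availability Groups feature on each default instance.
#    -Force restarts the SQL Server service without prompting.
Import-Module SQLPS -DisableNameChecking
foreach ($node in $Nodes) {
    Enable-SqlAlwaysOn -ServerInstance $node -Force
}

# 6. Confirm the feature is on: IsHadrEnabled should return 1 on every instance.
foreach ($node in $Nodes) {
    Invoke-Sqlcmd -ServerInstance $node `
        -Query "SELECT @@SERVERNAME AS Instance, SERVERPROPERTY('IsHadrEnabled') AS IsHadrEnabled"
}
```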

Create and Configure SQL Server 2012 AlwaysOn Availability Groups

Availability Groups can be created on existing databases or even a temporary one in preparation for application installation. If you intend to create an Availability Group for a new SharePoint 2013 farm, you will need to create a temporary database. This is so that the SharePoint 2013 farm will use the AlwaysOn Availability Group when creating the farm configuration and the admin content databases. After the SharePoint 2013 farm has been created, this database can be removed from the Availability Group configuration and deleted from the instance.

To create and configure a SQL Server 2012 AlwaysOn Availability Group,

  1. Open SQL Server Management Studio. Connect to the SQL Server instance.
  2. In Object Explorer, expand the AlwaysOn High Availability folder. Right-click on the Availability Groups folder and select the New Availability Group Wizard… option. This will launch the New Availability Group Wizard.
  3. In the Introduction page, click Next.
  4. In the Specify Availability Group Name page, enter the name of the Availability Group in the Availability group name: field. Click Next.
  5. In the Select Databases page, select the checkbox beside the database that you want to include in your Availability Group. The databases have to be in Full recovery model prior to joining them in the Availability group. Click Next.
  6. In the Specify Replicas page, under the Replicas tab, click the Add Replicas button and connect to the other SQL Server instances that you joined as nodes in your Windows Server Failover Cluster. Configure the following options
    • Automatic Failover (Up to 2) :          Checked
    • Synchronous Commit (Up to 3) :      Checked
    • Readable Secondary:                      No
  7. In the Endpoints tab, verify that the port number value is 5022.
  8. In the Listener tab, select the Create an availability group listener option. Enter the following details.
    • Listener DNS name: Name that you will use in your application connection string
    • Port: 1433
  9. Click the Add… button to provide an IP address. In the Add IP Address dialog box, enter your preferred virtual IP address in the IPv4 Address field. Click OK. Click Next.
  10. In the Select Initial Data Synchronization page, select the Full option. Provide a shared folder that is accessible to the replicas and that the SQL Server service account used by both replicas has Write permissions to. This is just a temporary file share to store the database backups that will be used to initialize the databases in an Availability Group. If you are dealing with large databases, it is recommended that you manually initialize the databases prior to configuring them, as your network bandwidth may not be able to accommodate the size of the database backups. Click Next.
  11. In the Validation page, verify that all validation checks return successful results. Click Next.
  12. In the Summary page, verify all configuration settings and click Finish. This will create and configure the AlwaysOn Availability Group and join the databases.
  13. In the Results page, verify that all tasks have been completed successfully.

Congratulations! You have just created a SQL Server 2012 AlwaysOn Availability Group. You can now use the Availability Group listener name in your application connection string. Keep in mind that you need to manually add new databases to the Availability Group even though your application is already using the listener name. So, be sure to monitor the replicas in your Availability Groups to be alerted when new databases are created.

PowerShell Script to List Active Directory Users & Last Logon Time

Occasionally there is a need to quickly query Active Directory for all user accounts or user accounts with only certain values in particular properties. This can be done by installing and loading the Microsoft Active Directory Administration module for PowerShell. This is an add-on module, named ActiveDirectory, that provides cmdlets that let you manage your Active Directory domains.

Below is a script I recently put together to produce a CSV File detailing the following:

Display name – @{e={$_.properties.cn};n='Display Name'}

Username – @{e={$_.properties.samaccountname};n='Username'}

Last logon time – @{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'}

Account disabled or not – @{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'}

The complete script is below. Just copy and paste the following into Notepad, and save the file as filename.ps1

# Minimum number of days since the last logon; 0 lists every account that has logged on
$NumDays = 0
$LogDir = ".\User-Accounts.csv"

# Convert the cutoff date to the FILETIME integer that lastLogonTimestamp stores
$currentDate = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
$lltIntLimit = $lltstampLimit.ToFileTime()

# Bind to the root of the current domain and search for user accounts
$adobjroot = [adsi]''
$objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
$objstalesearcher.filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=" + $lltIntLimit + "))"

# Project each result into the four report columns
$users = $objstalesearcher.findall() | select `
@{e={$_.properties.cn};n='Display Name'},`
@{e={$_.properties.samaccountname};n='Username'},`
@{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'},`
@{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'}

$users | Export-CSV -NoType $LogDir
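
The same last-logon data is usually reviewed to find accounts that are stale or were never used. The function below is an added example, not part of the original script: it classifies account records by lastLogonTimestamp and runs here on constructed sample records. The function name, the 90-day threshold and the sample accounts are assumptions.

```powershell
# Added example: flag accounts that are stale or have never logged on.
function Get-StaleAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,                       # needs SamAccountName, Enabled, lastLogonTimestamp
        [int]$StaleDays = 90,                  # assumed review threshold
        [datetime]$Now = [datetime]::UtcNow
    )
    begin {
        # lastLogonTimestamp is replicated lazily and can trail the real last
        # logon by up to 14 days with default domain settings, so the cutoff is
        # widened by that margin to avoid flagging accounts that are still in use.
        $cutoff = $Now.AddDays(-($StaleDays + 14))
    }
    process {
        $raw = $User.lastLogonTimestamp
        if ($null -eq $raw -or [int64]$raw -eq 0) {
            # Attribute never set: the account has no recorded logon
            $lastLogon = $null
            $status    = 'NeverLoggedOn'
        }
        else {
            $lastLogon = [datetime]::FromFileTimeUtc([int64]$raw)
            $status    = if ($lastLogon -lt $cutoff) { 'Stale' } else { 'Active' }
        }
        if ($status -ne 'Active') {
            [pscustomobject]@{
                Username     = $User.SamAccountName
                Enabled      = [bool]$User.Enabled
                LastLogonUtc = $lastLogon
                Status       = $status
            }
        }
    }
}

# Constructed sample records standing in for directory results.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';      Enabled = $true;  lastLogonTimestamp = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'old.vendor';  Enabled = $true;  lastLogonTimestamp = $now.AddDays(-400).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'svc-unused';  Enabled = $true;  lastLogonTimestamp = $null }
    [pscustomobject]@{ SamAccountName = 'leaver.2013'; Enabled = $false; lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'borderline';  Enabled = $true;  lastLogonTimestamp = $now.AddDays(-95).ToFileTimeUtc() }
)

# old.vendor and leaver.2013 are reported as Stale and svc-unused as NeverLoggedOn;
# borderline (95 days) stays inside the 90 + 14 day window and is not reported.
$sample | Get-StaleAccount -StaleDays 90 -Now $now |
    Sort-Object Status, Username |
    Format-Table -AutoSize

# In a domain, with the ActiveDirectory module loaded, feed it live data instead:
#   Get-ADUser -Filter * -Properties lastLogonTimestamp | Get-StaleAccount -StaleDays 90
```

Enabled accounts in either category are the ones to review first; rows with Enabled set to False are already disabled.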

Exchange 2010/2007 to 2013 Migration and Co-existence Guide

 

As time goes on, we are being asked more and more to complete Exchange 2007/2010 migrations to Exchange 2013. Below is a guide I have found that will walk you through doing exactly that.

Before you proceed with the actual migration steps, these articles may be of interest to you:

Exchange 2013 CAS Role Demystified: http://msexchangeguru.com/2013/05/22/exchange-2013-cas/
Exchange 2013 High Availability demystified: http://msexchangeguru.com/2013/05/23/e2013-ha-demystified/
Load Balancing Exchange Server 2013 – Good to know stuff: http://msexchangeguru.com/2013/06/05/load-balancing/
Public Folders Migration from Exchange 2007/2010 to Exchange 2013: http://msexchangeguru.com/2013/04/18/exchange2013-public-folders/
Upgrade from Exchange 2013 CU1 or RTM to CU2: http://msexchangeguru.com/2013/07/10/install-e2013-cu2/
Monitoring and troubleshooting Exchange using powershell: http://msexchangeguru.com/2013/07/23/monitoring-powershell/

Preparing Exchange 2010/2007

  1. Install the hotfix 2550886 for DAG failover improvements on Exchange 2010/2007 DAG servers.

    http://support.microsoft.com/?kbid=2550886

  2. Log in to the Exchange 2010/2007 server with an account that is a member of the Schema Admins, Enterprise Admins, Domain Admins and Organization Management groups, as SP3 will extend the schema.

  3. Install Exchange 2010/2007 SP3 on all the Exchange 2010/2007 servers, in CAS, then HT, then Mailbox role order if the roles are not on the same server.

    SP3 can be downloaded from the below link:

    http://www.microsoft.com/en-us/download/details.aspx?id=36768

  4. Check the below link for SP3 installation steps

    http://msexchangeguru.com/2013/04/03/exchange-2010/2007-sp3/

Installing Exchange 2013

  1. I would suggest going for Windows 2012 for Exchange 2013, but you can use Windows 2008 R2 SP1 as well.

  2. Install Windows 2012 or Windows 2008 R2 SP1 on a new server and join the domain. It can be virtual or physical. Microsoft now supports a virtualized Mailbox role.

  3. Run the windows update and install all the recommended updates.

  4. You might like to configure Windows NLB if you don’t have NLB hardware. Check the below blog on it (optional): http://msexchangeguru.com/2013/08/14/windowsnlb/

  5. For Active Directory preparation, check “step 3 preparing active directory” at the blog mentioned below: http://msexchangeguru.com/2013/04/29/install-e2013/

  6. Install the following prerequisites for Exchange 2013

For Windows 2012:

  1. Open Windows PowerShell.

  2. Run the following command to install the required Windows components.

    Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

  3. Restart the server.

  4. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

    http://www.microsoft.com/en-us/download/details.aspx?id=34992

  5. Microsoft Office 2010/2007 Filter Pack 64 bit: Optional

    http://www.microsoft.com/en-us/download/details.aspx?id=17062

  6. Microsoft Office 2010/2007 Filter Pack SP1 64 bit: Optional

    http://www.microsoft.com/en-us/download/details.aspx?id=26604

For Windows 2008:

  1. Open Windows PowerShell.

  2. Run the following command to load the Server Manager module.

    Import-Module ServerManager

  3. Run the following command to install the required Windows components.

        Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI

  4. Restart the server

  5. Microsoft .NET Framework 4.5

    http://msdn.microsoft.com/en-us/library/5a4x27ek(VS.110).aspx

  6. Windows Management Framework 3.0

    http://www.microsoft.com/en-us/download/details.aspx?id=34595

  7. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

    http://www.microsoft.com/en-us/download/details.aspx?id=34992

  8. Microsoft Office 2010/2007 Filter Pack 64 bit: Optional

    http://www.microsoft.com/en-us/download/details.aspx?id=17062

  9. Microsoft Office 2010/2007 Filter Pack SP1 64 bit: Optional

    http://www.microsoft.com/en-us/download/details.aspx?id=26604

  10. Microsoft Knowledge Base article KB974405 (Windows Identity Foundation)

    http://support.microsoft.com/?kbid=974405&wa=wsignin1.0

  11. Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008 R2)

    http://support.microsoft.com/?kbid=2619234

  12. Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution)

    http://support.microsoft.com/?kbid=2533623

   6. Restart the server

   7. Exchange 2013 Installation – Please follow the below link for the Exchange 2013 installation: http://msexchangeguru.com/2013/04/29/install-e2013/ or for the Exchange 2013 SP1 installation: http://msexchangeguru.com/2014/03/02/e2013sp1-installationupgrade/

Important: You can directly install Exchange 2013 CU1 as well. If you directly install CU1 then you can skip step 12 – Testing mailbox move without CU1. If you are installing CU2, make sure you are installing CU2 V2.

If you are doing new installation then you can directly install Exchange 2013 CU1 which itself is a full setup. You can follow same schema update and AD preparation steps.

After the Exchange 2013 installation, the biggest challenge will be how to log in to the EAC, because there is no mailbox on Exchange 2013 yet.

If you are trying to access EAC for the first time and your mailbox is on Exchange 2010, you need to use the URL in the format:

https://Exchange2013ServerName/ecp?ExchClientVer=15

This is because in a co-existence scenario, while your mailbox is still housed on the Exchange 2010 mailbox server, the browser will default to the Exchange Server 2010 ECP. If you want to access the Exchange 2010 ECP and your mailbox resides on an Exchange 2013 mailbox server, use the following URL:

https://Exchange2010ServerName/ecp?ExchClientVer=14

Take a look at:

Working with EAC or Exchange administration center in Exchange 2013 – Part1: http://msexchangeguru.com/2013/01/16/eac-exchange-2013/

So you need to create a mailbox to administer Exchange 2013. We will follow the below steps:

    1. Create a mailbox in an Exchange 2013 mailbox database.
    2. New-Mailbox -Name 2013Admin -UserPrincipalName 2013Admin@domain.com -Database "2013 DBName"
    3. Run Get-MailboxDatabase to check the database name.
    4. Give the mailbox permission to administer the EAC by adding the following group memberships:

        Domain Admins

        Schema Admins

        Enterprise Admins

        Organization Management

Test mailbox migration without CU1 for Exchange 2013

  1. Now you should be able to log in to the EAC by going to the URL https://localhost/ECP. If you test a mailbox migration from Exchange 2010/2007 to Exchange 2013 before installing CU1 for Exchange 2013, the move will work but full co-existence will not, so it is necessary to install CU1. As an example, my servers are mentioned below:

  2. The EAC will show databases from both servers.

  • Now I am migrating the mailbox with Exchange 2010/2007 on SP3 and Exchange 2013 without CU1.

I created a new mailbox in Exchange 2010/2007; you can see the 2013 database is not showing here.

  • Database before move

  • I have moved the mailbox from the Exchange 2013 EAC to the Exchange 2013 database. Now click on migration to check the status.

  • Now refresh and you will see Completed; how long this takes depends on the size of the mailbox.

  • Check that the database name has changed.

Continue the Exchange 2013 CU1 installation

       5. If you have not installed the CU1 version of Exchange 2013, then this is the time to install Exchange 2013 Cumulative Update 1 so that we avoid any co-existence issues. If you are doing a new installation, you can directly install Exchange 2013 CU1, which is itself a full setup. You can follow the same schema update and AD preparation steps mentioned in the Exchange 2013 installation article.

Update 4/7/2014: Now – We can go for SP1 – http://msexchangeguru.com/2014/03/02/e2013sp1-installationupgrade/

       6. Download the Exchange 2013 from the below link which is an Exchange 2013 setup with Cumulative update

http://www.microsoft.com/en-us/download/details.aspx?id=38176

       7. Install the Exchange 2013 CU 1 with the help of below link:

http://msexchangeguru.com/2013/04/15/e2013-cu1-2/

Configuring Exchange 2013 and network

  1. Transport Configuration

  2. Send connector

         1. Exchange 2013 reads exchange 2010/2007 send connector information. Click on the pencil icon to check and add exchange 2013 in the same send connector.

         2. Click on scoping and + icon to add the server

         3. Select the server and add, then click on and save. Send connector configuration completed.

     3. Receive Connector

        1. Add a receive connector as per the current connector configuration.

        2. Select the 2013 server. You will see that there are 5 connectors; let me explain what they are for.

        3. You can see all 5 together here as I have CAS and Mailbox on the same server. The first 3 are the CAS connectors and the remaining 2 are for the Mailbox role.

        4. I would like to explain the transport pipeline here, which consists of the following services:

             Front End Transport service – This service runs on all Client Access servers and acts as a stateless proxy for all inbound and outbound external SMTP traffic for the Exchange 2013 organization.  The Front End Transport service doesn’t inspect message content, only communicates with the Transport service on a Mailbox server, and doesn’t queue any messages locally.

             Transport service – This service runs on all Mailbox servers and is virtually identical to the Hub Transport server role in previous versions of Exchange. The Transport service handles all SMTP mail flow for the organization, performs message categorization, and performs message content inspection. Unlike previous versions of Exchange, the Transport service never communicates directly with mailbox databases. That task is now handled by the Mailbox Transport service. The Transport service routes messages between the Mailbox Transport service, the Transport service, and the Front End Transport service.

            Mailbox Transport service – This service runs on all Mailbox servers and consists of two separate services: the Mailbox Transport Submission service and Mailbox Transport Delivery service. The Mailbox Transport Delivery service receives SMTP messages from the Transport service on the local Mailbox server or on other Mailbox servers, and connects to the local mailbox database using an Exchange remote procedure call (RPC) to deliver the message. The Mailbox Transport Submission service connects to the local mailbox database using RPC to retrieve messages, and submits the messages over SMTP to the Transport service on the local Mailbox server, or on other Mailbox servers. The Mailbox Transport Submission service has access to the same routing topology information as the Transport service. Like the Front End Transport service, the Mailbox Transport service also doesn’t queue any messages locally.

(from TechNet)

        5. Here are the details about the receive connectors

         When you install a Mailbox server running the Transport service, two Receive connectors are created. No additional Receive connectors are needed for typical operation, and in most cases the default  Receive connectors don’t require a configuration change. These connectors are the following:

          Default    Accepts connections from Mailbox servers running the Transport service and from Edge servers.

          Client Proxy    Accepts connections from front-end servers. Typically, messages are sent to a front-end server over SMTP.

          During installation, three Receive connectors are created on the Front End transport, or Client Access server. The default Front End Receive connector is configured to accept SMTP communications from all IP address ranges. Additionally, there is a Receive connector that can act as an outbound proxy for messages sent to the front-end server from Mailbox servers. Finally, there is a secure Receive connector configured to accept messages encrypted with Transport Layer Security (TLS). These connectors are the following:

          Default FrontEnd    Accepts connections from SMTP senders over port 25. This is the common messaging entry point into your organization.

          Outbound Proxy Frontend    Accepts messages from a Send Connector on a back-end server, with front-end proxy enabled.

          By default we don’t route outgoing email through the CAS. If we have a mail guard or compliance requirement on a separate CAS server then we can use it. If we have the CAS and Mailbox roles on the same server then we don’t need to configure this connector. We can simply disable it.

          Client Frontend    Accepts secure connections, with Transport Layer Security (TLS) applied.

        6. So we have to configure the “Default Frontend Servername” connector, which accepts email on port 25. This is very important: when you have both roles on one server, the front end will listen on port 25 and the back end on port 2525.

        7. You might need to check the email address policies, as they might need to be re-applied. If we have more than 3000 mailboxes then it is suggested to apply them from EMS.

         To understand the mailflow we can read the below article: http://msexchangeguru.com/2012/08/09/e2013-mailflow/

Exchange 2013 Certificates

Create a new Exchange certificate on Exchange 2013: http://msexchangeguru.com/2013/01/18/e2013-certificate/

Certificates and CAS: Now this is the time when we need to focus on CAS certificate and ensure the CAS 2013 is reachable from internet. We have 2 options:

Use current certificate

For Export and import of the cert Please check here – http://msexchangeguru.com/2013/06/29/import-cert-e2013/

  1. Export the cert from Exchange 2010
  2. Import the cert to Exchange 2013
  3. Configure the external url. This is very simple in exchange 2013. You don’t need to go to every virtual directory property.
  4. Select the wrench icon in the window shown below.
  5. This wizard will then open. Select the Exchange 2013 server, enter the external URL and save it.
  6. CAS authentication will be “Use form-based authentication” on both Exchange 2013 and Exchange 2010/2007.

     Now you will see that every directory has the same external URL.

  8. Switch the namespace to the Exchange 2013 CAS or the Exchange 2013 CAS pool load balancer. This can be done simply by changing the SNAT internal IP from Exchange 2010/2007 to Exchange 2013. Also point the internal mail and autodiscover IP to the Exchange 2013 CAS server/load balancer.

  9. Time to test OWA connectivity from the internet. At this time I am able to access OWA for the users in both Exchange 2013 and 2010. I am also able to send and receive the emails.

Database availability Group

We would like to configure a DAG for high availability with multiple databases. So we have 2 options.

1. DAG with IP. Check the below link to create a DAG with IP

http://msexchangeguru.com/2013/01/17/e2013-dag/

2. DAG without IP – This needs Exchange 2013 SP1 on Windows 2012 R2

Check the below link to create IP less DAG

http://msexchangeguru.com/2014/03/21/e2013sp1-ip-less-dag/

Move Arbitration and Discovery Search mailboxes

Follow the below steps to move all arbitration and discovery search mailboxes to final 2013 database.

Open EMS with Run as administrator and run the following cmds

Get-Mailbox -Arbitration | New-MoveRequest -TargetDatabase TargetDBName

Get-Mailbox "*Discovery*" | New-MoveRequest -TargetDatabase TargetDBName

Unified Messaging: Upgrade Exchange 2010 UM to Exchange 2013 UM

This is an optional step, needed only by organizations that have Unified Messaging configured.

Please follow the below link to upgrade exchange 2010 UM to Exchange 2013 UM

http://technet.microsoft.com/en-us/library/dn169226(v=exchg.150).aspx

Configure Enabled Outlook Anywhere

For Exchange 2007
Set-OutlookAnywhere -Identity "2010 CasServerName\Rpc (Default Web Site)" -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName webmail.law.ua.edu -IISAuthenticationMethods {NTLM,Basic}

For Exchange 2010
Set-OutlookAnywhere -Identity "2010 CasServerName\Rpc (Default Web Site)" -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName webmail.domainname -IISAuthenticationMethods NTLM, Basic

Configure OAB

Run the below command to configure OAB for all databases

Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address List (Ex2013)"

Default Offline Address List (Ex2013) can be replaced by your custom named OAB.

Enabling and Configuring Outlook Anywhere

For Exchange 2007
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 8*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic

For Exchange 2010
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic

SCP – Service Connection Point Configuration:

Run the below command to configure SCP on Exchange Management Shell of 2007/2010/2013 separately:

get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.domainname/autodiscover/autodiscover.xml

SCP might be already configured on 2007/2010 server so you can also check it and use the same -AutoDiscoverServiceInternalUri. Run the below cmd to get current SCP on 2013 Shell
get-ClientAccessServer | fl name,AutoDiscoverServiceInternalUri

RemoteDomain:

Run the below cmd in EMS to allow auto forwarding, OOF and auto reply, and to disable the possibility of winmail.dat from the Domino server.

Set-remoteDomain -AutoReplyEnabled $True -AutoForwardEnabled $True -TNEFEnabled $False -AllowedOOFType External

Pop/IMAP:

If you have POP3/IMAP4 users then you might need some additional configuration on 2013.

1. Configure the Basic authentication on EAC for CAS 2013

2. Start the services and change them to automatic.

Email address policy:

You might need this step if your organization was initially created on Exchange 2003.

1. Create a new email address policy if there is only one “Default Policy”.

2. Change the attributes of existing email address policy by running the below cmd
Get-emailaddresspolicy | Set-EmailAddressPolicy -RecipientFilter “Alias -ne $null” -IncludedRecipients AllRecipients

3. If you see the below error for the default policy, then remove the “Default Policy” which was created in 2003 and will be in read only mode in Exchange 2013.

emailaddresspolicy error

Clean up health mailboxes:

When you remove the default mailbox database, the health mailboxes are not removed. We can check this by running the cmd below, which returns the warning that follows. Health mailboxes belong to the health service and are specific to each database, so we don’t need to move them; we need to remove them.

Get-Mailbox -Monitoring

Mailboxes/HealthMailbox94863fe5394447619ec45c4e6b2dd971 has been corrupted, and it’s in an inconsistent state.

The following validation errors happened: WARNING: Database is mandatory on UserMailbox.

To fix this we need to delete user account in dsa.msc at yourdomain/Microsoft Exchange System Objects/Monitoring Mailboxes

Important: At this point, configure your Outlook for an Exchange 2007/2010 mailbox and a 2013 mailbox. If both are working from the Internet then move to the next step.

CutOver

Now it is time to do the cutover, which means pointing the connections to Exchange 2013. It can be done in a few simple steps.

1. Create or change DNS pointers to Exchange 2013.

autodiscover.domain.com will be pointing to the CAS 2010 or the load balancer of CAS 2010, so change the IP from Exchange 2010 to 2013. In case of a new installation or an Exchange 2007 environment we need to create a new host record in DNS. This will be done on both internal and external.

mail.domain.com: change the IP from Exchange 2010/2007 to the Exchange 2013 CAS servers or load balancer.

Legacy.domain.com: this host record is only required in case of Exchange 2007 co-existence. It will point to the Exchange 2007 CAS servers or load balancer.

2. Point your Spam Guard to forward all the emails to exchange 2013 to receive incoming mail via Exchange 2013.

3. Configure Spam Guard to accept emails from all Exchange 2013 Mailbox servers.

4. Configure all other applications to send email to the Exchange 2013 Mailbox Servers

Exchange 2013 Mailbox Migration

So what are we waiting for… Let us begin the mailbox migration.

  1. Now you can run the following cmdlet to move bulk or single mailbox

     Get-Mailbox -Database "Exchange 2010/2007/2007 Database" -OrganizationalUnit "DN of the OU" | New-MoveRequest -TargetDatabase "Exchange 2013 Database"

  2. You can monitor the migration by running the following cmdlet or going to the migration tab in EAC:

     Get-MoveRequest

  3. Once completed it will show the below window

For Cross forest mailbox migration check this link: http://msexchangeguru.com/2013/11/02/e2013crossforestmigration/
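One way to run steps 1 and 2 above as a named batch and wait for it to finish, as an added example that is not from the original article. The database names, the batch name and the 60-second polling interval are placeholders.

```powershell
# Added example, not from the original article. Run in the Exchange 2013
# Management Shell. The three values below are placeholders.
$SourceDb = 'Legacy-DB01'    # database on Exchange 2010/2007
$TargetDb = 'E2013-DB01'     # database on Exchange 2013
$Batch    = 'Wave1'          # label used to find these moves again

# Step 1: queue a move for every mailbox on the source database.
Get-Mailbox -Database $SourceDb -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $TargetDb -BatchName $Batch |
    Out-Null

# Step 2: poll until no request in the batch is still queued or in progress.
# Suspended and failed requests count as finished so the loop cannot hang.
$finished = 'Completed', 'CompletedWithWarning', 'Failed',
            'Suspended', 'AutoSuspended'
do {
    Start-Sleep -Seconds 60
    $stats = @(Get-MoveRequest -BatchName $Batch -ResultSize Unlimited |
               Get-MoveRequestStatistics)
    $stats | Group-Object { $_.Status.ToString() } |
        Select-Object Name, Count | Format-Table -AutoSize | Out-Host
    $open = @($stats | Where-Object { $finished -notcontains $_.Status.ToString() })
} while ($open.Count -gt 0)

# Step 3: list anything that did not finish cleanly for follow-up.
$stats | Where-Object { $_.Status.ToString() -ne 'Completed' } |
    Select-Object DisplayName, Status, PercentComplete, BadItemsEncountered
```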

Public Folder Migration

  1. Once we complete all mailbox migration then we can start the Public Folders migration.

    For Public Folder migration use the below Link:

    http://msexchangeguru.com/2013/04/18/exchange2013-public-folders/

  2. Test that everything is working, then shut down the Exchange 2010/2007 server for 1 production week. If no issue is reported, go ahead with the Exchange 2010/2007 removal process.

Known Issues:

Active Sync Config without Domain Name: http://msexchangeguru.com/2013/08/06/e2013mobiledomain/

OWA redirection broken page and SSL: http://www.expta.com/2013/05/owa-2013-cu1-redirection-is-broken-for.html

If you have pop/imap user go for CU2: http://msexchangeguru.com/2013/08/04/e2013popimapauth/

Mailflow misconfiguration: http://msexchangeguru.com/2013/08/03/e2013-2010mailflowissue/

Certificate and cryptographic provider Issue: http://msitpros.com/?p=1770

Legacy Removal

  1. Now we are in a position to remove exchange 2010. We can follow the below link for the exchange 2010/2007 removal.

    http://msexchangeguru.com/2013/09/01/e20102007decomposte2013mig/

Understanding Exchange 2013 Server Roles in the Simplest way

 

Exchange 2013 has two Roles:

  1. Mailbox Server Role
  2. Client Access Server Role

Each organization requires at least one Mailbox Server Role and one Client Access Server Role.

Mailbox Server Role Includes:

  1. Client Access Protocols
  2. Transport Service
  3. Mailbox Databases
  4. Unified Messaging (Except SIP Redirection)
  5. Handles all activities for active Mailboxes on that Server

Client Access Server Role Includes:

  1. Authentication
  2. Redirection (limited)
  3. Proxy Services for HTTP, POP, IMAP and SMTP
  4. Thin and Stateless Server
  5. Does not do any data rendering
  6. Nothing is queued or stored here (except diagnostic logging)

How to Backup/Restore IIS7 & IIS8 Configuration

Backing up IIS7 configuration is as simple as copying the \windows\system32\inetsrv\config directory (and subdirectories) into a backup directory, so you don’t need anything special to do it.  Just include this directory in whatever your OS/content back-up plan is, or write a custom script to do it.

To help make managing backups easy, Microsoft added a simple cmd-line option to AppCmd.exe that makes management of backup/restore sets easy.  For example, to backup configuration, run the following command:

> %windir%\system32\inetsrv\appcmd.exe add backup "My Backup Name"

to restore that backup, run this command:

> %windir%\system32\inetsrv\appcmd.exe restore backup "My Backup Name"

to delete a backup, run this command:

> %windir%\system32\inetsrv\appcmd.exe delete backup "My Backup Name"

IIS will automatically make history snapshots of ApplicationHost.config each time a change is detected, enabling you to easily restore to a prior version.  By default, IIS checks for a new version every 2 mins, and will keep 10 prior versions of the file.  IIS stores these snapshots in the %systemdrive%\inetpub\history folder by default.  You can change any of these settings by editing the section in ApplicationHost.config.
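A custom backup script of the kind mentioned above, as an added example that is not part of the original article or of Microsoft's tooling. It copies the config directory into a timestamped folder and writes a SHA-256 manifest so the copy can be checked for changes before a restore; the backup root `D:\IISBackups` and both function names are assumptions.

```powershell
# Added example, not from the original article. Needs PowerShell 4.0 or later
# (Get-FileHash) and an elevated prompt on the IIS server.
# D:\IISBackups and the function names are placeholders for this sketch.
function Backup-IisConfig {
    param([string]$BackupRoot = 'D:\IISBackups')

    $source = Join-Path $env:windir 'System32\inetsrv\config'
    $name   = 'config-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
    $target = (New-Item -ItemType Directory -Force `
                   -Path (Join-Path $BackupRoot $name)).FullName

    # Copy the directory and its subdirectories, as the article describes.
    Copy-Item -Path (Join-Path $source '*') -Destination $target -Recurse -Force

    # Hash every copied file first, then write the manifest, so the manifest
    # never ends up listing itself.
    $manifest = Get-ChildItem -Path $target -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($target.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    return $target
}

function Test-IisConfigBackup {
    param([Parameter(Mandatory = $true)][string]$BackupPath)

    $problems = @()
    foreach ($row in Import-Csv -Path (Join-Path $BackupPath 'manifest.csv')) {
        $file = Join-Path $BackupPath $row.RelativePath
        if (-not (Test-Path -LiteralPath $file)) {
            $problems += "missing: $($row.RelativePath)"
        }
        elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $row.SHA256) {
            $problems += "changed: $($row.RelativePath)"
        }
    }
    return $problems   # empty when every file still matches the manifest
}

$backup = Backup-IisConfig
Test-IisConfigBackup -BackupPath $backup
```

Keeping a second copy of manifest.csv somewhere other than the backup folder makes the check meaningful even if the backup location itself is modified.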

How to edit the hosts file in Mac OS X – Mavericks

 

Introduction

The hosts file is a text file that maps hostnames to IP addresses.
When you type a URL in the browser, the system checks whether the hosts file has a relevant entry and uses the corresponding IP address; otherwise it resolves the IP via the active connection’s DNS servers.

The hosts file can be edited to block certain hostnames (like ad-serving/malicious hosts), or used for web development purposes, i.e. to redirect domains to local addresses.

Editing the hosts file

Editing the hosts file in Mac OS X – Leopard, is a pretty easy task, especially if you are familiar with the terminal.

Step 1 – Open the Terminal.app

Either start typing Terminal in Spotlight, or go to Applications -> Utilities -> Terminal.

Step 2 – Open the hosts file

Open the hosts file by typing the following in the Terminal that you have just opened:

$ sudo nano /private/etc/hosts

Type your user password when prompted.

Step 3 – Edit the hosts file

The hosts file contains some comments (lines starting with the # symbol), as well as some default hostname mappings (e.g. 127.0.0.1 – localhost).
Simply append your new mappings underneath the default ones. Or edit one of the default values if you know what you are doing!
You can navigate the file using the arrow keys.

Step 4 – Save the hosts file

When done editing the hosts file, press control-o to save the file.
Press enter on the filename prompt, and control-x to exit the editor.

Step 5 – Flush the DNS cache

On Mavericks you can issue a simple Terminal command to flush the DNS cache and have your hosts file changes take immediate effect:

$ dscacheutil -flushcache

You can now test your new mapping in the browser!

Steps to move a DHCP database from a Windows Server 2008 to Windows Server 2012

The DHCP database can be moved or migrated from a Windows Server 2008 server to a Windows 2012 Server.  The information below details the necessary steps.

Export the DHCP database from a server that is running Microsoft Windows Server 2003 or Windows Server 2008

To move a DHCP database and configuration from a server that is running Windows Server 2003 or Windows Server 2008 to another server that is running Windows Server 2008:

1.   Log on to the source DHCP server by using an account that is a member of the local Administrators group.

2.   Click Start, click Run, type cmd in the Open box, and then click OK.

3.   Type netsh dhcp server export C:\dhcp.txt all , and then press ENTER.

Note: You must have local administrator permissions to export the data.

Configure the DHCP server service on the server that is running Windows Server 2008

1.   Click Start, click Administrative Tools, click Server Manager. If needed acknowledge User Account Control.

2.   In Roles Summary click Add Roles, click Next, check DHCP server, and then click Next.

Import the DHCP database

1.   Log on as a user who is an explicit member of the local Administrators group. A user account in a group that is a member of the local Administrators group will not work. If a local Administrators account does not exist for the domain controller, restart the computer in Directory Services Restore Mode, and use the administrator account to import the database as described later in this section.

2.   Copy the exported DHCP database file to the local hard disk of the Windows Server 2008-based computer.

3.   Verify that the DHCP service is started on the Windows Server 2008-based computer.

4.   Click Start, click Run, type cmd in the Open box, and then click OK.

5.   At the command prompt, type netsh dhcp server import c:\dhcpdatabase.txt all , and then press ENTER, where c:\dhcpdatabase.txt is the full path and file name of the database file that you copied to the server.

Note When you try to export a DHCP database from a Windows 2000/2003 domain controller to a Windows Server 2008 member server of the domain, you may receive the following error message:

Error initializing and reading the service configuration – Access Denied

Note You must have local administrator permissions to import the data.

6.   To resolve this issue, add the Windows Server 2008 DHCP server computer to the DHCP Admins group at the Enterprise level and redo steps 4 & 5.

7.   If the “access is denied” error message occurs after you add the Windows Server 2008 DHCP server computer to the DHCP Admins group at the Enterprise level that is mentioned in step 6, verify that the user account that is currently used to import belongs to the local Administrators group. If the account does not belong to this group, add the account to that group, or log on as a local administrator to complete the import and redo steps 4 & 5.

Authorise the DHCP server

1.   Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.

Note You must be logged on to the server by using an account that is a member of the Administrators group. In an Active Directory domain, you must be logged on to the server by using an account that is a member of the Enterprise Administrators group.

2.   In the console tree of the DHCP snap-in, expand the new DHCP server. If there is a red arrow in the lower-right corner of the server object, the server has not yet been authorized.

3.   Right-click the server object, and then click Authorize.

4.   After several moments, right-click the server again, and then click Refresh. A green arrow indicates that the DHCP server is authorized.

Scripting Tools and Utilities

 

If you want something done right, why not let someone else do it for you? All the tools you need to create great scripts are right here. If it’s not here, it doesn’t exist. Or it’s somewhere else, but you’re on your own there.

Scriptomatic 2.0

This world-famous tool writes WMI scripts so you don’t have to. Produces scripts in VBScript, Perl, Python, and JScript. Also provides numerous output formats for running scripts, from plain text to Web page to XML. Try it now!

WMI Code Creator

The WMI Code Creator tool allows you to generate VBScript, C#, and VB .NET code that uses WMI to complete a management task such as querying for management data, executing a method from a WMI class, or receiving event notifications using WMI.

ADSI Scriptomatic

Need scripts that will help you manage Active Directory? Let this tool create your ADSI scripts for you.

Tweakomatic

This nifty utility writes WMI scripts that enable you to retrieve and configure Windows and Internet Explorer settings.

Log Parser 2.2

A powerful tool that provides universal query access to all sorts of things, such as text-based data files, the Windows Event Log, and the Windows registry, just to name a few.

HTA Helpomatic

Utility that helps you write HTML Applications (HTAs). It doesn’t actually write HTAs for you, but it does provide you with sample HTML code and some sample VBScript code that you can copy and paste into an HTA of your own.

Group Policy Software Deployment Extraction to Installation

Courtesy of www.simple-talk.com – Joseph Moody

When you have a large number of PCs in the domain on which to deploy software, based on the role of the user within the organization, and you haven’t a large budget, then Group Policy Software Installation is a good and simple way to do it.

Being able to deploy and manage software is a critical skill for any administrator. After all, who wants to install software manually! This article will walk through each step of this process, from extraction through installation, by using Group Policy.

To Use or Not to Use?

The pace of technology has always amazed me. No matter the tool or technology, we are still solving the same core problems. One main issue has always been connecting people to the software they need. Methods of accomplishing this vary from basic batch files with limited functionality to complex software management systems with mountains of features. Sitting right in the middle of this range is Group Policy Software Installation (GPSI).

GPSI is made simple by being natively available in any Active Directory Domain Services environment, which means no additional server components are required. A Domain Controller paired (or combined) with a File Server constitutes the only requirement. Because the Group Policy service handles the client side, your users and computers do not require anything extra.

Simple in nature, GPSI does lack certain features found in dedicated software management systems (such as System Center Configuration Manager). First, GPSI does not have a central reporting component. The logs, though detailed, are stored on clients. Also, GPSI can only deploy two file types (MSI and ZAP). Finally, installation requires either a logoff or restart; it is a foreground only installation system.

If your organization needs a solid (but free) way to manage software, GPSI is the way to go. If you want to ensure certain software is available immediately on new domain machines, GPSI accomplishes that perfectly as Group Policy processes on first boot. Because it is built on top of Active Directory, you can use it to manage some or all of your software needs. Likely, you can take advantage of GPSI in some way.

Extraction

A majority of enterprise software comes in a MSI format that is wrapped inside of an executable. Most of the time, the trick is getting that MSI out. The first step is to determine if the application actually contains an MSI. This is easily accomplished by launching task manager and running the executable. If the application contains an MSI, task manager will show the Windows installer process (MSIEXEC).

Task Manager showing the Windows Installers

From the picture above, we know that our software contains an MSI. Let’s get it out now. Method 1 of doing this is opening the EXE as an archive. Using a file compression program, we can attempt to open the EXE like a compressed folder. My favorite program for this is 7Zip. In the example below, I was able to open the iTunes setup executable by right clicking on it and selecting Open Archive. As you can see, MSI galore!

Using 7Zip get a list of the MSIs in an executable

Every MSI registers itself with your computer. Knowing this, you can use this information as your second method of retrieving the file. Open up REGEDIT and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products. Search for the name of the application and expand the source list key. Copy the contents of the LastUsedSource entry and open that folder on a local machine. With any luck, your MSI should reside there.

The results when searching for PackageName

If your MSI is not there, you can also search a local computer for the PackageName value. Be sure to enable hidden and protected files before searching.

If your MSI is still missing, head on over to ITNinja.com (formerly appdeploy.com). Likely, someone has found it and posted tips on getting it. Just search for your application (without a version number) to find helpful hints.
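The registry lookup described above can be scripted. This is an added example, not code from the original article: the function name `Find-MsiSource` and the `*7-Zip*` pattern are made up for illustration, and the layout of the LastUsedSource value is stated as an assumption in the comments. It also reports the Authenticode status of the MSI it finds, which is worth checking before the file is copied to a distribution share.

```powershell
# Added example, not from the original article. Find-MsiSource is a name made
# up for this sketch; run it on a machine where the product is installed.
function Find-MsiSource {
    param([Parameter(Mandatory = $true)][string]$NamePattern)

    $root = 'HKLM:\SOFTWARE\Classes\Installer\Products'
    foreach ($key in Get-ChildItem -Path $root) {
        $product = Get-ItemProperty -Path $key.PSPath
        if ($product.ProductName -notlike $NamePattern) { continue }

        $sourceKey = "$($key.PSPath)\SourceList"
        if (-not (Test-Path -Path $sourceKey)) { continue }
        $source = Get-ItemProperty -Path $sourceKey

        # Assumption: LastUsedSource looks like "n;1;C:\some\folder\", that is
        # type;index;path, so everything after the second ';' is the folder.
        $folder = ($source.LastUsedSource -split ';', 3)[-1]
        $msi = $null
        if ($folder -and $source.PackageName) {
            $msi = [System.IO.Path]::Combine($folder, $source.PackageName)
        }
        $found = [bool]($msi -and (Test-Path -LiteralPath $msi))

        # Check the publisher signature before the file goes onto a share.
        $signature = 'n/a'
        if ($found) {
            $signature = (Get-AuthenticodeSignature -FilePath $msi).Status
        }

        [pscustomobject]@{
            ProductName = $product.ProductName
            PackageName = $source.PackageName
            MsiPath     = $msi
            Exists      = $found
            Signature   = $signature
        }
    }
}

Find-MsiSource -NamePattern '*7-Zip*' | Format-List
```

When Exists is False, the PackageName value is still the file name to search the local disk for, as the article suggests.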

Repackaging

But what if your software isn’t an MSI? Check with the manufacturer first – it is not uncommon for one to be provided at request. If you are still stuck with an executable, it is time to repackage it to a GPSI friendly format!

Repackaging is the art of taking the entire executable (or the installed components of the software) and embedding it into an MSI. There are two schools of thought on doing this:

  1. Wrapping the EXE into an empty MSI. The MSI essentially calls the EXE and runs the application silently.
  2. Capturing all new files/registry keys that a particular software installs. Once captured, these settings are stored within an MSI for installation.

If given the choice, I prefer method 2 for repackaging. When using method 1, you are limited to software that can be installed with silent commands (/q, /silent, etc). Normally, software without an MSI lack other standard features such as these commands. Method 1 also prevents you from easily editing the MSI. By capturing an installation into an MSI, you can simply remove files (like a desktop shortcut) that you do not want in the final package.

Capturing an installation is fairly simple. With a clean machine, use a repackaging tool to look at the difference between a before snapshot and after (the installation) snapshot. My favorite tool for doing this is WinInstall LE (free edition). While you can certainly purchase heavy duty repackaging programs, I have yet to find a software that couldn’t be repackaged with the free edition.

Editing the MSI

In all likelihood, your extracted MSI will need to be customized for your organization or edited for deployment. By editing an MSI, you can:

  • Remove unnecessary files/registry entries
  • Disable automatic updating
  • Alter Launch Conditions (such as minimum Hardware, Software, or Operating System requirements)

To edit an MSI, download Orca from Microsoft Support. After installation, you can right click on any MSI and view it as a simple database.

Editing an MSI through the Orca interface

From here, specific attributes of the MSI can be modified or removed. In the picture above, we are looking at the Shortcut table. By deleting any entry in this table, we can remove a shortcut. Two other common tables are the LaunchCondition and Property tables. The LaunchCondition table contains restrictions on the MSI execution. As an example, this table would limit execution of the MSI to Windows 7 and below. The Property table contains options for the MSI installation. If a software requires a serial number to install, you can probably paste that value into the serial number entry under the Property table.

As a best practice, avoid editing MSIs directly. By using Orca, you can select Transform and then Generate Transform. This will create an MST file that will apply your changes (without directly making edits).

Saving to Share

Once edited, the next step is to save your MSI to a network share. When we create our Group Policy Object (GPO) for deployment, this share will be our distribution point. Because you will likely store all of your deployed software in a central location, it is best to configure your Share/Folder permissions in a way that supports multiple deployment types.

Generally, your share name should be something simple and short (ex: \\SERVER\MSI or \\SERVER\APPS). If you prefer a little more obscurity (i.e. Security through Obscurity), it is perfectly fine to hide the Share with a $ value.

For your share permissions, it is acceptable to give Everyone Full Control or to give Authenticated Users Read permission and Administrators Full Control. For the folder permissions, give Authenticated Users Read/Execute and Administrators Full Control. Remember that Authenticated Users includes both Domain Computers and Domain Users. Finally, create specific folders for each manufacturer or piece of software. In the picture below, you can see a sample hierarchy organization.

A simple folder hierarchy

Creating the GPO

Now that the MSI is on the network, let’s link it to a GPO. Create a new unlinked GPO. As a best practice, give the GPO a specific name (usually with a related starting prefix). In our environment, all deployment GPOs start with “APP_”. This allows for easy filtering, sorting, and scripting.

Now decide whether to install the software to the computer or link it to a user. Generally, if the software is static (used consistently at one or many locations), large, or requires regular updates – deploy it on the computer side. If the software is small and used by specific users, deploy it on the user side.

In this example, we are going to create a GPO named APP_7Zip and we will create a corresponding security group named after the GPO. We will then edit the Scope options on the GPO to remove Authenticated Users and to add in our new security group. If you plan on deploying a lot of software, it is best to store these groups in a central location such as a top level OU or physical site level/department OU.

As a general recommendation, avoid extremely detailed GPO and Security Group names (ex: APP-7Zip_v9.00.1.2). Version information, language, and OS type can all be found (or commented) within the GPO itself. Using a general name will keep you from constantly renaming policies.

Edit the GPO. We are going to deploy this MSI to the computer side so we will navigate to Computer Configuration\Policies\Software Settings\Software Installation within the Group Policy Management Console.

Right-click on Software installation in the explorer window

Right click on Software installation and select New Package. Browse to the UNC where you stored the MSI.

Open the file and choose Advanced option, and the Deployment Tab

After selecting Open, choose the Advanced Option and press Ok. Select the Deployment Tab and then Advanced. Check “Ignore language when deploying this package”. This will ensure that if an MSI doesn’t have a language set, deployment will still continue. If you created an MST with ORCA, select the Modifications tab and add the MST. Press OK, make any other changes needed to your GPO, and link it to an OU. Be sure to add any computers to the software security group. Finally, restart the computer twice. After two restarts, your software will install!

The installing message

But What if it Doesn’t?

Like anything made by man, GPSI can break. Most of the time, it is a pretty easy fix though. Below are the troubleshooting steps I take when faced with an installation problem.

  • Does the MSI install normally if I run it on a computer? If it won’t install this way, I know Group Policy isn’t at fault.
  • Can you run the MSI silently? EX: msiexec /I MSI-FILE.msi /qb. If the file can’t install silently, I know Group Policy isn’t at fault.
  • Am I deploying the MSI to the correct object (user or computer)? Some MSIs can’t install to a user and some only want to be installed to a user.
  • Do I see any errors in the event log under application?
  • Is the policy being applied correctly? Running GPRESULT /h Report.htm /f will generate a detailed Group Policy Result.