Category Archives: Microsoft Exchange Server

Active Directory Microsoft Exchange Server Network Infrastructure Windows Server Windows XP

Managing DNS In Windows Server 2012

Previously, I covered installing the DNS role in Windows Server 2012. Once installed, managing the role is very similar to how it was done in Windows Server 2003 through 2008 R2, with the exception of how you access the tools. DNS is one of the most important services on Windows servers, as on most other platforms, so it’s important to configure it properly.

To get into the DNS Manager in 2012 Server, first open Server Manager (you might get sick of using this tool in Server 2012, similar to how my Mac Server brethren have gotten tired of it in Lion and Mountain Lion Servers). Then from Server Manager click on DNS from the Tools menu.

Once the DNS Manager MMC is open, notice that you will have Forward and Reverse Lookup Zones listed. The forward zones map names to IP addresses or other types of records, and the reverse zones contain the name for a given IP address (PTR records).

By default there are no zones, so click on New Zone from the Action menu to bring up the New Zone Wizard. From here, click on Next. If the zone is a new zone, click on New Zone. Otherwise, choose Secondary Zone if the server will be acting as a secondary name server for a given zone (make sure the primary allows zone transfers from the IP of the system you’re configuring) or select Stub Zone if the server will host a partial list of records. Click Next when you’ve selected the type of zone to create.

At the New Zone screen, enter a name for the zone. For example, krypted.com. Once entering the new Zone name, click Next.

At the Zone file screen, enter a name for the file that information about the new zone will be stored in and click on the Next button.

At the Dynamic Update screen, choose whether the zone will allow dynamic updates. Here, you can choose whether clients can update DNS information in zones and if so, who can do so. I usually just leave this at the default (unless I’m preparing to install AD into the zone) and click on the Next button.

At the Completing the New Zone Wizard screen, click on the Finish button (provided of course that the settings match your desired configuration for the zone).

Once you see the domain name in DNS Manager, double-click on it. You’ll see the NS and SOA records. Usually you won’t ever end up touching these. Next, create records for your domain. Using the Action menu, select to create a new A Record, CNAME, etc. In this example, we’ll create a basic A Record, selecting the checkbox to automatically create a PTR with the record. Click

Continue creating your records until they’re all built, and take this time to test them as well, as they’re being created. I usually like to run a flushdns between each creation/change:

ipconfig /flushdns

Once you’re done with all of the records, I usually like to restart DNS with net stop:

net stop dns

And of course, start it back up.

net start dns
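As an added example that isn’t part of the original post, here is the same forward zone, A record and automatic PTR built with the DnsServer PowerShell module that ships with the Windows Server 2012 DNS role, followed by a check that forward and reverse resolution actually agree (the thing you’d otherwise eyeball after each flushdns). krypted.com is the article’s example zone; the host name, subnet and IP addresses are constructed for this example.

```powershell
# Added example (not from the original post). Assumes the DNS role and its
# DnsServer module are installed on the local server. krypted.com is the
# article's zone; the host, subnet and addresses below are constructed.
Import-Module DnsServer

$zone     = "krypted.com"
$subnet   = "192.168.210.0/24"     # constructed: subnet the reverse zone covers
$hostName = "www"                  # ($host is a reserved automatic variable)
$address  = "192.168.210.135"

# Forward zone, file-backed, dynamic updates off (the wizard's default for a
# zone that is not stored in Active Directory).
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None
}

# A reverse zone has to exist before -CreatePtr can put a PTR record in it;
# the wizard's "create PTR" checkbox silently does nothing otherwise.
$reverseZone = "210.168.192.in-addr.arpa"
if (-not (Get-DnsServerZone -Name $reverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $subnet -ZoneFile "$reverseZone.dns" -DynamicUpdate None
}

# Equivalent of New Host with "Create associated pointer (PTR) record" ticked.
Add-DnsServerResourceRecordA -Name $hostName -ZoneName $zone -IPv4Address $address -CreatePtr

function Test-ForwardReverseMatch {
    # Ask this server for the A record and the PTR and report whether they
    # point at each other. Clear-DnsClientCache is the PowerShell equivalent
    # of ipconfig /flushdns, so a stale local answer cannot mask a bad record.
    param(
        [string]$Fqdn,
        [string]$Ip,
        [string]$Server = "127.0.0.1"
    )
    Clear-DnsClientCache
    $a   = Resolve-DnsName -Name $Fqdn -Type A   -Server $Server -ErrorAction Stop
    $ptr = Resolve-DnsName -Name $Ip   -Type PTR -Server $Server -ErrorAction Stop

    $forwardOk = ($a   | Where-Object { $_.Type -eq "A"   }).IPAddress -contains $Ip
    $reverseOk = ($ptr | Where-Object { $_.Type -eq "PTR" }).NameHost  -contains $Fqdn

    [pscustomobject]@{
        Name      = $Fqdn
        IP        = $Ip
        ForwardOK = $forwardOk
        ReverseOK = $reverseOk
    }
}

Test-ForwardReverseMatch -Fqdn "$hostName.$zone" -Ip $address
```

Run it in an elevated PowerShell on the DNS server itself. Both ForwardOK and ReverseOK should be True; a True/False split almost always means the reverse zone for that subnet didn’t exist when the record was created, which is exactly the case the script guards against.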

At the DNS Manager screen, right-click (control-click if you’re using a Mac) on the name of the server and then click on Properties. From the Properties screen, you’ll initially see the Interfaces tab. Here, uncheck any interface on which you don’t want the DNS service listening (UDP and TCP port 53).

Click on the Forwarders tab. Here, define the servers that your server uses to resolve names it isn’t authoritative for. DNS is kinda’ like a pyramid scheme like that. You shouldn’t need to touch these too often, but there are some great options here for conditional forwarders, where your server looks to a specific server for a given DNS domain.

Click on the Advanced tab. Here, you can configure a variety of server options. A common security task is to disable recursion. If this server is an Active Directory integrated DNS server, doing so won’t stop the other Active Directory DNS servers from communicating with one another, since they receive their zone data from Active Directory (as can be seen in the Load zone data on startup field of this screen). Enable BIND secondaries allows a Mac (which runs BIND) to act as a secondary DNS server for the zones stored on this server. In my experience this doesn’t work too well with Active Directory service records, but it works pretty well with anything else, provided you define each zone on the secondary.

Click on Root Hints. If you need to edit these then you might be doing something wrong. Root hints are the root DNS servers that sit atop the DNS pyramid scheme. I’ve only ever needed to edit these once, at the instruction of Microsoft during a support call for an environment that was in a walled garden. If the server connects to the Internet then chances are it should use the Forwarders to resolve names as opposed to Root Hints.

Click on the Monitoring tab. Here, you can configure a small monitor that runs test queries against the DNS server (a simple query against this server, or a recursive query to other servers if you tick the second option), and you can automate the test to run every so often and show the results.

Click on the Event Logging tab. By default, all events are logged. Here, you can decrease logging so that the server only logs errors, warnings or even nothing at all.

Click on the Debug Logging tab. This is like a special rockin’ tcpdump for DNS. You can log packets of various types with regard to name resolution, filter the output by IP address(es) and dump the information out to a file. This is extremely detailed logging, so you also have the option to set a maximum size for your log file.

You also have more granular controls for each domain. In the DNS Manager, right-click on your new domain and then click on Properties. Here, you’ll see the information you provided when configuring the zone in the first place (btw, zone is pretty much the same thing as domain, except each subnet of IP addresses for PTR records is also considered a zone). At the General tab you can pause a domain’s DNS, change the zone from a primary to a secondary if needed, etc. You can also define a different name for your zone file and enable dynamic updates. If the zone is a primary zone, click on the Aging button if you’d like to configure stale record scavenging. There, you can define when records that become stale are automatically deleted.

Click on the SOA tab. Here, you can define the serial number for the domain. It is incremented automatically, but you can override it if needed. You can define the primary server if the zone is a secondary, and provide the email address/username of the person responsible for the domain. Here, you also configure the TTL for the domain, the expiry interval, the refresh and retry intervals for secondaries, etc.

At the Name Servers tab, you can list the servers that are authoritative for this zone (these become the zone’s NS records).

Click on the WINS tab. If you are integrating WINS with DNS then chances are you missed flannel going out of style. But that’s ok, since provided you’re wearing your flannel with super tight jeans that require a can opener to get off, it’s just fine to wear a flannel. Anyway, if you use WINS with DNS, you’ll need to install WINS with Server Manager. When you go to add WINS it’s a feature, not a role.

Click on Zone Transfers. This is where you define which IP addresses are able to perform a zone transfer for the domain you’re configuring. By default, transfers are allowed only to the hosts listed on the Name Servers tab. To open it up for everyone (not the best security option, as anyone can then pull a complete copy of your zone) click “To any server”, or to use a separate list from the Name Servers, use the “Only to the following servers” button and then use the Edit button to populate the list.

Once you’ve configured the properties for your zone as granularly as you’d like, click Apply and then finish populating the zone with any other required records and testing all the settings. I also like to restart my DNS again after all that fun stuff.
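The server and zone properties walked through above (Forwarders, recursion on the Advanced tab, Debug Logging, the Aging button and Zone Transfers) can also be set with the DnsServer module, and more importantly read back so you can prove what the server is actually doing. The following is an added example, not code from the original post: krypted.com is the article’s zone, and the forwarder, secondary server and log path values are constructed placeholders.

```powershell
# Added example (not from the original post). Applies the hardening settings
# discussed above with the DnsServer module and reads them back for audit.
# krypted.com is the article's zone; the other values are constructed.
Import-Module DnsServer

$zone        = "krypted.com"
$secondaries = @("192.168.210.53")          # constructed: only hosts allowed to pull the zone
$forwarders  = @("192.168.210.1")           # constructed: upstream resolver(s)
$debugLog    = "C:\DnsLogs\dns-debug.log"   # constructed path

# Forwarders tab: send everything we are not authoritative for upstream, and
# don't fall back to root hints if the forwarders are unreachable.
Set-DnsServerForwarder -IPAddress $forwarders -UseRootHint $false

# Advanced tab: disable recursion. Only do this on a server that is purely
# authoritative; a server that clients use as their resolver needs recursion
# (or forwarders) to answer names outside its own zones.
Set-DnsServerRecursion -Enable $false

# Zone Transfers tab: "Only to the following servers" with an explicit list,
# plus NOTIFY to those same hosts so they pick up changes promptly.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondaries -Notify NotifyServers -NotifyServers $secondaries

# Aging button on the General tab: allow scavenging of stale dynamic records
# after the no-refresh + refresh window (7 + 7 days here).
Set-DnsServerZoneAging -Name $zone -Aging $true -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# Debug Logging tab: queries and answers in both directions to a capped file.
# This is verbose, so the size cap matters; turn it back off when you're done.
New-Item -ItemType Directory -Path (Split-Path $debugLog) -Force | Out-Null
Set-DnsServerDiagnostics -Queries $true -Answers $true `
    -ReceivePackets $true -SendPackets $true -UdpPackets $true -TcpPackets $true `
    -EnableLoggingToFile $true -LogFilePath $debugLog -MaxMBFileSize 500

function Get-DnsHardeningReport {
    # Read the effective settings back so the change can be verified now and
    # audited later; the dialogs show the same values, one tab at a time.
    param([string]$ZoneName)
    $rec = Get-DnsServerRecursion
    $z   = Get-DnsServerZone -Name $ZoneName
    $fwd = Get-DnsServerForwarder
    [pscustomobject]@{
        Zone               = $ZoneName
        RecursionEnabled   = $rec.Enable
        Forwarders         = ($fwd.IPAddress -join ", ")
        ZoneTransferPolicy = $z.SecureSecondaries
        TransferAllowedTo  = ($z.SecondaryServers -join ", ")
        ScavengingEnabled  = (Get-DnsServerScavenging).ScavengingState
    }
}

Get-DnsHardeningReport -ZoneName $zone | Format-List
```

The report at the end is the part worth keeping around: ZoneTransferPolicy should read TransferToSecureServers with only your real secondaries listed, and RecursionEnabled should be False on any server that faces the Internet and isn’t meant to resolve for clients.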

Mass Deployment Microsoft Exchange Server Windows Server

Install Exchange From the Command Line

Exchange is becoming more and more command line oriented. This includes the PowerShell options for managing Exchange once installed, but can also include the initial installation. To install Exchange from the command line, one must first install the Exchange prerequisites, which are broken down per role being installed. This can be done using the Add-WindowsFeature cmdlet. To install the Windows requirements for the Client Access, Hub Transport and Mailbox roles, use the following command:

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart

For the Edge Transport role, use:

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience -Restart

For the Unified Messaging role, use:

Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart

After the server restarts, also configure NetTcpPortSharing:

Set-Service NetTcpPortSharing -StartupType Automatic

Once the required features are installed, you can then run the installer and extend the Active Directory schema to prepare for the new attributes required for the version of Exchange you’re installing (2010 for this article btw). To do so, use the setup.exe command. In this example command we’ll use the setup.exe located in c:\ExchangeInstallers:

c:\ExchangeInstallers\setup.exe /prepareschema

Once the Schema is ready, then prepare AD:

c:\ExchangeInstallers\setup.exe /preparead

Then, prep the domain:

c:\ExchangeInstallers\setup.exe /PrepareDomain

Note: For a full listing of what happens at the above stages of the installation, see TechNet 125224: http://technet.microsoft.com/en-us/library/bb125224(v=exchg.150).aspx

Once that’s done, I like to do a quick sync of AD from the domain controller holding the Schema Master FSMO role:

repadmin /syncall

Then, for the easy part: install Exchange (in this case we’re installing Hub, CAS & Mailbox roles):

c:\ExchangeInstallers\setup.exe /m:install /r:h,c,m

And voila, you’ve now got an Exchange Server. Since this is a Mailbox server, an empty information store is created and store.exe should be running. Use Get-MailboxDatabase to verify:

Get-MailboxDatabase -Status

You can then move a database (e.g. to your SAN), since by default it will be nested in the mdb folders in the Exchsrvr directory, by using the Move-DatabasePath cmdlet. Or use the Move-StorageGroupPath cmdlet to move the transaction logs.

Once the information store is back online and any logs have been moved, check the connectors in Exchange. Use Get-SendConnector to see any outgoing connectors and Get-ReceiveConnector to see any incoming connector information. You can also use Get-ExchangeCertificate to check any certs on the host and Get-RoutingGroupConnector to see any information about routing group connectivity.
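Strung together, the steps above are a natural candidate for a script, and the thing a script buys you over typing them is that a failed /PrepareSchema never silently flows into /PrepareAD. As an added example that isn’t part of the original post, here is a wrapper that checks the role prerequisites are really installed, runs each setup.exe stage and stops on the first non-zero exit code, then does the store and connector checks. The installer path and feature list are the article’s; the wrapper itself is the editor’s, and the post-install cmdlets assume the Exchange 2010 management snap-in is available on the box.

```powershell
# Added example (not from the original post): guarded wrapper for the
# command-line Exchange 2010 install described above. Paths and the feature
# list come from the article; the checks are the editor's.
Import-Module ServerManager

$setup    = "C:\ExchangeInstallers\setup.exe"
$features = "NET-Framework","RSAT-ADDS","Web-Server","Web-Basic-Auth","Web-Windows-Auth",
            "Web-Metabase","Web-Net-Ext","Web-Lgcy-Mgmt-Console","WAS-Process-Model",
            "RSAT-Web-Server","Web-ISAPI-Ext","Web-Digest-Auth","Web-Dyn-Compression",
            "NET-HTTP-Activation","RPC-Over-HTTP-Proxy","Web-WMI"

# Refuse to continue if any CAS/Hub/Mailbox prerequisite is missing: setup.exe
# would fail later with a far less obvious error.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    throw "Prerequisites not installed: $(($missing | ForEach-Object { $_.Name }) -join ', ')"
}

# NetTcpPortSharing must be set to start automatically (Set-Service step above).
$svc = Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'"
if ($svc.StartMode -ne "Auto") {
    Set-Service NetTcpPortSharing -StartupType Automatic
}

if (-not (Test-Path $setup)) { throw "Installer not found at $setup" }

function Invoke-ExchangeSetupStage {
    # Run one setup.exe stage and stop the script if it returns non-zero.
    param([string]$Stage, [string[]]$Arguments)
    Write-Host "==> setup.exe $($Arguments -join ' ')"
    $p = Start-Process -FilePath $setup -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw "$Stage failed with exit code $($p.ExitCode); see the ExchangeSetup log before retrying."
    }
}

# Schema, forest and domain preparation, in the order the article gives them,
# then a replication pass so the new schema is visible everywhere.
Invoke-ExchangeSetupStage -Stage "PrepareSchema" -Arguments "/PrepareSchema"
Invoke-ExchangeSetupStage -Stage "PrepareAD"     -Arguments "/PrepareAD"
Invoke-ExchangeSetupStage -Stage "PrepareDomain" -Arguments "/PrepareDomain"
repadmin /syncall

# Hub Transport, Client Access and Mailbox roles.
Invoke-ExchangeSetupStage -Stage "Install" -Arguments "/m:install","/r:h,c,m"

# Post-install checks. Load the Exchange 2010 snap-in if this isn't already the
# Exchange Management Shell.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
if (-not (Get-Process store -ErrorAction SilentlyContinue)) {
    Write-Warning "store.exe is not running; the information store did not start."
}
Get-MailboxDatabase -Status | Select-Object Name, Server, Mounted, EdbFilePath
Get-SendConnector    | Select-Object Name, Enabled, AddressSpaces
Get-ReceiveConnector | Select-Object Name, Bindings, AuthMechanism, PermissionGroups
```

The connector listing at the end is worth reading rather than just scrolling past: the AuthMechanism and PermissionGroups columns on each receive connector tell you who can submit mail to this server and how they have to authenticate to do it.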

Microsoft Exchange Server

Put an ESX Virtual Machine Into Safe Mode

Sometimes you need to boot a system into Safe Mode. But with a virtual machine you don’t have enough time to put a Windows system into Safe Mode. To put a normal system into safe mode, you can just hit the F8 key while Windows is booting. But with a virtual machine the BIOS screen is by default set to go away after 0 seconds. Therefore, you need to add a boot delay to mimic a physical host. To give a virtual machine in ESX such a boot delay, view all the virtual machines and then right-click on the virtual machine you need to configure a delay for.

Next, click on Edit Settings, then click on the Options tab and then Boot Options. At the Boot Options screen, set the Power-on Boot Delay to 5000ms, which will give you a 5 second delay. With that 5 second delay you will be able to click on a booting virtual machine and then press the F8 key. From here, open the console window for the virtual machine and start the boot process.

Mac OS X Microsoft Exchange Server

New Office For Mac Accreditation

Last week, MacTech released the news of a Microsoft Office accreditation currently in pilot for Apple techs with the following press release, announcing a half day course for the certification:

NEW ACCREDITATION FOR APPLE TECHS: “MICROSOFT OFFICE FOR MAC ACCREDITED SUPPORT PROFESSIONAL”

- Working together, MacTech and Microsoft are making available a new accreditation program for Apple consultants and techs

February 21, 2013 — Westlake Village, CA — Today MacTech, who publishes MacTech Magazine as well as produces live events, announced the event and city schedule to obtain Microsoft’s new “Microsoft Office for Mac Accredited Support Professional” accreditation. This pilot program is a half day long, and will take place the day prior to each MacTech BootCamp II in 2013. This new Microsoft accreditation program is training and evaluation focused on the issues every consultant and tech should know when advising on or supporting Microsoft Office for Mac, and Microsoft Office 365 suites, with a focus on Apple users. All registered attendees to MacTech’s 2013 BootCamps, are welcome to attend the course, and become accredited, at no charge. Space is limited.
The pilot accreditation program will cover topics such as installation; Office Web Apps; best practices in configuration, preferences, settings and use; licensing options; cross platform features; sharing documents with SkyDrive, SharePoint, and more; troubleshooting and common questions; available support resources; and more.  The accreditation is specifically designed for Apple consultants and techs supporting others using Microsoft Office for Mac, and Office 365 suites.  At the end of the course, attendees will be evaluated on the content presented, and those who demonstrate sufficient knowledge will become a “Microsoft Office for Mac Accredited Support Professional.”  Once obtained, attendees will receive an accreditation certificate from Microsoft, and be able to display the new accreditation graphic on their web sites and other promotional materials, as well as in their credentials.
“Microsoft Office for Mac has always been at the heart of most professional Apple installations. With Office 365, Web Apps, an array of collaboration options, and more, consultants need to have the right knowledge to support their clients not only in making the best solution decisions, but also in helping them to understand the features available to them,” said Neil Ticktin, Editor-in-Chief/Publisher, MacTech Magazine and MacTech BootCamp Event Organizer. “We’ve been working with those in the community and with Microsoft for some time to create the right kind of accreditation that will help consultants and techs perform their duties, as well as help grow their support offerings and consulting business.”
MacTech BootCamp II is the next incarnation of MacTech’s successful BootCamp events. The event benefits both return attendees as well as those that have never attended a MacTech BootCamp. Held around the country, MacTech BootCamp II is specifically designed for those that support small-to-medium sized business and small office/home office, organization support staff, and even consumer support. MacTech BootCamp II is a single-track, hotel based seminar that is specifically geared to serve the needs of consultants and techs wanting to serve their base better.  Sessions include topics such as: Key Building Blocks for Today’s Apple Consultant; Mobility and Profiles; Local Storage, Network Storage, Backups; Network and Routing; Command Line; DNS; Deployment; Apple IDs; and more…
There are seven MacTech BootCamps in 2013 in cities around the United States.  The Microsoft accreditation course and evaluation is a half day program that takes place the day BEFORE each MacTech BootCamp II as follows:

- Seattle, WA: MacTech BootCamp II on Mar 6, 2013; Microsoft accreditation course on Mar 5
- Dallas, TX: MacTech BootCamp II on Apr 17, 2013; Microsoft accreditation course on Apr 16
- Boston, MA: MacTech BootCamp II on May 15, 2013; Microsoft accreditation course on May 14
- Washington, DC: MacTech BootCamp II on Jun 26, 2013; Microsoft accreditation course on Jun 25
- Chicago, IL: MacTech BootCamp II on Jul 17, 2013; Microsoft accreditation course on Jul 16
- San Francisco, CA: MacTech BootCamp II on Aug 13, 2013; Microsoft accreditation course on Aug 12
- Atlanta, GA: MacTech BootCamp II on Sep 18, 2013; Microsoft accreditation course on Sep 17

MacTech BootCamp is economically priced and includes lunch, sessions, and sponsor interaction.  Each event has early bird registration pricing available in limited quantity, saving registered attendees up to $200 (Normal price: $499, Early Bird Price: $299).  Take note of when the early bird period ends for each location.
For more information about MacTech BootCamp, see http://www.mactech.com/bootcamp
For more information about the accreditation, see http://www.mactech.com/bootcamp/microsoft-office-accreditation
About MacTech Magazine

Established in 1984, MacTech Magazine is the only monthly magazine focused on Apple at the technical level. Each month, MacTech and MacTech.com is read by 150,000 technical Macintosh users in over 175 countries, from network administrators to programmers, from solution providers to Enterprise, and in general anyone that’s interested in the Macintosh beyond the user level. If you’re interested in getting under the hood of your Mac, or if you want to know how to make things happen inside the box, you should be reading MacTech Magazine. Contact the magazine. Toll free: 877-MACTECH, International: 805-494-9797, custservice@mactech.com, http://www.mactech.com

I tried to scour the Microsoft domain for more information about this new certification but was unable to find any information about it on Mactopia, the Office:Mac twitter feed, etc. As the Office client is something I specifically hired someone to supplement our skills for last year, I see this as another notch in a good engineer’s belt. Clearly much of the Mac community is moving to a focus on the client, and many a large environment leverages Office as a key element of the client. So overall this sounds like a very nice step in continuing to further legitimize the Apple platform and the place that Office plays there! Having recently cert’d up with Office 365 I might even nerd out to this one as well!

cloud Microsoft Exchange Server Windows Server

Managing Office 365 Users Using PowerShell

Programmatically controlling the cloud is an important part of trying to rein in the chaos of disparate tools that the beancounters make us use these days. Of all the companies out there, Microsoft seems to understand this about as well as anyone, and their fine programmers have provided us with a nice set of tools to manage Office 365 accounts, both in a browser (as with most cloud services) and in a shell (which is what we’ll talk about in this article).

This article isn’t really about scripting PowerShell. Instead we’re just looking at a workflow that could be used to script a Student Information System, HRIS solution or another tool that has thousands of users in it to communicate with Microsoft’s 365 cloud offering, providing access to Exchange, Lync, Access, Unified Messaging and of course, minesweeper. Wait, before you get carried away, I still haven’t found a way to access minesweeper through PowerShell… Sorry…

In order to manage Office 365 objects, you will first need to import the MSOnline module (i.e. its set of cmdlets) and then connect to an account with administrative access to an Office 365 environment. To import the cmdlets, use the Import-Module cmdlet, indicating the module to import is MSOnline:

Import-Module MSOnline

The Get-Credential cmdlet informs you what account you are currently signed in as. Once you have imported the appropriate cmdlets, connect to MS Online using the Connect-MsolService cmdlet with no operators, as follows:

Connect-MsolService

You will then be prompted for a valid Live username and password. The Connect-MsolService cmdlet also supports a -Credential parameter (Connect-MsolService -Credential) which allows for injecting authentication information into the command in a script. Next, set up a domain using New-MsolDomain along with the -Name parameter followed by the name of the domain to use with Office 365:

New-MsolDomain -Name krypted.com

The output would appear as follows, indicating that the domain is not yet verified:

Name           Status        Authentication
krypted.com    Unverified    Managed

Once created, in order to prove that you are authoritative for the domain, create a TXT record in the DNS zone on the authoritative name server for the domain. To see what the TXT record should contain, run Get-MsolDomainVerificationDns:

Get-MsolDomainVerificationDns -DomainName krypted.com -Mode dnstxtrecord

The output would appear as follows:

Label : deploymsonline.com
Text : MS=ms123456789
Ttl : 3600

Once the TXT record is in place and resolving, confirm the domain using Confirm-MsolDomain, after which Get-MsolDomain shows it as Verified:

Confirm-MsolDomain -DomainName krypted.com

Once the domain is confirmed, you can create users within it. To see account information, use the Get-MsolUser cmdlet with no parameters:

Get-MsolUser

To create an account, use the New-MsolUser cmdlet. This requires four attributes for the account being created: UserPrincipalName, DisplayName, FirstName and LastName. These are operators for the command as follows, creating an account called Charles Edge with a display name of Charles Edge and an email address of cedge@krypted.com:

New-MsolUser -UserPrincipalName "cedge@krypted.com" -DisplayName "Charles Edge" -FirstName "Charles" -LastName "Edge"

Other attributes can be included as well, or you can use a csv file to import accounts. Once created, you can use the Set-MsolUserPassword cmdlet to configure a password, identifying the principal with -UserPrincipalName and the new password quoted with -NewPassword. I also elected to not make the user change their password at next login (through the web portal users have to reset their password and they’re randomly generated, so this is much more traditionally equivalent to what we’ve done in Active Directory Users and Computers). Note that the boolean parameters take $true/$false, not the bare words:

Set-MsolUserPassword -UserPrincipalName cedge@krypted.com -NewPassword "reamde" -ForceChangePassword $false

We can also use Set-MsolPasswordPolicy to change the password policy, although here we’ll use Set-MsolUser for the account so that the password never expires:

Set-MsolUser -UserPrincipalName cedge@krypted.com -PasswordNeverExpires $true

Also, you could use Set-MailboxPermission to configure permissions on mailboxes. I’ve also found that Get-MsolAccountSku is helpful to get information about the actual account I’m logged in as, and while I’m waiting for a domain to verify I can use Get-MsolDomain to see the status. Once the domain is accepted, Get-AcceptedDomain shows information about the domain. Set-MsolUserLicense can be used to manage who gets what license.

Finally, all of this could be strung together into a subsystem by any organization to centrally bulk import and manage delegated domains in an Office365 environment. There are going to be certain areas where human intervention is required but overall, most of the process can be automated, and once automated, monitoring the status (e.g. number of accounts, etc) can also be automated, providing a clear and easy strategy for 3rd party toolsets to be integrated with the Office 365 service that Microsoft is providing. It is a new world, this cloud thing, but it sure seems a lot like the old world where we built middleware to do the repetitive parts of our jobs… Just so happens we’re tapping into their infrastructure rather than our own…
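To make the bulk-import idea concrete, here is an added example (not code from the original post) that reads users from a CSV, refuses to provision into a domain the tenant hasn’t verified yet, skips accounts that already exist, and creates each one with a generated initial password and a license. It uses the same MSOnline cmdlets as above; the CSV path, the CSV column names, the ENTERPRISEPACK SKU match and the output file are assumptions for the example.

```powershell
# Added example (not from the original post): bulk-provision Office 365 users
# from a CSV with the MSOnline cmdlets shown in the article. Assumes the
# MSOnline module is installed and that the CSV has the columns
# UserPrincipalName,DisplayName,FirstName,LastName,UsageLocation.
# Paths, the SKU filter and the CSV contents are constructed placeholders.
Import-Module MSOnline

# Prompt once for the tenant admin credential and pass it in (the -Credential
# form of Connect-MsolService mentioned above), so a scheduled run can use a
# stored credential object instead of an interactive prompt.
$cred = Get-Credential -Message "Office 365 administrator"
Connect-MsolService -Credential $cred

$domain  = "krypted.com"
$csvPath = "C:\Imports\new-users.csv"             # placeholder
$outPath = "C:\Imports\new-users-created.csv"     # placeholder
# Assumption: an E3 (ENTERPRISEPACK) SKU exists in the tenant.
$skuId = (Get-MsolAccountSku |
          Where-Object { $_.AccountSkuId -like "*:ENTERPRISEPACK" } |
          Select-Object -First 1).AccountSkuId
if (-not $skuId) { throw "No ENTERPRISEPACK SKU found; check Get-MsolAccountSku" }

# Never provision into a domain that is still Unverified: the accounts would
# be created against an identity the tenant hasn't proven it owns.
$dom = Get-MsolDomain -DomainName $domain
if ($dom.Status -ne "Verified") {
    throw "Domain $domain is $($dom.Status); add the TXT record from Get-MsolDomainVerificationDns and run Confirm-MsolDomain first."
}

function New-RandomPassword {
    # 16 characters from a mixed alphabet using the CSPRNG; the user is forced
    # to replace it at first sign-in, so this is only an initial secret.
    param([int]$Length = 16)
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$results = foreach ($row in Import-Csv -Path $csvPath) {
    # Only touch accounts in the domain we just checked.
    if ($row.UserPrincipalName -notlike "*@$domain") {
        Write-Warning "Skipping $($row.UserPrincipalName): not in $domain"
        continue
    }
    # Idempotent: re-running the import must not error on, or reset, existing users.
    if (Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($row.UserPrincipalName): already exists"
        continue
    }
    $pw = New-RandomPassword
    # Unlike the single-user example above, here the generated password must be
    # changed at first sign-in; UsageLocation is required before a license can apply.
    $u = New-MsolUser -UserPrincipalName $row.UserPrincipalName `
                      -DisplayName $row.DisplayName `
                      -FirstName $row.FirstName -LastName $row.LastName `
                      -UsageLocation $row.UsageLocation `
                      -Password $pw -ForceChangePassword $true `
                      -LicenseAssignment $skuId
    [pscustomobject]@{ UPN = $u.UserPrincipalName; InitialPassword = $pw; Licensed = $u.IsLicensed }
}

# Initial passwords go to the onboarding process through a controlled channel,
# not by email; here they land in a file the service desk picks up and deletes.
$results | Export-Csv -Path $outPath -NoTypeInformation
$results | Select-Object UPN, Licensed | Format-Table -AutoSize
```

The two guard clauses are the point: checking Get-MsolDomain before creating anything, and checking Get-MsolUser per row, are what let a Student Information System or HRIS feed this script on a schedule without a half-finished run leaving duplicates or accounts in an unverified domain.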

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Microsoft Exchange Server Network Infrastructure

Configuring & Using Profile Manager 2 in OS X Mountain Lion Server

Profile Manager first appeared in OS X Lion Server as the Apple-provided tool for managing Apple devices, including Mobile Device Management (MDM) for iOS based devices as well as Profile management for OS X based computers, including MacBooks, MacBook Airs, Mac Minis, Mac Pros and iMacs running Mac OS X 10.7 and up. In OS X Mountain Lion, Apple has added a number of new features to Profile Manager, most notably the ability to push certain types of apps to mobile devices.

In this article, we’re going to look at setting up Profile Manager from scratch. If you’re upgrading to OS X Mountain Lion Server (10.8 Server) from OS X Lion Server (10.7 Server) then review this link for upgrade instructions.

Preparing For Profile Manager

Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and properly configuring a host name for the server. In this example, the IP address will be 192.168.210.135 and the hostname will be mlserver3.pretendco.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install it ahead of time. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname using scutil.

sudo scutil --set HostName mlserver3.pretendco.com

Then the ComputerName:

sudo scutil --set ComputerName mlserver3.pretendco.com

And finally, the LocalHostName:

sudo scutil --set LocalHostName mdm

Now check changeip:

sudo changeip -checkhostname

The changeip command should output something similar to the following:

Primary address = 192.168.210.135
Current HostName = mlserver3.pretendco.com
DNS HostName = mlserver3.pretendco.com
The names match. There is nothing to change.
dirserv:success = "success"

If you don’t see the success line and that the names match, you might have some DNS work to do next, according to whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should be set to the IP address of the server. To manage DNS, start the DNS service and configure it as shown in the DNS article I did previously.

Provided your DNS is configured properly then changeip should work. If you’re hosting DNS on an Active Directory integrated DNS server or some other box then just make sure you have a forward and reverse record for the hostname/IP in question.

Now let’s open the Server app from the Applications directory. Here, use the Next Steps drawer at the bottom and verify that the Configure Network section reads that “Your network is configured properly” as can be seen here:

Profile Manager is built atop the web service, APNS and Open Directory. Therefore, let’s close the Next Steps drawer, click on the Web service and just hit start. While not required for Profile Manager to function, it can be helpful. We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default websites is shown (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default) and a View Server Website link is shown at the bottom of the screen. If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).

Once the Web service is started and good, click on the View Server Web Site link at the bottom and verify that the Welcome to Lion Server page loads.

Setting Up Profile Manager

Provided the Welcome to Lion Server page loads, click on the Profile Manager service. Here, click on the Configure button.

At the first screen of the Configure Device Management assistant, click on Next.

Assuming the computer is not yet an Open Directory master or Replica, and assuming you wish to setup a new Open Directory Master, click on Create a new Open Directory domain at the Configure Network Users and Groups screen. Then click on Next.

At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to Workgroup Manager if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.

At the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.

At the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).

The Open Directory master is then created. Even if you’re tying this thing into something like Active Directory, this is going to be a necessary step. Once Open Directory is setup you will be prompted to provide an SSL Certificate.

This can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next.

If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.

You will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid AppleID. It is best to use an institutional AppleID (e.g. push@krypted.com) rather than a private one (e.g. charles@krypted.com). Once you have entered a valid AppleID username and password, click Next.

Provided everything is working, you’ll then be prompted that the system meets the Profile Manager requirements. Click on the Finish button to complete the assistant.

When the assistant closes, you will be back at the Profile Manager screen in the Server application. Here, check the box for Sign Configuration Profiles.

The Code Signing Certificate screen then appears. Here, choose the certificate from the Certificate field.

Unless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection.

If you host all of your services on the one server (Mail, Calendars, VPN, etc) then leave the box checked for Include configuration for services; otherwise uncheck it.

Now that everything you need is in place, click on the ON button to start the service and wait for it to finish starting.

Once started, click on the Open Profile Manager link and the login page will open. Administrators can log in to Profile Manager to set up profiles and manage devices.

The URL for this (for mlserver3.pretendco.com) is https://mlserver3.pretendco.com/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else.

Enrolling Into Profile Manager

To enroll devices for management, use the URL https://mdm.pretendco.com/MyDevices (replacing the hostname with your own). Click on the Profiles tab to bring up a list of profiles that can be installed manually.

From Profiles, you’ll need to install a Trust profile in order for the client to enroll. Tap or click on the Install button for the Trust Profile and complete the installation process.

Click back on the Devices tab. From here, click or tap on the Enroll button and complete the enrollment process on the client (following the defaults will suffice).

On the devices, you’ll then be prompted to install the profile. On iOS tap Install then Install then Done. On OS X, click Continue, then Install.

Once enrolled, you can wipe or lock the device from the My Devices portal. Management profiles from the MDM server are then used. Devices can opt out from management at any time. If you’re looking for more information on moving Managed Preferences (MCX) from Open Directory to a profile-based policy management environment, review this article.

If there are any problems when you’re first getting started, an option is always to run the wipeDB.sh script that resets the Profile Manager (aka, devicemgr) database. This can be done by running the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

Automating Enrollment & Random Management Tips

The two profiles needed to set up a client on the server are accessible from the web interface of the Server app. Saving these two profiles to a Mac OS X computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator, as shown in this previous article.

When setting up profiles, note that the username and other objects that are dynamically populated can be replaced through a form of variable expansion using payload variables in Profile Manager. For more on doing so, see this article.

Note: As the database hasn’t really changed, see this article for more information on backing up and reindexing the Profile Manager database.

Device Management

Once you’ve got devices enrolled, those devices can easily be managed from a central location. The first thing we’re going to do is force a passcode on a device. In this case, it’s an iPad. We’re going to click on the device in Profile Manager’s admin portal, located at https://<SERVERNAME>/profilemanager (in this case https://mdm.pretendco.com/profilemanager).

From the device (or user, group, user group or device group objects), click on the Profile tab and then click on the Edit button.

Here, you can configure a number of settings on devices. There are sections for iOS specific devices, OS X specific settings and those applicable to both platforms. Let’s configure a passcode requirement for an iPad. Click on Passcode, then click on Configure.

At the Passcode settings, let’s check the box for Allow simple value and then set the Minimum Passcode Length to 4. I find that with iOS, 4 characters is usually enough as it’ll wipe far before someone can brute force that. Click OK to commit the changes. Once configured, click Save.

At the “Save Changes?” screen, click Save. The device then prompts you to set a passcode a few moments later.

The next thing we’re going to do is push an app. To do so, first find an app in your library that you want to push out. Right-click (or control-click) on the app and click on Show in Finder. You can copy the app from your library or browse to it at the location it is in later.

Then, from the https://<SERVERNAME>/profilemanager portal, click on an object to manage (in this case it’s a group called Demo) and click on the Apps tab.

From the Apps tab, click on the cog wheel icon and then click on Edit Apps.

At the Add Apps screen, click on upload and then browse to the app we found earlier.

The app is then uploaded and displayed in the list. Click Add to add to the selected group. Then, click on Done. Then click on Save… and an App Installation dialog will appear on the iOS device you’re pushing the app to.

At the App Installation screen on the iPad, click on the Install button and the app will instantly be copied to the last screen of apps on the device. Tap on the app to open it and verify it works. Assuming it does open then it’s safe to assume that you’ve run the App Store app logged in as a user who happens to own the app. You can sign out of the App Store and the app will still open. However, you won’t be able to update the app as can be seen here.

This brings up an interesting limitation of how Profile Manager interacts with the App Store. It kinda’ doesn’t. If I were pushing apps to elementary school iPads in a 1:1 I could either use Apple Configurator (if I wanted to burn up a VPP code per student per year) or I could use iTunes (if I wanted a labor intensive process of restoring an iPad per computer rather than a parallel process). But either way, I’m gonna’ stay away from Profile Manager for apps.

So if you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens.

Finally, let’s wipe a device. From the Profile Manager web interface, click on a device and then from the cog wheel icon at the bottom of the screen, select wipe.

At the Wipe screen, click on the device and then click on the Wipe button again. The iPad then says Resetting iPad and just like that, the technical walkthrough is over.

Note: For fun, you can use the MyDevices portal to wipe your iPad from the iPad itself.

Conclusion

So where are all these new features that justify a new version number? To quote Apple’s Profile Manager 2 page:

Profile Manager simplifies deploying, configuring, and managing them all. It’s one place where you control everything: You can create profiles to set up user accounts for mail, calendar, contacts, and messages; configure system settings; enforce restrictions; set PIN and password policies; and more. Because it’s integrated with the Apple Push Notification service, Profile Manager can send out updated configurations over the air, automatically. And it includes web-based administration, so you can manage your server from any modern web browser. Profile Manager even gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe their Mac, iPhone, or iPad if it’s lost or stolen.

Wait, it did that before… Which isn’t to say that for the money, Profile Manager isn’t an awesome tool. Apps such as Casper MDM, AirWatch, Zenprise, etc all have far more options, but aren’t as easy to install and nor do they come at such a low price point. Profile Manager is a great option if all of the tasks you need to perform are available within the tool. If not, then it’s worth a look, if only as a means to learn more about the third party tools you’ll ultimately end up using. One thing I can say for it is that Profile Manager is a little faster and seems much more stable (in fact, Apple has now published scalability numbers, which they have rarely done in the past). You can also implement newer features with it, including Gatekeeper and Messages.

Categories: Mac OS X, Mac OS X Server, Microsoft Exchange Server

Configuring Calendar Server in Mountain Lion Server

Configuring Calendar Server in Mountain Lion Server is a fairly simple and straightforward process. The Calendar Server is a CalDAV server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in Mountain Lion Server, open the Server application and click on Calendar in the SERVICES section of the sidebar.

Enabling the Calendar Server in Mountain Lion Server

Once open, click on Edit to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.

Mountain Lion Server :: Configuring Email Notifications in Calendar Server

At the Configure Server Email Address screen, provide the type of incoming mail service in use, the address of the mail server and then the port number used if it is not the standard port for IMAP over SSL (or POP, if you’d prefer), followed by the user name and the valid password for the account. Then click on the Next button.

Mountain Lion Calendar Server :: Configuring IMAP

At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.

Mountain Lion Calendar Server :: Verify Settings

At the Mail Account Summary screen, review the settings and, if correct, click Finish. Back at the service configuration screen, click on the plus sign (“+”) and provide a type of location, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location’s calendar (they will auto-complete, so there’s no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in Type to configure a resource instead of a location. The two are the same, except for the Type field.

Creating Locations in the Calendar Service of Mountain Lion Server

There are a number of other settings that can also be configured, but those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the settings option of the serveradmin command:

sudo serveradmin settings calendar

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo serveradmin start calendar

Or to stop it:

sudo serveradmin stop calendar

Or to get the status:

sudo serveradmin fullstatus calendar

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application and click on the Calendar menu and select Preferences. From the Preferences screen, click on Accounts to bring up a list of accounts. Here, click on the plus sign (“+”) to bring up the “Add an Account” screen.

Adding An Account In Mountain Lion's Calendar App

At the “Add an Account” screen, select CalDAV from the Account Type menu and then enter the User Name and password configured on the server, as well as the address of the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.

Account Settings In Mountain Lion's Calendar App

Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar…

Sharing a CalDAV Calendar

At the Share Calendar screen, provide the name the calendar should appear as to others and click on the plus sign (“+”) and enter any accounts to delegate administration to.

Mountain Lion Calendar Settings

Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers.

Mountain Lion Calendar Address Screen

Click on the Delegation tab to view any accounts you’ve been given access to.

Account Delegation In Mountain Lion's Calendar Server

Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.

Overall, the Calendar service in Mountain Lion Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, distributes administration out to the clients, often making administration more complicated than with many other tools. But that’s a good thing; no one wants to access other people’s accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…

Categories: Active Directory, Articles and Books, iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Microsoft Exchange Server

Holy White Papers, Apple?!?!?

For those of you who say Apple doesn’t care about the enterprise, Apple has released a number of assets (technical white papers) on integrating Macs (Lion) into enterprise environments at http://training.apple.com/lion. This is also the page where you’ll find links to all of the official training and certification courses for Lion. The assets on this page are about as close to a publicly accessible book on integrating OS X into the enterprise as you’ll get to see for Lion…

The first covers the basics of integrating Macs into enterprise environments:

The second covers self support:

The third is on evaluating Macs in Enterprise environments:

The fourth is on deployment:

The fifth is on integrating with Active Directory:

The sixth is on managing Macs with Configuration Profiles:

The seventh is on OS X Security:

The last of the papers is on 802.1x authentication:

Categories: Mac OS X, Mass Deployment, Microsoft Exchange Server, Windows Server

How Exchange’s Autodiscover Works With Mail.app

Autodiscover automatically configures profile settings for Exchange clients. These clients include Microsoft Outlook 2007 and Outlook 2010, Outlook for Mac, Mail.app in Mac OS X, the iPhone and iPad, and ActiveSync-enabled phones. Autodiscover is often made out to be complicated. An Autodiscover service gets installed when the Client Access Server (CAS) role is set up for Exchange 2010, in the form of a default virtual directory named Autodiscover under the default Web site in Internet Information Services (IIS). You then publish an autodiscover service locator (SRV) record in DNS, of the form _autodiscover._tcp followed by your domain.

The virtual directory handles Autodiscover requests. But what about other vendors, and even for Exchange, how do you verify that it’s working correctly? If clients automatically configure then it’s working, obviously. But when it isn’t, what do you need to do? The most obvious step is to check that the DNS record responds appropriately. To do so, we can use nslookup. To use nslookup, run it from the command line, followed by the DNS name. For me.com, this might be:

nslookup _autodiscover._tcp.me.com

But note that there’s no response. This is because me.com doesn’t use _autodiscover (why would it? It’s not EWS/ActiveSync, after all). Other domains that are configured for autodiscover would respond. For example, look at the output for 318.com:

nslookup _autodiscover._tcp.318.com

Which looks like this:

Non-authoritative answer:
Name: _autodiscover._tcp.318.com
Address: 66.209.67.173

Provided that the answer section is the address of the CAS Exchange server that sits in front of your organization (the one that runs the Autodiscover virtual directory in IIS) then you are more than likely off to a great start using autodiscover. If not, then that’s the first thing that likely needs to get fixed if you actually want clients to use autodiscover. Also keep in mind that you’ll want to check both internally and externally, as you will likely have different domain names set up for these. I often find that people will configure the _autodiscover records in their public DNS but not in their private (internal) views. Also keep this in mind when acquiring SSL certificates for Exchange’s CAS instance: the name the record points at needs to be on the certificate.
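To make the internal-versus-external and certificate checks above concrete, here is an added example; it is not code from the original post. It parses SRV answers in the zone-file style that dig prints, picks the record a client would use (lowest priority, then highest weight), and checks whether the target host is covered by the names on the CAS certificate. The domain example.com, the answers and the certificate names are all constructed, and the script makes no network queries: in practice you would feed it the output of dig _autodiscover._tcp.<domain> SRV from an internal resolver and from an external one and compare the two results.

```python
"""Check Autodiscover SRV answers against the CAS certificate (added example, offline).

The answer text below is constructed in the format `dig` prints; nothing here
talks to DNS. Run it once per resolver view (internal and external) and compare.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# One dig-style answer line, e.g.
# _autodiscover._tcp.example.com. 3600 IN SRV 0 0 443 mail.example.com.
_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

# Constructed sample answers (example.com is a placeholder domain).
EXTERNAL_VIEW = """\
; constructed: public resolver answer for _autodiscover._tcp.example.com SRV
_autodiscover._tcp.example.com. 3600 IN SRV 10 0 443 backup.example.com.
_autodiscover._tcp.example.com. 3600 IN SRV 0 0 443 mail.example.com.
"""
INTERNAL_VIEW = """\
; constructed: internal resolver returned no answer section (record never added to the private view)
"""
MISMATCH_VIEW = """\
; constructed: record points at an internal name that is not on the public certificate
_autodiscover._tcp.example.com. 3600 IN SRV 0 0 443 cas01.corp.example.local.
"""
# Constructed subject alternative names as they might appear on the CAS certificate.
CERT_NAMES = ["mail.example.com", "autodiscover.example.com"]


def parse_srv(answer_text: str) -> List[SrvRecord]:
    """Return the SRV records in dig-style text, skipping blank and comment lines."""
    records = []
    for line in answer_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _SRV_LINE.match(line)
        if m:
            target = m["target"].rstrip(".").lower()  # drop the trailing root dot
            records.append(SrvRecord(int(m["prio"]), int(m["weight"]), int(m["port"]), target))
    return records


def choose_target(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """Pick the record a client tries first: lowest priority, then highest weight."""
    if not records:
        return None
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]


def name_matches(hostname: str, cert_name: str) -> bool:
    """Hostname check as browsers do it: exact match, or a wildcard covering one label."""
    hostname, cert_name = hostname.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # "*.example.com" -> ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return hostname == cert_name


def check_autodiscover(answer_text: str, cert_names: List[str]) -> Dict[str, object]:
    """Summarise what a client would connect to and whether the certificate covers it."""
    target = choose_target(parse_srv(answer_text))
    if target is None:
        return {"status": "no-srv", "host": None, "port": None, "cert_ok": False}
    cert_ok = any(name_matches(target.target, n) for n in cert_names)
    return {
        "status": "ok" if cert_ok else "cert-mismatch",
        "host": target.target,
        "port": target.port,
        "cert_ok": cert_ok,
    }


if __name__ == "__main__":
    for label, view in (("external", EXTERNAL_VIEW), ("internal", INTERNAL_VIEW), ("mismatch", MISMATCH_VIEW)):
        print(label, check_autodiscover(view, CERT_NAMES))
```

A "no-srv" result from the internal view next to an "ok" result from the external one is exactly the split-horizon mistake described above; "cert-mismatch" is the case where the record resolves but clients will refuse the connection because the SRV target is not one of the names on the certificate.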

Note: Autodiscover, as it’s implemented in Office Exchange clients, also has the ability to change configurations in Office on the fly as network settings change on internal networks (e.g. users get moved to different information stores, IPs of servers change, etc). This does not seem to work with Apple’s Mail. One could write a script to check for a change in the records nightly (or more frequently, of course) if this is needed.

Sometimes mail clients interpret things differently than we do manually from the command line, and autodiscover is no exception. When the Apple Mail client is attempting to connect to Exchange, you can get more information about the EWS autodiscovery process by capturing logs about it. This isn’t done by default, but can be invoked by launching Mail from the command line with the --LogEWSAutodiscoveryActivity option followed by YES, as follows:

/Applications/Mail.app/Contents/MacOS/Mail --LogEWSAutodiscoveryActivity YES

By reading these logs, you can learn way more than you ever wanted to know (or thought was possible) about Autodiscover. Given that Autodiscover is similar in iOS, most of this rings true in the Mail app there as well. However, given that you can’t view the activity in as granular a detail by invoking Mail through the command line, you can watch it in the logs in iPhone Configuration Utility while you’re setting up Mail, Contacts & Calendars in the Settings app, which should provide information about any connection failures.

While Autodiscover is awesome, you should still be able to connect without it. The only time I really bother to troubleshoot Autodiscover itself is when I can install an account but I cannot get Autodiscover to eliminate the need for the second setup screen in Mail on iOS and OS X (possibly with the exception of Lion). If you can set up mail, but it requires two screens, then the problem is basically always Autodiscover. If you can’t set up mail at all then the problem is basically never Autodiscover. Good luck, and hope someone finds this useful!

Categories: Kerio, Mac OS X, Mac OS X Server, Microsoft Exchange Server, MobileMe, Ubuntu, Unix

Converting pst Files to mbox

Large scale mail migrations can be tricky. There is a shareware app (http://www.littlemachines.com) that can be used to migrate pst files from the pst format into mbox, which can then be used with Mac OS X.

If the migration process needs to be automated (they all seem to at scale) then a script could be written to crawl the users’ folders, find the pst files and then convert them. Or it could be done on the client side using a self-destructing launchd item. The conversion syntax for libpst’s readpst would be something like the following:

readpst -o /output/folder /server/path/user.pst

Before you can use readpst, it needs to be built via libpst on the system that will run any scripts. Download libpst from http://alioth.debian.org/frs/?group_id=30390. This can be done with curl:

curl http://alioth.debian.org/frs/download.php/2492/libpst-0.5.3.tar.gz -o libpst-0.5.3.tar.gz

Next, extract the tar:

tar -zxvf libpst-0.5.3.tar.gz

Then cd into the new directory:

cd libpst-0.5.3

Then make libpst:

make

And now readpst should be available to convert mailboxes. This could be run from a centralized server or distributed to clients.
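The crawl-and-convert script suggested above, as an added example rather than code from the original post. It assumes a server-side layout of /server/path/<user>/<mailbox>.pst (the root and user names are placeholders) and that readpst is on the PATH; both are assumptions. Each pst is mapped to its own output folder under the user’s name so mailboxes from different users never collide, readpst is invoked with an argument list rather than a shell string so file names containing spaces or quotes cannot break out of the command, and dry_run=True returns the planned commands without running anything, which is how the planning step can be checked before a real run.

```python
"""Batch-convert .pst archives to mbox with readpst, one output folder per user.

Added example (not from the original post). Assumes /server/path/<user>/<mailbox>.pst
and readpst on PATH; both are assumptions. With dry_run=True nothing is executed.
"""
import os
import subprocess
from typing import List, Tuple


def find_psts(root: str) -> List[str]:
    """Walk root and return every .pst file (case-insensitive), sorted for stable runs."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".pst"):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def plan_conversions(pst_paths: List[str], root: str, out_root: str) -> List[Tuple[str, str]]:
    """Map each pst under root to out_root/<user>/<mailbox>; skip anything outside root."""
    plans = []
    for pst in pst_paths:
        rel = os.path.relpath(pst, root)  # e.g. alice/archive.pst
        if rel.startswith(os.pardir) or not rel.lower().endswith(".pst"):
            continue  # outside the tree we were asked to crawl, or not a pst
        parts = rel.split(os.sep)
        user = parts[0] if len(parts) > 1 else ""  # pst directly under root: no user folder
        mailbox = os.path.splitext(parts[-1])[0]
        plans.append((pst, os.path.join(out_root, user, mailbox)))
    return plans


def readpst_command(pst: str, out_dir: str) -> List[str]:
    """argv for readpst: -o <output folder> <pst>. A list, so odd file names are passed safely."""
    return ["readpst", "-o", out_dir, pst]


def convert_all(root: str, out_root: str, dry_run: bool = True) -> List[List[str]]:
    """Plan every conversion under root; run readpst for each unless dry_run. Returns the commands."""
    commands = []
    for pst, out_dir in plan_conversions(find_psts(root), root, out_root):
        cmd = readpst_command(pst, out_dir)
        commands.append(cmd)
        if not dry_run:
            os.makedirs(out_dir, exist_ok=True)
            subprocess.run(cmd, check=True)  # raises if readpst fails, so a bad pst is not silently skipped
    return commands


if __name__ == "__main__":
    # Placeholder paths; on a real server point root at the share holding the pst files.
    for cmd in convert_all("/server/path", "/output/folder", dry_run=True):
        print(" ".join(cmd))
```

Run it with dry_run=True first and read the printed commands; once the mapping looks right, switch dry_run to False (or schedule it from launchd as the post suggests) to do the actual conversion.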