I’ve been remiss in posting anything here the past six months as my weekends have been consumed with an update to my book, Active Directory, 4th Edition. The writing and technical reviews  of the fifth edition are complete, thanks to Joe Richards, Mark Parris, and Mark Morowczynski. We’ve now moved in to the production cycle and a copy editor is busy fixing up my writing to make the book a polished all-around easy-to-read product. Meanwhile,  the illustrators will soon be busy with the artwork – figures, diagrams, etc. We’re currently planning to have the final product available sometime in March 2013.

If you are a fan of eBooks rather than the traditional printed book, you can get an early look at nearly all the content in draft form by purchasing the Early Release eBook. What you’ll get is immediate access to nearly all of the chapters as I submitted them – essentially a PDF form of the Word documents, complete with typos rough artwork, and pre-production comments. Once the final book is out, you’ll automatically receive the final eBook in O’Reilly’s usual formats. If you have access to Safari Books Online, the Early Release edition is also available there.

So, to summarize, Active Directory, 5th Edition should be available sometime in March:

• Available Now! The Early Release eBook is available at http://shop.oreilly.com/product/0636920023913.do.
• Available Now! The Early Release eBook is available via Safari Books Online at http://my.safaribooksonline.com/9781449361211?portal=oreilly&cid=orm-cat-readnow-9781449361211.
• The printed book is available for pre-order from Amazon.com at http://www.amazon.com/gp/product/1449320023/ref=as_li_ss_tl?ie=UTF8&tag=briandesmonsb-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1449320023.
• The printed book is available for pre-order from O’Reilly at http://shop.oreilly.com/product/0636920023913.do.

Cisco’s ACE appliances and modules are something that I see constantly at customers. Unfortunately, Cisco’s application specific documentation is rather lacking. There’s a rather simplistic sample config at http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/Exchange_VSphere_UCS_NetApp.html#wp345264, but, that doesn’t really have everything you need. The folks at F5 on the other hand have extremely well documented application guides for their hardware and that’s one of the reasons I usually send customers to F5 first. The contents of this post are essentially the same for ACE appliances and ACE modules.

In any case, the rest of this post is a working sample configuration for the topology below. A thread on a discussion alias prompted me to clean this up and post it.

In our sample configuration, we’ll configure the load balancer in a one-armed configuration with Source NAT (SNAT). Clients will access services via the mail.contoso.com and autodiscover.contoso.com URLs.  In addition, clients who go to a non SSL URL or go to the root instead of /owa will be redirected.

Before we get started, a few pre-requisites:

• You should have a working context on your ACE appliance/module with resources allocated.
• Your CAS servers should have static ports configured as described here.
• Your SSL certificate and the necessary intermediate and root certificates should be installed on the load balancer.
• A VIP will need to be allocated. We’ll use 192.168.100.200 in this sample
• If you’re expecting more than ~65K client connections, you’ll need to use more than one IP in the SNAT pool. This example assumes one is enough. We’ll use 192.168.100.199 in this sample.

The entire config is posted below, but, first, I wanted to speak to a few specific elements and why they’re here:

crypto chaingroup DigiCert
  cert DigiCertRootCA
  cert DigiCertIntermediateCA
  cert mail_contoso_com

serverfarm host Exchange-CAS-RPC
  predictor leastconns
  probe TCP135
  probe TCP60000
  probe TCP60001
  fail-on-all
  rserver CAS01
    inservice
  rserver CAS02
    inservice

parameter-map type http Exchange-OWA
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 16384
  set content-maxparse-length 8192

sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-RPC

sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm Exchange-CAS-HTTPS

action-list type modify http Exchange-CAS-HTTP
  header insert request X-Forwarded-For header-value "%is"

policy-map type loadbalance first-match Exchange-CAS-HTTPS
  match OWA http url /owa.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match ECP http url /ecp.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match EWS http url /ews.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match ActiveSync http url /Microsoft-Server-ActiveSync.*
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match OutlookAnywhere http header User-Agent header-value "MSRPC"
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  class Exchange-CAS-HTTPS-RootRequest
    serverfarm Exchange-OWA-REDIRECT
  class class-default
    sticky-serverfarm Exchange-CAS-HTTPS-SourceIP
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS

crypto chaingroup DigiCert
  cert DigiCertRootCA
  cert DigiCertIntermediateCA
  cert mail_contoso_com

access-list all line 10 extended permit ip any any 
access-list all line 20 extended permit icmp any any 

probe https Exchange-OWA
  interval 30
  ssl version all
  request method get url GET /owa/auth/logon.aspx
  expect status 400 404
probe tcp TCP135
  description RPC Endpoint Mapper
  port 135
  interval 30
  connection term forced
probe tcp TCP60000
  description RPC Client Access
  port 60000
  interval 30
  connection term forced
probe tcp TCP60001
  description Address Book Service
  port 60001
  interval 30
  connection term forced

rserver host CAS01
  ip address 192.168.100.101
  inservice
rserver host CAS02
  ip address 192.168.100.102
  inservice
rserver redirect OWA-SSL-REDIRECT
  webhost-redirection https://mail.contoso.com/owa 302
  inservice

serverfarm host Exchange-CAS-HTTPS
  predictor leastconns
  probe Exchange-OWA
  rserver CAS01 443
    inservice
  rserver CAS02 443
    inservice
serverfarm host Exchange-CAS-RPC
  predictor leastconns
  probe TCP135
  probe TCP60000
  probe TCP60001
  fail-on-all
  rserver CAS01
    inservice
  rserver CAS02
    inservice
serverfarm redirect Exchange-OWA-REDIRECT
  rserver OWA-SSL-REDIRECT
    inservice

parameter-map type http Exchange-OWA
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 16384
  set content-maxparse-length 8192
parameter-map type ssl SSL_PARAMS
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA

sticky ip-netmask 255.255.255.255 address source Exchange-CAS-RPC
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-RPC
sticky http-cookie Exchange-Sticky Exchange-CAS-HTTPS-Cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky http-header Authorization Exchange-CAS-HTTPS-AuthZHeader
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS
sticky ip-netmask 255.255.255.255 address source Exchange-CAS-HTTPS-SourceIP
  timeout 7200
  replicate sticky
  serverfarm Exchange-CAS-HTTPS

action-list type modify http Exchange-CAS-HTTP
  header insert request X-Forwarded-For header-value "%is"

ssl-proxy service Exchange-CAS
  key mail_contoso_com
  cert mail_contoso_com
  chaingroup DigiCert
  ssl advanced-options SSL_PARAMS

class-map match-any Exchange-CAS-HTTPS
  2 match virtual-address 192.168.100.200 tcp eq https
class-map type http loadbalance match-any Exchange-CAS-HTTPS-RootRequest
  2 match http url /
class-map match-any Exchange-CAS-RPC
  2 match virtual-address 192.168.100.200 tcp eq 60001
  3 match virtual-address 192.168.100.200 tcp eq 60000
  4 match virtual-address 192.168.100.200 tcp eq 135
class-map match-any Exchange-OWA-REDIRECT
  2 match virtual-address 192.168.100.200 tcp eq www
class-map type management match-any mgmt-cm
  2 match protocol https any
  3 match protocol snmp any
  4 match protocol ssh any
  5 match protocol icmp any

policy-map type management first-match mgmt-pm
  class mgmt-cm
    permit

policy-map type loadbalance first-match Exchange-CAS-HTTPS
  match OWA http url /owa.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match ECP http url /ecp.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match EWS http url /ews.*
    sticky-serverfarm Exchange-CAS-HTTPS-Cookie
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match ActiveSync http url /Microsoft-Server-ActiveSync.*
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  match OutlookAnywhere http header User-Agent header-value "MSRPC"
    sticky-serverfarm Exchange-CAS-HTTPS-AuthZHeader
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
  class Exchange-CAS-HTTPS-RootRequest
    serverfarm Exchange-OWA-REDIRECT
  class class-default
    sticky-serverfarm Exchange-CAS-HTTPS-SourceIP
    action Exchange-CAS-HTTP
    ssl-proxy client Exchange-CAS
policy-map type loadbalance first-match Exchange-CAS-RPC
  class class-default
    sticky-serverfarm Exchange-CAS-RPC
policy-map type loadbalance http first-match Exchange-OWA-REDIRECT
  class class-default
    serverfarm Exchange-OWA-REDIRECT

policy-map multi-match vlan100
  class Exchange-OWA-REDIRECT
    loadbalance vip inservice
    loadbalance policy Exchange-OWA-REDIRECT
  class Exchange-CAS-RPC
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-RPC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
  class Exchange-CAS-HTTPS
    loadbalance vip inservice
    loadbalance policy Exchange-CAS-HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
    appl-parameter http advanced-options Exchange-OWA
    ssl-proxy server Exchange-CAS

interface vlan 100
  ip address 192.168.100.10 255.255.252.0
  access-group input all
  nat-pool 1 192.168.100.199 192.168.100.199 netmask 255.255.255.255 pat
  service-policy input mgmt-pm
  service-policy input vlan100
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.100.1

If you are deploying Exchange in an environment with load balancers or firewalls which aren’t able to handle dynamic RPC port ranges, chances are you’ll be defining static ports for the RPC Client Access Service and the Address Book Service on each CAS server. If you’re using Public Folders, you’ll want a third static port on the Mailbox servers hosting Public Folders. I typically use these ports for this:

• RPC Client Access Service – TCP 60,000
• Address Book Service – TCP 60,001
• RPC Client Access (Public Folders) – TCP 60,002

For the first two, I’ve included a script below which makes quick work of setting the ports. Just run it on the CAS server to make the required changes.

param([int32]$MAPIPort = 60000, [int32]$AddressBookPort = 60001, [bool]$RestartServices = $true)
# ==============================================================================================
# NAME: Configure Exchange Static Ports
# 
# AUTHOR: Brian Desmond, brian@briandesmond.com
# DATE  : 4/9/2012
# 
# COMMENT: 
# 
# ==============================================================================================

Set-PSDebug -Strict:$true

function CheckProcessElevation()
{
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function CreateRegistryKeyIfNecessary([string]$path)
{
    if (Test-Path -Path $path)
    {
        return
    }
    else
    {
        [void](New-Item -Path $path)
    }
}

Function Test-RegistryValue($regkey, $name) 
{
    Get-ItemProperty $regkey $name -ErrorAction SilentlyContinue | Out-Null  
    $?
}

function CreateOrUpdateRegistryValue([string]$path, [string]$valueName, [Microsoft.Win32.RegistryValueKind]$valueType, $value)
{
    if ((Test-Path -Path $path) -ne $true)
    {
        CreateRegistryKeyIfNecessary $path
    }
    
    if ((Test-RegistryValue $path $valueName) -eq $false)
    {
        [void](New-ItemProperty -Path $path -Name $valueName -PropertyType $valueType -Value $value)
    }
    else
    {
        [void](Set-ItemProperty -Path $path -Name $valueName -Value $value)
    }
}

if ((CheckProcessElevation) -eq $false)
{
    Write-Warning "Script must be run from an elevated prompt. Exiting..."
    exit 1
}

$domtParamsPath = "HKLM:\System\CurrentControlSet\Services\MSExchangeAB\Parameters"
$momtParamsPath = "HKLM:\System\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem"

Write-Host "Setting Address Book Service Port to $($AddressBookPort)"
CreateOrUpdateRegistryValue $domtParamsPath "RpcTcpPort" "String" $AddressBookPort.ToString()
Write-Host "Setting RPC Client Access Port to $($MAPIPort)"
CreateOrUpdateRegistryValue $momtParamsPath "TCP/IP Port" "DWord" $MAPIPort

if ($RestartServices)
{
    Write-Host "Restarting Services..."
    Restart-Service -Name "MSExchangeAB" -Confirm:$false
    Restart-Service -Name "MSExchangeRPC" -Confirm:$false
}
Write-Host "Complete." -ForegroundColor Green

If you’re looking to restrict the port used for Public Folder access, you’ll need to do this in addition to the script above. The registry setting you want is below:

Key: “HKLM\System\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem”

Value Name: "TCP/IP Port”

Value Type: REG_DWORD

Value Data: “60002” (decimal)

If you’ve got servers running the Server Core version of Windows Server, you’ll probably find yourself needing to look at what devices and drivers are installed at some point. You can do this with various command line tools, but, that’s a non-trivial exercise on a good day. Instead, with a bit of configuration work, you can just use Device Manager remotely.

To do this, you’ll need to configure a Group Policy setting for the affected servers:

Computer Configuration \ Policies \ Administrative Templates \ System \ Device Installation \ "Allow remote access to the Plug and Play interface”

Set the value to enabled:

If you don’t do this, you’ll get an error similar to the following:

---------------------------
Device Manager
---------------------------
Unable to access the computer SERVER01
Make sure that this computer is on the network, has remote administration enabled, and is running the "Plug and Play" and "Remote registry" services.

The error was: Access is denied.

---------------------------
OK  
---------------------------

Once you’ve got things in place and the policy is effective, you can use Computer Management to target a remote machine and use the Device Manager snap-in:

---------------------------
Device Manager
---------------------------
Device Manager is running in read-only mode because you are running it on a remote computer. To uninstall devices or to change device properties or drivers, you must run Device Manager on the computer where you wish to make changes.
---------------------------
OK  
---------------------------

You won’t be able to make changes, but, you’ll certainly be able to view all of the relevant details.

My calendar is starting to shape up for 2012. If you’re going to be at any IT shows in the first half of the year, here’s where you’ll find me presenting:

• Next week – Oslo, Norway for the Nordic Information Conference
• March 18 – 20 – Ontario, CA for CISOA SecureIT
• March 26 – 29 – Las Vegas for Windows Connections
• April 29 – May 2 – San Diego for The Experts Conference

TechEd is on the radar for a visit at least, but, not confirmed.

If you’re at any of these shows, stop by and say hello!

Happy New Years! I’ve put something up here the past couple years as I wrap up and kick off the new year, so I thought I’d do that again. I had the pleasure of visiting customers, presenting at conferences, and taking a couple quick vacations all over the place last year. I managed to stay mostly in the US this year:

…save for a couple overseas trips:

All told, ~116,406 miles and 90 plane rides.

I sent a mail out to quite a few people who had asked about pictures from all these trips, and I thought I’d share that here – something I’ve not done before.

On the road to San Francisco from Eureka, CA in late March. The road signs called for snow chains which our rented Toyota Camry was sorely lacking. Fortunately the snow was light.

The Grapevine, driving down the 5 to Los Angeles from Bakersfield, CA.

Seals on the beach – driving up Pacific Coast Highway from San Luis Obispo, CA.

On the road from San Luis Obispo, CA to Monterey, CA – driving through Big Sur

On the road to Monterey

The Lone Cypress at Pebble Beach – I had a couple hours to do 17 mile drive before my flight out of Monterey. CA. The airport at Monterey, by the way, has a great little outdoor bar on top of the ramp area.

The Concha y Toro vineyard in Santiago, Chile is conveniently accessible from downtown by Subway.

Viña del Mar about 1:30 drive outside of Santiago, Chile

A somewhat questionable Ascensor I rode down the hill in the port of Valparaiso, Chile

Death Valley – the lowest point in the North America.

Salt Flats in Death Valley – the land of $5.33/gallon for regular gasoline

Another conference week…

The Grand Canyon from a Helicopter. Pat Richard and I did this in October – highly recommended.

The Hoover Dam, by Helicopter

Happy Trails and Best Wishes for a great 2012!

I needed to quickly get the IP addresses of about 100 servers from their names. PowerShell doesn’t appear to have a native Ping cmdlet, but, .Net certainly does. I pasted all the servers into a text file, one per line, and rand the following little loop:

$servers = Get-Content .\serverList.txt
$ping = New-Object System.Net.NetworkInformation.Ping

foreach($s in $servers)
{
    $("$s,$($ping.Send($s).Address)")
}

This loop outputs a comma delimited list of ServerName,IP to the window like this:

TEST-SF6,10.12.3.96
W2003TEST,10.1.34.80
W2003TEST2,10.8.51.27

I pasted the list into a new email in Outlook, highlighted it, and then used the Convert Text to Table feature in Word (and Outlook):

Word turned my pasted CSV list into a nice table and I sent it off.

Repeatable, consistent, and predictable are three things that add an incredible amount of value in IT, and building servers from a base image is one way to deliver on this. I was just replying to a thread on a discussion alias where the person who started the thread had reviewed a blog post (http://www.jasonsamuel.com/2010/05/07/how-to-build-a-vmware-vsphere-vm-template-for-windows-server-2008-r2/) on how to build such an image for VMWare. I and a number of people disputed the recommendations made in the referenced blog post in addition to the various other things the individual who started the thread was planning to install in his image/template.

At a high level, the most important thing from my reply, I think, is that you should not be customizing a server for it to be convenient to your work style. The server is there for a purpose driven task. You shouldn’t even be connected to it via Remote Desktop (or sitting at the console) unless you’re troubleshooting a problem which can only be investigated from the desktop. What this means is that all the little utilities and tweaks you have on your desktop should stay on your desktop. Things like PDF readers, Internet Explorer customizations, screensavers and colors, and taskbar preferences, etc. First and foremost, many of these tweaks are profile specific so when you login with a domain account later, after running sysprep, the tweaks will be gone unless you push them into the default profile and in turn push them on to all users. Secondly, when you move on to the next big opportunity, your successor shouldn’t be expected to inherit and adapt (or spend weeks undoing) your personal preferences.

As far as system settings (e.g. page files, network settings, etc.), tweaking or disabling things just because some random guy on the Internet (including me) told you to is not a great idea. When you install an application from a vendor, be it Microsoft or any third party ISV, chances are they made assumptions in their testing that the OS is in a state relatively close to the default install. When you start disabling services (e.g. Indexing, Print Spooler, etc.) by default in an image, you provide a baseline that doesn’t meet this assumption. Rather than customizing by default, customize for specific applications. The settings in an image should be the ones required to operate at a minimum level of functionality on your network (e.g. maybe you need some custom DNS search suffixes to join the domain or settings to meet security standards). This extends to most any system level default. When you’re looking at changing a default setting, I’d first stop and ask yourself “why?”. What’s the reason this is being changed? Next, consider whether or not it should be or needs to be hardcoded in the image or if you can simply apply that configuration change via Group Policy. Anything hardcoded will require you to come back and update and re-test, and re-release the image when the value needs to be changed, whereas a Group Policy setting is easily tweaked centrally.

Inevitably there are various tools, gadgets, trinkets, etc., which make troubleshooting easier. My experience is that a great many of these tools don’t require installation and will simply run from a network share. Rather than caching tools locally on each server, or installing individual copies, put them out on a share that you can access from any machine. This way you only need to refresh one location when a tool gets updated and you also aren’t installing essentially random software on servers on an as-necessary basis. As soon as those installs aren’t consistent across all servers, you start permuting your test matrix. Personally the only thing I consistently install on a server build is Netmon or Wireshark and occasionally BgInfo (Sysinternals).

Over the past couple years, readers have identified a number of mistakes that unfortunately made it through the edit cycles for Active Directory, 4th Ed. O’Reilly recently launched a process by which authors can make updates to the source files that they use to produce eBooks and print conventional paper books on demand. I took advantage of this a few weeks ago and I resolved all of the errata which were reported as well as a couple I found myself. Here’s the quick summary on where the updated text can be found:

Print Copies - If you’ve bought a print copy, you’ll need to look at the notes I made on the errata page. However, as O’Reilly is now doing print on demand for this title, the updates will trickle out into the supply chain over time and newly purchased books will be updated. Obviously this timeline is highly dependent on how much inventory is sitting in warehouses.

eBooks - If you bought any of the various eBook formats O’Reilly offers in their web store – PDF, mobi, and ePub – then you’ll be able to login to your account and pull an updated copy down. I’m told you will also be getting an email sometime soon (if it hasn’t gone out already) notifying you of this as well. If you purchased the book for Kindle from Amazon, Amazon doesn’t have a mechanism to push updated content to your Kindle, so you won’t get an update. This also applies if you bought the book for iPhone/iPad from the Apple bookstore. The iPhone/iPad “app” version of the book is also not going to get updated due to the shift to the native Apple Bookstore.

There was an unfortunate layout error in Active Directory, 4th Edition which caused the tables in Chapter 2 which explain group nesting to have the column headings over the wrong columns. This of course changes the meaning and makes the tables less than helpful. I’ve gone ahead and pasted the tables and captions below with the correct column headings.

Table 2-7. Restrictions on group membership based on group scope

Table 2-8. Restrictions on group membership based on domain