Confused Amused

Export a Certificate as a .REG

For the most part, installing certificates on Windows is no easy task for an end-user. A combination of mmc and trying to put the cert in the right store is a much, much longer process than is needed. This post should show you how to export a certificate from the Trusted Root Certification Authorities store as a .reg file that you can distribute to end-users. You could also use it as part of a batch file or VBScript to silently import the certificate.

Click Start | Run and enter mmc. Press OK.

Click File | Add/Remove Snap-In and press the Add button.

Choose Certificates and press Add.

Choose Computer Account and press Next.

Leave Local Computer selected and press Finish.

Press Close and OK.

Expand the Certificates\Trusted Root Certification Authorities folder and look for the [CA Name] certificate. It may be listed twice. Double-click to open the properties.

Click the Details tab. Scroll to the bottom and examine the Thumbprint. Take note of the first few characters.

Click Start | Run and enter regedit. Press OK.

Expand HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates. Look for a key name starting with the same characters as the thumbprint. The certificate data is stored in the blob value.

Right-click the key name and choose Export.

Save the .reg file some place safe.

You can also use this method for some of the other certificate stores. The other useful store I use frequently is the Personal store. Just replace the ROOT in that registry path with MY to find the certificates there.
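The same export as a script, added here as an example and not part of the original post: it finds the certificate by the thumbprint prefix you noted on the Details tab, runs reg.exe export against the matching key, then reads the Blob value back out of the .reg file and confirms the embedded certificate has the same thumbprint as the one in the store. That last check is worth doing because importing this file under HKLM\...\ROOT makes the certificate a trust anchor for every user of the machine, so you want to be sure the file holds exactly the certificate you intended before distributing it. The parameter names and output path are my own choices; the Blob layout it walks (property records of a DWORD property id, a DWORD that is always 1, a DWORD length and the data, with property 32 holding the DER certificate) is the serialized store-element format Windows writes under these keys.

```powershell
# Added example, not code from the original post. Exports a certificate's registry key
# to a .reg file the same way regedit does, then verifies the file's contents.
# Assumptions: run in an elevated PowerShell on the machine that holds the certificate;
# -ThumbprintPrefix is the text noted from the Details tab; -StoreName is ROOT or MY.
param(
    [Parameter(Mandatory = $true)] [string] $ThumbprintPrefix,
    [string] $StoreName = 'ROOT',
    [string] $OutFile = ''
)
if (-not $OutFile) { $OutFile = Join-Path $PWD "$StoreName-cert.reg" }
$prefix = ($ThumbprintPrefix -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. Find exactly one certificate in the store whose thumbprint starts with the prefix.
$found = @(Get-ChildItem "Cert:\LocalMachine\$StoreName" | Where-Object { $_.Thumbprint -like "$prefix*" })
if ($found.Count -ne 1) {
    throw "Expected one certificate starting with '$prefix' in $StoreName, found $($found.Count)."
}
$cert = $found[0]
$key  = "HKLM\SOFTWARE\Microsoft\SystemCertificates\$StoreName\Certificates\$($cert.Thumbprint)"

# 2. Export the key (equivalent to right-click > Export in regedit).
if (Test-Path $OutFile) { Remove-Item $OutFile }
& reg.exe export $key $OutFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $key" }

# 3. Read the Blob value back. regedit writes it as "Blob"=hex:aa,bb,...\ followed by
#    indented continuation lines, so gather the hex bytes across all of them.
$lines = Get-Content $OutFile
$hit   = $lines | Select-String -SimpleMatch '"Blob"=hex:' | Select-Object -First 1
if (-not $hit) { throw "No Blob value found in $OutFile" }
$i   = $hit.LineNumber - 1
$hex = $lines[$i].Substring('"Blob"=hex:'.Length)
while ($hex.EndsWith('\')) {
    $hex = $hex.TrimEnd('\')
    $i++
    $hex += $lines[$i].Trim()
}
[byte[]] $blob = ($hex -split ',' | Where-Object { $_ -ne '' } | ForEach-Object { [Convert]::ToByte($_.Trim(), 16) })

# 4. The blob is a series of property records: DWORD property id, DWORD (always 1),
#    DWORD data length, then the data. Property 32 (CERT_CERT_PROP_ID) carries the DER certificate.
$pos = 0
$der = $null
while ($pos + 12 -le $blob.Length) {
    $propId = [int][BitConverter]::ToUInt32($blob, $pos)
    $len    = [int][BitConverter]::ToUInt32($blob, $pos + 8)
    if ($propId -eq 32 -and $len -gt 0) {
        $der = New-Object byte[] $len
        [Array]::Copy($blob, $pos + 12, $der, 0, $len)
    }
    $pos += 12 + $len
}
if (-not $der) { throw "No certificate record (property 32) in the exported Blob." }

# 5. Compare the certificate inside the file with the one in the store before distributing it.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Thumbprint mismatch: file has $($exported.Thumbprint), store has $($cert.Thumbprint)."
}
"Exported '$($cert.Subject)' ($($cert.Thumbprint)) to $OutFile; embedded certificate verified."
```

Run it as, for example, .\Export-CertReg.ps1 -ThumbprintPrefix 'a1 b2 c3' -StoreName ROOT. Passing -StoreName MY does the same for the Personal store, matching the ROOT-to-MY substitution described above.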

Threat Management Gateway

This evening I downloaded the Microsoft Stirling Threat Management Gateway (TMG) product, the newest iteration of ISA to try out. I fired up a spare VM I had lying around and ran the installer. Strangely enough, the "installer" dumped setup files in a folder for me. I had to go dig for them and launch another setup. Good start! After clicking the install link it chugs along for a few seconds and comes back with Installation Failed. No reason, no explanation, nothing. How handy! I poked around in the log files generated by setup but nothing stuck out. I updated the machine completely thinking it was a .NET 3.5 SP1 deal or something along those lines. No luck.

I guess when all else fails, look at the system requirements, right?

I was trying to install on an x86 Server 2003 VM. Oops.

The 3 Stages of Enhanced Presence

A few weeks ago Michael Wagner posted an entry on the Communicator Team Blog about the 3 different stages enhanced presence can actually be in. Prior to that I had assumed that it was either an on or off deal, but there’s a nice little limbo state in the middle to confuse you further. I had the opportunity to play with these different states recently so I figured I’d share what I experienced because it differed slightly from Michael’s post.

The same rules apply:

  • Stage 1 - The user account Enhanced Presence setting is unchecked. This is accomplished by enabling a user for OCS 2007 or migrating a user from LCS 2005.
  • Stage 2 - The user account Enhanced Presence setting is checked, but they have not signed in with Office Communicator 2007. This is accomplished by manually checking the box "Enhanced presence" on the user account.
  • Stage 3 - The user account Enhanced Presence setting is checked and the user has signed in with Office Communicator 2007.

Here’s what I found a client was able to log in to, depending on their stage.

Stage 1

  • Communicator 2005
  • Mac Messenger 6.0.3
  • 3rd-party clients (Trillian, Miranda)

Stage 2

  • Communicator 2005
  • Communicator 2007
  • Communicator Web Access 2007
  • Mac Messenger 6.0.3
  • 3rd-party clients (Trillian, Miranda)

Stage 3

  • Communicator 2007
  • Communicator Web Access 2007

Takeaways

  • Moral of the story is that once a user signs in to Office Communicator 2007 there’s no going back. The only fix is to delete their account from OCS and re-enable it, but they will lose their contact list and access level preferences.
  • If you migrate users from LCS 2005 they will not be able to sign in to a 2007 client unless you enable their account for enhanced presence. I know it’s counter-intuitive because most of the documentation states that you can’t use OC 2005 if you’re enabled for enhanced presence. Not true: you can continue using OC 2005 until you sign in once to OC 2007. The big gotcha here is why users couldn’t log in to OC 2007 after being migrated successfully: it’s because you have to manually set the enhanced presence.
  • Oddly enough, that only seems to be required for migrated users. For a new user who had never been on LCS, simply creating their OCS account allows them to log in to OC 2007 without enhanced presence being checked. This behavior really confused me, but it must be a difference in how the user creation process is handled for an OCS pool as opposed to an LCS pool.
  • Michael’s post states that you can’t log in to CWA 2007 unless you’re at Stage 3. I found this to be false. You can’t log in to CWA 2007 until you reach Stage 2.

Apple Software Update Defaults

Granted, this has probably been going on for awhile now, but since I tend to use my Apple products on the Mac at home it’s the first time I’m seeing it. The software update I was offered this morning includes Safari being checked by default even though I have never had Safari on my PC. I’m usually a fan of Apple stuff, but this just sucks. If I want the freakin’ browser I’ll download it myself, thanks. I expect an update to be for the products I currently have, not some other product I’ve never installed. I know it’s the Microsoft way, but does Apple have to fall into this crap too?! Very disappointing.

Planning Tool for OCS 2007

On the Microsoft Download Center a new tool popped up today, the Planning Tool for Office Communications Server 2007. It crashes on my x64 Vista installation after a few screens so I’m starting up an XP VM to try it on. You can download it here: http://www.microsoft.com/downloads/thankyou.aspx?familyId=06793661-cd69-4490-bb4b-e97dd271209d&displayLang=en#

OCS 2007 Installation - Part 3

Other parts in this series:

This should be a short post; we’ll just be finishing up the installation so you can start some OCS 2007 testing internally. I purposely chose different internal and external domains, as many companies do, so that you can see how you have to use a "split-brain" DNS model. The split part simply means that you need a zone defined internally that matches your external SIP domain, which is also likely to be your e-mail domain.

Configure Internal DNS

Open the DNS management tool and expand the Forward Lookup Zones folder.

In the file menu choose Action and then New Zone.

The New Zone Wizard should open. Press Next to continue.

Choose Primary zone and check the box Store the zone in Active Directory. Press Next.

Choose To all DNS servers in the Active Directory forest ptown.com and press Next.

Enter the external domain name, confusedamused.com and press Next.

Choose Allow only secure dynamic updates and press Next.

Press Finish to complete the wizard.

Now click once on the new zone, confusedamused.com, then in the file menu choose Action and then New Host (A).

Enter sip as the hostname, verify that sip.confusedamused.com is the fully qualified domain name (FQDN), enter the IP address of the OCS box, 192.168.0.20, and check the box Create associated (PTR) record. Press Add Host.

Press OK and then Done to exit.

In the file menu click the Action item and choose Other New Records.

Choose Service Location (SRV) and press Create Record.

Enter the service as _sipinternaltls, change the port number to 5061 and enter sip.confusedamused.com as the host offering the service. Leave the defaults for everything else and press OK.

A record for _sipinternaltls should now exist, pointing to sip.confusedamused.com. Close the DNS management console.
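The same DNS configuration done from the command line with dnscmd.exe instead of the DNS console, followed by a client-style lookup to confirm what Communicator will actually resolve. This is an added example, not part of the original post; the server names and addresses are the ones used in this series, and it assumes you run it with DNS admin rights from a box that has dnscmd (Adminpak or the Support Tools). The PTR line additionally assumes the reverse zone 0.168.192.in-addr.arpa already exists, which the console's "Create associated (PTR) record" box also needs.

```powershell
# Added example, not from the original post: the DNS steps above done with dnscmd.exe
# against the DC, then a client-style lookup to confirm what Communicator will see.
# Assumptions: run as a DNS admin from a box with dnscmd; the reverse zone
# 0.168.192.in-addr.arpa already exists if you want the PTR record.
$DnsServer  = 'tap-dc-2k3.ptown.com'
$SipDomain  = 'confusedamused.com'
$SipHost    = "sip.$SipDomain"
$OcsAddress = '192.168.0.20'

# AD-integrated primary zone for the external SIP domain, stored in the forest-wide
# partition so it replicates to all DNS servers in the forest (the "split-brain" zone).
dnscmd $DnsServer /ZoneAdd $SipDomain /DsPrimary /dp ForestDnsZones.ptown.com

# Secure dynamic updates only (0 = none, 1 = any, 2 = secure only)
dnscmd $DnsServer /Config $SipDomain /AllowUpdate 2

# A record for the front-end and its reverse pointer
dnscmd $DnsServer /RecordAdd $SipDomain sip A $OcsAddress
dnscmd $DnsServer /RecordAdd 0.168.192.in-addr.arpa 20 PTR "$SipHost."

# SRV record that enables automatic sign-in over TLS: priority 0, weight 0, port 5061
dnscmd $DnsServer /RecordAdd $SipDomain _sipinternaltls._tcp SRV 0 0 5061 "$SipHost."

# What a client resolves: the SRV should point at sip.confusedamused.com port 5061
# and the host record at 192.168.0.20
nslookup -type=SRV "_sipinternaltls._tcp.$SipDomain" $DnsServer
nslookup $SipHost $DnsServer
```

If the nslookup for the SRV record comes back empty from a client PC, check that the client's DNS server is one that hosts (or replicates) the confusedamused.com zone; automatic sign-in depends entirely on that record being visible from where the client sits.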

The only thing left to do at this point is enable some users to actually sign in to OCS.

Enable User Accounts

Open the Active Directory Users & Computers snap-in and locate an OU with users.

Select the user accounts and right-click, then choose Enable users for Communications Server.

Note: These options won’t actually be present in ADUC unless you’re using a server that has the OCS 2007 console installed. You might want to install the admin console on any machine you’re planning on managing OCS users from.

The Enable Office Communications Server Users Wizard opens. Press Next.

Select to assign users to the tap-ocs-2k7.ptown.com pool.

Select a format for the user SIP URIs. The firstname.lastname@confusedamused.com format is a good choice. If Exchange is installed in your organization you would probably choose the Use user’s e-mail address option for consistency.

The wizard should succeed and generate the SIP URIs. Press Finish.

Now just install Office Communicator on a client PC and try to sign in.

Note: If you’re on a domain machine logged in with the account you’re trying to access in OCS, all you should need to enter is your SIP URI. If you’re accessing a different account you’ll be prompted for your domain credentials. You can enter them in either format, but remember it’s your internal domain URI in this case. So for example, if you’re logged on to a PC as Roger Daltrey, but you enter mick.jagger@confusedamused.com as your SIP URI, you’ll be prompted for your username and password. You could enter the username as either PTOWN\mick.jagger or mick.jagger@ptown.com. I’d recommend the former because giving users two different URIs is likely to be confusing unless your internal and external domain names are the same.

OCS 2007 Installation - Part 2

Other parts in this series:

OCS Installation - Part 1

Last time we left off about halfway through the OCS 2007 installer. This part should run through the end of the initial installation process. I’ll cover some of the initial configuration on the next part.

Configure Internal Certificate

The Configure Server section should now have a green checkmark next to it. Click the Run button under Configure Certificate to continue.

The Configure Certificate Wizard should start. Press Next to continue.

Choose Create a new certificate and press Next.

Choose Send the request immediately to an online certification authority and press Next.

Give the certificate a meaningful friendly name, uncheck Mark cert as exportable and press Next. We shouldn’t ever need to export the certificate from the front-end server.

Fill in organization and organization unit names and press Next.

Leave the subject name as the fully qualified name of the internal OCS machine, tap-ocs-2k7.ptown.com. In the subject alternative name (SAN) box enter tap-ocs-2k7.ptown.com,sip.confusedamused.com. Press Next.

Note: The reason the first SAN listed must be the same as the subject name is how ISA 2006 handles the reverse proxy. If we left sip.confusedamused.com as the sole SAN entry everything would work fine internally, but we’d run into problems with the reverse proxy later: we’ll tell ISA the internal site name is tap-ocs-2k7.ptown.com, and when it connects it tries to match that subject name to the first SAN listed. When they don’t line up ISA throws an Error 500 - Service Principal Name Incorrect. Doing the certificate this way now removes some unnecessary work later. You can read some more about this ISA issue here.

Enter a state or province and press Next.

The certificate authority, tap-dc-2k3.ptown.com\P-Town Certificate Authority, should already be detected. Press Next.

Review the certificate information and press Next to generate the certificate.

The success message should appear. Press the Assign button to use the certificate just created for OCS services.

A message indicating the certificate was applied should appear. Press OK.

Click Finish to close the certificate wizard.
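A check for the rule in the note above, added here as an example and not from the original post: it pulls the certificate issued to tap-ocs-2k7.ptown.com from the local machine Personal store, decodes the Subject Alternative Name extension straight from its DER bytes (so the result does not depend on the display locale of the box), and warns if the first SAN differs from the subject CN or if either expected name is missing. The expected names are the ones used in this series; Read-DerLength and Get-DnsSans are helper names of my own.

```powershell
# Added example, not from the original post: verify the front-end certificate follows the
# rule in the note above (first SAN equals the subject CN, and both names are present).
# Assumes the certificate was issued with the names used in this series and sits in the
# local machine Personal (MY) store.
$ExpectedSubject = 'tap-ocs-2k7.ptown.com'
$ExpectedSans    = @('tap-ocs-2k7.ptown.com', 'sip.confusedamused.com')

function Read-DerLength([byte[]] $b, [int] $at) {
    # DER length at offset $at. Short form: one byte < 0x80.
    # Long form: 0x80 | n, followed by n big-endian length bytes.
    $l = [int] $b[$at]; $consumed = 1
    if ($l -ge 0x80) {
        $n = $l -band 0x7F; $l = 0
        for ($k = 1; $k -le $n; $k++) { $l = ($l * 256) + $b[$at + $k] }
        $consumed += $n
    }
    return ,@($l, $consumed)   # (length, bytes used by the length field)
}

function Get-DnsSans([byte[]] $raw) {
    # SubjectAltName ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String (tag 0x82).
    # Returns the DNS names in the order they appear in the certificate.
    if ($raw[0] -ne 0x30) { throw 'SAN extension does not start with a SEQUENCE' }
    $names = @()
    $r   = Read-DerLength $raw 1
    $pos = 1 + $r[1]
    $end = $pos + $r[0]
    while ($pos -lt $end) {
        $tag = $raw[$pos]
        $r   = Read-DerLength $raw ($pos + 1)
        $pos += 1 + $r[1]
        if ($tag -eq 0x82) { $names += [Text.Encoding]::ASCII.GetString($raw, $pos, $r[0]) }
        $pos += $r[0]
    }
    return ,$names
}

# Newest certificate whose subject CN is the machine FQDN
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "(^|, )CN=$([regex]::Escape($ExpectedSubject))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$ExpectedSubject in the Personal store." }

# 2.5.29.17 is the Subject Alternative Name extension OID
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw "Certificate $($cert.Thumbprint) has no Subject Alternative Name extension." }
$sans = Get-DnsSans $sanExt.RawData

"Subject: $($cert.Subject)"
"SANs   : $($sans -join ', ')"
$ok = $true
if ($sans.Count -eq 0 -or $sans[0] -ne $ExpectedSubject) {
    Write-Warning "First SAN is '$($sans[0])' but the subject is '$ExpectedSubject'; the ISA reverse proxy will not match it."
    $ok = $false
}
foreach ($name in $ExpectedSans) {
    if ($sans -notcontains $name) { Write-Warning "SAN list is missing $name"; $ok = $false }
}
if ($ok) { "Certificate OK for the front-end and for the reverse proxy." }
```

Running this right after the Configure Certificate Wizard, before ISA is touched, catches the Error 500 case described above while it is still a five-minute fix (request a new certificate with the names in the right order) rather than a reverse-proxy troubleshooting session later.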

Assign Web Components Certificate

Open IIS Manager, expand the Web Sites folder, right-click on the Default Web Site and choose Properties.

Click on the Directory Security tab.

Click the Server Certificate button to start the Web Server Certificate Wizard.

Press Next to start the process.

Choose Assign an existing certificate and press Next.

Select the certificate that was issued to tap-ocs-2k7.ptown.com and press Next.

Leave the default SSL port of 443 and press Next.

Review the certificate summary and press Next.

A success message appears. Click Finish to close the wizard.

Warning: The service accounts RTCService and RTCComponentService do not have the Password Never Expires option selected by default. Unless you want those account passwords to be changed with the default domain policy I would recommend going into Active Directory Users & Computers and making sure those passwords don’t expire. If they do expire your OCS services won’t start.

Start Services

At this point the OCS services can be started. Flip back to the OCS installer and click the Run button under Start Services.

The Start Services Wizard should open. Press Next to continue.

Press Next again to start the list of services found.

A success dialog will appear when it finishes. Check the box to view the log if desired, but press Finish to continue.

At this point, OCS is up and running, but will not pass many of the validation tests. Exit the installer completely. I’ll cover the DNS configuration in the next part of this series.

OCS 2007 Installation - Part 1

Assumed Pre-Existing Environment

This will be the first part of many in showing the steps necessary for standing up an OCS 2007 server. In the examples that follow the internal domain name is ptown.com and the SIP domain, or my external-facing address, will be confusedamused.com.

tap-dc-2k3.ptown.com

  • Domain Controller for ptown.com
  • DNS Server for ptown.com
  • Certificate Authority named P-Town Certificate Authority
  • Domain in 2003 Native Mode
  • IP Configuration: 192.168.0.10 / 24
  • Gateway: 192.168.0.1
  • DNS: 127.0.0.1

tap-ocs-2k7.ptown.com

  • Blank Windows 2003 Server joined to the ptown.com domain
  • IIS installed with ASP.NET enabled
  • Adminpak.exe installed
  • IP Configuration: 192.168.0.20 / 24
  • Gateway: 192.168.0.1
  • DNS: 192.168.0.10

Schema Preparation

On tap-ocs-2k7.ptown.com run the setup.exe application to start the installation. You’ll see a message that the Visual C++ 2005 redistributable must be installed. Click Yes.

On the main setup screen click Deploy Standard Edition Server.

Now click Prepare Active Directory.

Press the Run button under Prep Schema.

The Schema Preparation Wizard starts. Click Next.

Assuming the installation media has not been modified, the schema files should be in the same directory as setup so press Next.

Press Next again to start the schema preparation.

A success dialog will appear when it finishes. Check the box to view the log if desired, but press Finish to continue.

At this point you should wait and then verify the schema has replicated to all domain controllers in the forest before continuing.

Forest Preparation

Press the Run button under Prep Forest.

The Forest Preparation Wizard starts. Press Next.

Leave the default selection of System container in the root domain and press Next.

Select forest root domain, ptown.com in the drop down and press Next.

Select the external SIP domain, confusedamused.com, for default routing and press Next.

Confirm the forest preparation settings and press Next.

A success dialog will appear when it finishes. Check the box to view the log if desired, but press Finish to continue.

Again, wait for the changes to be replicated to the entire forest before continuing.

Domain Preparation

Press the Run button under Prep Domain.

The Domain Preparation Wizard starts. Press Next.

Press Next to acknowledge the warning about group creation.

Confirm the domain preparation settings and press Next.

A success dialog will appear when it finishes. Check the box to view the log if desired, but press Finish to continue.

This time wait for the changes to be replicated to the entire domain OCS is being deployed within. Run the domain preparation wizard for any other domains hosting OCS.

At this point OCS admin rights can be delegated to users and groups. This can also be accomplished later by running the wizard again. Press the Deploy Standard Edition link at the top to go back and deploy the Standard Edition Server.

Deploy Server

Click the Run button under Deploy Server to start the installation process.

The Deploy Server Wizard starts. Press Next.

Accept the license terms and press Next.

Choose an installation location and press Next.

Enter a password for the RTCService account and press Next.

Enter a password for the RTCComponent account and press Next.

Accept the default blank external web farm FQDNs for now. The external address will be adjusted later. Press Next.

Select a location for the database and transaction logs. Ideally, these should be on separate disk controllers. Press Next.

Review the configuration settings and press Next to start the installation.

A success dialog will appear when it finishes. Check the box to view the log if desired, but press Finish to continue.

Configure Server

The Deploy Server section should now have a green checkmark next to it. Click the Run button under Configure Server to continue.

The Configure Pool/Server Wizard should start. Press Next to continue.

Press Next to accept the only server installed so far, tap-ocs-2k7.ptown.com.

The SIP domain was already entered earlier, but additional SIP domains can be added here. Press Next to continue.

Choose the option Some or all clients will use DNS SRV records for automatic logon and check the box Use this server or pool to authenticate and redirect automatic client logon requests. Press Next.

Choose the SIP domain for automatic logon, confusedamused.com and press Next.

Select Do not configure for external access now and press Next.

Review the configuration settings and press Next to begin the configuration.

A success dialog will appear when it finishes. Check the box to view the log if desired, but press Finish to continue.

That concludes Part 1 of this series. Not very interesting yet, or hard to screw up either. The other parts should be much more interesting.

Server 2008 Core RODC Requires a 2008 PDC

If you’re trying to install a Server 2008 RODC and you’re getting this error:

A read-only domain controller cannot be installed at this time because default domain groups could not be created. The error was: Unable to contact PDC in domain .

… don’t forget that your PDC role must be held by a machine running Server 2008. Open up ADUC on a 2008 box and transfer the PDC role to the server and you should have better luck.

OCS 2007 Backup Script

One of the more useful items from the OCS 2007 Resource Kit book was the extras disc that contained a few Excel worksheets on setting up backups for different types of servers. Using those worksheets I created a script that automates some of the backup process for a standard edition server. I tried to make the script fairly configurable as far as file locations and naming conventions, but feel free to change it to suit your needs. What happens is this:

  • A SQL backup job script is created with options for a full backup that overwrites the previous one.
  • A scheduled task is created that backs up the global and pool-level settings for OCS.
  • A scheduled task is created that backs up the machine-level settings for OCS.
  • A scheduled task is created that runs the SQL backup job script.

All of the files from these tasks are dumped into a single folder of your choosing on a nightly basis. At that point you can do what you like with the contents. You could schedule your backup program to simply pick up this folder on a regular schedule or you could create another scheduled task that copies the folder to a file share on another machine. Just make sure you’re saving that folder collection somewhere else and you should be fine.

There is one manual change you must make before the SQL backup job can run successfully. You need to enable TCP/IP connections to the SQL Express instance and change the port back to the default. To do that, perform these steps:

  1. Install SQL Server Management Studio Express.
  2. Open Start | Programs | MS SQL Server 2005 | Configuration Tools | SQL Server Configuration Manager.
  3. Expand SQL Server 2005 Network Configuration | Protocols for RTC.
  4. Right-click TCP/IP and choose Enable.
  5. Right-click TCP/IP | Properties and change the TCP Dynamic Ports value to 1433.
  6. Restart the SQL Server (RTC) service and you should be all set.

To use the script just rename the link to a .vbs and execute it. A few things to keep in mind:

  • Run the script as a user who is both a member of RTCUniversalAdmins and in the local administrators group on the machine.
  • You’ll be prompted for your password 3 times, once for each scheduled task.
  • Make sure you manually run the tasks a few times to make sure they work properly.
  • Read the comments in the script - I tried to be detailed and make it easy to follow if you need to change something.

OCS Standard Edition Backup Script

'---------------------------------------------
' Edit these values
'---------------------------------------------

' Backup folder - this is the directory the files are saved to. Do
' NOT use a trailing backslash. You MUST create the folder
' before running the script.
strBackupFolder = "C:\OCS 2007 Configuration"

' Global & Pool Level File Name - this is the file name of the
' XML used for storing global and pool level settings
strGlobalPoolLevelFileName = "ocs-2007-global-pool-settings.xml"

' Machine Level File Name - this is the file name of the
' XML used for storing machine level settings.
strMachineLevelFileName = "ocs-2007-machine-settings.xml"

' Global & Pool Level Task Name
strGlobalPoolTaskName = "OCS 2007 - Global and Pool Level Settings Backup"

' Global & Pool Level Task Start Time
strGlobalPoolTaskStart = "04:00"

' Machine Level Task Name
strMachineTaskName = "OCS 2007 - Machine Level Settings Backup"

' Machine Level Task Start Time
strMachineTaskStart = "04:05"

' SQL Backup Task Name
strSQLBackupTaskName = "OCS 2007 - Database Backup"

' SQL Backup Start Time
strSQLBackupTaskStart = "04:10"

' SQL Backup Script Name
strSQLBackupScriptName = "ocs-backup-job.sql"

' SQL Backup File Name
strSQLBackupFileName = "rtc-full.bak"

'---------------------------------------------
' You can probably leave this section alone
'---------------------------------------------

' Write the T-SQL script for a full backup of the rtc database. INIT
' overwrites the previous backup file each night.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(strBackupFolder & "\" & strSQLBackupScriptName, True)
objFile.WriteLine("BACKUP DATABASE [rtc] TO DISK = N'" & strBackupFolder & "\" & strSQLBackupFileName & "' WITH NOFORMAT, INIT, NAME = N'rtc-Full Database Backup', SKIP, NOREWIND, NOUNLOAD, STATS = 10")
objFile.WriteLine("GO")
objFile.Close

' Query WMI on the local machine for the OCS pool settings
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colOCSPools = objWMIService.ExecQuery("Select * from MSFT_SIPPoolSetting")

' Get the name of the OCS pool (a Standard Edition server has exactly one)
For Each objOCSPool In colOCSPools
  strOCSPool = objOCSPool.PoolDisplayName
Next

' Create the task for the global and pool level settings backup.
' Quoting: "" is a literal quote inside a VBScript string, and \" is a
' literal quote inside the schtasks /tr argument, so the task runs
' "LCSCmd.exe" /config /action:export ... /configfile:"<folder>\<file>"
Set objShell = WScript.CreateObject("WScript.Shell")
taskParameters = "/create /sc daily /st " & strGlobalPoolTaskStart & " /tr ""\""%programfiles%\Common Files\Microsoft Office Communications Server 2007\LCSCmd.exe\"" /config /action:export /level:global,pool /configfile:\""" & strBackupFolder & "\" & strGlobalPoolLevelFileName & "\"" /poolname:" & strOCSPool & """ /TN """ & strGlobalPoolTaskName & """"
objShell.Run "schtasks.exe " & taskParameters

' Create the task for the machine level settings backup
taskParameters = "/create /sc daily /st " & strMachineTaskStart & " /tr ""\""%programfiles%\Common Files\Microsoft Office Communications Server 2007\LCSCmd.exe\"" /config /action:export /level:machine /configfile:\""" & strBackupFolder & "\" & strMachineLevelFileName & "\"" /poolname:" & strOCSPool & """ /TN """ & strMachineTaskName & """"
objShell.Run "schtasks.exe " & taskParameters

' Create the task for the SQL backup. -S selects the RTC named instance
' (lowercase -s is sqlcmd's column separator); -e echoes the script to the task output.
taskParameters = "/create /sc daily /st " & strSQLBackupTaskStart & " /tr ""sqlcmd.exe -e -S .\RTC -i \""" & strBackupFolder & "\" & strSQLBackupScriptName & "\"""" /TN """ & strSQLBackupTaskName & """"
objShell.Run "schtasks.exe " & taskParameters