My sessions on upcoming events and conferences

April is always the month filled with IT conferences. As spring arrives, IT people come out of their houses and workplaces and head out to conferences to meet their peers, have some fun and learn new things. My April will be very busy this year, so for everyone interested in my sessions at conferences and events in the EE region, here is the list (in date order):

MSNETWORK – Bosnian Microsoft conference

  • Dynamic Access Control in Windows Server 2012 – 3.4.2013 16:45 -17:45
  • Enabling private cloud in your company with Windows Server & System Center – 4.4.2013 9:00 – 10:00
  • Exchange Server 2013 – what’s new – 4.4.2013 11:30 – 12:30

Private Cloud Community IT Camp – Microsoft Serbia event

  • Managing your core infrastructure with Windows Server 2012 and Hyper-V – 08.04.2013 09:00 – 17:00

WINDAYS – Croatian Microsoft conference

  • Lync Server and Exchange Server 2013 – 23.4.2013 15:05 – 15:50 (together with Igor Pavlekovic)
  • Dynamic Access Control in Windows Server 2012  – 24.4.2013 10:35 – 11:20

NT KONFERENCA – Slovenian Microsoft conference

  • Hyper-V replica – When and how we use it – 25.4.2013 10:30 – 11:45

I’m looking forward to seeing my dear friends at these events and conferences, as well as the people who come to my sessions.

Lepide Event Log Manager–All in one place

Log management in general is an essential topic for every system administrator. In any environment with more than a couple of servers, centralized control and management of log files is very important and significantly reduces the time spent on administering the systems. Searching through event logs on multiple servers is a very time-consuming job, and it quite often happens that some important information slips through.
Solutions like System Center Operations Manager are too complicated and too expensive for some organizations, and in such cases it is worth trying some third-party solutions, which can surprise you with their quality and functionality.

Lepide, a company relatively unknown in our local market, offers a very solid solution for centralized event log management. Their Event Log Manager is focused on Windows event logs and W3C logs (access logs of web servers), and presents a very good solution for small to medium companies that need an affordable, simple and functional solution for log management.

Lepide Event Log Manager is relatively undemanding and quite easy to use. You can install it on any Windows Server (everything newer than Windows 2000 is supported) or on a workstation running Windows XP or a newer OS. In addition to the log management component, it requires SQL Server on the local computer or on any other computer on the network. Fortunately, it supports SQL Server Express Edition, so you do not have to buy a license and can use this free version. Hardware requirements are minimal: the application can be installed on any computer that has at least 2 GB of RAM and the .NET Framework installed. The installation process is very simple and consists of starting the setup and answering a few very simple questions. On first launch you will have to configure a connection to SQL Server, which is a mandatory step before using the software. If SQL Server is installed on another computer, make sure that the SQL connection ports are open and that you use an account that has privileges to create a database.

Once the database connection is configured, you can continue working in the console. It is advisable to first create groups of the servers that will be monitored and choose the method of collecting logs. The system can operate in agent or agent-less mode. Agent mode requires deploying the agent software to the target computers, but it provides some more information from the monitored computer. The primary configuration of the software consists of setting the parameters for SQL Server and for the mail server (optional, if you want alerts and reports sent by e-mail); you must also add the computers and servers that will be monitored, optionally forming groups, and after that the system is ready for operation. After the first collection of logs, the administrator can start using the Event Log Manager console, which is organized in functional tabs.
The first tab, called Dashboard, is a graphical overview of events collected in the last 15 days for some well-known services, such as Logon reporting, SQL Server reporting, Exchange Server Report and the Report for the Service Control Manager. This tab can be seen as a quick check of whether some of these critical services have had problems recently. Useful, and it would be nice if it could be customized, but in this version the dashboard layout is fixed.
(Screenshot: Dashboard tab)
The next tab is used to manage groups. You can create groups of computers whose logs you monitor, and you can also add individual servers and computers. To view the logs in the rest of the console, the resources must be added here.
(Screenshot: Groups tab)
The Event Browser tab is a "giant" event viewer. Here it is possible to examine individual event logs on any PC that we follow through Event Log Manager. Logs are sorted into groups, and in each group you can select the log source server that you are interested in and get a list of logs from that source. This approach is somewhat clearer than the traditional event viewer, as logs within a group are further classified by type (e.g., within the System Log Events group we have log types such as Print Events, Hard Disk events, TCP/IP events, etc.).

(Screenshot: Event Browser tab)
The Reports tab is perhaps the most important in the whole story, because it allows a very detailed overview of the state, filtered by the type of events we are interested in. Most of the time administrators search logs for a specific event, so a report that groups logs by event is quite useful. For example, it is possible to get a report on user account lockout events in the last 7 days, or a report that shows all successful or unsuccessful logon events. The application already includes a few dozen pre-designed reports that can be easily run, but it is also possible to create your own custom reports. Each report can be exported in HTML or PDF format, which is a very useful feature, especially when these reports are forwarded for further review beyond the IT department. Reports can be generated manually or automatically. If you want to run reports automatically, you should create an appropriate schedule object. Reports generated by a schedule are sent via email, which is also a very convenient option.

(Screenshot: Reports tab)
As you would expect from software of this kind, options are also available to create alerts. If an event on one of the systems you track is particularly important, the software can generate an alert that notifies you via email when the log records the occurrence of that event type on any of the monitored servers. The only notification method is email.
Finally, Event Log Manager also logs its own activity. Everything you do within this software is written to its own log and is available for review in the Activity log tab of the application itself.

(Screenshot: Activity Log tab)
Event Log Manager is definitely software that should be taken into consideration if you need this type of service in your organization. The somewhat archaic console and some functionality that should be added definitely leave room for improvement, but this version is quite usable. I tested it with both Windows Server 2008 and Windows Server 2012 servers and it worked fine, although Windows Server 2012 is still not officially supported.

Event Log Manager can be purchased through a subscription or through licensing by the number of monitored servers; more details can be found on the Lepide web site.

MSNetwork conference is getting closer–free passes for community members!

It’s less than one month until we start another Microsoft Network conference. This one will be held in the region of Teslic, a small town in Bosnia. The preliminary agenda has already been published on www.msnetwork.ba, along with other important details.

As before, this year we will also provide some free passes for MSNetwork to our community members. All user group leaders will get some free conference passes for community members. For the MSCommunity user group, we plan to hold our regular meeting in the third week of March, and we will use that occasion to give these free passes to some meeting attendees.

For those of you who don’t plan to come to our community meeting, you can still take advantage of the early bird price – I’m sure that the MSNetwork conference is the “best buy” conference in the region. For a very small price, you get extraordinary sessions and great speakers. Don’t miss it!

Exchange Server 2013 course–for MSCommunity members

As usual, when we deliver new Microsoft courses, we always save some seats for community members. We will make no exception this time, so I’m glad to announce that we will provide 2 free seats on the 20342A course (Exchange Server 2013 Advanced Solutions) for MSCommunity members. This course is scheduled to start on Feb 25th and end on Feb 28th (4 days). The course will be delivered by Stanley Reimer and myself. We both co-authored this course. More details about the course content can be found here.

As before, active MSCommunity members will be preferred. If you are interested, email me directly.

See you!

ITPro Private Cloud Camp (or Belgrade, here I come again)

After the very successful Windows Server 2012 ITCamp that I delivered in December 2012 at Microsoft Serbia, we scheduled another event, this time with Private Cloud as the main topic. This whole-day event will be held at Microsoft Serbia on Feb 11. Besides myself, my colleagues Ljubomir Ivanis and Predrag Jelesijevic will also participate in delivering the content.
We plan to talk about following topics:

  • Windows Server 2012 as a private cloud platform
  • Hyper-V 3.0
  • VMM 2012 SP1 – private cloud virtualization management
  • System Center 2012 family – enabling private cloud

I’m sure we’ll deliver great content and get great feedback from the participants, like we did last time!

See you in Belgrade!

Configuring Domain Security on Exchange Server 2013

The need to protect SMTP traffic is not uncommon, but you can’t always protect it. Inside your organization it’s pretty easy – you can implement digital signatures or encryption for emails, but once you want to go outside, things become more complicated. You can still use digital signing (S/MIME) on emails, but if your certificate is issued by your internal PKI, it probably won’t be trusted on the recipient side. That will not prevent the digital signature from working, but it will affect trust.

If you want to send encrypted emails outside your organization, things are even more complicated. If you want to use just the built-in Outlook features for message encryption, you will need the public key of every recipient you want to send an encrypted message to. Inside your organization this is not an issue, as you can publish certificates in AD DS. Outside, on the Internet, this is not an easy job. Sure, there are some third-party tools for this, but let’s see what we can do without them.

Domain Security is a feature of Exchange Server (both 2010 and 2013) that can secure SMTP traffic between two Exchange organizations. It is implemented at the server level, and it works without configuring any options on the user (sender or recipient) side. Domain Security uses mutual TLS authentication to provide session-based authentication and encryption. Mutual TLS authentication differs from TLS as it is usually implemented: usually, when you implement TLS, the client verifies the server certificate and authenticates the server before establishing a connection.

With mutual TLS authentication, each server verifies the connection with the other server by validating the certificate that the other server presents, so clients are not involved at all. We establish a secure SMTP channel between two Exchange Servers, usually over the Internet.
Clients, Outlook and Outlook Web App, will be aware that Domain Security is established. A green icon with a check mark is shown on each message exchanged between servers on which Domain Security is implemented.

(Screenshot: message in Outlook with the green Domain Security check mark)

As you can see, Domain Security can be applied between two (or more) known Exchange organizations. It can’t protect all SMTP traffic that comes and goes from your Exchange organization, but it can efficiently protect SMTP traffic between partner organizations.

Let’s see how to configure it. I’ll show the procedure for Exchange Server 2013, but most of it also applies to Exchange Server 2010. Let’s assume that we want to establish Domain Security between two Exchange organizations named adatum.com and treyresearch.net (yes, I’m using domain names from Microsoft Learning courses, but since I write these courses, I just got used to that).

1. Establish certificate trust between organizations

As said before, Domain Security relies on certificates. Because of this, you should first establish certificate trust between the two organizations where you want to implement Domain Security. You can do it in several ways. If both organizations use publicly trusted certificates on their Exchange servers, you are good to go. If that’s not the case, you will have to cross-import the Root CA certificates on both sides. Alternatively, you can issue the SMTP certificates for both Exchange organizations from a single trusted Root CA. Either way, the point is that each Exchange server must trust the certificate installed (and assigned to the SMTP service) on the other Exchange server. Achieve this in any way you like. Besides establishing trust, make sure that the certificate common name is the same as the name that the Exchange server presents in the HELO/EHLO conversation.

However, it’s important to notice one thing here. In Exchange Server 2010, you would do this on the Edge Transport server or, if you didn’t deploy one, on the Hub Transport server. Since these two roles no longer exist in Exchange 2013, these certificates should be installed on the CAS servers, which in Exchange Server 2013 host the FrontEnd Transport service. It is also important that the certificate you want to use for Domain Security is assigned to SMTP (it can be assigned to other services as well).

(Screenshot: certificate assigned to the SMTP service)

2. Configure Domain Security

As both sides/companies will be sending and receiving email, the following procedure should be done on both sides, but with the domain names swapped.

First, open the Exchange Management Shell and execute this cmdlet:

Get-TransportConfig | FL

You will get the whole list of transport settings, but we want two of them: TLSReceiveDomainSecureList and TLSSendDomainSecureList. If you have not configured Domain Security so far, these two values will be empty. To use Domain Security we must populate these parameters with appropriate values.
TLSReceiveDomainSecureList – specifies the domains from which you want to receive domain secured email by using mutual Transport Layer Security (TLS) authentication
TLSSendDomainSecureList – specifies the domains from which you want to send domain secured email by using mutual TLS authentication

If we are on the adatum.com side, we will execute the following:

Set-TransportConfig -TLSSendDomainSecureList adatum.com
and
Set-TransportConfig -TLSReceiveDomainSecureList treyresearch.net

After this, when you run the Get cmdlet again you should have these values:

(Screenshot: Get-TransportConfig output with the populated TLSSendDomainSecureList and TLSReceiveDomainSecureList values)

Logically, on the treyresearch.net side we will issue the same commands, but with the domains inverted. If you have more than one partner company with a requirement for Domain Security, you can add their domain names too, since these parameters are multivalued.

3. Configure connectors

Now we will create dedicated connectors for Domain Security. Let’s first create the send connector. You can use the Exchange Admin Center for this. Navigate to mail flow, click Send connectors and add a new one. In the wizard, type the name of the connector and select the Partner type. Don’t use a smart host; leave MX record as the method to send mail. For the connector address space, type the domain name of the other Exchange organization. If you are on the adatum.com side, you will type treyresearch.net. On the source server page of the wizard, select the Mailbox server that you want to use as the source. It doesn’t matter which one you choose, since we will configure the connector to proxy through the CAS. When the connector is created, double-click it and enable the option “Proxy through client access server”. You can also configure the maximum message size for this connector if you want, and enable protocol logging.

(Screenshot: send connector properties with “Proxy through client access server” enabled)

Now back to the Exchange Management Shell, and execute:

Get-SendConnector -Identity ConnectorName | FL

Look for the value of the DomainSecureEnabled parameter. It should be True. If it’s not, you can easily set it with Set-SendConnector -Identity ConnectorName -DomainSecureEnabled:$true

Let’s now configure the receive connector. Back in the EAC, click mail flow and then click receive connectors. In the Select server drop-down list, choose your Client Access server.

Select Partner as the connector type and configure the receiving IP address if you want (or just leave all available), but on the remote network settings page you should configure only the IP address assigned to the other organization’s Exchange server. This should be the (public) IP from which the partner’s Exchange server sends email. After you create the connector, double-click it and click the security tab. Make sure that the authentication options are set like on the following screenshot.

(Screenshot: receive connector security tab with the authentication options)

4. Test the Domain Security

The easiest way to test this is to just send an email from one organization to the other from Outlook. If you get the message with the green check mark, you are all set. If not, you’ll need some troubleshooting. You can enable protocol logging by executing:

Set-ReceiveConnector Internet -ProtocolLoggingLevel Verbose
and
Set-SendConnector Internet -ProtocolLoggingLevel Verbose

to verify the TLS channel. If the message doesn’t arrive at the recipient but doesn’t come back as an NDR, you should check the queue.

Or you can just wait for my next blog post, where I will discuss some troubleshooting.
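As an added example (not part of the original post), here is a PowerShell script for the Exchange Management Shell that checks the settings from steps 1 to 3 on one side before you run the Outlook test in step 4. The partner domain and the connector names are assumed values; change them to match your environment.

```powershell
# Added verification script, not from the original post. Run it in the Exchange
# Management Shell on the Exchange 2013 server that hosts the Client Access role
# (FrontEnd Transport) after finishing steps 1-3 on that side.
# Assumed (constructed) names: partner domain treyresearch.net, send connector
# "DomainSecure to TreyResearch", receive connector "DomainSecure from TreyResearch".
param(
    [string]$PartnerDomain = 'treyresearch.net',
    [string]$SendConnectorName = 'DomainSecure to TreyResearch',
    [string]$ReceiveConnectorName = 'DomainSecure from TreyResearch'
)

$problems = @()

# Step 2: transport configuration must list the partner for domain-secured mail
$tc = Get-TransportConfig
if (-not ($tc.TLSReceiveDomainSecureList -contains $PartnerDomain)) {
    $problems += "TLSReceiveDomainSecureList does not contain $PartnerDomain"
}
if ($tc.TLSSendDomainSecureList.Count -eq 0) {
    $problems += "TLSSendDomainSecureList is empty"
}

# Step 3: send connector must be domain secured, proxied through CAS, use MX
# (no smart host) and route the partner domain
$sc = Get-SendConnector -Identity $SendConnectorName -ErrorAction SilentlyContinue
if (-not $sc) {
    $problems += "Send connector '$SendConnectorName' not found"
} else {
    if (-not $sc.DomainSecureEnabled) { $problems += "Send connector: DomainSecureEnabled is False" }
    if (-not $sc.FrontendProxyEnabled) { $problems += "Send connector: not proxied through CAS" }
    if ($sc.SmartHosts.Count -gt 0) { $problems += "Send connector: smart host configured, MX expected" }
    if (-not ($sc.AddressSpaces | Where-Object { $_.Address -eq $PartnerDomain })) {
        $problems += "Send connector: address space does not include $PartnerDomain"
    }
}

# Step 3: receive connector must allow TLS and must not accept the whole Internet
$rc = Get-ReceiveConnector | Where-Object { $_.Name -eq $ReceiveConnectorName }
if (-not $rc) {
    $problems += "Receive connector '$ReceiveConnectorName' not found"
} else {
    if ("$($rc.AuthMechanism)" -notmatch 'Tls') { $problems += "Receive connector: TLS is not an allowed auth mechanism" }
    $ranges = $rc.RemoteIPRanges | ForEach-Object { "$_" }
    if ($ranges -contains '0.0.0.0-255.255.255.255') {
        $problems += "Receive connector: remote IP range is unrestricted, expected only the partner's server IP"
    }
}

# Step 1: the certificate bound to SMTP must be valid, not about to expire, and
# must carry the FQDN that the send connector announces in HELO/EHLO
$smtpCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'SMTP' }
if (-not $smtpCerts) {
    $problems += "No certificate is assigned to the SMTP service on this server"
} else {
    foreach ($cert in $smtpCerts) {
        if ($cert.Status -ne 'Valid') { $problems += "Certificate '$($cert.Subject)': status $($cert.Status)" }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Certificate '$($cert.Subject)' expires $($cert.NotAfter)" }
    }
    if ($sc -and "$($sc.Fqdn)") {
        $names = $smtpCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
        if ($names -notcontains "$($sc.Fqdn)") { $problems += "No SMTP certificate covers the connector FQDN $($sc.Fqdn)" }
    }
}

if ($problems.Count -eq 0) { Write-Output "Domain Security prerequisites look correct for $PartnerDomain" }
else { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
```

The script only reads configuration; it exits with code 1 and a warning per finding, so it can also be scheduled as a periodic check that the partner connectors and the SMTP certificate have not drifted.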

Microsoft Learning is considering exams reports changes

If you have ever taken a Microsoft exam of any kind, you’re probably familiar with the score report you get at the end of the exam. It hasn’t changed for years, and now MSL is thinking about changing it. If you want to influence that, the Born to Learn blog has published an article about it with a link to the survey. You can participate; the survey is open to everyone. Here.

Mobile devices, certificates and Exchange Server

A few days ago I tried to import my personal certificate (issued by Verisign) to a Windows Phone 8 device. I exported it as .pfx, sent it to myself in an email and then opened it on the device. It worked. Sort of. I mean, WP did import the certificate but didn’t give any clue about what I can do with it. I tried to find an option to digitally sign or encrypt email, but with no luck. The next thing that came to my mind was certificate-based authentication to Exchange Server. Then I found this article. It seems that WP8 now fully supports certificate-based authentication against the Exchange Client Access Server. However, my personal certificate issued by Verisign will not be of any use here, as it is not issued by my internal PKI. I will have to get a new one and put it on the device, and then I will try this.

This seems to be a very useful option for authentication to the CAS. I think that besides WP8, Android and iOS also support certificate-based authentication. I will try all three platforms and post the results here. It would also be nice if WP8 had some certificate management implemented – right now, when you import a certificate, it disappears into a black hole, with no way to find or manage it (or I didn’t find a way to do it).

(off topic)–New page for students and math lovers

As the title says, this is an off-topic post, but since I’m also a mathematician (although I have not worked with math for quite a long time), I want to give some visibility to a project that my wife Manuela (who is a professional mathematician) started recently.

She decided to start a web page primarily to help students prepare for exams in the math subjects she teaches at the Faculty of Science (Math department) in Sarajevo. She has already published quite a few practice problems and exam examples, as well as some of her own work.

I sincerely hope that more teachers from faculties and schools will also take this path.

If you want to take a look at the page, or just give some more visibility to this project, here is the link to Manuela’s angle.

Why Brain Dumps Are Bad–from Born to Learn

I think it’s valuable reading. As I run a CPLS (and a Prometric testing center), from time to time I see people who have obviously passed exams using brain dumps. To all of them, and to others who think that way, I recommend this article on the Born to Learn site. I’ll extract just one sentence from there: “I won’t tell you how we know when someone has used a brain dump to pass an exam, but we know.”