How to configure your virtual Domain Controllers and avoid simple mistakes that result in big problems
So You went ahead and used virtualized Domain Controllers for Your Active Directory domain, congratulations! I am sure You will be happy with the decision; as long as You have a decent virtualization environment, this will give You peace of mind, faster recovery and cheaper redundancy.
There are, however, some special considerations You must make when You are using virtual Domain Controllers. And please, with sugar on top, do NOT P2V/convert Your physical Domain Controllers to virtual without at least reading this article!
What areas do we need to consider on a virtual DC?
- Time synchronization
- Disk cache
- Suspend/pausing virtual machine
- Snapshots and System State backups
- Performance
Personally I much prefer virtual Domain Controllers over having a lot of physical ones, but there are some considerations to be made about perhaps leaving some physical, which features to use on the virtual ones, and which settings to use as well. This article attempts to uncover some of the points to consider, specifically for virtual DCs. The list is in no way meant to be the only considerations, but is mostly the things that I personally have noticed forgotten in environments I have encountered. Add Your own preferences and research to this and You should be well on Your way to living happily ever after with Your virtual DCs.
Debugging an OCS installation just got easier
I might be really slow in discovering this; after all, it has been some months since I last touched an OCS installation. I seriously wish I had had this tool the last time, though.
This tool, just like the Exchange testing tool, will show all the steps involved in connecting to an OCS system and produce any errors and confirmations that everything is working. It is excellent for debugging or even just validating that everything is working as it should. I found the link to the tool on a new Danish UM experience sharing group (all Danish): http://www.colabora.dk/.
The actual tool can be found here: https://www.testocsconnectivity.com/
Thought I would also add some extra info and show what results the tool can produce (FQDNs and IPs changed).
VBScript to join computers to domain, with specific user and avoid having to manually place them in AD
The following script was used for automatically joining a lot of computers to an Active Directory domain. It was required to place the computer in a specific Organizational Unit and also to run with a specified user with only permissions to add machines in this OU and the default new computers OU (giving it unlimited join domain permissions).
So here is a cleaned up short script to join a machine to a domain, using a script-specified user (could be changed easily to the current user) and place the machine in a specific OU. It is great for running for specific departments, so You avoid having to manually sort the machines in the end.
How to silently install ZenWorks 10 with VBScript without having to watch the screen during installation
So You want to install ZenWorks 10.x.x.x silently on a machine, sounds easy enough right?
Well, ZenWorks is making it slightly harder. If You just run the installer with a stay-quiet parameter, then when it finishes and You or the installer reboots, it was not actually finished. After the installation ZenWorks sits and runs MSI packages that need to install as well, so even though the installer exited and says all done, another thread from ZenWorks is still working.
I used the following script to install ZenWorks 10 without showing it to the user, and then monitor the little thread doing the other installs. When that was finished I continue to do whatever it is I want to do, in my case tell the user I am rebooting their machine and reboot, but that's entirely up to You.
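Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Popup "Installing ZenWorks, please wait", 60, "Please Wait..", 64
' Run the installer hidden (0) and wait for it to exit (True)
WshShell.Run "X:\myfolder\Novell\Zenworks\10.2.2\PreAgentPkg_AgentComplete.exe -x -q", 0, True
WScript.Sleep 120000 ' 120 seconds
' Poll until the background ZENPreAgent.exe process has finished its MSI installs
While CheckProcess("ZENPreAgent.exe") = True
    ' Wscript.Echo "Installation still running, waiting x seconds"
    WScript.Sleep 5000
Wend
WshShell.Popup "Installation completed - machine should be restarted.", 60, "Please restart computer", 64
' CheckProcess is not shown on the page; this WMI-based version is an assumed implementation
Function CheckProcess(strProcessName)
    Dim colProcesses
    Set colProcesses = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("SELECT Name FROM Win32_Process WHERE Name = '" & strProcessName & "'")
    CheckProcess = (colProcesses.Count > 0)
End Function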
How to disable administrative shares on workstations through Group Policy and avoid spending time on pesky virus infections
Large companies sometimes have problems with a virus that really loves administrative shares on other workstations (i.e. c$ and admin$); it will try to break into these to spread itself directly. The easy option of course being to kill the virus, or even better, harden administrative users and not use administrator rights for normal users! But until that is an easy, non-political and not so time-consuming task, why not disable the administrative shares on the workstations altogether?
Seems like a perfect thing to do with Group Policy. Unfortunately the setting does not exist in Group Policy by default, so by finding the registry key we need to change, a small custom administrative template will do the trick. This could also be used for other registry changes needed with Group Policy.
We might also want the option to easily enable the administrative shares again later, as they might be used by applications, services, automated installations, etc. Here is how to do it quick and easy.
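A minimal custom administrative template for this, added here as an illustration and not the template from the original post. It assumes the standard Windows value AutoShareWks under the LanmanServer parameters key; the category, policy and string names are made up for the example.

```adm
; Added example: custom ADM template to control workstation administrative shares.
; Assumption: AutoShareWks (REG_DWORD) under LanmanServer\Parameters is the value
; that controls automatic creation of C$, D$ ... and ADMIN$ on workstation editions.
; Servers use AutoShareServer in the same key. IPC$ is not affected by either value.

CLASS MACHINE

CATEGORY !!AdminSharesCategory
    POLICY !!AdminSharesPolicy
        KEYNAME "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
        EXPLAIN !!AdminSharesExplain
        VALUENAME "AutoShareWks"
        ; Enabled  -> writes 1, shares are created at service start
        ; Disabled -> writes 0, shares are not created
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
AdminSharesCategory="Custom: Workstation hardening"
AdminSharesPolicy="Create administrative shares (C$, ADMIN$) on workstations"
AdminSharesExplain="Enabled: AutoShareWks=1, administrative shares are created.\n\nDisabled: AutoShareWks=0, administrative shares are not created.\n\nThe Server service must be restarted, or the machine rebooted, before a change takes effect."
```

Because the key is outside the Policies hive, the Group Policy editor treats this as a preference: clear the "Only show policy settings that can be fully managed" filter to see it, and expect the value to stay in the registry after the GPO is unlinked. To re-enable the shares later, set the policy to Enabled rather than Not Configured.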
How to get external SAN UC SSL certificates that work with OCS 2007 R2 and avoid having to read 100 blog posts!
Been reading up on external and internal DNS names used by OCS 2007 R2? Your head stopped spinning yet? So You've decided on what FQDNs to use; next step, order some SSL certificates. Should be easy enough, right?
You already figured out You need SSL certificates that are Unified Communications Certificates (UCC) enabled. In my example I will use GlobalSign Domain Validated SANs. If I needed multiple domains, for example for @sole.dk and @soleit.dk, I would choose GlobalSign Organisation Validated SANs instead.
For a GlobalSign SSL certificate to be UCC enabled, it must use SAN domains; there is no other way of enabling it. So there is no point in spending lots of budget on separate SSL certificates for each service. SAN subdomains are also quite a lot cheaper than buying separate SSL certificates.
One of the tricky parts of Office Communications Server 2007 R2 and SSL certificates is that You cannot use one single SAN SSL certificate for all services if You intend to use port 443 for all services!
Why would we only use port 443?