Monthly Archives: May 2012

New certifications from Microsoft

Microsoft has updated their certification site with a whole load of new certifications for the release of Windows Server 2012.
If you now go to the MCSE page on Microsoft’s site you can see new exams for Windows Server 2012 and Windows 8.

The new exams I can see so far are:

70-410 Installing and Configuring Windows Server 2012 (September 04, 2012, in development)

70-411 Administering Windows Server 2012 (September 04, 2012, in development)

70-412 Configuring Advanced Windows Server 2012 Services (September 04, 2012, in development)

If you take these 3 exams you will get the MCSA Windows Server 2012.
Of course, if you have the MCSA Server 2008 you can upgrade your title with the upgrade exam

70-417 Upgrade your skills to MCSA Windows Server 2012
(No info available yet)

When you have the MCSA Windows Server 2012, you can upgrade this title to the MCSE Server Infrastructure, which consists of

70-413 Designing and Implementing a Server infrastructure
(No info available yet)

70-414 Implementing an advanced Server infrastructure
(No info available yet)

So in total, to get the MCSE Server Infrastructure (if you don’t have any other certs from before), you need to take 5 exams.

Of course there is also an MCSE Desktop Infrastructure track, which consists of

70-415 Implementing a desktop infrastructure
(No info available yet)

70-416 Implementing desktop application environments
(No info available yet)

Together with the MCSA Windows Server 2012, these give you the title “MCSE Desktop Infrastructure”.
Of course you can upgrade to this as well if you have the Enterprise Desktop Administrator title.

With the release of Windows Server 2012, and with System Center 2012 just released, Microsoft again comes with a load of new certifications.
For those that are eager to take new certifications: well, Microsoft just announced 8 certifications for Windows Server 2012 and Windows 8. Like I didn’t have enough on my schedule already 😉

SCCM 2012 Security

For large systems like ConfigMgr 2012 there are a lot of settings needed in order to get it running. Sometimes you miss a setting or two, or you forget to properly set the right access for an account.
From a security point of view there is a lot that can go wrong.
ConfigMgr requires a lot of security rights on client computers, in Active Directory, and on servers (if you use it for servers), and if someone manages to get full access to the console, well... then you’re screwed.
Even if you managed to lock down your environment as tight as Uncle Scrooge’s vault, that won’t mean a thing if you didn’t set up the site for encrypted traffic (of course it is a lot of hassle for someone to do damage to your environment this way, but it can be done). ConfigMgr 2012 leverages PKI for encryption, authentication and proof of identity between clients and site servers (check my previous post on setting up PKI for SCCM 2012). But there are also some other options, which we will go through in this post, that can raise your security level in ConfigMgr.

In order to configure ConfigMgr for PKI, you have to change a site property and configure the site system settings for HTTPS only.
In order to deploy certificates to clients you can use the following methods.

* Use the /UsePKICert parameter with ccmsetup (this is mostly used for clients that connect from the internet), and remember that you must also specify /mp: with the FQDN of the management point.
   If a certificate is not found, the client falls back to HTTP with a self-signed certificate.
* Deploying autoenrollment of certificates in AD (best for intranet clients).
* Using client push (best for intranet clients).

NOTE: Because the location of the CRL is added to a certificate when it is issued by a CA, ensure that you plan for the CRL before you deploy any PKI certificates that Configuration Manager will use.
NOTE: When you issue client PKI certificates from the same CA hierarchy that issues the server certificates that you use for management points, you do not have to specify this root CA certificate. However, if you use multiple CA hierarchies and you are not sure whether they trust each other, import the root CA for the clients’ CA hierarchy.

If you are unable to use PKI, you can instead configure signing (using SHA-256) and encryption (using 3DES).

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure.

  3. On the Home tab, in the Properties group, click Properties, and then click the Signing and Encryption tab.

  4. Configure the signing and encryption options that you want, and then click OK.

    Remember to check that all your clients support SHA-256; older computers with old versions of XP or Server 2003 might have issues with this.
    Remember that the signing option protects the data from tampering, but it does not encrypt the data.
    The encryption option encrypts the inventory data and state messages that clients send to management points in the site. But remember the additional CPU usage that will be required on clients and the management point to perform the encryption and decryption.

If you manage to set up SCCM with PKI, good! But there are a lot of other factors that you need to check as well.

* Keep your systems up to date.
Patching, patching and patching. Always remember to have the latest security updates installed. We saw a little while ago how little time it took before an exploit was available for the security hole in RDP.

* Site system to SQL Server
Although Configuration Manager does secure communication between the site server and the computer that runs SQL Server, Configuration Manager does not secure communication between other site system roles and SQL Server, so you should use IPsec to secure communication between these servers. If you do not set up secure communication here, they can be the victim of man-in-the-middle attacks.

* Site server to package source server
You should also use IPsec here if possible; if not, use SMB signing to ensure that the files are not tampered with before clients download and run them.
Of course, in order to view communication between servers a user would have to be on the same network as the servers. But always remember to use custom VLANs and ACLs where possible.

* Use non-default port numbers
A lot of attackers go after well-known ports. For instance 1433 is the well-known SQL Server port, and HTTP and HTTPS use 80 and 443. If you want to use custom port numbers, remember to use them consistently across all sites in the hierarchy.

* Isolate site system roles
By having a separate server for each role you reduce the risk that a vulnerability on one site system can be used against a different site system. The fallback status point in particular should never be co-located with other roles, since this site system role accepts unauthenticated data from clients.

* Restrict user access.
Use RBAC, and delegate only the permissions that are needed.

* Job rotation
If someone has full admin access to ConfigMgr (or for that matter the CAS), remember to have a job rotation schedule; the biggest threat to a company is always a disgruntled employee that has full access from the inside.

* PowerShell execution policy set to Bypass.
This setting allows clients to run unsigned PowerShell scripts, which could for instance allow malware to run on client computers.

* Deploying applications to “All Systems”
If you deploy a licensed application (an Adobe product, for instance) to All Systems, a rogue client that installs the agent and gets its client information from AD would also get access to that application.

* Desktop Viewers option
Make sure that you create a custom policy for each computer group, so you don’t have a help desk user that can remote view every computer (and user, for that matter) in your site.

* Client Push Account
Create your own service account for this, and create a policy to deny the account the right to log on locally, since this account needs to be a member of the local Administrators group on each machine.
If someone gets access to this account, that lucky guy would have access to every client in your site. Of course you don’t need to use client push install at all; you can do it by Group Policy instead.

* Require a password to PXE boot
If you enable this option, it adds an extra level of security to your site, since you reduce the risk of a rogue computer joining your site.
Also remember not to include business applications that contain sensitive data in a task sequence, since we don’t want a rogue computer getting access to that data.

* Restrict whether users can install software interactively by using the Installation permissions client setting.
If you leave this setting open to all users and it also applies to your servers, any user who can log on to a terminal server would be able to install applications on it.

* Best practice from Microsoft.
Microsoft has a free tool available named Security Configuration Wizard (SCW) which allows you to create a security policy that you can apply to all your servers.
It also has a template available for ConfigMgr 2012 which you can download here –>

These are just some pointers on what you have to think about when deploying ConfigMgr 2012. There are a lot of other factors as well, depending on what features you plan to deploy in your site.
I recommend you check the TechNet documentation Microsoft has regarding security in ConfigMgr.
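As an added example (this is not from the original post, nor a Microsoft tool), here is a read-only PowerShell audit for three of the points in the list above, to be run in an elevated prompt on a site system or package source server: whether SMB signing is required, whether the LocalMachine execution policy is Bypass or Unrestricted, and whether the client push account is listed in “Deny log on locally”. The account name CONTOSO\svc-ccmpush and the temporary file name are placeholders you should replace.

```powershell
# Added example, not from the original post. Read-only audit of three points from
# the list above, meant to be run in an elevated PowerShell 3.0+ prompt on a
# ConfigMgr site system or package source server. 'CONTOSO\svc-ccmpush' is a
# placeholder for your own client push account.
param(
    [string]$ClientPushAccount = 'CONTOSO\svc-ccmpush'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. SMB signing. RequireSecuritySignature = 1 means signing is required, which is
#    what protects package content against tampering in transit when IPsec is not used.
foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $item = Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.RequireSecuritySignature -ne 1) {
        $findings.Add("SMB signing is not required for $svc")
    }
}

# 2. PowerShell execution policy. The post warns against Bypass; Unrestricted lets
#    unsigned scripts run just the same, so both are flagged.
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -eq 'Bypass' -or $policy -eq 'Unrestricted') {
    $findings.Add("LocalMachine execution policy is $policy")
}

# 3. 'Deny log on locally' for the client push account. secedit writes user rights
#    assignments as a comma-separated list of SIDs prefixed with '*', so resolve the
#    account name to its SID and look for it on the SeDenyInteractiveLogonRight line.
try {
    $account = New-Object System.Security.Principal.NTAccount($ClientPushAccount)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $inf     = Join-Path $env:TEMP 'user-rights-audit.inf'   # placeholder file name
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf |
        Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' } |
        Select-Object -First 1
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line -or $line -notmatch [regex]::Escape($sid)) {
        $findings.Add("$ClientPushAccount is not in 'Deny log on locally'")
    }
}
catch {
    $findings.Add("Could not check $ClientPushAccount : $($_.Exception.Message)")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script only reads registry values, the execution policy and a secedit export; it changes nothing. Run it on each package source and site system server after applying your GPOs, and treat every line it prints as a setting to go back and fix.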


Something new in ConfigMgr 2012 is that Microsoft added a new site type, the CAS (Central Administration Site).
Microsoft says the following about it: “The central administration site coordinates inter-site data replication across the hierarchy by using Configuration Manager database replication. It also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. Use this site for all administration and reporting for the hierarchy.”

This role is needed for large scale deployments and sits at the top of the hierarchy in ConfigMgr 2012. The top reasons for using this role are:
       * If you have over 100,000 clients in your environment.
       * If you wish to split up your environment in general.
       * If you need more than 1 primary site.

Top reasons not to use this role:
       * One extra server to maintain, with licensing, monitoring and such.
       * SQL Server Enterprise is most likely needed, since it supports up to 400,000 clients (SQL Server Standard only supports up to 50,000 clients).
       * The CAS role needs some heavy machinery since it needs to process a lot of data. Microsoft recommends 16 cores, 64 GB of RAM and 1.5 TB of disk space for all the files. If your environment consists of 100,000 clients the database files alone will take approx. 500 GB.
The CAS can support up to 25 child primary sites.

A typical CAS setup would look like this (If we had 2 domains)


Something that you need to know about the CAS role

It does not process data from clients

It does not accept client assignments

It participates in database replication

So this is a role that just “sits” there and receives data from other sites in the hierarchy. Since the CAS also participates in database replication, all inventory data and information will be replicated to the CAS server, which makes it very useful for reporting services.

Also something to consider in a forest with multiple domains and multiple sites: who has access to the CAS, and who has admin access on the CAS? The users that have access to the CAS have access to every site and its database information.

But if you need a CAS in your environment, remember that you have to install the CAS BEFORE you install a primary site. If you installed the primary site first, the only way to join that primary site to the CAS is to reinstall it.

Citrix XenApp infrastructure.

Something we have all struggled with is how a XenApp farm communicates internally (okay, maybe not all of us, but some 🙂 ). There are a lot of services and roles involved, and unless you have done your research it can be troublesome to get the overview you need.
So hopefully you will understand a bit more about how XenApp communicates after you have read this post.

First there are a couple of terms that you need to know.

A zone is a grouping of XenApp servers that communicate with a common data collector. In large farms with multiple zones, each zone has a server designated as its data collector. Data collectors in farms with more than one zone function as communication gateways with the other zone data collectors. The data collector maintains all load and session information for the servers in its zone. All farms have at least one zone, even small ones. The fewest number of zones should be implemented, with one being optimal. Multiple zones are necessary only in large farms that span WANs.

Data Store (port 1433 for MSSQL server)
The data store is the database where servers store static farm information, such as configuration information about published applications, users, printers, and servers. Each server farm has a single data store.
This usually resides on an MSSQL server.

Data Collector
A data collector is a server that hosts an in-memory database that maintains dynamic information about the servers in the zone, such as server loads, session status, published applications, users connected, and license usage. Data collectors receive incremental data updates and queries from servers within the zone. Data collectors relay information to all other data collectors in the farm. By default, the data collector is configured on the first server when you create the farm, and all other servers configured with the controller server mode have equal rights to become the data collector if the data collector fails. When the zone’s data collector fails, a data collector election occurs and another server takes over the data collector functionality. Farms determine the data collector based on the election preferences set for a server. Applications are typically not published on the data collector.

Web Interface
The Web Interface is where users access their applications, using either Receiver (PNAgent services site) or a web browser.

Citrix XML Broker and the Web Interface
The Citrix XML Broker functions as an intermediary between the other servers in the farm and the Web Interface. When a user authenticates to the Web Interface, the XML Broker receives the user’s credentials from the Web Interface and queries the server farm for a list of published applications that the user has permission to access. The XML Broker retrieves this application set from the Independent Management Architecture (IMA) system and returns it to the Web Interface.

Independent Management Architecture (IMA) (port 2512)
This is the service used for transferring background information between XenApp servers, including server load, current users and connections, and licenses in use.

Independent Computing Architecture (ICA) (port 1494)
This is the protocol used for client-to-server connections.

Local Host Cache (LHC)
A local cache of the data store, which allows a server to function in the absence of the data store.

I have set up a basic diagram here, which shows a basic XenApp setup consisting of
1 x data collector
1 x data store
1 x web interface
and a bunch of XenApp servers.
And of course we have the users that connect from the WAN to the servers.


So let’s go through a couple of scenarios.

What happens when you add a new server to this farm (let’s say server 4)?
1. Server 4, via the IMA service, establishes a connection to the data store for the farm. The service then downloads the information it needs to initialize. It also checks that the data in the LHC is current.
2. Once the IMA service has started, it registers with the data collector for the farm and publishes which applications the server is contributing.

What happens when a client connects to a server (let’s say client 1)?
1. The client asks the data collector to resolve the published application to the IP address of the least loaded server in the farm.
2. The data collector checks which servers have the published application available, and which of them has the least load.
3. The client then connects to the least loaded server returned by the data collector.
4. The member server then updates its information on the data collector via the IMA service.

What happens if the data collector goes down?
1. The data collector server goes down.
2. The servers in the zone recognize that the data collector has gone down and start the election process. In this example the backup data collector is elected as the new data collector for the zone.
3. The member servers in the zone then send all of their information to the new data collector for the zone. The amount of data is a function of the number of sessions, disconnected sessions and applications each server has.
4. In turn, the new data collector replicates this information to all other data collectors in the farm.
(In case you have to set a preferred backup data collector)

Even if a data collector is unavailable the servers will continue to function. Users that are already logged in will not be affected.

What happens if I update a setting on a XenApp server?
1. You make some changes in the AppCenter console affecting all the servers in the farm.
2. The server that the AppCenter console is connected to updates its LHC and writes the change to the data store via IMA.
3. That member server then forwards the change to the data collector for the zone in which it resides. The data collector updates its LHC.
4. The data collector in turn forwards the change to all the member servers in its zone. All servers update their LHCs with the change.

What happens if the data store goes down?
1. The data store server goes down (and you have a backup of the data store available; if you don’t, you would have to recreate all the farm settings). dsmaint backup takes a backup of the data store.
2. Run dsmaint migrate to migrate the settings to a new data store.

Even if the data store is unavailable, the LHC contains enough information about the farm to allow normal operations for an indefinite period of time. However, no new information can be published or added to the farm until the farm data store is online.

If you need to start from scratch with a new data store, prepare a new data store the way you did before configuring XenApp and run the Server Configuration Tool from any farm server. After running the Server Configuration Tool, manually re-enter the lost settings. If you use the same name as the previous data store, you do not need to reconfigure the farm servers.

Citrix Web interface customizing

This article is written with changing and customizing the Web Interface (v5.4) in mind.
Sometimes the default Web Interface isn’t enough.


Of course it’s nice to look at and has a clean layout, but sometimes you need it to fit the business standard.
The Web Interface consists of two folders.

C:\Program Files (x86)\Citrix\Web Interface\5.4.0
C:\inetpub\wwwroot\Citrix\XenApp

Unless you specify some other folder during install.

You can of course do much of the customization with the Web Interface administration console, but doing changes here might revert that changes that you did manually.
So we are going to change the layout manually.

The first folder, C:\Program Files (x86)\Citrix\Web Interface\5.4.0,
contains the clients for XenApp, client detection scripts (and some graphics) and language files (so here you can change the default language).

Deploying a client using the Web Interface
If you wish to deploy a new client via the Web Interface you need to download the new client from Citrix and put it in the
C:\Program Files (x86)\Citrix\Web Interface\5.4.0\Clients\Windows\Receiver folder (I’m using the Windows client for this demo).
Then go to C:\inetpub\wwwroot\Citrix\XenApp\conf, open the webinterface.conf file (as admin) and look up this string:

ClientIcaWin32=Filename:CitrixReceiver.exe,Directory:Windows,Mui:Yes

(Double check that the .exe file is named CitrixReceiver.exe.) This string points to the other folder, finds the exe file and offers it to users that need the client.
You can also specify a version number at the end of the string; the Web Interface will then offer the client to users who have an older version installed. For instance:

ClientIcaWin32=Filename:CitrixReceiver.exe,Directory:Windows,Mui:Yes,Version:13.0

After this is done, do an iisreset.
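As an added example (not from the original post, and not a Citrix tool), here is a small PowerShell check you can run before the iisreset: it parses the ClientIcaWin32 line out of webinterface.conf into its Filename, Directory, Mui and Version parts, and verifies that the named .exe really exists in the Receiver folder you copied it to. The two default paths are the ones used in this post; the function names and the assumption that the file sits directly in the Receiver folder are mine.

```powershell
# Added example, not from the original post. Parses the ClientIcaWin32 line in
# webinterface.conf and checks that the file it names exists in the Receiver folder
# you copied the client to, so a wrong file name is caught before the iisreset.
# The two default paths come from the post; override them if you installed elsewhere.
function ConvertFrom-WIClientSetting {
    param([Parameter(Mandatory = $true)][string]$Line)
    # Input looks like:
    # ClientIcaWin32=Filename:CitrixReceiver.exe,Directory:Windows,Mui:Yes,Version:13.0
    $name, $value = $Line -split '=', 2
    $props = [ordered]@{ Setting = $name.Trim() }
    foreach ($pair in ($value -split ',')) {
        $k, $v = $pair -split ':', 2
        $props[$k.Trim()] = if ($v) { $v.Trim() } else { '' }
    }
    [pscustomobject]$props
}

function Test-WIClientEntry {
    param(
        [string]$ConfPath     = 'C:\inetpub\wwwroot\Citrix\XenApp\conf\webinterface.conf',
        [string]$ClientFolder = 'C:\Program Files (x86)\Citrix\Web Interface\5.4.0\Clients\Windows\Receiver'
    )
    $line = Get-Content -Path $ConfPath |
        Where-Object { $_ -match '^\s*ClientIcaWin32=' } |
        Select-Object -First 1
    if (-not $line) { throw "No ClientIcaWin32 entry found in $ConfPath" }

    $entry = ConvertFrom-WIClientSetting -Line $line
    # Assumption: the .exe sits directly in the folder given by -ClientFolder.
    $exe   = Join-Path -Path $ClientFolder -ChildPath $entry.Filename

    # Version is optional in the conf; when present, the Web Interface uses it to
    # decide whether a user with an older client should be offered this one.
    $version = $null
    if ($entry.PSObject.Properties['Version']) { $version = [version]$entry.Version }

    [pscustomobject]@{
        Filename  = $entry.Filename
        Directory = $entry.Directory
        Mui       = $entry.Mui
        Version   = $version
        FileFound = Test-Path -LiteralPath $exe -PathType Leaf
    }
}

Test-WIClientEntry
```

If FileFound comes back False, the name in webinterface.conf and the file on disk do not match (case does not matter on NTFS, but spelling does), and users would be offered a download that 404s.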

If you don’t want to deploy clients via the Web Interface you can either guide users to the Citrix download web site

or you can use a Merchandising Server (which handles client deployment).

Add your own language files to the Web Interface

If you wish to add your own language file and make it available to the Web Interface there are a couple of things that you need to do.

Go to the folder C:\Program Files (x86)\Citrix\Web Interface\5.4.0\languages; you will see that there are a lot of duplicate files, each with their own language code at the end.
In order to add your own, create a duplicate of each file with your own language code. In my case I chose Norwegian and therefore used the no code.

So the files now look like this.


I just took a copy of the default ones, which are in English, and translated the words in these files to Norwegian.
After you have created these files and finished the translation, the change should be available after an iisreset.
(In case you wish to download a Norwegian language pack for the Web Interface, head over to Wedel IT –>

If you wish to make the new language the default, open C:\Program Files (x86)\Citrix\Web Interface\5.4.0\innstall\language.conf and change the code there.

Changing webinterface.conf

Many of the changes that you can make to the Web Interface are done in webinterface.conf, and most of the settings in there are documented on Citrix eDocs –>

But I’m going to go through some of them that I find useful.

* DomainSelection (here you can specify a default domain for the users that log in). For instance, if you have the AD domain test.local the string should say DomainSelection=test
* HideDomainField=On (this should be used in conjunction with DomainSelection; all it does is hide the domain field under username and password).
* AppTab is used to specify which tabs should appear on the website. For instance

Changing layout

If you wish to change the layout by removing images or using your own images,
open the file

Now, if you want to hide the header logo, “Citrix XenApp”, locate the “#horizonTop img” section and add the following line: display: none
If you wish to remove the bottom logo, find the #footer img section and add the line “display: none”.

Remember to take a backup of the file before you start editing it.

Also, if you wish to add JavaScript that runs before the user logs in, you can add it to login.js,
which is under C:\inetpub\wwwroot\Citrix\XenApp\auth\clientscripts,

or to the default.html file located in the root folder.

If you wish, you can write your own version of the Web Interface; Citrix has an SDK available for download.
The SDK download also includes tutorials on how you can build your own WI.

But take note that the Web Interface is EOL in 2015 and will be replaced by StoreFront.
You can read more about it on Thomas Kötzing’s blog –>

Citrix has since integrated this into CloudGateway.

Windows server 2012 roadshow

For those who are interested in Windows Server and wish to know more about what’s coming in Server 2012, I suggest you sign up for
the Windows Server 2012 roadshow in a location near you 😉
You can find the dates and locations (and sign-up info) here

I’m attending the one in Oslo, for those that wish to say “hey!”

The desktop you are trying to open is currently unavailable on terminal servers (Xenapp)

When you are using RDP in conjunction with Citrix XenApp you might get the following error message when connecting to a full desktop via ICA or RDP on the terminal server: “the desktop you are trying to open is currently unavailable”.
This is because, by default, Citrix restricts the use of the full desktop.

In order to allow “full desktop” access you have to create a Citrix user policy.

So open Citrix AppCenter –> go down to XenApp –> the farm –> Policies.

Open the User tab, choose the default policy and click Edit.

Under ICA you can enable “Desktop launches”.


In case you are also using RemoteApps, you need to configure “Launching of non-published programs during client connection” for it to work.

IT Certifications

I’m a big fan of certifications, and I’m currently pursuing multiple exams,
such as Microsoft Lync, Citrix XenApp and CASP for the moment.
Many people say that getting certifications is useless and a waste of money; well, I disagree.
First off, when you pass an exam an employer knows what to expect of you skill-wise, and it boosts your self-esteem when you have passed an exam.
It is also a good way to keep your skills up to date, since IT is ever-changing, and it is a good way for you to raise your salary.

Of course there is a lot of cheating with dumps in certifications, which of course is the downside of taking IT certifications.
A lot of employers can never be certain if you actually studied hard for the exam or just studied a dump, so a lot of people seeking jobs are being placed at the back of the line.
After taking a lot of certifications over the last couple of years, I can tell you it works 🙂

I started my certification path with Windows, since I previously worked mostly with Windows clients.
After I had taken most of the client exams I began pursuing server exams. After that I moved towards networking, starting with CompTIA and ending up with Cisco.

Now, after 3 years, I have ended up taking a lot of them.
Here you can find a copy of those I have taken for Microsoft

The purpose of this post is to show you where you can begin with certifications for the different vendors and products.
First off, when you want to register for an exam, you have to register on test sites like

Here you can register for an exam, choose where you want to take the exam (and of course pay for it).
Some vendors are only available via Pearson VUE and some via Prometric, so take a look at the vendor list.
For instance, Citrix is only available via Pearson VUE.

Microsoft has a huge list of certifications available, starting with entry exams and going up to master level.
The certification track is split into 3 levels (4 with the entry level exams, which are not associated with other exams).
You have the Associate level, which is based on the MCTS (Technology Specialist) title, and if you want to pursue it further you can take (if available) the Expert level (MCITP title);
not every product has a certification available at the expert level. And if you want to pursue it further still you can continue with the MCM Master title; there are only a few products for which you can take this exam. These include Exchange, Lync, SharePoint, SQL Server and AD.

If you are uncertain where you want to begin with Microsoft exams I suggest taking a look at the exams available on Microsoft’s site.
Most of Microsoft’s exams have a study guide book, and most of them are available on Amazon (just search Amazon for the exam code).

In case there aren’t any books available, take a look at the eLearning video providers; they offer videos for many of the Microsoft exams.
I would also recommend taking a dive into the documentation that Microsoft has available on their TechNet site regarding the product you are pursuing an exam in.
For instance, Operations Manager 2012

Also, don’t just study the book; it will only get you so far. If you have a home lab environment, use it: set up virtual machines and test the product! Microsoft offers trials of most of their products, available for download from their website.
You can also take a look here –> Microsoft offers a free exam from time to time.

Once you pass a Microsoft exam it is valid for a lifetime, but then again, an OpsMgr 2007 exam is not worth much in the year 2030.

CompTIA was pretty unknown to me before I started in the certification market, but they offer a wide range of certifications. They say that they have “vendor-neutral” exams (besides the Linux exams), and they have some good entry level exams on topics like
storage, networking, computer technician, and security.
You can see the list of certifications available on their website –>
Amazon also offers a wide range of study books for their exams; I’ve used a couple of books for my exams there.
TrainSignal and CBT Nuggets also have some learning videos for their exams.

Before you go ahead and start pursuing CompTIA, check the “See what the exam covers” section on each exam so you know what topics are covered.
Note that when you take a CompTIA exam, it is valid for 3 years, unless you take another exam which is “above” the other one.

For instance, if you take the A+ exam it is valid for 3 years, unless you take the Network+, which will renew the exam for another 3 years.

Citrix also has a wide range of exams, but... there isn’t much literature available on their products; there are a few books available on Amazon, but they are mostly outdated.
Their exams are also known to be a bit more difficult than Microsoft’s exams, and have a lot of simulations.

Much of the knowledge is gained through taking courses via Citrix or by reading the guide for the particular product on the Citrix eDocs website.

Again, TrainSignal and CBT Nuggets have loads of learning material on Citrix products.
Citrix also has multiple levels of exams, starting with the CCA entry level for a product, like CCA XenApp; then you can build on it with the next level, which is CCAA XenApp, and the next one is CCEE.
Citrix also offers a load of trials of their software, mostly in the form of virtual appliances.

But I suggest you take a look at the exams available on their website.

Cisco also offers a huge range of certifications for their different products, and they have 4 levels:
CCENT (which is the entry level exam), or you can take the CCNA exam (which is CCENT + another exam in one; it consists of ICND1 + ICND2).
Then you can choose what you want to specialize in, for instance Security, Wireless, Voice or Service Provider, in which case you need to take a new CCNA exam.
Or, if you want to pursue Routing and Switching, you can just start on the next level, which is CCNP.
And last but not least you can upgrade the CCNP to CCIE, which is the highest level.

You can view the different exams and tracks here –>
In my case, when I took the CCNA I joined a study group on their learning website.

Also, there is no use studying for a Cisco exam unless you have some Cisco hardware. The CCNA exam consists of a lot of basic networking skills, but then it continues into how to configure switches, routers and such.
You can buy some cheap Cisco equipment from eBay, or you can download GNS3 (which is a virtual network simulator) and use Cisco IOS images if you happen to have those available.

And again, Cisco offers loads of study guides for each exam, for instance CCNP ROUTE.

The only thing I find difficult with studying for these exams is having the hardware, unless you are working with Cisco at your job.

A lot of jobs today require that you have some kind of certification within a specific product; this job listing (in Norwegian), for example, requires Cisco CCNP, and there are always new certifications on the horizon.
And it's not always easy to keep track of them, or to decide what you should pursue.
A good rule is to pursue what interests you: if you are interested in networking take a look at Cisco and Juniper, and if you want to add some security to the mix, look at Cisco Security or Check Point.
If you want to take a closer look at databases, check out Oracle or MSSQL.

I would also recommend that you take a look at Mirek Burnejko’s site,
which is the most complete list of all the IT certifications available that I’ve seen on the web; it also includes a lot of news regarding new certifications that are coming.

Lync 2010 setup and installation

Now, in my previous post I went through the roles and features of Lync 2010.
In order to get a better understanding of it, I'm going to walk through the installation and setup of a basic server.
This is going to consist of:
1 x SQL server (back-end)
1 x Front-end server (which is going to be collocated with the A/V and web conferencing roles)
So I'm mostly interested in trying VoIP, IM, conferencing and desktop sharing.

Since this is going to be in a lab environment I don't need the Edge role or the Director role. I also don't have a PSTN line or a SIP line, so I don't need the Mediation role either. I will be implementing the Archiving role and the Monitoring role in a later post. I will also implement a front-end pool in case I want to install more front-end servers later on.

Before we continue, remember that you need a domain admin account, since we need to make changes to the schema, the forest and the domain.
When we launch the setup from the Lync installation media, it deploys the files needed for the installation (including the schema updates).
When that is done you can open the setup again and you will come to this screen.
(Note here, though, that I've already updated the schema and prepped the domain and the forest for this setup, so if you haven't done that yet you won't get the “Complete” mark there.)
If not, we start with Preparing Active Directory –>

(Note that this has to be done with a schema admin / domain admin account)
Click the Run button –>


Click next –>


After this screen is done, take a look at the report that was generated under the appdata\local\temp folder.
In case you want to verify that the changes made to the schema were correct, open ADSI Edit –> choose Connect to –>


Under the Schema tree you will find the attribute ms-RTC-SIP-SchemaVersion.

Check that its values are:
rangeLower: 14
rangeUpper: 1100


Now that the schema updates are done we can prep the forest.
We get the same menu as before; just click Continue –>
And again check the reports for errors. If you want, you can double-check and see that these users appear in your AD;
they are created as part of the script.


Next we continue with the domain prep –>



In case you have multiple DCs you will want to double-check that the changes you made to the domain have been replicated.
Open the Lync Server Management Shell and run the command “Get-CsAdDomain”.
You should get the response LC_DOMAINSETTINGS_STATE_READY.
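The three checks above (the schema attribute in ADSI Edit, the forest prep and the domain prep) can be done from the Lync Server Management Shell in one go, and against every DC rather than whichever one the shell happens to bind to. This is an added example, not code from the original post; it assumes the domain is test.local as in the walkthrough and that the Lync 2010 management module is available on the machine.

```powershell
# Added example (not from the original post): verify the Lync 2010 AD prep steps.
# Run in the Lync Server Management Shell on a machine that can reach the DCs.
# Assumed value: the forest/domain is test.local, as in the post.

Import-Module Lync   # Lync Server 2010 management module (already loaded in the Lync shell)

# 1. Read ms-RTC-SIP-SchemaVersion straight from the schema partition, which is the
#    same object the post inspects in ADSI Edit.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext
$attr     = [ADSI]"LDAP://CN=ms-RTC-SIP-SchemaVersion,$schemaNC"
$lower    = [int]$attr.rangeLower.Value
$upper    = [int]$attr.rangeUpper.Value
"Schema version: rangeLower=$lower rangeUpper=$upper"
if ($lower -ne 14 -or $upper -ne 1100) {
    Write-Warning "Schema is not at the Lync Server 2010 level (expected rangeLower 14 / rangeUpper 1100)"
}

# 2. Ask Lync itself; these cmdlets query AD and report a readiness state.
Get-CsAdServerSchema                   # expect SCHEMA_VERSION_STATE_CURRENT
Get-CsAdForest                         # expect LC_FORESTSETTINGS_STATE_READY
Get-CsAdDomain -Domain "test.local"    # expect LC_DOMAINSETTINGS_STATE_READY

# 3. With several DCs, run the domain check against each one, so replication lag
#    does not hide a DC that has not yet received the changes.
$dcs = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).DomainControllers
foreach ($dc in $dcs) {
    $state = Get-CsAdDomain -Domain "test.local" -DomainController $dc.Name
    "{0}: {1}" -f $dc.Name, $state
}
```

If one DC still reports a state other than READY, wait for replication (or force it) before moving on to the Topology Builder; publishing the topology against a DC that has not received the domain prep is a common source of confusing errors later.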


Now that we are done with the AD changes, we can continue with the Lync setup.
Next we continue with the Topology Builder; this is the tool we use to set up our Lync infrastructure.
So install this on the “to-be” Lync server.


After it's installed you can see that there's a check mark behind it. Then you can open the Topology Builder.
In the first menu, choose New topology.


Enter a SIP domain. In my case it is test.local.

Click next; now I get asked if I want to specify additional domains, in case I had a larger AD infrastructure.
I could add those domains here.


Click next, and then define the first site.

Click next –>
Here you need to enter the site details, then click next –>


Now that you are finished, tick “Open the new front end wizard” and click finish.


Click next here –>


I choose Enterprise front end pool here, click next –>


Now add the computers that are going to participate in the pool.
Click next –>
Now we choose what other features we wish this pool to manage; in my case I choose only the first one,
“Conferencing, audio, video and application sharing”,
and click next –>

Now I get the option to collocate other features in the front-end pool, so I choose the A/V conferencing service.
Click next –>


I don’t want to enable any of these features yet, so I just click next –>


Now we get to the SQL store. Enter the server name of the SQL server, and choose the default instance if you haven't chosen another name for the instance during the SQL install.


Now we have to define a file share.
(NOTE that the setup does not create this share; it has to be created before continuing.)
If you are doing this in a lab environment, create a file share with EVERYONE:F access.
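Outside a throwaway lab, EVERYONE:F on the Lync file share is worth avoiding: the share ends up holding address book files, meeting content and other user data, and a world-writable share is an easy place for any domain account to plant or tamper with files. The following is an added example (not the post's or Microsoft's code) of creating the share on Windows Server 2008 R2 with NTFS and share permissions limited to administrators plus the RTC universal groups that forest prep created. Path D:\LyncShare, share name LyncShare and NetBIOS domain TEST are assumed values.

```powershell
# Added example (not from the original post): create the Lync file share with a
# tighter ACL than EVERYONE:F. Run on the file server in an elevated PowerShell.
# Assumed values: path D:\LyncShare, share name LyncShare, NetBIOS domain TEST.
$path   = 'D:\LyncShare'
$share  = 'LyncShare'
$domain = 'TEST'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Universal groups created by the forest prep; the Lync services and the
# replication/admin tooling run as members of these.
$lyncGroups = @(
    "$domain\RTCHSUniversalServices",
    "$domain\RTCComponentUniversalServices",
    "$domain\RTCUniversalServerAdmins",
    "$domain\RTCUniversalConfigReplicator"
)

# NTFS: break inheritance, then grant Administrators/SYSTEM full control and the
# Lync groups Modify. Everyone / Authenticated Users get nothing.
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl')
) + ($lyncGroups | ForEach-Object { ,@($_, 'Modify') })
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Share-level permissions. New-SmbShare does not exist on 2008 R2, so use net share;
# the effective access is the intersection of share and NTFS permissions.
$grants = ($lyncGroups | ForEach-Object { "/GRANT:$_,CHANGE" }) -join ' '
cmd /c "net share $share=$path /GRANT:Administrators,FULL $grants"

# Verify both layers: only the principals above should appear.
cmd /c "net share $share"
(Get-Acl $path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The Topology Builder only needs the share to exist and to be writable by the account that publishes the topology and by the Lync service groups, so nothing in the rest of the walkthrough changes; if publishing later complains about access to the share, the account running Topology Builder is the one to add, not Everyone.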

Click next –>


Specify a URL for the external base URL, and click finish!

Now that that's complete, what did we actually do?
We just created an XML file describing how we want our topology to look.
As you can see we have the front-end pool we created,
the file share and the SQL store, but this is just a config file: nothing has been created on the SQL server and no files have been created on the file share.
So now we have to publish this topology.


So click the Action button, choose Topology and then choose Publish.


As a part of this you will get the option to create the Lync database as well, so click next.

Choose the front-end pool that is available in the drop-down menu, click next.


After that is done (and everything went smoothly) you will get this screen.


Now we have to open the to-do list and see what we have to do next.
This is just a text file that says we need to update our DNS records for the pool and the other addresses.


But we still haven't actually installed anything on the front-end server we defined as “scsm”, so we continue the install.
We have created the topology and distributed it to the back-end server. So now we have to install the front-end server.
So start the setup menu again.


Click on Install or update Lync Server System, then click on Install Local Configuration Store (this will set up a local SQL Express instance and copy down the configuration from the CMS).



Once that is done, we can continue with the installation, so go back to the setup menu and choose “Setup or Remove Lync Server Components”.


Click next –> This will install the roles that are defined for the server in the topology.
(This part might take a while, and will require a reboot; after the reboot run the setup again.)
When that is done you will get back to the setup menu. Now we have to assign certificates to the server.
NOTE: This requires that you have your own PKI set up; if you haven't configured a PKI before, I suggest heading over to my other post regarding SCCM and PKI.


So start by clicking Request –>


Click next –>


Choose send the request immediately (or, in case you have an offline CA, choose that option), then click next –>


I already have a CA in my domain, so I select that and click next –>


If I had to use another account to get the certificates I would enter it here, but I'm fortunate that my current account is a full admin, so I click next.

In case you have created a different template for Lync you could choose it here; if you want to use the default (WebServer template), just click next –>


Enter a “Friendly name” and choose next (leave the bit length at the default) –>

This field will automatically be populated based on the topology, so just click next –>


In my case I only have 1 SIP domain, so I mark it and click next.

If you have any other SANs you wish to enter, you can enter them here.


If not click the next button –>

Now it is sending a request to the sub-CA, so after this is completed click next –>


And as you can see the setup has now added a certificate to the local store.

Just click close now, and we get back to the wizard.


Now we have the green check mark on the certificates and we can continue with starting the services.

Even though it says “Completed”, it takes some time before all the services are started.
In my case it took over 1 min before the front-end service got started.


But now that they are all started, we can continue on to setting up Lync.
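Two things are worth checking from the shell at this point instead of trusting the wizard's green marks: which certificate Lync actually assigned (subject, SANs, issuer, expiry) and whether the services have really come up, since the wizard reports "Completed" before they are all running. This is an added example, not code from the post; the CA subject string is an assumed placeholder for the lab CA.

```powershell
# Added example (not from the original post): confirm the assigned certificates and
# wait for the services rather than trusting the wizard's "Completed" status.
# Run in the Lync Server Management Shell on the front-end server.

# Which certificates Lync has assigned, to which use, and when they expire.
Get-CsCertificate |
    Select-Object Use, Subject, Issuer, NotAfter, Thumbprint,
        @{ n = 'SANs'; e = { $_.AlternativeNames -join ', ' } } |
    Format-List

# Flag anything expiring within 30 days, or not issued by the CA we expect.
$trustedIssuer = 'CN=test-CA, DC=test, DC=local'   # assumed: subject of the lab sub-CA
foreach ($c in Get-CsCertificate) {
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning ("{0} certificate expires {1}" -f $c.Use, $c.NotAfter)
    }
    if ($c.Issuer -ne $trustedIssuer) {
        Write-Warning ("{0} certificate was issued by {1}" -f $c.Use, $c.Issuer)
    }
}

# Poll the Lync services until all are running (the post waited over a minute for
# the front-end service); give up after 10 minutes so a broken service is noticed.
$deadline = (Get-Date).AddMinutes(10)
do {
    $pending = @(Get-CsWindowsService | Where-Object { $_.Status -ne 'Running' })
    if ($pending.Count -gt 0) {
        "Waiting for: " + (($pending | ForEach-Object { $_.Name }) -join ', ')
        Start-Sleep -Seconds 15
    }
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($pending.Count -gt 0) {
    Write-Warning ("Still not running: " + (($pending | ForEach-Object { $_.Name }) -join ', '))
} else {
    "All Lync services are running"
}
```

A service that never leaves Starting usually points back at the certificate step (wrong SAN for the pool FQDN, or the private key not accessible to the service account), which is why the certificate listing comes first.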


Now when that is done, remember to add the front-end pool host in DNS or you will get an error when you try to open the Lync Control Panel.
And remember the Lync Control Panel is based on Silverlight.


Now before we conclude this post, I want to SIP-enable my user Administrator
and make sure I can authenticate with the client.

You can download a trial of the Lync Client here –>

So when I enter my username@test.local and press login, voila! It works.
(In my case I forgot to create the SRV record which the client uses to find the DNS name of the server, so I had to enter the FQDN of the server manually.)
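The DNS records the client depends on (the pool A record from the to-do list and the SRV record that was missing above) and the SIP-enabling of the user can all be scripted. Below is an added example, not code from the post; it assumes a pool FQDN of pool01.test.local, a front-end fe01.test.local at 192.168.1.20 and a DNS server dc01.test.local, none of which appear in the original walkthrough. Only the TLS SRV record (_sipinternaltls._tcp, port 5061) is created, so the client's automatic sign-in goes over TLS rather than falling back to plain TCP.

```powershell
# Added example (not from the original post): DNS records and user enablement that the
# Lync client sign-in relies on. Run from the Lync Server Management Shell on a
# server allowed to manage the DNS zone (dnscmd is used for the zone changes).
# Assumed values: SIP domain test.local, pool FQDN pool01.test.local,
# front-end fe01.test.local at 192.168.1.20, DNS server dc01.test.local.
$sipDomain = 'test.local'
$poolFqdn  = 'pool01.test.local'
$poolHost  = $poolFqdn.Split('.')[0]
$feHost    = 'fe01'
$feIp      = '192.168.1.20'
$dnsServer = 'dc01.test.local'

# 1. A records: the front-end itself and the pool name (with a single front-end
#    the pool name resolves to that server). This is the "add the front-end pool
#    host in DNS" step from the to-do list.
dnscmd $dnsServer /RecordAdd $sipDomain $feHost   A $feIp
dnscmd $dnsServer /RecordAdd $sipDomain $poolHost A $feIp

# 2. SRV record used by the client for automatic sign-in over TLS.
#    Syntax: /RecordAdd <zone> <node> SRV <priority> <weight> <port> <target>
dnscmd $dnsServer /RecordAdd $sipDomain '_sipinternaltls._tcp' SRV 0 0 5061 $poolFqdn

# 3. Verify from a client's point of view before trying the sign-in.
nslookup -type=SRV "_sipinternaltls._tcp.$sipDomain" $dnsServer
nslookup $poolFqdn $dnsServer

# 4. SIP-enable the user and home it on the pool (the same thing the Control Panel
#    does when you enable a user; SipAddressType SamAccountName gives user@test.local).
Enable-CsUser -Identity 'Administrator' -RegistrarPool $poolFqdn `
    -SipAddressType SamAccountName -SipDomain $sipDomain
Get-CsUser -Identity 'Administrator' | Select-Object SipAddress, RegistrarPool, Enabled
```

The SRV target must match a name in the certificate's SANs (the pool FQDN was added automatically in the certificate wizard earlier); if it does not, the client will show a certificate warning or fail to sign in even though DNS resolves correctly.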


In case you are having some trouble connecting your client, open the options tab and choose
“Turn on Windows Event logging for Lync”; then you can see in the application log if you are having any issues.


I will continue on with some posts regarding policies and such later.

SCVMM 2012

So I'm back on the System Center track; this time I'm going to continue with SCVMM, which basically is the frontline product for Microsoft's “Cloud” concept.
What is SCVMM (System Center Virtual Machine Manager)? It is Microsoft's management product for Hyper-V, the Microsoft equivalent of vCenter.
Of course with it you can also manage other type-1 hypervisors such as XenServer and VMware ESXi, from one console.

SCVMM has come a long way since the first release in 2007, and there are tons of new features available in the latest release, such as:

  • Defining logical networks, IP pools, MAC address pools, VIP pools for load balancers
  • Service Templates
  • Power Optimization
  • Hyper-V and Cluster Lifecycle Management – Deploy Hyper-V to bare metal server, create Hyper-V clusters, orchestrate patching of a Hyper-V Cluster
  • Storage Management – Classify storage, Manage Storage Pools and LUNs
  • New Self-service portal
  • Service Creation Designer
  • + More

So if you haven’t touched SCVMM yet, I suggest you download it and try it on a VM.

SCVMM consists of the following roles:

1 * DB
1 * Management server (which is the brain behind the operations)
1 * Self-service portal (which is the web site where users can operate their own VMs or order new ones)
And 1 or more Hyper-V servers

Now during the writing of this post I had some trouble with one of my home-lab servers, so I don't have a Hyper-V server to connect to VMM, but all the Hyper-V hosts that you want to manage via VMM need to have the VMM agent installed, which you
can find on the VMM installation media. But I'm going to go through the installation of VMM, set up the basics and set up the self-service portal. First off, have Windows Server 2008 R2 with Service Pack 1 installed before you continue.


The setup menu is the same as for the other SC products; in my case I remove the mark from “Get the latest” and click Install.

I wish to install the VMM management server, console and the Self-service portal on the same server.


Click next here; this will set the product in evaluation mode.


Accept the terms and click next.


Click yes or no here.


I choose no here since I have my own WSUS server that will handle updates for this product.

Select the installation location and choose next.


Now you will get a prerequisite check;
note that the management server needs:
.NET 3.5
Windows AIK for Windows 7
(In my case I get a warning since I only have 2 GB of RAM on my server, but since it's just a warning I can continue.)


Next I choose the database configuration: enter the server name of your SQL server, with credentials that you know have access to the DB server, and click Next.


Now we have to configure a service account for VMM (you should create a new account for this purpose).
If you want to have a highly available management server, choose to store the keys in AD.
(NOTE: After the installation is done you can view the encrypted information in AD Users & Computers.)

Click next on the setup.

Review the port setup and choose next.


This is the self-service portal setup; since I have the management server on the same server as the self-service portal, I just have to enter the host name of that server as the VMM server name.
And since I don't have any other web sites on this server I just click next.


Now I enter the information regarding the library. I don't have a lot of storage available, so I just choose the local drive.
NOTE: The library contains files stored on library shares, and it contains operating system, hardware, and template configurations stored in the VMM database. Library resources are added, created, used, and managed in Library view. See here –>

The best practice is to have this on a SAN, so other VMM servers can access the same library.

Then click next and install.

If everything completed successfully you should see this screen.


If you bump into some errors, check the event log and/or under C:\ProgramData\VMMLogs.
If not, choose close.


Now we can start the console from the start menu.
NB: If you altered the port settings during setup, remember the port number for “communication with the VMM console”, and click Connect.


So this is the VMM console; right now it's just a pretty empty shell. Before we continue exploring the console I want to finish setting up the self-service portal. Open IIS Manager and change the authentication setup of the self-service portal to Windows Authentication, so that we get SSO for internal users.

After that is done you can open the web site.


When you open it you will get the following message. Note that the account you use to install VMM automatically becomes a full administrator, but
even though my account is a full administrator it is not allowed access to the self-service portal. So before we continue we have to grant my account access to the self-service portal. So open the VMM console,
go to Settings –> User Roles –> and choose Create User Role



Give the role a fitting name and choose next.


Choose Self-service user, then click next.


Add a user from AD to the role; in my case I want my administrator account. Then click next.

Now choose what rights this user gets inside the self-service portal, then click next, next, finish.

Now, this time when I open the self-service portal I get access.
NOTE: You should use HTTPS for the self-service portal, using an external certificate, for improved security.
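The portal hardening described in this post (Windows Authentication for SSO, an HTTPS binding with a proper certificate) and the self-service user role can be done from an elevated PowerShell on the VMM server instead of clicking through IIS Manager and the console wizard. This is an added example, not the post's or Microsoft's code; it assumes the portal was installed under "Default Web Site", that the VMM server is vmm01.test.local, that the self-service user is TEST\Administrator, and it uses a placeholder for the certificate thumbprint.

```powershell
# Added example (not from the original post): self-service portal authentication,
# HTTPS binding and user role, scripted. Run in an elevated PowerShell on the
# VMM 2012 server that also hosts the portal.
# Assumed values: portal under "Default Web Site", VMM server vmm01.test.local,
# self-service user TEST\Administrator, placeholder certificate thumbprint.
$site       = 'Default Web Site'
$vmmServer  = 'vmm01.test.local'
$thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'    # placeholder: thumbprint of the portal certificate
$appcmd     = "$env:windir\system32\inetsrv\appcmd.exe"

# 1. Windows Authentication on, Anonymous off: only domain accounts reach the
#    portal, and internal users get single sign-on (the post's IIS Manager step).
& $appcmd set config "$site" /section:windowsAuthentication   /enabled:true  /commit:apphost
& $appcmd set config "$site" /section:anonymousAuthentication /enabled:false /commit:apphost

# 2. HTTPS binding, so credentials and session cookies do not cross the wire in
#    clear text, then tie the certificate to port 443 (appid is an arbitrary GUID).
& $appcmd set site /site.name:"$site" /+"bindings.[protocol='https',bindingInformation='*:443:']"
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumbprint appid='{00112233-4455-6677-8899-aabbccddeeff}'

# 3. Self-service user role through the VMM cmdlets instead of the wizard
#    (Settings -> User Roles -> Create User Role -> Self-service user).
Import-Module VirtualMachineManager
Get-SCVMMServer -ComputerName $vmmServer | Out-Null
$role = New-SCUserRole -Name 'Lab Self-Service' -UserRoleProfile SelfServiceUser `
            -Description 'Self-service users for the home lab'
Set-SCUserRole -UserRole $role -AddMember @('TEST\Administrator')

# 4. Verify: the role exists, has the expected profile, and lists the member.
Get-SCUserRole -Name 'Lab Self-Service' | Select-Object Name, UserRoleProfile, Members
& $appcmd list config "$site" /section:windowsAuthentication
& $appcmd list site "$site"
```

The rights the wizard asks about on its last page (what a self-service user may do with VMs) are granted per role and per cloud once clouds exist; with no Hyper-V host connected yet, as in this post, a role with a member but no scope is the expected end state for part 1.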


That's part 1; when I get my Hyper-V server up and running again I will continue with creating services, templates and clouds.