Category: Clients


I have been tasked with working with an Access 2010 database. This database needs to be available to non-technical users for basic data entry, and the CEO of my company needs to be able to run reports off of dynamic data. My first thought was to build a custom ASP.NET solution on top of the database back-end, but let's face it- that's a lot of work. So I decided upon another route.

  • The database will be split in Access into a front end and a back-end.
  • The front ends will be compiled to binary (.accde) and distributed to multiple users.
  • In the front ends, our designer will create the forms needed for users to input information.
  • We will link the back-end Access file to an instance of SQL Server.
  • The back-end file will remain editable, so the database creator can add data and fields.
  • SQL Server Reporting Services will connect to the linked SQL Server database.
  • I will pre-configure reports for the CEO.

This article assumes that you know a thing or two about computers:

  1. How to share and distribute an item.
  2. The differences between file formats (.accdb, .mdb, .accde).
  3. You have all the required software installed and configured (SQL Server in a non-Express edition, Access, IIS 6+).
  4. You are willing to use new tools.
  5. You are familiar with connection strings and working with database connections.

My setup (you should have most of the items here, or at least comparable ones).

Member server running Windows Server 2008 R2.

SQL Server 2008 R2 Enterprise- most full editions will work.

SQL Server Reporting Services- this will not run on some versions of Express, and I had trouble getting it installed on a Small Business Server 2008 server.

Microsoft Access 2010. Access 2010 Help.

We are going to download a few more items to make this easier. These items are not always necessary, but they are the way I went about it with limited database knowledge.

Download and install SQL Server Migration Assistant 2008 for Access from Microsoft here.

Download and install Microsoft Access Runtime 2010 here. You should not need this if you have Access 2010 installed (which I did and do), but the installer for the first tool told me to do it, so I did 😛

Optionally, I also installed Microsoft SQL Server 2008 Reporting Services Add-in for Microsoft SharePoint Technologies.

You need to have your Reporting Server up and running, and configured. For help on doing this, visit this page. Once you are set up, make sure Reporting Services is running off an SQL Server instance. For this walk-through, mine is named

MEMBERSERVER\REPORTING

My websites (automatically configured by SSRS) are set as

http://memberserver/reports

-and-

http://memberserver/reporting

Let's begin.

Create a shared folder on your server or on a secure PC. Share it to Authenticated Users rather than Everyone (and, better still, only to the users who will be entering data: anyone with write access to this share can edit or replace the back-end file directly). I created my share on the member server's C: drive and named it theDatabase (UNC location: \\memberserver\thedatabase).

I am going to drop my Access 2010 database file there, which is still in .accdb form. The database has roughly 6 tables, 300 rows in the main table, and 20 columns. It will receive roughly 6 entries per week max, from no more than 2 users. As you can see- a small-scale project.

Inside of this shared folder, create a folder named Backup. At this time, before we do anything, you should make a backup of your Access database, make the filename today's date and time, and place it in this folder. We will create several backups throughout this process, and they should all follow this format and location.
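The share and the backup step above, scripted: this is an added example, not code from the original post. It creates the share with explicit grants instead of Everyone, sets a matching NTFS ACL, and takes the timestamped backup the post asks for, refusing to copy while Access holds the file open. The group names DOMAIN\AccessDataEntry and DOMAIN\AccessDbOwner and the file name WIMS.accdb are assumptions; substitute your own.

```powershell
# Added example (not from the original post): create the share with explicit
# grants instead of Everyone, set a matching NTFS ACL, and take the timestamped
# backup the post asks for. Assumed names (not in the post): the domain groups
# DOMAIN\AccessDataEntry (the users who enter data) and DOMAIN\AccessDbOwner
# (the database creator), and the database file name WIMS.accdb.
$ErrorActionPreference = 'Stop'

function New-DatabaseShare {
    param([string]$Path, [string]$ShareName, [string]$EntryGroup, [string]$OwnerGroup)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    New-Item -ItemType Directory -Path (Join-Path $Path 'Backup') -Force | Out-Null

    # NTFS: drop inherited ACEs, then grant only what each group needs. Data-entry
    # users need Modify (Access creates and deletes the .laccdb lock file next to
    # the database); the owner group, SYSTEM and local Administrators get Full.
    icacls $Path /inheritance:r
    icacls $Path /grant "${OwnerGroup}:(OI)(CI)F"
    icacls $Path /grant "${EntryGroup}:(OI)(CI)M"
    icacls $Path /grant 'BUILTIN\Administrators:(OI)(CI)F'
    icacls $Path /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

    # Share: explicit grants, no Everyone entry. Effective access is the more
    # restrictive of the share and NTFS permissions, so both must be right.
    $grantEntry = "/GRANT:$EntryGroup,CHANGE"
    $grantOwner = "/GRANT:$OwnerGroup,FULL"
    net share "$ShareName=$Path" $grantEntry $grantOwner
}

function Backup-AccessDatabase {
    param([string]$Path, [string]$Database)
    $source   = Join-Path $Path $Database
    $lockFile = Join-Path $Path ([IO.Path]::GetFileNameWithoutExtension($Database) + '.laccdb')
    if (Test-Path $lockFile) {
        throw "Lock file $lockFile exists; close the database in Access before backing it up."
    }
    # The post's convention: the backup file name is the date and time it was taken.
    $stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
    $target = Join-Path (Join-Path $Path 'Backup') "${stamp}_$Database"
    Copy-Item -Path $source -Destination $target

    # Verify the copy before trusting it as a restore point.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $a = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($source)))
    $b = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($target)))
    if ($a -ne $b) { throw "Backup $target does not match $source." }
    $target
}

New-DatabaseShare -Path 'C:\theDatabase' -ShareName 'theDatabase' `
    -EntryGroup 'DOMAIN\AccessDataEntry' -OwnerGroup 'DOMAIN\AccessDbOwner'
Backup-AccessDatabase -Path 'C:\theDatabase' -Database 'WIMS.accdb'
```

Run it from an elevated PowerShell prompt on the server (icacls and net share both need it). Call Backup-AccessDatabase again at each point where the post says to back up; the lock-file check is what stops you from copying a half-written file while a user still has the front end open.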

With the file in the right place, and backed up, open up the tool we installed, SSMA 2008 for Access.

SSMA Wizard

You are presented with a wizard (I love wizards) that tells you the upcoming steps. Let’s use it:

Click Next.

Enter a name for the project (not the database or connection). I named mine SQLMigration1. Make sure the last box is set to SQL Server (for this blog post; you can change this if you are migrating to other targets).

SSMA Project Name

Click Next.

Click Add Database (or find database, but we know where it is). In the popup, browse to the folder we created and placed the database in, then select it and click Open.

Add Database File

You might at this point receive an error. Reading this error, you can upgrade your connectivity drivers, or you can re-run the program. Mine was running in 32-bit mode (shortcut on desktop). To run in 64-bit mode, go to the file location and double-click the .exe file without the 32 on it.

The default location is:

"C:\Microsoft SQL Server Migration Assistant 2008 for Access\bin\SSMAforAccess.exe"

Repeat the steps and it should complete successfully. Select the items that you are going to import or link (in my case) to SQL. I selected both of the queries and all the tables.

Select Table and Queries

Now type in your destination SQL server information.

Server name: MEMBERSERVER\REPORTING

Server Port: [default]

Database: WIMS

Authentication: Windows Authentication.

Since there is no database named WIMS in that instance of SQL Server, the wizard asks about creating it. I select yes.

Create Database Error

If you want to link it, check the box. Read the paragraph for more information.

Link Tables

Let the tool run. You will get a popup about metadata, triggers, indexes, etc. Just click ok and let it run.

After it finishes, I have a boatload of errors- so we will send the database back to the creator to fix, but we will continue the process with this database, today.

At this point if you open up the database in access, you should see all of the linked tables. You will also see your database does exist in SQL Management Studio.

Linked Tables in Access

Database Created in SQL

Close out Access, and close out SSMA. Save your project. Now backup (copy) your database into the backup folder.

Now browse to your Reporting Server site (http://memberserver/reports).

I have created a few folders here, do not mind them. On the link bar in the middle of your screen click New Data Source.

New Data source

Now customize this page to fit your setup. Here is a link on how to create the connection string portion. The security is your own choice; I use Windows Integrated. With Windows Integrated security the query runs as the user viewing the report, so each report viewer (the CEO included) needs at least read access to the WIMS database in SQL Server; do not work around that by storing an administrator's credentials in the data source.

When you are finished, Test it (you will see a green success or a red error message), then click Ok.

You will then see an icon for the database on your home view- oops! I do not want users to see that. Click the little arrow next to the database, select Manage, check the box for Hide in tiled view and click Apply changes, then navigate to Home again.
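A check for the data source you just created: the following is an added example, not code from the original post. It opens the same Integrated Security connection string SSRS will use and reports which SQL Server identity it maps to and whether that identity is read-only, then grants a report-readers group db_datareader and nothing else. The group DOMAIN\ReportReaders is an assumption; the instance and database names are the post's.

```powershell
# Added example (not from the original post): test the SSRS data source
# connection before saving it, then give report viewers read-only access in
# SQL Server. Assumes (not in the post) a domain group DOMAIN\ReportReaders
# containing the CEO and anyone else who runs reports.
$ErrorActionPreference = 'Stop'
$instance = 'MEMBERSERVER\REPORTING'
$database = 'WIMS'
$readers  = 'DOMAIN\ReportReaders'   # assumed group name

# Windows Integrated security: no password stored in the data source, and the
# query runs as whoever is viewing the report. SSRS and SQL Server are on the
# same box here, so no Kerberos delegation is needed for that to work.
$connectionString = "Data Source=$instance;Initial Catalog=$database;Integrated Security=SSPI"

function ConvertTo-Flag($value) {
    # IS_MEMBER returns 1, 0 or NULL (DBNull in .NET); only 1 counts as true.
    ($value -isnot [DBNull]) -and ([int]$value -eq 1)
}

function Test-ReportConnection {
    param([string]$ConnectionString)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Who SQL Server sees us as, and whether that identity is read-only.
        $cmd.CommandText = "SELECT SUSER_SNAME() AS login, IS_MEMBER('db_datareader') AS reader, IS_MEMBER('db_owner') AS owner"
        $rdr = $cmd.ExecuteReader()
        [void]$rdr.Read()
        New-Object PSObject -Property @{
            Login  = $rdr['login']
            Reader = ConvertTo-Flag $rdr['reader']
            Owner  = ConvertTo-Flag $rdr['owner']
        }
    } finally { $conn.Close() }
}

# Grant the viewers db_datareader and nothing else. sp_addrolemember is used
# because ALTER ROLE ... ADD MEMBER only exists from SQL Server 2012 onwards.
$grantSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$readers')
    CREATE LOGIN [$readers] FROM WINDOWS;
USE [$database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$readers')
    CREATE USER [$readers] FOR LOGIN [$readers];
EXEC sp_addrolemember N'db_datareader', N'$readers';
"@
sqlcmd -E -S $instance -Q $grantSql

$result = Test-ReportConnection $connectionString
$result | Format-List Login, Reader, Owner
if ($result.Owner) {
    Write-Warning "Connected as $($result.Login) with db_owner rights; reports should not run as an owner."
}
```

Run the grant once as the SQL Server administrator, then run the connection test under a member of the readers group (runas /user:DOMAIN\someviewer powershell) to see what the CEO's session will get. Run as yourself you will almost certainly see Owner = True, because you created the database; that is exactly the identity a report should not be using.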

Now click on Report Builder, and get to making your reports. I will get into that in my next post, mostly because I do not know how to use the tool well as of yet.

Now we are going to split our linked Access database into a front end and a back-end. We will leave the back-end in the shared folder, and distribute the front end. Because the tables are linked, changes users make in the front end go to the back-end, whose tables are links into SQL Server, so the data lands in SQL Server and shows up in your reporting.

Open up your Access database. Click on Database Tools Ribbon, and then select Move Data > Access database.

Access Move Data

Select Split Database. Save it; I typically leave the default naming alone, which is to add _be (back-end) to the file name. This is the file you leave alone. You now give out copies of the original file for people to access the database.

You can make this a compiled project by saving it as accde, in the file menu> Save and Send, then save as ACCDE.

I am going to gloss over the beginning processes, because I have already performed and documented them here.
This is a Lync Server 2010 install on a domain member server running Windows Server 2008 R2 Enterprise.

I will pick up: Prepare First Standard Edition Server.

This goes through the process, and completes this time, installing SQL 2008 Express and an instance named RTC, which is started and running.

Next, select Install Topology Builder, and let the tool complete.

Topology Builder

Now let's do some prep. First, add the account you are using to the Domain Admins and RTCUniversalServerAdmins groups. You can do this via ADUC, by double-clicking the group, selecting the Members tab, and adding the name of your account.

RTCUniversalServerAdmin

Next, create the share you will be using during your topology setup. The default share name is share, on the server you are installing Lync 2010 on. I will name it LyncShare, as this server has little else to do besides Lync, and no other shares. I create a new folder on any drive, right-click it and select Share with > Specific people. I then add Domain Users and Everyone with Read/Write permissions. We can change these to least access later on.
File Sharing

Make sure the account you are using is in there as well- and this should be a domain account.
DNS records for your Server Pool need to exist, as well as Simple URLs. We will add those after we build the topology, before we publish it.

Now, go to Start>All Programs>Lync Server 2010, and select Topology Builder.

Click on New Topology.

The Primary SIP Domain can be any domain name that you use, I leave mine set to my internal domain name. For this example, I will use company.local.

Primary SIP Domain

Click Next. I am not adding any additional domains, so click Next again.

Under Site Name, name your site something nice, like CompanyLync.

First Site

Click Next. Enter your City, State, and Country.

Check the box: Open the New Front End Wizard… and click Finish.

New Front End Wizard

Click Next.

Select Standard Edition Server, and enter the domain member server’s FQDN.

Front End FQDN

Click Next. Check no boxes, click Next.

Select Features

Uncheck Mediation Server, and hit Next.

Collocated Server Roles

Enable anything you want, I leave all unchecked. Click Next.

Associated Server Roles

Click Next on the grayed out options screen for SQL Store, to leave them at the default settings for new.

Select the name of a File Share, leave File Server alone or set to your company’s file server- in this case it is all on one server, so enter that servers FQDN. Click Next.

File Share

Leave Web Services URL alone- remember this is going to be used for internal IM only. You can change this as you see fit, if you will be hosting external access.

Web Services URL

I named my External URL ExternalPool.company.local. I will now create DNS records for both pools. Open up the DNS MMC, and add an Alias (CNAME) entry for both the internal and external base URLs, pointing to the correct FQDN of the server.

DNS Alias for Pool

You can now view the properties of everything you have configured.

Properties

Click Edit Properties from the menu on the right. Click Simple URLs on the left of the window that opens.

Add an Administrative access URL. I did mine to match the other two, changing the first word to admin.
Click Central Management Server and select the only option.
Simple URLs

Now let's add DNS entries for these three Simple URLs.
Back in the DNS MMC, add an Alias (CNAME) for dialin, meet, and admin.
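The pool and Simple URL records above, created from the command line instead of the MMC and then checked: an added example, not code from the original post. It uses dnscmd, which ships with the DNS Server tools, and then resolves each alias to confirm it lands on the Front End's address rather than on a stale record. The DNS server name dc1.company.local, the Front End FQDN lyncfe.company.local and the internal pool name internalpool are assumptions; externalpool, dialin, meet and admin are the names the post uses.

```powershell
# Added example (not from the original post): add the pool and Simple URL CNAMEs
# with dnscmd and confirm each one resolves to the Front End server's address.
# Assumed names (not in the post): DNS server dc1.company.local, Front End FQDN
# lyncfe.company.local, and internalpool as the internal pool name; the post
# itself used externalpool.company.local and the Simple URLs dialin, meet, admin.
$dnsServer = 'dc1.company.local'        # assumed
$zone      = 'company.local'
$frontEnd  = 'lyncfe.company.local'     # assumed Front End FQDN (must already have an A record)
$aliases   = 'internalpool', 'externalpool', 'dialin', 'meet', 'admin'

function Add-LyncCname {
    param([string]$Name)
    # dnscmd <server> /RecordAdd <zone> <node> CNAME <target FQDN>
    dnscmd $dnsServer /RecordAdd $zone $Name CNAME $frontEnd
}

function Test-LyncName {
    param([string]$Name)
    $fqdn     = "$Name.$zone"
    $expected = @([System.Net.Dns]::GetHostAddresses($frontEnd) | ForEach-Object { $_.IPAddressToString })
    try {
        $got = @([System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $got = @()   # name does not resolve at all
    }
    # The alias must land on the Front End, not on some stale record.
    $ok = @($got | Where-Object { $expected -contains $_ }).Count -gt 0
    New-Object PSObject -Property @{ Name = $fqdn; Resolves = $ok; Addresses = ($got -join ', ') }
}

foreach ($a in $aliases) { Add-LyncCname $a }
ipconfig /flushdns | Out-Null      # so the checks below do not hit cached negative answers
$aliases | ForEach-Object { Test-LyncName $_ } | Format-Table Name, Resolves, Addresses -AutoSize
```

Run it on a machine whose resolver points at the DNS server you changed; if the zone is AD-integrated the records replicate to the other DCs on their own schedule, so a false Resolves = False right after creation usually just means you are querying a DC that has not replicated yet.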

In the menu on the right, click Publish Topology.

Read the requirements, and when ready, click Next.

Leave this to default and click Next.

Central Management Server

Now I decided to change my pool name, and I got all sorts of problems. If you get warning messages about your pool not existing in AD, then you can use Lync Management Shell to remove the pool, and redo the set up. The post on how to do this is here.

Now when I hit Publish, it completed successfully.

Publish Progress

Publish Success

Nice, but we still have more to do. Microsoft says that this is the point in which you rerun the setup on all servers that will be handling Lync. Since I am only using one, we do not need to do this. Go back to the Lync Server Deployment Wizard. This time click on the link to the left- Install or Update Lync Server System.

Install or Update Lync Server System

Click Run next to Install Local Configuration Store. Leave the default options on both screens, and click next.
Let the Wizard complete. Hopefully you will receive success on all the prerequisites.
NOTE: Make sure to always expand the prerequisites tab before each item and make sure you are in compliance.
Installing Local

Once complete, click Run next to the next item, Lync Server Components.

Click Next.

IIS Roles

I get an error about IIS features. I remember when I added the IIS role, I left most of the boxes cleared by default. Let's enable all of that now.

Click Server Manager, and select Roles. At this point you will have IIS installed, so click on the link. Scroll down a bit and click Add Role Services. I then added all of the roles that the error message mentioned. I suppose you could add all, but why add extra stuff that you do not need?

IIS Role Services

Click Next, click Install.

It will complete (no reboot needed). Go back to your Lync Deployment screen, and re-run Setup Lync Server Components.

Click Finish once that completes without errors.

Run the next task: Request, Install, or Assign Certificates.

A box appears with a Default Certificate, which is unassigned. Click Request next to it. You could also click request, and formulate a CSR to an Offline CA. I will select send the request immediately to an online CA, and click Next.

Certificate Wizard

It should automatically pull up your CA server, which in my case is my DC. I will click Next if this is correct. You can then specify alternate credentials, if you are not signed in as a domain admin account. I am, so I will leave this alone. Click Next.

Click Next past the Alternate Template page.
Specify a friendly name. I used lyncfriendly.
I'll let you decide what to put here, for OU and Organization. Consult the Lync documentation if you need help with this. Click Next and fill out your locale.
Click Next twice.
Check the box next to your SIP Domain, and click Next.
SIP Domain

Click Next.

Click Next again.

And again, and let the wizard do its thing.

Certificate Request Completed

You will get a message about thumbprints, make sure the box is checked, and click Finish.
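Before assigning the certificate, it is worth confirming that the one the wizard just installed actually covers every name clients will connect to. The following is an added example, not code from the original post: it reads the subject and Subject Alternative Name extension of each certificate in the computer's personal store and reports which expected names are missing, whether the private key is present, and the expiry. The expected name list is an assumption (the Front End FQDN, sip.<SIP domain> and the three Simple URLs the topology defined); the SAN text parsing relies on the English "DNS Name=" label Windows uses.

```powershell
# Added example (not from the original post): verify that the certificate the
# wizard just installed covers every name Lync clients will connect to. The
# name list is assumed (not in the post): the Front End FQDN, sip.<SIP domain>
# and the three Simple URLs the topology defined.
$expected = 'lyncfe.company.local', 'sip.company.local', 'meet.company.local',
            'dialin.company.local', 'admin.company.local'

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # CN from the subject
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # DNS entries from the Subject Alternative Name extension (OID 2.5.29.17).
    # Format($true) renders it as text; on English Windows each entry reads "DNS Name=...".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names | ForEach-Object { $_.ToLower() } | Select-Object -Unique
}

function Test-LyncCertificate {
    param([string[]]$ExpectedNames)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $names   = @(Get-CertDnsNames $cert)
            $missing = @($ExpectedNames | Where-Object { $names -notcontains $_.ToLower() })
            New-Object PSObject -Property @{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                HasKey     = $cert.HasPrivateKey
                Missing    = ($missing -join ', ')
                # Usable only if every name is present, the key is here, and it has not expired.
                Covers     = ($missing.Count -eq 0 -and $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date))
            }
        }
    } finally { $store.Close() }
}

# Show every certificate with what it lacks, then the ones that fully qualify.
Test-LyncCertificate $expected | Format-Table Thumbprint, HasKey, NotAfter, Missing -AutoSize
Test-LyncCertificate $expected | Where-Object { $_.Covers } | Format-List Thumbprint, Subject, NotAfter
```

The thumbprint the wizard shows should appear in the second list; if it only appears in the first with names in the Missing column, the request was built from a topology that did not include those Simple URLs, and clients will get name-mismatch errors for them.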

Online Certificate Request Status

Now you will be taken to the Assignment screen. Click Next.

Click Next again- I won’t show you all of my company internal information. Once the wizard completes, click Finish.

Click Close, and select Run on the next object: Start Services.

On the wizard that opens, click Next.

Cross your fingers! Yay! It completed successfully. Click Finish.

Click on Service status to see if they are all running.

Lync Services

Close out everything, and open Lync Control Panel from the Start Menu. It should open and look like this.

Lync Control Panel

Now I am going to end this God awful long post, and go about adding my users. If there is an area I could be clearer, please comment. If I did something wrong, please let me know! I posted this mainly for my own documentation purposes, and to help out the next guy who is not comfortable with certificates, pools, SIP domains, etc. Thanks for reading!

Update: I stumbled across this post, by Jeff Guillet. He is the author of some of the books I have read, and this post and tool are amazing. Thanks for the GREAT contribution Jeff!

http://www.expta.com/2011/01/introducing-lyncaddcontacts.html

A tool to add contacts to a users Lync over and over. Say you have a domain of 20 users who will use Lync (as I did). Adding 20 people, 20 times (as I did) takes forever. Use this tool to set up one client once, and then re-run it to perform the same actions on other clients. Ingenious.

 

UPDATE: When you first install the client, the initial sync can take a while. If you are like me, you need to get it up and running quickly so you do not further disturb the network or desktops. There is a registry entry you can add. What I do is install the Lync Client. Then I import the company contacts from the GAL to the user's contacts list. Then exit the client.

Now open an elevated command prompt. Type this command:

reg add hklm\software\policies\microsoft\communicator /v GalDownloadInitialDelay /t REG_DWORD /d 0 /f (and that is a zero at the end).

Now wait one minute, and restart the Lync Client. It will now have all of the users contacts synced up and ready to add.

NOTE: This process DOES NOT WORK! I thought that maybe I could trick Lync 2010 to install on a DC, but the SQL failure got quite annoying, and I gave up. Instead, I will be installing both SQL 2008 and Lync 2010 on a Windows Server 2008 R2 member. I will get back to you on that configuration.

If you would like a walkthrough on how to install Lync Server 2010 on a Windows Server 2008 R2 member server, read this post here.

Do not attempt this install, it will not work.

I am going to install Lync Server 2010 on SBS 2008 SP2. This is a production server- I do not recommend doing this until you have planned and tested it first. I do not have a test server available, so it is going on a live server. The server also has Exchange 2007 SP2, and runs one Sharepoint site on WSS 3.0. Server traffic consists of Sharepoint Document Sharing, File and Print, Exchange Email, and Windows Internal Databases. We have no other applications running that use network or server bandwidth.

I am running an HP ProLiant ML150 G5 server, 8GB RAM, 2x mirrored 150GB HDDs. This setup is VERY weak, and I am not sure as to the impact of the Lync Server- hopefully by the end of this post I will be able to inform you on what it is doing to my network. We have 18 workstations which will use the Lync Client; remote workers will not use it. We will also only be using Lync for IM and Presence to start, no video, voice, or conferencing. My install will differ from yours if you are installing the Enterprise version, or have a need for A/V conferencing, phone system integration, or server pools. This will be a single-server install, or a stand-alone server. It will host the Management Site as well.

Microsoft has a site with all of the information you need. I would suggest printing off and reading all of the planning and deployment guides, as well as watching the videos. The site is here.

Run the Lync Server Planning Tool, which can be downloaded here. It is pre-release at the moment.

I got the Lync Server 2010 and the Lync Client from my MAPS subscription. I will install and evaluate, and purchase licenses as we see fit. I personally do not need any license keys with the technology- how you get the disks and licenses is your problem. I burned two DVD’s- one with the server, and one with the client.

I will now run the Planning Tool, display the results, and go over some further documentation. After that, I will install Lync Server first, then one client to test. After that I will proceed to install the rest of the clients.

I am not vouching for this process, as it will consist of my troubleshooting problems that may arise during install. I do suggest you use this as a guide when you install, if you are in the same scenario- as it will be easier to understand than Microsoft's technical documents.

Run the installed Planning Tool. I usually participate in the Improvement Programs, if only because it stops alerts from being displayed in the SBS Console and BPA.

Lync Planning Tool

I selected to start from the beginning. I selected No for A/V conferencing.

I selected No for Web conferencing.

I selected No for Enterprise Voice.

I selected No for Archiving Server.

I de-selected both Federation check-boxes, as I do not use any External organizations, and I do not wish users to connect to public chats like Yahoo! or MSN.

I selected No for High Availability- I only have one server.

I left the selection alone for Shared WAN. We do not have remote sites as a part of our network, only our Local LAN will use this application.

Central Site

I will name my site something appropriate- my company's name plus Lync. I suggest you do the same, and do not include any crazy characters, etc.

Fill in your user count. I only need 10 to start, and 18 to finish, so I will enter 20 to be safe.

For my internal SIP domains, I enter both my local domain name, and my remote domain name, which I use for RWW, OWA, and Exchange. they are company.local, and company.org.

I then select No for External User Access- this will only be used inside my office.

You will now see a topology of your setup. Thankfully, mine is REALLY simple.

Topology

Clicking on my site, then double clicking the icon, I see some requirements.

Requirements

I don’t have enough RAM, or all the correct ports open for the software load balancing. I also do not have SSD’s, or enough NIC’s. Well, I have two, but one is disabled and not in use. These requirements are also planning for way more features than what I will be using. I will print this and proceed for now, and open ports or install services as they come up.

Keep in mind now that I am installing Lync Server 2010 on a stand-alone production server with a low amount of RAM and not enough requirements met for install. Do this at your own risk. Back up frequently- a 2 hour restore is not too bad if you destroy your server.

Microsoft also recommends that you install Lync onto a child site of your AD Domain. I have such a small AD, that I will just stick it in there with the 40 users and other objects.

I have been reading Microsoft’s Guides, and a lot of their steps are for specific scenarios, and I get a hint that most of mine will be automatically configured- such as DNS SRV records for SIP domains. So I insert the DVD, and click on E:\Setup\amd64\Setup.exe

I get a pop-up about installing MS Visual C++ 2008, and click Yes.

Microsoft Visual C++ 2008

You are then presented with the Lync Install screen. I changed the default path to D:, this is my application/data drive and has more space.

Lync Server Install

Click Install.

Check the box to accept the license, after reading it of course 🙂

License Agreement

The installer does its thing.

Core Components Install

You then enter the Deployment Wizard screen.

Deployment Wizard

This is taken from the help link under Prepare Active Directory.

To begin the installation of Microsoft Lync Server 2010, you must prepare the Active Directory Domain Services (AD DS) schema, forest, and domains that will host servers and users. The Lync Server Deployment Wizard will guide you through the steps required to prepare Active Directory Domain Service (AD DS), beginning with the schema and then into the forest preparation. After confirming that AD DS replication is successful, you then prepare each domain that will host users or servers.

Important:
To successfully prepare the schema, you must be logged in as a member of the Enterprise Admins group and the Schema Admins group. To prepare the forest, you must be logged in as a member of the Enterprise Admins group or logged in as the administrator in the forest root. For domain preparation, you must be logged in as a member of the Domain Admins group.

Now we click the button to prepare the AD. The next screen has a few options. Now, extending the schema is a huge deal. So, I decided to do a full server backup before I press any more buttons. And good thing- the last backup 6 hours ago failed for some reason. I'll look into those event logs later on. I will finish this backup, make sure it was successful, then proceed.

At this point, Windows Update popped up, with 14 new important updates to install. Booo. Ok, so I install those, and then reboot. My server is great, minus a few warnings that can “be safely ignored” according to Microsoft. Now I resume.

Click Prepare Schema, and Run, then click Next.

Prep AD Schema

Once it completes, I clicked View Log. I then expanded the fields, and browsed the log. I noticed some errors in the log, though the action DID complete successfully.

Extend AD Schema Log

I clicked finish, and then checked the deployment using the steps written here. As you can see from the screenshot, my schema was configured correctly.

ADSI Edit Schema

I Then ran Prepare Current Forest, and left it set to Local Domain.

Universal Group Location

I won't post the screenshot of the log, because editing my personal information out of it would take ages, but you should take time to review it, and make sure everything was created and completed successfully.

You should verify this as well using the steps described here.

Now click Run under Prepare Current Domain, then next.

Prepare Domain

Once that completes, check that it was successful using the steps listed here.

Lync Management Shell

Lastly, I will add my account to the CsAdministrators group, which will allow me access to the Management Console. Open ADUC, go to My Business, SBSUsers, and double-click your account, or the account you want to make admin.

Click the Member Of tab, and then click add. Type in CsAdministrators, and click ok.

CsAdministrators Membership

I then Exited the Wizard, with everything complete.

I clicked Install Topology Builder, which is a prerequisite to deployment.

I re opened the Deployment Wizard, and clicked on Single Server Deployment, to the right.

Single Server Deployment

The first screen gives me a message about SQL Server 2008. I have the default SQL 2005 Express installed. Not being comfortable with SQL Server Management, and having the knowledge that side by side installs of the same project can be tricky (And also that migrating my databases to a different SQL version can be hard), I decide to stop for the night. I will run a full backup, because right now everything is still working correctly. I will also contact Microsoft support chat and read my documentation to see the process for this step- I will get back to you in the morning.

Good morning. I did some research, and Lync Server will install SQL 2008 Express. I do not wish to migrate, so it will be a side by side install. In order for that to work, some workstation components of SQL 2005 Express need to be uninstalled.

Click Programs and Features in the Control Panel. Select SQL 2005 Express and click Change. Select Workstation Components. Uninstall everything that comes up when you get to the component screen. This is removing only the tools, not the database or database server.

SQL 2005 Workstation components Uninstall

Uninstall Success

Now I will pick up the Lync Server 2010 Setup via the Lync Server Deployment Wizard in the Start Menu.

Click on Prepare First Standard Edition Server. Click Next, and let the commands finish.

Single Standard Edition Setup

This step takes some time, over 20 minutes for me.

Install

After some time, the setup completes, with a bright red item.

Setup Failure

Checking the log, I see that SQL Backwards compatibility and Native Client are installed, but not SQL 2008 Express itself. What a pain. I think I will try to install SQL 2008 Manually through its GUI, then if needed, command line.

Navigate to C:\Program Data\Microsoft\Lync Server\4.x.xxxx\ and double-click on SQLEXPR_x64.exe.

That opens up the SQL 2008 setup. I then clicked Hardware and Software Requirements, and Configuration Checker.

SQL 2008

In the tool, I received one warning and passed the rest. Fail.

SQL Install on DC Error

After some reading, Microsoft states:

Installing SQL Server on a Domain Controller
For security reasons, Microsoft recommends that you do not install SQL Server 2008 R2 on a domain controller. SQL Server Setup will not block installation on a computer that is a domain controller, but the following limitations apply:

On Windows Server 2003, SQL Server services can run under a domain account or a local system account.

You cannot run SQL Server services on a domain controller under a local service account or a network service account.

After SQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. You must uninstall SQL Server before you change the host computer to a domain controller.

After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.

SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.

SQL Server Setup cannot create security groups or provision SQL Server service accounts on a read-only domain controller. In this scenario, Setup will fail.

So I think I can get away with it, I just can’t use local accounts. So I will ignore this error, and click New SQL Server…..

New SQL 2008 Install

On the window that appears, click install to install setup support files. It comes back with a few warnings, one for Windows Firewall. I will let you battle this one out yourself, but some information can be found here.

Click Next, and it will ask for a product key- which is greyed out. I have a full version of SQL 2008 Standard, but I want to leave this Express- the less management and install I have with SQL the better, IMHO.

SQL Product Key

Click Next.

Accept the license and click next.

Select all products, leave the directory alone, and click Next.

Select All

Leave it at Named Instance, in this case SQLExpress. You can change this if you want- I do not.

Instance ID I also left alone. For the root directory, I moved it to the D:\ drive and created a new folder called D:\Program Files\SQL 2008 Root Dir\

Only to save space on my C:\ drive.

Instance Configuration

Click Next, and you should get a success message.

Success

Click Next.

Now I am not going to use NT AUTHORITY for the SQL Server Database Service Account. This helps with least privilege and separation of duties, plus I do not think you can do the side-by-side install using NT AUTHORITY.

So create a new user in Users ADUC, and use that account and password to set up this account.

Select that user, and enter the password, then hit Next.

Select Mixed Mode, and enter a strong unique password for sa. Add the SQL administrators using the add button on the bottom. I am the only one, so I clicked Add Current User.

SA

Click Next. Check both Microsoft Reporting boxes (or not, if you wish), and click next. It should complete with 8 Passes, and no errors.

Click Next. Review your settings, and click Install when ready. It will take a while to complete. While the bar progresses, cross your fingers and hope the side by side install of SQL works, and doesn’t bork your system.

Success

Everything succeeded, and you get a reboot message. Now this is a production server, and it is 11 AM on Friday. I can't reboot, and won't continue until I do reboot. I'll be back later tonight, when no one is in the office.

After reboot, everything is up and running just fine. No errors, SQL is automatic and started fine. Now it’s time to resume the Lync install. Double click the Lync Server Deployment Wizard from the Start Menu again.

Click Prepare Single Edition Server. Click Next and it will resume where we left off when it failed the first time. It failed again, this time while trying to create an instance RTC in SQL 2008. So I run this command from the command line:

"C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7457.0\SQLEXPR_x64.exe" /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=RTC /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE=Automatic

So I check the event logs, and see that SQL Server Browser did not start, and a new instance could not be created. I go to services, and see that SQL Server Browser for SQLExpress (which is my 2008) is disabled. Enable that by right clicking the service, and selecting properties. Then change start type to automatic, and click ok.
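The service and service-account checks above can be done from PowerShell instead of the Services console. The block below is an added example, not part of the original post: it makes sure SQL Server Browser starts automatically, lists every SQL service with the account it logs on as (which is where the least-privilege choice made earlier is easiest to review), and pulls the event ID 103 messages mentioned later. The service name SQLBrowser and the MSSQL/SQLAgent/ReportServer name prefixes are the SQL Server 2008 defaults; run it in an elevated Windows PowerShell session on the server.

```powershell
# Added example (not from the original post). Run elevated on the SQL host.
# Uses Get-WmiObject so it also works on the Windows PowerShell 2.0 that ships
# with Server 2008 R2.

# 1. SQL Server Browser must be running for a new named instance (such as RTC)
#    to be created and found. Set it to Automatic and start it if needed.
$browser = Get-WmiObject -Class Win32_Service -Filter "Name='SQLBrowser'"
if ($browser -eq $null) {
    Write-Warning 'SQLBrowser service not found on this host.'
} else {
    if ($browser.StartMode -ne 'Auto') {
        Set-Service -Name 'SQLBrowser' -StartupType Automatic
    }
    if ($browser.State -ne 'Running') {
        Start-Service -Name 'SQLBrowser'
    }
    Get-Service -Name 'SQLBrowser' | Select-Object Name, Status
}

# 2. Audit every SQL-related service and the identity it runs under.
#    A service logging on as LocalSystem or a domain admin stands out here;
#    a dedicated low-privilege domain account per service is the goal.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.Name -match '^(MSSQL|SQLAgent|SQLBrowser|ReportServer)' } |
    Select-Object Name, State, StartMode, StartName |
    Sort-Object Name |
    Format-Table -AutoSize

# 3. Show the most recent "could not be started" errors (event ID 103 in the
#    Application log) so the failing service and its reason text are visible.
Get-EventLog -LogName Application -InstanceId 103 -Newest 5 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, Source, Message |
    Format-List
```

If step 2 shows a SQL instance or Agent running as an account that is not the one you created for it, change it with the SQL Server Configuration Manager rather than the generic Services console, because Configuration Manager also grants the account the rights the service needs to start.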

SQL Service

I then realized that I did not have Management Studio Express installed, so I downloaded and installed that from here. I changed the SQL Server Agent Service log on account to the same account I set up for SQL.

Turns out that I can’t install the tools package, some sort of Digital Signature Error, which is going to be a pain. So… I went to Add/Remove Programs, clicked on SQL 2008, clicked Change. Then added new features, blah blah blah. The information on how to do that is here, scroll to the comment at the bottom. Thanks guys.

Another reboot to continue, I am now up to three- not great fun on a production server. So I mucked around and added the SQL2008 account- the account I use to run both the Server Agent and the SQL instance- to some Administrator and SQL Admin roles, to no effect. Every time I tried to run the SQL Server Agent, I got the start stop message and an event id of 103, Service Control. I know that this is a permissions thing, so I change both of the services to Local Account, and now the services start fine- but the installation still fails.

At this point I am finally able to push the Management Console through. Instead of modifying an existing instance, which doesn’t allow you to add tools, I select new instance, then select Management Tools.

Management Tools Install

The install failed, and I am seeing messages for SQLExpress recovery, services will not start still, what the hell. I uninstall all SQL 2008 items, and start over. At this point I spend an additional 6 hours messing around with the innards of Lync and SQL 2008, only to come to the conclusion that I do not have the skill to perform this install. I uninstall everything, back to normal. I am now going to add a Windows Server 2008 R2 member to my domain, and repeat this install there. I will post that when it happens.

Checking the server for errors as is customary every morning, I open up server manager and see a few warnings and a few errors on the server roles.

ADDS Error

Let’s investigate the warning on Active Directory Domain Services (ADDS) first. A quick examination of the event log leads me to event 2886.

Event 2886

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

They further go on to describe the problem in these words:

The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as Negotiate, Kerberos, NTLM, or Digest.

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on a LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

If you don’t understand these security features and what SASL binds or LDAP simple binds are- then imagine it simply as clients accessing and communicating with the AD in plain English, which anyone on the wire could eavesdrop on or tamper with. You certainly don’t want anyone listening to your AD.

In order to see if your clients are using these communication methods, we need to turn up the logging level for LDAP Interface Events, and then wait to see if we get any error messages. I would suggest monitoring these events for a few days before making changes- blocking these binds will cause a client using them to disconnect, and better to work on that proactively.

Open Regedit (Start>Run>Regedit) and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Registry/Diagnostics

You will see that this key has listed a bunch of diagnostic features, all set to zero. You can enable the logging for each of these events by changing the number to anything up to 5. A list of what each number does can be found here.

Change the value of 16 LDAP Interface Events to 2 by double clicking it and changing 0 to 2, and hitting enter.

Now keep your eye on the Event Log for event ID 2889, which will contain the IP Address of the client connecting with these binds.

Alternately, if you disable these binds, the server will post one log event every 24 hours with ID 2888.

After a few days, or hours, or no time depending upon how patient you are, you may check the Event Log and find these entries, or not. To make things easier you could create a custom view in Event Viewer, and filter in only event IDs 2886, 2888, and 2889.

LDAP Event Log

As you can see, my filter is only finding event ID 2886, which is the warning about bind security. I am not seeing any 2888 or 2889, which would mean that clients were connecting using these binds. So let’s go ahead and close the hole- less privilege is more.
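The monitoring step above (turn up LDAP Interface Events, then watch for 2889 and the daily summaries) can be scripted so the result is a list of client addresses and identities rather than a scroll through Event Viewer. The following is an added example and not part of the original post. It assumes you run it elevated on the domain controller, that these events land in the "Directory Service" log, and that the text of a 2889 event carries "Client IP address:" and "Identity the client attempted to authenticate as:" lines; the sample message at the bottom is constructed in that shape so the parser can be tried without a live DC. Besides the IDs the post names, the filter also picks up 2887, the 24-hour summary the DC logs while binds are still allowed.

```powershell
# Added example (not from the original post). Run elevated on a domain controller.
$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagName = '16 LDAP Interface Events'

function Enable-LdapBindLogging {
    # Level 2 logs one event 2889 per unsigned/clear-text bind; 0 turns it back off.
    param([ValidateRange(0, 5)][int]$Level = 2)
    Set-ItemProperty -Path $diagKey -Name $diagName -Value $Level -Type DWord
    (Get-ItemProperty -Path $diagKey -Name $diagName).$diagName
}

function ConvertFrom-LdapBindEvent {
    # Pulls the client address and the identity it bound as out of a 2889 message.
    param([Parameter(ValueFromPipeline = $true)][string]$Message)
    process {
        $ip = [regex]::Match($Message, 'Client IP address:\s*([0-9A-Fa-f\.:\[\]]+)').Groups[1].Value
        $id = [regex]::Match($Message, 'authenticate as:\s*(\S+)').Groups[1].Value
        New-Object PSObject -Property @{ ClientAddress = $ip; Identity = $id }
    }
}

function Get-UnsignedLdapBindClients {
    # Groups the 2889 events from the last N days by client and identity, most frequent first.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message | ConvertFrom-LdapBindEvent } |
        Group-Object ClientAddress, Identity |
        Select-Object Count,
            @{ n = 'ClientAddress'; e = { $_.Group[0].ClientAddress } },
            @{ n = 'Identity';      e = { $_.Group[0].Identity } } |
        Sort-Object Count -Descending
}

function Get-LdapSigningSummaryEvents {
    # 2886: the standing warning. 2887: daily count of unsigned binds while allowed.
    # 2888: daily count of binds rejected once signing is required.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2886, 2887, 2888 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Constructed sample (not a real event) in the shape of a 2889 message, to try the parser offline.
$sample = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
192.0.2.25:49152
Identity the client attempted to authenticate as:
EXAMPLE\svc-legacy-app
Binding Type:
0
"@
$sample | ConvertFrom-LdapBindEvent | Format-Table -AutoSize

# On the DC itself, after a few days of logging:
# Enable-LdapBindLogging -Level 2
# Get-UnsignedLdapBindClients -Days 3
# Get-LdapSigningSummaryEvents
```

Leave the logging level at 2 only for as long as you need it; on a busy DC a 2889 per bind adds noticeable volume to the Directory Service log, and `Enable-LdapBindLogging -Level 0` puts it back.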

To do this, we need to configure the server to REQUIRE LDAP signing. This is done by Group Policy. Microsoft recommends that you make this change in the Default Domain Policy, yet I do not touch that one. So I am going to make a new GPO and link it at the domain, then apply it to all computers. You can make the changes to the Default Domain Policy if you want.

Open up GPMC from Start>All Programs>Administrative Tools>Group Policy Management.

Right click your domain, and click Create a GPO and link it here…

New GPO

Name it something appropriate, like LDAP Signing.

Then open the GPO by right clicking it and selecting Edit. Now drill down to:

Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options.

Right-click on Domain Controller: LDAP Server Signing Requirements and select properties.

Check off Define this Policy Setting.

Select Require Signing in the drop-down box.

Require Signing

Click OK and accept the warning. You can follow the link to Microsoft’s KB article describing what is going on.

Basically, older clients might be configured to use these unsigned binds, pretty much pre-XP Pro SP2. If all of your clients are updated or using newer Windows versions, you don’t have to worry about configuring them to start signing. If you have older clients, and don’t know how to change them- you might want to leave this setting alone.
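The GPO steps above can also be done with the GroupPolicy module, which makes it easy to repeat in another domain and, more usefully, to verify afterwards that every domain controller actually picked the setting up. The block below is an added example, not part of the original post. It assumes a machine with the GroupPolicy and ActiveDirectory modules (a DC or an RSAT workstation), and relies on the fact that the "Domain controller: LDAP server signing requirements" policy is stored in the registry value LDAPServerIntegrity under NTDS\Parameters, where 1 means None and 2 means Require signing. The GPO name "LDAP Signing" is the one used in the post.

```powershell
# Added example (not from the original post). Run as a domain admin with RSAT.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'LDAP Signing'
$domainDn = (Get-ADDomain).DistinguishedName

# Create the GPO once and link it at the domain root; the Domain Controllers OU
# inherits the link, which is where the setting actually matters.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if ($gpo -eq $null) {
    $gpo = New-GPO -Name $gpoName -Comment 'Require LDAP server signing on DCs (addresses event 2886).'
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Set-GPRegistryValue stores this as a registry policy rather than through the
# Security Options template the GPMC editor uses; the value written on the DC
# is the same one, so the effect is identical.
$regValue = @{
    Name      = $gpoName
    Key       = 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    ValueName = 'LDAPServerIntegrity'
    Type      = 'DWord'
    Value     = 2          # 2 = Require signing, 1 = None
}
Set-GPRegistryValue @regValue | Out-Null

function Get-LdapServerSigningSetting {
    # Reads the effective value on every DC so you can confirm the policy applied
    # (after gpupdate /force, or the next refresh interval).
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').LDAPServerIntegrity
        $meaning = 'Not set (behaves as None)'
        if ($v -eq 1) { $meaning = 'None' }
        if ($v -eq 2) { $meaning = 'Require signing' }
        New-Object PSObject -Property @{
            DomainController    = $env:COMPUTERNAME
            LDAPServerIntegrity = $v
            Meaning             = $meaning
        }
    } | Select-Object DomainController, LDAPServerIntegrity, Meaning
}

Get-LdapServerSigningSetting | Format-Table -AutoSize
```

Run the verification function again a day after the change and pair it with the 2888 summary events: a DC reporting "Require signing" plus no 2888 events means nothing was still relying on unsigned binds.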

This is a good setting to change to lock down your server, and close unnecessary vulnerabilities in the path between client and server. A hacker might be able to intercept an unsigned packet and change it, then forward it to your server. The server would read the packet and execute actions based on the hacker’s unsigned packet.

As always if you break your network, it’s not my fault 🙂