Category: DNS


I am going to glaze over the beginning processes, because I have already performed and documented them here.
This is a Lync Server 2010 install on a domain member server running Windows Server 2008 R2 Enterprise.

I will pick up: Prepare First Standard Edition Server.

This goes through the process, and completes this time, installing SQL 2008 Express and an instance named RTC, which is started and running.

Next, select Install Topology Builder, and let the tool complete.

Topology Builder

Now let’s do some prep. First, add the account you are using to the Domain Admins and RTCUniversalServerAdmins groups. You can do this via ADUC by double-clicking the group, selecting the Members tab, and adding the name of your account.

RTCUniversalServerAdmin

Next, create the share you will be using during your topology setup. The default share name is share, on the server you are installing Lync 2010 on. I will name it LyncShare, as this server has little else to do besides Lync, and no other shares. I create a new folder on any drive, right-click it and select Share with > Specific people. I then add Domain Users and Everyone with read/write permissions. We can change these to least access later on.

File Sharing

Make sure the account you are using is in there as well, and this should be a domain account.

DNS records for your server pool need to exist, as well as the simple URLs. We will add those after we build the topology, before we publish it.

Now, go to Start>All Programs>Lync Server 2010, and select Topology Builder.

Click on New Topology.

The Primary SIP Domain can be any domain name that you use, I leave mine set to my internal domain name. For this example, I will use company.local.

Primary SIP Domain

Click Next. I am not adding any additional domains, so click Next again.

Under Site Name, name your site something nice, like CompanyLync.

First Site

Click Next. Enter your City, State, and Country.

Check the box: Open the New Front End Wizard… and click Finish.

New Front End Wizard

Click Next.

Select Standard Edition Server, and enter the domain member server’s FQDN.

Front End FQDN

Click Next. Check no boxes, click Next.

Select Features

Uncheck Mediation Server, and hit Next.

Collocated Server Roles

Enable anything you want, I leave all unchecked. Click Next.

Associated Server Roles

Click Next on the grayed-out options screen for SQL Store, leaving the new store at its default settings.

Select the name of a file share, and leave File Server alone or set it to your company’s file server. In this case it is all on one server, so enter that server’s FQDN. Click Next.

File Share

Leave Web Services URL alone; remember this is going to be used for internal IM only. You can change this as you see fit if you will be hosting external access.

Web Services URL

I named my External URL ExternalPool.company.local. I will now create DNS records for both pools. Open the DNS MMC, and add an Alias (CNAME) entry for both the internal and external base URLs, pointing to the correct FQDN of the server.

DNS Alias for Pool

You can now view the properties of everything you have configured.

Properties

Click Edit Properties from the menu on the right. Click Simple URLs on the left of the window that opens.

Add an Administrative access URL. I did mine to match the other two, changing the first word to admin.

Click Central Management Server and select the only option.

Simple URLs

Now let’s add DNS entries for these three Simple URLs. Back in the DNS MMC, add an Alias (CNAME) for dialin, meet, and admin.
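The same records can be created from the command line on the Server 2008 R2 DNS server and then checked, which is handy when you later rename a pool (see the problems below). This is an added example, not code from the original post or from Microsoft; the zone company.local, the front end FQDN lyncfe.company.local, the DNS server name dc01 and the internal base URL name InternalPool are hypothetical values to replace with your own.

```powershell
# Added example; not code from the original post or from Microsoft.
# Creates the CNAME records the topology needs (the internal and external
# pool base URLs plus the dialin/meet/admin simple URLs) with dnscmd, then
# checks that each alias resolves to the front end's address.
# Hypothetical values: zone company.local, front end lyncfe.company.local,
# DNS server dc01. Run from an elevated prompt as a DNS admin.
param(
    [string]$DnsServer = 'dc01',
    [string]$Zone      = 'company.local',
    [string]$FrontEnd  = 'lyncfe.company.local'
)

# ExternalPool and the three simple URLs are the names used in the post;
# InternalPool stands in for whatever the internal Web Services URL was set to.
$Aliases = @('InternalPool', 'ExternalPool', 'dialin', 'meet', 'admin')

function Add-LyncCname {
    param([string]$Name)
    # dnscmd syntax: /RecordAdd <zone> <node name> CNAME <target FQDN>
    # The trailing dot marks the target as absolute so the zone is not appended.
    $output = & dnscmd.exe $DnsServer /RecordAdd $Zone $Name CNAME "$FrontEnd."
    if ($LASTEXITCODE -ne 0) {
        # dnscmd also reports an error when the record already exists, so do not
        # abort here; the resolution check below is the real pass/fail.
        Write-Warning ('dnscmd returned an error for {0}: {1}' -f $Name, ($output -join ' '))
    }
}

function Test-LyncCname {
    param([string]$Name)
    $fqdn = '{0}.{1}' -f $Name, $Zone
    try {
        # Resolve the alias and the front end independently; the alias must
        # land on the front end's address(es) and nothing else.
        $expected = @([System.Net.Dns]::GetHostAddresses($FrontEnd) | ForEach-Object { $_.ToString() })
        $actual   = @([System.Net.Dns]::GetHostEntry($fqdn).AddressList | ForEach-Object { $_.ToString() })
        $wrong    = @($actual | Where-Object { $expected -notcontains $_ })
        return ($actual.Count -gt 0 -and $wrong.Count -eq 0)
    } catch {
        return $false
    }
}

foreach ($alias in $Aliases) {
    Add-LyncCname -Name $alias
    if (Test-LyncCname -Name $alias) {
        Write-Host ('{0}.{1} -> {2} OK' -f $alias, $Zone, $FrontEnd)
    } else {
        # A stale negative answer in the local resolver cache is the usual cause;
        # run ipconfig /flushdns and rerun before suspecting the zone itself.
        Write-Warning ('{0}.{1} does not resolve to {2}' -f $alias, $Zone, $FrontEnd)
    }
}
```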

In the menu on the right, click Publish Topology.

Read the requirements, and when ready, click Next.

Leave this to default and click Next.

Central Management Server

Now I decided to change my pool name, and I got all sorts of problems. If you get warning messages about your pool not existing in AD, then you can use Lync Management Shell to remove the pool, and redo the setup. The post on how to do this is here.

Now when I hit Publish, it completed successfully.

Publish Progress

Publish Success

Nice, but we still have more to do. Microsoft says that this is the point at which you rerun the setup on all servers that will be handling Lync. Since I am only using one, we do not need to do this. Go back to the Lync Server Deployment Wizard. This time click on the link to the left: Install or Update Lync Server System.

Install or Update Lync Server System

Click Run next to Install Local Configuration Store. Leave the default options on both screens, and click Next.

Let the wizard complete. Hopefully you will receive success on all the prerequisites.

NOTE: Make sure to always expand the prerequisites tab before each item and make sure you are in compliance.

Installing Local

Once complete, click Run next to the next item, Lync Server Components.

Click Next.

IIS Roles

I get an error about IIS features. I remember when I added the IIS role, I left most of the boxes cleared by default. Let’s enable all of that now.

Click Server Manager, and select Roles. At this point you will have IIS installed, so click on the link. Scroll down a bit and click Add Role Services. I then added all of the roles that the error message mentioned. I suppose you could add all, but why add extra stuff that you do not need?

IIS Role Services

Click Next, click Install.

It will complete (no reboot needed). Go back to your Lync Deployment screen and re-run Setup Lync Server Components.

Click Finish once that completes without errors.

Run the next task: Request, Install, or Assign Certificates.

A box appears with a Default Certificate, which is unassigned. Click Request next to it. You could also click Request and formulate a CSR for an offline CA. I will select Send the request immediately to an online CA, and click Next.

Certificate Wizard

It should automatically pull up your CA server, which in my case is my DC. I will click Next if this is correct. You can then specify alternate credentials, if you are not signed in as a domain admin account. I am, so I will leave this alone. Click Next.

Click Next past the Alternate Template page.

Specify a friendly name. I used lyncfriendly.

I’ll let you decide what to put here for OU and Organization. Consult the Lync documentation if you need help with this. Click Next and fill out your locale.

Click Next twice.

Check the box next to your SIP Domain, and click Next.

SIP Domain

Click Next.

Click Next again.

And again, and let the wizard do its thing.

Certificate Request Completed

You will get a message about thumbprints, make sure the box is checked, and click Finish.

Online Certificate Request Status

Now you will be taken to the Assignment screen. Click Next.

Click Next again; I won’t show you all of my company internal information. Once the wizard completes, click Finish.

Click Close, and select Run on the next object: Start Services.

On the wizard that opens, click Next.

Cross your fingers! Yay! It completed successfully. Click Finish.

Click on Service status to see if they are all running.

Lync Services

Close out everything, and open Lync Control Panel from the Start Menu. It should open and look like this.

Lync Control Panel

Now I am going to end this God awful long post, and go about adding my users. If there is an area I could be clearer, please comment. If I did something wrong, please let me know! I posted this mainly for my own documentation purposes, and to help out the next guy who is not comfortable with certificates, pools, SIP domains, etc. Thanks for reading!

Update: I stumbled across this post, by Jeff Guillet. He is the author of some of the books I have read, and this post and tool are amazing. Thanks for the GREAT contribution Jeff!

http://www.expta.com/2011/01/introducing-lyncaddcontacts.html

A tool to add contacts to a user’s Lync over and over. Say you have a domain of 20 users who will use Lync (as I did). Adding 20 people, 20 times (as I did) takes forever. Use this tool to set up one client once, and then re-run it to perform the same actions on other clients. Ingenious.


UPDATE: When you first install the client, the initial sync can take a while. If you are like me, you need to get it up and running quickly so you do not further disturb the network or desktops. There is a registry entry you can add. What I do is install the Lync client. Then I import the company contacts from the GAL to the user’s contact list. Then exit the client.

Now open an elevated command prompt. Type this command (and that is a zero at the end):

reg add hklm\software\policies\microsoft\communicator /v GalDownloadInitialDelay /t REG_DWORD /d 0 /f

Now wait one minute, and restart the Lync Client. It will now have all of the users contacts synced up and ready to add.


NOTE: This process DOES NOT WORK! I thought that maybe I could trick Lync 2010 to install on a DC, but the SQL failure got quite annoying, and I gave up. Instead, I will be installing both SQL 2008 and Lync 2010 on a Windows Server 2008 R2 member. I will get back to you on that configuration.

If you would like a walkthrough on how to install Lync Server 2010 on a Windows Server 2008 R2 member server, read this post here.

Do not attempt this install, it will not work.

I am going to install Lync Server 2010 on SBS 2008 SP2. This is a production server- I do not recommend doing this until you have planned and tested it first. I do not have a test server available, so it is going on a live server. The server also has Exchange 2007 SP2, and runs one Sharepoint site on WSS 3.0. Server traffic consists of Sharepoint Document Sharing, File and Print, Exchange Email, and Windows Internal Databases. We have no other applications running that use network or server bandwidth.

I am running an HP Proliant ML150 G5 Server, 8GB RAM, 2x mirrored 150GB HDDs. This setup is VERY weak, and I am not sure as to the impact of the Lync Server; hopefully by the end of this post I will be able to inform you on what it is doing to my network. We have 18 workstations which will use the Lync Client; remote workers will not use it. We will also only be using Lync for IM and Presence to start, no video, voice, or conferencing. My install will differ from yours if you are installing the Enterprise version, or have a need for A/V conferencing, phone system integration, or server pools. This will be a Single-Server install, or a stand-alone server. It will host the Management Site as well.

Microsoft has a site with all of the information you need. I would suggest printing off and reading all of the planning and deployment guides, as well as watching the videos. The site is here.

Run the Lync Server Planning Tool, which can be downloaded here. It is pre-release at the moment.

I got the Lync Server 2010 and the Lync Client from my MAPS subscription. I will install and evaluate, and purchase licenses as we see fit. I personally do not need any license keys with the technology; how you get the disks and licenses is your problem. I burned two DVDs: one with the server, and one with the client.

I will now run the Planning Tool, display the results, and go over some further documentation. After that, I will install Lync Server first, then one client to test. After that I will proceed to install the rest of the clients.

I am not vouching for this process, as it will consist of my troubleshooting problems that may arise during install. I do suggest you use this as a guide when you install, if you are in the same scenario, as it will be easier to understand than Microsoft’s technical documents.

Run the installed Planning Tool. I usually participate in the Improvement Plans, if only because it stops alerts from being displayed in the SBS Console and BPA.

Lync Planning Tool

I selected to start from the beginning. I selected No for A/V conferencing.

I selected No for Web conferencing.

I selected No for Enterprise Voice.

I selected No for Archiving Server.

I de-selected both Federation check-boxes, as I do not use any External organizations, and I do not wish users to connect to public chats like Yahoo! or MSN.

I selected No for High Availability; I only have one server.

I left the selection alone for Shared WAN. We do not have remote sites as a part of our network, only our Local LAN will use this application.

Central Site

I will name my site something appropriate: my company’s name plus Lync. I suggest you do the same, and do not include any crazy characters, etc.

Fill in your user count. I only need 10 to start, and 18 to finish, so I will enter 20 to be safe.

For my internal SIP domains, I enter both my local domain name, and my remote domain name, which I use for RWW, OWA, and Exchange. They are company.local, and company.org.

I then select No for External User Access; this will only be used inside my office.

You will now see a topology of your setup. Thankfully, mine is REALLY simple.

Topology

Clicking on my site, then double clicking the icon, I see some requirements.

Requirements

I don’t have enough RAM, or all the correct ports open for the software load balancing. I also do not have SSDs, or enough NICs. Well, I have two, but one is disabled and not in use. These requirements are also planning for way more features than what I will be using. I will print this and proceed for now, and open ports or install services as they come up.

Keep in mind now that I am installing Lync Server 2010 on a stand-alone production server with a low amount of RAM and not enough requirements met for install. Do this at your own risk. Back up frequently; a 2 hour restore is not too bad if you destroy your server.

Microsoft also recommends that you install Lync onto a child site of your AD Domain. I have such a small AD, that I will just stick it in there with the 40 users and other objects.

I have been reading Microsoft’s Guides, and a lot of their steps are for specific scenarios, and I get a hint that most of mine will be automatically configured- such as DNS SRV records for SIP domains. So I insert the DVD, and click on E:\Setup\amd64\Setup.exe

I get a pop-up about installing MS Visual C++ 2008, and click Yes.

Microsoft Visual C++ 2008

You are then presented with the Lync Install screen. I changed the default path to D:, this is my application/data drive and has more space.

Lync Server Install

Click Install.

Check the box to accept the license, after reading it of course 🙂

License Agreement

The installer does its thing.

Core Components Install

You then enter the Deployment Wizard screen.

Deployment Wizard

This is taken from the help link under Prepare Active Directory.

To begin the installation of Microsoft Lync Server 2010, you must prepare the Active Directory Domain Services (AD DS) schema, forest, and domains that will host servers and users. The Lync Server Deployment Wizard will guide you through the steps required to prepare Active Directory Domain Service (AD DS), beginning with the schema and then into the forest preparation. After confirming that AD DS replication is successful, you then prepare each domain that will host users or servers.

Important:
To successfully prepare the schema, you must be logged in as a member of the Enterprise Admins group and the Schema Admins group. To prepare the forest, you must be logged in as a member of the Enterprise Admins group or logged in as the administrator in the forest root. For domain preparation, you must be logged in as a member of the Domain Admins group.

Now we click the button to prepare the AD. The next screen has a few options. Now, extending the schema is a huge deal. So, I decided to do a full server backup before I press any more buttons. And good thing: the last backup 6 hours ago failed for some reason. I’ll look into those event logs later on. I will finish this backup, make sure it was successful, then proceed.

At this point, Windows Update popped up, with 14 new important updates to install. Booo. Ok, so I install those, and then reboot. My server is great, minus a few warnings that can “be safely ignored” according to Microsoft. Now I resume.

Click Prepare Schema, and Run, then click Next.

Prep AD Schema

Once it completes, I clicked View Log. I then expanded the fields, and browsed the log. I noticed some errors in the log, though the action DID complete successfully.

Extend AD Schema Log

I clicked finish, and then checked the deployment using the steps written here. As you can see from the screenshot, my schema was configured correctly.

ADSI Edit Schema

I then ran Prepare Current Forest, and left it set to Local Domain.

Universal Group Location

I won’t post the screenshot of the log, because editing my personal information out of it would take ages, but you should take time to review it, and make sure everything was created and completed successfully.

You should verify this as well using the steps described here.

Now click Run under Prepare Current Domain, then next.

Prepare Domain

Once that completes, check that it was successful using the steps listed here.

Lync Management Shell

Lastly, I will add my account to the CsAdministrators group, which will allow me access to the Management Console. Open ADUC, go to My Business, SBSUsers, and double-click your account, or the account you want to make admin.

Click the Member Of tab, and then click add. Type in CsAdministrators, and click ok.

CsAdministrators Membership

I then exited the wizard, with everything complete.

I clicked Install Topology Builder, which is a prerequisite to deployment.

I reopened the Deployment Wizard, and clicked on Single Server Deployment, to the right.

Single Server Deployment

The first screen gives me a message about SQL Server 2008. I have the default SQL 2005 Express installed. Not being comfortable with SQL Server management, and having the knowledge that side-by-side installs of the same product can be tricky (and also that migrating my databases to a different SQL version can be hard), I decide to stop for the night. I will run a full backup, because right now everything is still working correctly. I will also contact Microsoft support chat and read my documentation to see the process for this step. I will get back to you in the morning.

Good morning. I did some research, and Lync Server will install SQL 2008 Express. I do not wish to migrate, so it will be a side by side install. In order for that to work, some workstation components of SQL 2005 Express need to be uninstalled.

Click Programs and Features in the Control Panel. Select SQL 2005 Express and click Change. Select Workstation Components. Uninstall everything that comes up when you get to the component screen. This is removing only the tools, not the database or database server.

SQL 2005 Workstation Components Uninstall

Uninstall Success

Now I will pick up the Lync Server 2010 Setup via the Lync Server Deployment Wizard in the Start Menu.

Click on Prepare First Standard Edition Server. Click Next, and let the commands finish.

Single Standard Edition Setup

This step takes some time, over 20 minutes for me.

Install

After some time, the setup completes, with a bright red item.

Setup Failure

Checking the log, I see that SQL Backwards compatibility and Native Client are installed, but not SQL 2008 Express itself. What a pain. I think I will try to install SQL 2008 Manually through its GUI, then if needed, command line.

Navigate to C:\Program Data\Microsoft\Lync Server\4.x.xxxx\ and double-click on SQLEXPR_x64.exe.

That opens up the SQL 2008 setup. I then clicked Hardware and Software Requirements, and Configuration Checker.

SQL 2008

In the tool, I received one warning and passed the rest. Fail.

SQL Install on DC Error

After some reading, Microsoft states:

Installing SQL Server on a Domain Controller
For security reasons, Microsoft recommends that you do not install SQL Server 2008 R2 on a domain controller. SQL Server Setup will not block installation on a computer that is a domain controller, but the following limitations apply:

On Windows Server 2003, SQL Server services can run under a domain account or a local system account.

You cannot run SQL Server services on a domain controller under a local service account or a network service account.

After SQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. You must uninstall SQL Server before you change the host computer to a domain controller.

After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.

SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.

SQL Server Setup cannot create security groups or provision SQL Server service accounts on a read-only domain controller. In this scenario, Setup will fail.

So I think I can get away with it; I just can’t use local accounts. So I will ignore this error, and click New SQL Server...

New SQL 2008 Install

On the window that appears, click install to install setup support files. It comes back with a few warnings, one for Windows Firewall. I will let you battle this one out yourself, but some information can be found here.

Click Next, and it will ask for a product key, which is grayed out. I have a full version of SQL 2008 Standard, but I want to leave this Express; the less management and install I have with SQL the better, IMHO.

SQL Product Key

Click Next.

Accept the license and click next.

Select all products, leave the directory alone, and click Next.

Select All

Leave it at Named Instance, in this case SQLExpress. You can change this if you want; I do not.

I also left Instance ID alone. For the root directory, I moved it to the D:\ drive and created a new folder called D:\Program Files\SQL 2008 Root Dir\, only to save space on my C:\ drive.

Instance Configuration

Click Next, and you should get a success message.

Success

Click Next.

Now I am not going to use NT\Authority for the SQL Server Database Service account. This helps with least privilege and separation of duties, plus I do not think you can do the side-by-side install using NT\Authority.

So create a new user under Users in ADUC, and use that account and password to set up this service account.

Select that user, and enter the password, then hit Next.

Select Mixed Mode, and enter a strong unique password for sa. Add the SQL administrators using the add button on the bottom. I am the only one, so I clicked Add Current User.

SA

Click Next. Check both Microsoft Reporting boxes (or not, if you wish), and click next. It should complete with 8 Passes, and no errors.

Click Next. Review your settings, and click Install when ready. It will take a while to complete. While the bar progresses, cross your fingers and hope the side by side install of SQL works, and doesn’t bork your system.

Success

Everything succeeded, and you get a reboot message. Now this is a production server, and it is 11 AM on Friday. I can’t reboot, and won’t continue until I do reboot. I’ll be back later tonight, when no one is in the office.

After reboot, everything is up and running just fine. No errors, SQL is automatic and started fine. Now it’s time to resume the Lync install. Double-click the Lync Server Deployment Wizard from the Start Menu again.

Click Prepare Single Edition Server. Click Next and it will resume where we left off when it failed the first time. It failed again, this time while trying to create an instance RTC in SQL 2008. So I run this command from the command line:

"C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7457.0\SQLEXPR_x64.exe" /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=RTC /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE=Automatic

So I check the event logs, and see that SQL Server Browser did not start, and a new instance could not be created. I go to services, and see that SQL Server Browser for SQLExpress (which is my 2008) is disabled. Enable that by right clicking the service, and selecting properties. Then change start type to automatic, and click ok.

SQL Service

I then realized that I did not have Management Studio Express installed, so I downloaded and installed that from here. I changed the SQL Server Agent Service log on account to the same account I set up for SQL.

Turns out that I can’t install the tools package, some sort of Digital Signature Error, which is going to be a pain. So… I went to Add/Remove Programs, clicked on SQL 2008, clicked Change. Then added new features, blah blah blah. The information on how to do that is here, scroll to the comment at the bottom. Thanks guys.

Another reboot to continue; I am now up to three, not great fun on a production server. So I mucked around and added the SQL2008 account (the account I use to run both the Server Agent and the SQL instance) to some Administrator and SQL Admin roles, to no effect. Every time I tried to run the SQL Server Agent, I got the start/stop message and an event ID of 103, Service Control. I know that this is a permissions thing, so I change both of the services to Local Account, and now the services start fine, but the installation still fails.

At this point I am finally able to push the Management Console through. Instead of modifying an existing instance, which doesn’t allow you to add tools, I select new instance, then select Management Tools.

Management Tools Install

The install failed, and I am seeing messages for SQLExpress recovery, services will not start still, what the hell. I uninstall all SQL 2008 items, and start over. At this point I spend an additional 6 hours messing around with the innards of Lync and SQL 2008, only to come to the conclusion that I do not have the skill to perform this install. I uninstall everything, back to normal. I am now going to add a Windows Server 2008 R2 member to my domain, and repeat this install there. I will post that when it happens.

I used to use Register.com as my trusted certificate provider. They issue a certificate which you install on the server. This certificate lets users connecting to Remote Web Workplace know that your server is legitimate, secure, and trustable. Without this certificate, users can sometimes get security warnings that vary by web browser. The IE error looks like this:

SSL Error IE

SSL Error

This is only a warning, and can be disregarded in cases where we know the server is safe. The problem with this is that end-users often do not understand the message, or do not even read it. When they see this page they call support and complain about the internet being broken. Another bad thing about this error page is that to continue on to the site, you need to hit the red button. By design, we associate red with stop, not continue.

It is easy to get a certificate. We turn in some paperwork to a trusted authority, and they send us a certificate, which we then install. Your server, upon creation, generates a private key. The certificate the trusted authority issues is tied to this key.

My problem with Register.com is that I reinstalled my server. Even though I have the same exact configuration, my private key was changed, which means that my SSL was invalid. And Register.com was reluctant to issue me a new key. They had the special of $15 when I first bought it, though it is now $24. You get what you pay for, but in this case the simplest and cheapest is the best. So after shopping around I see Comodo’s Positive SSL, only $9.95.

So go to the Comodo website, and click to purchase a 1-year Positive SSL. You will notice the address bar, displaying both a green color, https and a locked symbol. This is what we will achieve with the SSL.

Alright, let’s generate our CSR for this website. On your server, open Windows SBS Console. Navigate to Network>Connectivity, and click Add a Trusted Certificate on the left.

SSL Choice

There is a little disclaimer, click next. Select that you wish to buy a certificate from a certificate provider. The other option is for if you already have your certificate, and just need to install it. Click next.

Fill in the correct info in all of the boxes. This is an important step, and wrong information here might very well ruin the validity of an SSL certificate. Enter all fields correctly, and write it down for later. Remember that the SSL is accompanying your domain name, which is mycompany.mysuffix. Mine is blankhealthcare.org, and my server added the prefix remote for my RWW and remote services. So I will enter remote.blankhealthcare.org in the Issued To: box, because this is the site I am securing. I blanked out the field to preserve confidentiality.

Verify SSL

On the next screen, your CSR is generated. You need to copy all of the information that is in the gray box, including the title "-----BEGIN NEW CERTIFICATE REQUEST-----". Hit the copy button. To be on the safe side, I also save it to a file, and put that file in a safe backup location.

CSR

In the next window, it asks if you have the cert, or will add it later. I just leave this box open. Now go back to the Comodo site and paste your CSR in the box they request it in. Select your software from the drop-down box. In the case of SBS 2008 it will most likely be IIS 7.x and greater. Click one year.

I left the first 3 free upgrades in effect, and did not check the last one. No one will be purchasing on my site. Total cost is $9.95, excellent. Hit next.

This next step can be tricky. If you use an external domain to host your website, which then forwards email to your box using MX, the associated email accounts can be tricky. I do a little tricking myself. There is no address admin@mydomain.org, but I’ll create a user really fast. Then I grant myself full access permissions, and have the email sent there. I access it, and then shut down the account. You can have it sent to any of the other addresses in the list, though I would not suggest messing around with any important email accounts such as postmaster, hostmaster, or webmaster.

Fill in your info. I am going to glaze over this part; if you don’t know how to fill in your own company information in a webform, press Ctrl-Alt-Del, select lock workstation, and go home for the afternoon.

Fill in credit info.

Click make payment.
They will confirm, and send out a few emails. One email is important. They mail a validation code to the mailbox you specified during set up. Go to Exchange Management Console. Expand user configuration, mailbox. Right-click on the account for Admin (or whichever you specified). Click Full Access Permissions. Add yourself. You must be an Exchange Admin to do this. Now log into OWA, and in the top right corner, click your user name. In the box that appears, enter the name of the account you wish to open. Then read the email.

Copy down the validation code.
 
Click the link to enter the code, and paste it into the box. You will receive a confirmation.
Wait for the email to be sent. It can take a little while to arrive.
 
EDIT: At this point, after I validated I waited for one hour. I know the process takes a while, but I was eager to apply the certificate. So I entered a live chat on the Comodo website. After being transferred to a tech named “Jake”, he stopped responding. I gave him 8 minutes to reply to my question, before I hung up and emailed EVValidation. They received my ticket at 12PM….
 
Go back to the Add a Trusted Certificate Wizard, and click Next. You will see boxes to enter your certificate information.
Import Certificate
 
I open the email from Comodo that states my cert is attached, and save the zip file to my desktop. I then extract the folder to my desktop. Again, I blanked out my external domain name. The files inside of the zip are here:
Certificate Files

I then follow a link in my email, to make sure I am adding these correctly. I am not sure which cert is which, so I’ll read up. The how-to is here.
So I open IIS 7, click Server Certificates, and browse to my new files on the desktop. They are not in .cer format, so the wizard does not see them.
Wait a minute…. forget Comodo’s how-to guide. Let’s go back to the Add a Trusted Certificate Wizard from the SBS console. Select Locate file. Click on the correct cert. This cert will be your domain name .crt. Mine is remote_blankhealthcare_org.crt.
Click that file, click Next, and watch the wizard complete. Alternatively, you can copy the certificate text from the end of the email, and paste it into the box provided instead of choosing the file.
Add Completion

When you head back to the Connectivity tab of the SBS console, you will now see your certificate status as trusted- that means it is working correctly. There are 3 other certificates included in the zip file, let’s add those now. To do this, click Start>Run, type mmc.exe. When the MMC opens up, click File, Add/Remove Snap-in.
Select Certificates, click add.
Click Computer account and Finish.
Click ok.
Expand Certificates.
Right click Intermediate Certificates, and select All Tasks>Import.
You will now select and import two of the certificates in the zip file, the ones titled:
  • Intermediate CA Certificate – UTNAddTrustServerCA.crt -and-
  • Intermediate CA Certificate – PositiveSSLCA.crt
Once selected, hit Next until the wizard finishes; you shouldn’t have to change anything.

You will also import your Root CA certificate, but instead of into Intermediate Certificates, import this one into Trusted Root Certification Authorities.

Now reset IIS and let’s check it. Start>Run>type in iisreset. Now navigate to your site. Once on the site, click the lock next to the address bar. Click View Certificate. The certificate should be listed as issued by Comodo and should be named PositiveSSL.

Browser Certificate

You’re done!

Now Comodo offers some other stuff with the certificate for free. Let’s set that up quickly, and also back up our certs and private keys so that if we crash we can restore this.

You can sign up for HackerProof on the site linked in your email. I will opt not to sign up, as it seems to be a PC scan. I do not want a web service scanning my server, which already has antivirus anyhow.

Let’s back up our private key, then our certificates. To back up your certificates, I suggest adding them to a zip file, encrypting that zip file, and then placing it on an encrypted and secure drive, preferably offsite.

To export your private key, go to the Certificates MMC. Drill down to the certificate you just installed. Right click and select Export. Include the private key and anything else you wish. Password protect it, and save it in a secure location.
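The store placement in the import steps above and the private key export in this step can both be done, and checked, from the command line. The following is an added example, not code from the original post or from Comodo: it installs the two intermediates and the root with certutil, asks Windows to build and validate the chain for the server certificate (the same check the browser’s lock icon performs), and exports a password-protected PFX backup. The extract directory, the root CA file name and the PFX passphrase are placeholders I assume here; the certificate file name is the one from this post. Run it from an elevated PowerShell prompt on the SBS box.

```powershell
# Added example, not code from the original post. Installs the chain certificates from the
# extracted Comodo zip into the correct stores, then asks Windows to build the chain for the
# server certificate so you can confirm it is trusted before relying on it in IIS.
# Assumptions: $CertDir is where you extracted the zip; the root CA file name is a placeholder
# (the post does not name it); the PFX passphrase is a placeholder you replace.
$CertDir    = 'C:\Users\Administrator\Desktop\certs'           # assumed extract location
$ServerCert = Join-Path $CertDir 'remote_blankhealthcare_org.crt'
$RootCaFile = Join-Path $CertDir 'ROOT_CA_FILE_FROM_ZIP.crt'   # placeholder name

# Intermediates belong in the "CA" store (Intermediate Certification Authorities);
# the root belongs in "Root" (Trusted Root Certification Authorities). Putting the root
# into the intermediate store is the most common reason a chain still shows as untrusted.
foreach ($f in 'UTNAddTrustServerCA.crt', 'PositiveSSLCA.crt') {
    certutil -addstore -f CA (Join-Path $CertDir $f) | Out-Null
}
certutil -addstore -f Root $RootCaFile | Out-Null

function Test-ServerCertificateChain {
    # Builds the chain for the certificate file at $Path using the machine stores.
    # Returns $true when it ends at a trusted root and nothing in the chain is revoked.
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation online, the same way a browser will
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($cert)

    $i = 0
    foreach ($el in $chain.ChainElements) {
        Write-Host ("  [{0}] {1} (expires {2:yyyy-MM-dd})" -f $i, $el.Certificate.Subject, $el.Certificate.NotAfter)
        $i++
    }
    if (-not $trusted) {
        # PartialChain = an intermediate is missing; UntrustedRoot = the root is not in "Root"
        foreach ($s in $chain.ChainStatus) {
            Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
    }
    return $trusted
}

if (Test-ServerCertificateChain -Path $ServerCert) {
    Write-Host 'Chain builds to a trusted root; IIS and the SBS console should now show it as trusted.'
} else {
    Write-Host 'Chain is NOT trusted yet; fix the store placement above before binding the cert in IIS.'
}

# Backup: export the server certificate together with its private key as a password-protected
# PFX. certutil locates the certificate in the machine "My" (Personal) store by thumbprint.
# Move the PFX to the encrypted, offsite location described above; do not leave it on the desktop.
$thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCert)).Thumbprint
certutil -p 'REPLACE_WITH_A_STRONG_PASSPHRASE' -exportPFX My $thumb (Join-Path $CertDir 'server-cert-backup.pfx')
```

If Build returns false, ChainStatus usually says why: PartialChain means an intermediate never landed in the CA store, UntrustedRoot means the root went into the wrong store. The exported PFX contains the private key, so it deserves the same handling as the password-protected export from the MMC wizard.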

You can insert the SSL Site Seal into your web site if you wish. I added mine to my background image, and disabled the link.

EDIT: The SSL package that we just installed is the PositiveSSL, which is the basic package for an SSL certificate. Included in the $9.95 purchase is the EVSSL, Extended Validation. This must be completed by printing the two forms in the email. You must sign and enter your incorporation data, then fax them to Comodo. They will then validate your company, and issue you another, more secure SSL certificate, which can be installed the same way. This will give you the green security bar and lock icon.

This is part one, covering the Setup and DHCP tabs.

Router documentation is well written from a technical standpoint. It tells you exactly what each option is. What it often lacks is a description of what each option does, and what setting is recommended. In this blog post series, I will describe each tab and setting of a Linksys RV016 router, what the settings do, and what they should be set to. Your settings will obviously not be the same as mine, but my examples should head you in the right direction.

Before we start, you need to know your IP address scheme. There are a million sites on this, so I will not get into it. I would suggest writing it out on paper to refer to while configuring. It also helps to know what services you will be running on the domain. You only want to allow through what you need to let through, and UPnP often opens “extra” ports in your router that are not specifically needed.

To get a general understanding of how the router works, I will describe the path information takes when leaving a domain.

1. A workstation sends out a data packet.
2. It queries a DNS server on where it should go. The DNS server will in most cases be your server, or a server.
3. It then gets forwarded to the correct IP address- in this case the internal IP address of your RV016, or your default gateway.
4. Then that router queries its external DNS, which is most likely your ISP’s. With that information, your router sends the data to the correct location.

I know a lot more goes on under the hood, but this is a basic explanation of how the network path will go- keeping a visual of this in your head helps when designing IP addresses and pointing DNS.

For this explanation, I will assume that you have bought the router, have an internet connection with a static IP address, your server has a NIC, you have connected at least 1 workstation and the server to the router ports, and the router is connected to your modem.

This article also assumes that you know the basics, and can gloss over items not generally used in a simple server network. Furthermore, I assume that you know you must hit Save after changes, and how to navigate tabbed browsing- do not get angry if your changes do not take because you did not save your work.

In this scenario we use Comcast Broadband cable, with a static IP address of 70.89.23x.x5- I am going to leave some IP bits masked for security purposes. Not that I mind if my public IP address is known, but why risk it, right? The internal IP addressing scheme that I used was 192.168.1.1. In hindsight, this was a mistake. As the default, most home networks have this type of IP address. This causes problems when connecting remote machines to the network, with IP address conflicts. Pick something else- even something as simple as 192.168.5.1.

Our router is connected, let’s log in. The default IP is 192.168.1.1, so open up a web browser and type that into the address bar. You will be prompted for a user name and password. Administrator is the user name (the RV016 is case-sensitive, fyi) while the password is either admin, or 1234.

Your ports will not be green, and your IP addresses will not be filled out.

Summary Screen

The green boxes are port status- telling you if a port is active or not. This can be important for troubleshooting.

LAN IP is the router’s internal IP address. This is 192.168.1.1.

WAN1 and WAN2 IP are the external IP addresses of the router. I only use one, but you can configure two to host another network, provide modem failover, bandwidth throttling, etc.

DMZ is for the demilitarized zone, if you plan to provide a separate network segment for internet access.

You will want the mode to say Gateway if this is your main router.

Then you have DNS; this is your external DNS- the DNS of your ISP. Comcast’s main DNS is 68.87.73.242. This can be changed to suit your needs and location. Google Public DNS and OpenDNS are alternatives.

The rest of the settings are for later, let’s just skip over them.

The first thing you will do is set up your IP address. Click the Setup tab up top.

Setup Tab- Network

Host and Domain name will most likely be left blank.

Device IP address will remain at 192.168.1.1, unless your address scheme is different. Say your network is 10.1.10.1, then this would be the device IP address.

Choose a subnet mask to fit your network. The default, and mine, is 255.255.255.0. An explanation of IP addresses and subnets can be found here. After that, you can add multiple subnets. I have one added, though it is not in use. If you don’t know what this is, you don’t need to change it 🙂

In the bottom tables, you have settings for your WAN ports. I only use WAN2, so I will leave WAN1 set to automatically obtain an IP address, which is nothing in this case. I will also leave DMZ alone, as I do not use a DMZ. Click Edit for each of these items if you wish to use them.

Click Edit on WAN2, and we will configure this port’s settings.

WAN2 IP Setup

Select Static IP.

Enter the WAN IP address provided by your ISP. This is your internet IP.

Provide the subnet mask and default gateway they provide. This should all be on the pink slip you got when the internet was installed.

DNS servers are your external ISP’s DNS servers. For most cases, leave MTU on auto- we can always adjust it later if necessary. Save and click on the Password subtab.

Change the router password. Use complex, strong passwords, and change them every couple of months. I have a string that I remember because it rhymes, but it is very complex with all the trimmings. I would suggest doing the same, and NOT writing it down.

If I was a burglar, and I broke into your server room, the first thing I would do would be to check drawers, under the keyboard and calendar, and notebooks for written-down passwords (then I would probably pry open the case to steal your HDDs, but that’s for later).

Save and move on to Time. Leave this as default, unless you need to change it. DMZ Host- we don’t need to change this with no DMZ.

Forwarding- this is a BIG one! In order for your network to even work, there are certain things that you need to forward to the server. This is telling certain types of communication coming into your network via the external IP address that they need to report to the server, which then forwards them on to their destination (the server is the internal DNS server).

I will list the things you need to forward to your DNS server. Bold text is necessary, underlined is probably necessary, and regular text is optional depending upon services.

Setup Forwarding

• SMTP– TCP25, allows mail to come in, dependent upon your email configuration
• HTTP– TCP80, web browsing, and a lot of default services
• HTTPS– TCP443, Secure HTTP, used for Remote Companyweb/RWW/etc
• Companyweb– TCPxxx, this is the port that you set up remote SharePoint access on, which is changed in IIS Manager
• PPTP- TCP1723, if you don’t know what this is leave it alone, but this allows VPN connections
• Hostmonster- TCP26, my remote mail provider does not operate on port 25, we use 26 instead
• RWW– TCP4125, for Remote Web Workplace access
• HTTPS Secondary- TCP8443, default secondary HTTPS port, used for multiple secure sites. I use mine for a private database site
• FTP- TCP21, use this if your network has any FTP sites or servers
• TELNET- TCP23, use this if you have any need to telnet into the server. I use this for mail troubleshooting, and disable it when not needed
• L2TP- UDP1701, this is used for the VPN tunneling protocol. DO NOT enable this unless you use L2TP VPN
• RD– TCP3389, Remote Desktop port. This can be defined through your network access policy

You can of course add to this list. If you need a port open for a particular application, then open that port and forward it to the server. Do not open spare ports for the heck of it. Remember that this router supports UPnP. You can also run UPnP, and then run the Connect to the Internet Wizard. I prefer not to do this, personally.
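Once the forwards are saved, the useful check is from the outside: does the public IP answer on exactly the ports you intended, and nothing else? The script below is an added example, not code from the original post or from Linksys. It takes the TCP entries from the list above, marks which ones I would expect to be reachable from the internet for this kind of setup, and attempts a TCP connect to each on the WAN address, reporting mismatches in either direction. The public IP is a placeholder from the documentation range, the Expected column is my reading of the list, and it assumes you run it from a machine on a different internet connection (from inside the LAN most routers will not hairpin to the WAN address).

```powershell
# Added example, not code from the original post. Audits the forward table from OUTSIDE the
# network: attempts a TCP connect to each forwarded port on the public IP and reports which
# ones answer, so the router table can be compared with what you meant to expose.
# Assumptions: run from a host on a different internet connection; $PublicIp is a placeholder
# from the documentation range; Expected reflects the list above and my own judgement.
$PublicIp  = '203.0.113.10'   # placeholder: substitute your own WAN2 static IP
$TimeoutMs = 3000

# The TCP forwards listed in the post. Expected = should this answer from the internet?
# Companyweb (TCPxxx) and Hostmonster (TCP26) are site-specific; add them with your values.
# L2TP (UDP 1701) is not covered: a TCP connect test says nothing about UDP.
$Forwards = @(
    @{ Name = 'SMTP';            Port = 25;   Expected = $true  },
    @{ Name = 'HTTP';            Port = 80;   Expected = $true  },
    @{ Name = 'HTTPS';           Port = 443;  Expected = $true  },
    @{ Name = 'RWW';             Port = 4125; Expected = $true  },
    @{ Name = 'HTTPS secondary'; Port = 8443; Expected = $true  },
    @{ Name = 'PPTP';            Port = 1723; Expected = $false },  # only if you actually run a PPTP VPN
    @{ Name = 'FTP';             Port = 21;   Expected = $false },
    @{ Name = 'Telnet';          Port = 23;   Expected = $false },  # closed whenever you are not troubleshooting
    @{ Name = 'Remote Desktop';  Port = 3389; Expected = $false }   # reach the server through RWW or VPN instead
)

function Test-TcpPort {
    # Returns $true if a TCP handshake completes within the timeout, $false otherwise.
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # No answer within the timeout: filtered or not forwarded
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the port actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($f in $Forwards) {
    $open = Test-TcpPort -Target $PublicIp -Port $f.Port -TimeoutMs $TimeoutMs
    if ($open -eq $f.Expected) {
        $verdict = 'as intended'
    } elseif ($open) {
        $verdict = 'OPEN but not intended: remove the forward'
    } else {
        $verdict = 'closed but expected open: check the forward and the service'
    }
    New-Object PSObject -Property @{ Port = $f.Port; Service = $f.Name; Open = $open; Verdict = $verdict }
}
$results | Sort-Object Port | Format-Table Port, Service, Open, Verdict -AutoSize
```

A port that answers when you did not forward it is the UPnP case from the paragraph above: some application on the LAN opened it for you. Rerun the check after any change to the forwarding table, and after turning UPnP on or off.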

On to the One-to-One NAT tab; you probably don’t need this enabled for a simple network. MAC Clone, DDNS, and Advanced Routing you will most likely leave alone.

DHCP Tab

You will only enable this if your router is handling DHCP, which provides IP addresses for connected devices. A typical server setup will have the server providing DHCP. There are configurations using both server and router DHCP in case of server failure, or vice versa- but typically you will leave this setting alone. The Status tab tells you the status of the router DHCP if it is enabled.

I work for a healthcare company, and as such we deal with sensitive information. In order to comply with HIPAA regulations, we need to have all computers in this office time out after 15 minutes of inactivity, and password lock the computer. I also like this rule because users often leave their desk for the day without logging out. Walking by a PC today I noticed that it was not timing out. Let’s troubleshoot why.

First, let’s check the policy. Open GPMC through Administrative Tools>Group Policy Management. I already have the policy in effect, but I will tell you how to make a new one and apply it. Drill down Forest>Domains>YourDomain. You will see some items, such as Default Domain Policy, Windows SBS CSE Policy, etc. You will never edit these default policies- always create and link a new policy.

Right click on your domain, and select Create and Link a New GPO Here. Assign it a name- in this case I name it Screen Saver Time Out. You will see the new policy appear in the list; right click the new policy and select Edit.

Group Policy Management Console

Expand Policies under User Configuration, and then expand Administrative Templates. Expand Control Panel, and then click on Display.

These changes will be applied to all users in your organization- which means that any computer that a user logs into gets this policy. These are the settings that I enabled:

Group Policy Management Editor

• Hide Screen Saver Tab
• Screen Saver
• Screen Saver Executable Name
• Password Protect the Screen Saver
• Screen Saver Timeout

If you do not enable most of these, they will not work. A description of what each item does is listed in the description tab of each item. For the timeout, I set it to 15 minutes. For the executable name, I set it to logon.scr. This can be different depending on which screensaver you want- make sure that the one you choose exists on all computers in the %windir% directory.

That’s it. Give it 20 minutes to replicate, or go to a workstation and type gpupdate at the command line. Now let’s explore who this applies to.

Exit out of that specific Group Policy, back to the main GPMC window. Highlight the Group Policy you created. On the Scope tab, look under Security Filtering. This should list Authenticated Users, which applies this to everyone. In my case, I use security groups to apply this, and one person was missing from a group, which allowed their screen saver to never come on.

To test if this is being applied, we can run a command right from the server. Under the list of GPOs, click Group Policy Modeling. Right click it and select the Wizard. Click Next, Next. Now select the User radio button, and enter the user you want to test (Bob@solace.local). Now click the Computer radio button and select the computer you want to test (c5.solace.local). You can go through the next pages if you want, but for most pages you can select the checkbox asking if you want to skip them.

Group Policy Modeling Wizard

The wizard will display your results. Expand Settings, and drill down to Display again to see if the policy was applied.
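Group Policy Modeling tells you what should apply; the workstation itself tells you what did. The script below is an added example, not code from the original post: run on a workstation as the user in question after gpupdate, it reads the policy registry values that the five Display settings above write and compares them with the values this post configures (15 minutes, password protected, logon.scr), then checks that the screen saver executable actually exists on that machine and lists the GPOs that reached the user. The registry key and value names are the documented ones for these Administrative Template settings; the expected values are my reading of the configuration above.

```powershell
# Added example, not code from the original post. Verifies on a workstation that the screen
# saver GPO described above has applied to the current user, and that its values match the
# 15-minute, password-protected, logon.scr configuration.
# Assumptions: run as the affected user after gpupdate; expected values mirror the post.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Expected  = @{
    'ScreenSaveActive'    = '1'          # "Screen Saver" enabled
    'ScreenSaverIsSecure' = '1'          # "Password Protect the Screen Saver"
    'ScreenSaveTimeOut'   = '900'        # "Screen Saver Timeout", stored in SECONDS: 15 min = 900
    'SCRNSAVE.EXE'        = 'logon.scr'  # "Screen Saver Executable Name"
}

function Get-ScreenSaverPolicyState {
    # Returns one row per setting with Expected/Actual/Compliant, or $null if the GPO never applied.
    param([string]$Key, [hashtable]$Expected)
    if (-not (Test-Path $Key)) {
        Write-Warning "No policy key at $Key. The GPO has not applied to this user; check Security Filtering."
        return $null
    }
    $item = Get-ItemProperty -Path $Key
    foreach ($name in $Expected.Keys) {
        $actual = $item.$name    # $null when the individual setting was left Not Configured
        New-Object PSObject -Property @{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

$state = Get-ScreenSaverPolicyState -Key $PolicyKey -Expected $Expected
$state | Format-Table Setting, Expected, Actual, Compliant -AutoSize

# Forcing a screen saver that is not present on the machine fails silently, so confirm the
# executable exists where Windows looks for it (%windir% and %windir%\System32).
$candidates = @((Join-Path $env:windir 'logon.scr'), (Join-Path $env:windir 'System32\logon.scr'))
$found = $candidates | Where-Object { Test-Path $_ }
if ($found) {
    Write-Host "Screen saver executable found: $found"
} else {
    Write-Warning 'logon.scr not found on this machine; the timeout will not lock the screen here.'
}

# Which GPOs actually reached this user: a missing group membership (as in the post) shows up
# as the policy being absent or listed under "filtered out".
gpresult /r /scope user
```

A row that reads Compliant = False with Actual empty means the individual setting was left Not Configured in the GPO, which matches the note above that most of these must be explicitly enabled; the whole key missing means the policy never reached the user at all, which is the Security Filtering case.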
