
  • New address for Daniel's IT Blog

    Hi Guys,
    As per my previous blog, my blog site has now moved... my new address is http://daniels-it.spaces.live.com/

    Come back and visit often...

    cheers

  • My Departure from the UK

    Hi Everyone,
    I have now left the UK and returned to my home in Melbourne, Australia, having spent just over 2 and a half years living and working in London. It gave me the opportunity to learn a heap, get some great experience and of course travel!

    I will be moving to a new .AU blog site soon, once I decide which one takes my fancy. As soon as I have decided on one, I'll post the address for you guys.

    In the meantime, keep visiting this site for the latest and greatest info.

    thanks

    Dan

  • Windows Server 2008 Cont'd: Active Directory Federation Services

    Hi Everyone,
    Part 3 of my Windows Server 2008 series covers Active Directory Federation Services.

    So what is AD FS?

    Active Directory Federation Services (AD FS) is a feature in the Windows Server 2003 R2 and Windows Server 2008 OS's that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple, related Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries.

    Features in AD FS

    In Windows Server 2008, AD FS includes new features that were not available in Windows Server 2003 R2.
    This new functionality is designed to ease administrative overhead and to further extend support for key applications:

    Improved installation: AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.

    Improved application support: AD FS is more tightly integrated with Microsoft Office SharePoint Server 2007 and Active Directory Rights Management Services (AD RMS).

    A better administrative experience when you establish federated trusts: Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.

    The following are some of the key features of AD FS:

    Federation and Web SSO

    When an organization uses Active Directory Domain Services (AD DS), it experiences the benefit of SSO functionality through Windows Integrated authentication within the organization's security or enterprise boundaries. AD FS extends this functionality to Internet-facing applications. This makes it possible for customers, partners, and suppliers to have a similar, streamlined, Web SSO user experience when they access the organization’s Web-based applications. Furthermore, federation servers can be deployed in multiple organisations to facilitate business-to-business (B2B) federated transactions between partner organizations.

    Web Services (WS)-* interoperability

    AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS does this by employing the federation specification of WS-*, called WS-Federation. The WS-Federation specification makes it possible for environments that do not use the Windows identity model to federate with Windows environments.

    Extensible architecture

    AD FS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) 1.1 token type and Kerberos authentication (in the Federated Web SSO with Forest Trust design). AD FS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organisations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies.

    Extending AD DS to the Internet
    AD DS serves as a primary identity and authentication service in many organisations. With Windows Server 2003 Active Directory and Windows Server 2008 AD DS, forest trusts can be created between two or more Windows Server 2003 forests or Windows Server 2008 forests to provide access to resources that are located in different business units or organisations.

    However, there are designs in which forest trusts are not a viable option. For example, access across organisations may have to be limited to only a small subset of individuals, not every member of a forest.

    By employing AD FS, organisations can extend their existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.

    AD FS supports distributed authentication and authorisation over the Internet. AD FS can be integrated into an organisation's or department’s existing access management solution to translate the claims that are used in the organisation into claims that are agreed on as part of a federation. AD FS can create, secure, and verify the claims that move between organisations. It can also audit and monitor the communication activity between organisations and departments to help ensure secure transactions.

    OK, installing AD FS...

    First up, install the role through Server Manager.

    adfs1

    You will then get the welcome screen. Ensure the domain controller or member server is a member of the domain, and bear in mind that when you install additional features of AD FS you MUST separate the AD FS proxy server and the AD FS feature roles: you cannot run both on the one box.

    adfs2
    Note:  you will be required to install the additional IIS services as well.

    adfs3

    In this demonstration I will be installing the AD FS service and the Web Agents. Choose Next.

    adfs4

    As I am installing the Web Agents role, it prompts me for an SSL certificate. I have some existing AD CS certificates which I could use; if your organisation has its own set of SSL certificates for IIS, select them now, or alternatively create a new one. For the purpose of this demo I will create a new certificate.

    adfs5

    adfs6
    Again, because I am installing the Web Agent feature, one of its sub-requirements is token authentication, and at this point it asks me for a certificate for that. I will create a self-signed one, but in a production environment you would use a certificate issued by an external CA.

    adfs7

    It now prompts me for my federation server for web agent communications. In a production environment you should have this on a separate federation server, but for this demo I am going to point it to the local DC. Selecting Validate will confirm web agent communication with your chosen federation server.

    adfs8
    The next stage involves specifying the trust policy XML location. If your organisation has its own policies for this, make the appropriate changes; I will keep everything as default.

    adfs9

    The next part of the install involves configuring your IIS 7 components; choose Next at the welcome screen.

    adfs10

    Leave all IIS components selected as default unless you have specific requirements.

    adfs11

    Confirm your installation requirements and choose install.

    adfs12
    Installation proceeding...

    adfs13

    Installation finishes; choose Close.

    adfs14

    Note: no restart is required. You can access the AD FS snap-in through MMC. In the example below I have created an AD account store. Also note that you break up your policy between internal clients and external clients (partners).

    adfs15

    I am now going to create a new application definition. To do this, right-click on Applications and select New, then Application...

    adfs16

    The wizard starts; choose Next.

    adfs17

    Now you need to specify whether your application will use token-based authentication or is claims-aware (.NET); in this example I am going to use claims-aware.

    adfs18

    Now enter your display name and URL path; in this case I will be using my HP SIM application.

    Please note: do NOT use AD FS together with SharePoint SSO; use either one or the other, not both. Although SSO works great, if your organisation has a policy to use AD FS only, ensure you remove the SSO option in your initial SharePoint installation configuration.

    adfs19

    Now you specify your identity claims. As HP SIM uses UPN, that's the option I'll be selecting; however, as you can see from the screen dump, you have a few different options.

    adfs20

    Now you choose whether to enable the application immediately or not. Choose Next.

    adfs21

    The wizard is finished; hit Finish.

    adfs22

    As you can see, my application is initialised and is using UPN for its identity claim.
    adfs23

  • Windows Server 2008 Cont'd: Active Directory Certificate Services

    Hi guys,
    Following on from my last post about Active Directory Domain Services, now let's move into Windows Server 2008's other Active Directory based services.

    Active Directory Certificate Services

    Active Directory Certificate Services (AD CS) provides customisable services for creating and managing public key certificates used in software security systems that employ public key technologies. AD CS comprises the following feature components, all configurable through Server Manager (I will run through the install procedure later on):

    Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.

    Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates, retrieve certificate revocation lists (CRLs), and perform smart card certificate enrollment.
     
    Online Responder service. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information. 
     
    Network Device Enrollment Service (NDES). NDES allows routers and other network devices that do not have network accounts to obtain certificates.

    Benefits of AD CS

    Organisations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

    Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

    Among the new features of AD CS in Microsoft Windows Server 2008 are:

    • Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.
     
    • Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.
     
    • Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.

    Hardware and software considerations

    AD CS requires Windows Server 2008 and Active Directory Domain Services (AD DS). Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals.

    CAs can be set up on servers running a variety of operating systems, including Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design will require careful planning and lab testing before you deploy AD CS in a production environment.

    OK, let's go through the install procedure.

    As per usual you use Server Manager to install the role: select Add Roles, and select Active Directory Certificate Services.
    cert1
    The welcome page is below.

    cert2

    I'm going to add our primary role and the feature Certification Authority Web Enrollment (see above for a description of the features).
    Please note that when you add CAWE you will be prompted to install the required IIS services.
    cert3

    cert4
    If you plan to install Network Device Enrollment Service, please note that you need to complete Certification Authority setup before you can install and set up this service.

    The next step involves selecting whether you use AD DS to simplify issuing of certificates (Enterprise) or select standalone mode, which brings a bunch of extra configuration steps. Enterprise configuration is the recommended way of deploying certificates. Choose Next.

    cert5
    The next step involves configuring your CA. You can select Root CA if this is your only certification authority, or, if you have another CA provider (whether internal or external), you can select Subordinate CA. In this example I will be setting this server up as a Root CA.

    cert6
    The next step involves setting up your private key. If you don't configure a private key or select an existing key, certificates will NOT be issued to clients. As I do not have an existing key from another CA, I will choose to create a new one.

    cert7
    Before you can issue certificates, the CA's private key needs its cryptographic settings chosen: this Cryptography section of the wizard involves selecting a CSP (which determines the key algorithm and length) and a hash algorithm (which the CA uses to sign the certificates it issues). There is a large number of different CSPs, so choose what is appropriate, depending on your organisation's security policy.

    cert8
    I will be using Microsoft Base Cryptographic Provider 1.0 with the SHA-1 algorithm for this example.

    cert9

    The next step involves configuring your CA name. Generally you would leave all options as they are, as it registers against the server FQDN, but changing the common name is OK too. Choose Next.
    cert10
    Now you need to set the certificate expiry the client/device will have before needing to get a certificate reissued. The default is 5 years, which is what I have left mine at. However, in regard to best practices it should be considerably less, but this depends on your internal organisation policies.

    cert11

    Next you need to specify the install location of the database and logs. I am going to leave it as default; however, for performance or policy reasons you may choose to change this.

    cert12

    Remember earlier on it asked if you wanted to install the required IIS services? Now here is where you configure the individual IIS components; choose Next at the welcome page.

    cert13

    Generally you can leave all the default selections; however, I am installing the additional IIS 6.0 components for my Exchange install later on (blog will follow!). Then choose Next.
    cert14

    Finally we are at the confirmation page; confirm everything is OK and hit Next.

    cert15

    Installation starts.

    cert16
    Once completed you will see a screen like the one below.

    cert17

    Now you will see the role under Server Manager (no restart is required for this role); however, in my experience I have found it will not function correctly until a restart. Additionally, if you plan to install any other features of AD CS you will need to restart first.

    cert finish

    Now you will see you have access to the new Certificate Server snap-in under Administrative Tools. From here you can view issued certificates, revoked certificates, pending requests, failed requests and templates.
    certserv

    Now, templates... In Windows Server 2003 R2 you had the previous facilities but NOT templates. I think this is a fantastic feature that they have added, and it's dead easy. For example, I would like to set up a certificate template for smart card authenticated users... EASY! Select Certificate Templates and you will see the preinstalled templates.

    cert2
    Right-click on Certificate Templates and choose New Template, and add the certificate type your clients require.

    cert3

    As you can see there are heaps of templates available. What I like best about it is that once you add them they are all preconfigured; there is no additional work required!

    Now clients can connect to the server's IIS web site and request new certificates if required.

    cert4
    All they select is 'Request a certificate'; the screen below is displayed.

    cert5
    If any additional information is required it will prompt you here, but in this case I have left everything default, so the user chooses Submit, sending a request to the AD CS server for a new certificate. It will of course appear under pending and/or issued certificates in the certserv tool.

    cert6
    The user gets a warning message; select Yes.

    cert7
    The certificate has been issued; select Install this certificate.

    cert8

    Another prompt; select Yes.

    cert9

    Certificate issuing complete.

    cert10

    COOL

  • Windows Server 2008 IDS3

    Hi Folks,
    I have had a few requests from people out there about the Windows Server 2008 system, mainly in relation to the release date, and items such as roles, features and step-by-step info.

    Now, Microsoft released Windows Server 'Longhorn' Beta 3 about 6 weeks ago to TechNet Plus subscribers, and it is now readily available to everyone. Microsoft's official release date for this product has yet to be determined, but all signs indicate that manufacturing will start at the end of this year, ready for early 2008 (as the name suggests).

    TechNet Plus subscribers will notice that Windows Server 2008 IDS-3 is now available on TechNet in both Standard and Enterprise.
    So what's the difference?! As far as I can see there are not too many; however, I have come across a few differences thus far.
    First up, the installation was slightly different. Everyone who has used Longhorn knows you have 2 install methods to choose from: a Windows Server Core install, or a full Windows Server install. I'm just going to take a moment to explain the differences... Essentially, Server Core is a slimmed-down, appliance-like version of Longhorn Server that functions in a couple of limited roles and does nothing else.

    Server Core, as I see it, has three main advantages: it's extremely focused, which means it does what it does very well, resulting in better performance, resilience and robustness than a full-fledged operating system. It also has limited dependencies on other pieces of the Windows puzzle, in that the Core is designed to work without a lot of other software installed; it can generally work by itself. In comparison, many of the previous Windows components aren't really necessary, like Windows Explorer or Internet Explorer for example, which is something that can't be said for Windows Server 2003.

    All of this translates into a far smaller attack surface than the standard Windows Server product, given all of the material that's been stripped out.

    OK, back to the differences... During install I was not prompted to set an Administrator password, which I thought was a bit strange, but it did speed up the install process. On my VM it took about 15 minutes to install the OS.
    Upon first load you now actually get prompted to set the Administrator password.
    change password upon first log in

    Now set your password.

    set password
    You also now have the facility to create a password reset disk, which is handy; however, so far I cannot see a USB key option, which I'm sure will come around prior to final release.
    Once your password is set and you log in, you will notice one little difference. Nothing important, but in my opinion it means they are finally getting closer to releasing the various RCs, which is a good sign... In the bottom right-hand corner it has always stated Windows Server 'Longhorn' eval; it now states Windows Server 2008.
    bottom right hand corner - no longhorn

    I also noticed boot-up time is incredibly quicker; the OS loaded in under 1 minute!
    OK, moving right along. Naturally you will get asked to fill in the usual info in the 'Initial Configuration Tasks' wizard, i.e. time zone, networking, computer name and domain, automatic updating and feedback, install updates, add roles and add features, enable Remote Desktop and customise Windows Firewall.

    Now let's run you through roles. Server Manager is still what you use to install roles and features; in this example we are going to install Active Directory, but the screen dump lets you see what roles are available.
    roles, installing AD

    Best Practices: Make sure prior to installing Active Directory that you have assigned the server a static IP, and that you have set its primary DNS pointing to its loopback address of 127.0.0.1.
    First up you will get your welcome screen.
    install1
    Next comes the confirmation screen. Notice that in all prior server versions, once you install AD and restart it is up and running, but in Windows Server 2008 you need to run dcpromo AFTER the initial install of AD to activate the role, which I will cover later.
    install2
    Active Directory starts to install and then finishes.
    install3
    install4
    Now you need to run dcpromo; you access this by selecting the Active Directory Domain Services role in Server Manager and clicking the link highlighted in red below.
    selecting dc promo
    Now let's kick off the dcpromo config. You get the usual welcome screen.
    pre dc promo
    Go Next, and you will hit the Deployment Configuration page. Please note that in this example I am setting up the first DC in my forest.
    ad1
    Next comes your forest root domain name; in this example, my FQDN is XtremeIT.com.
    ad2
    Next comes your forest functional level; in my example I'm going with 2008, and following that is your DNS.
    ad3
    ad4

    Now you will receive the following warning message.
    ad5

    This message is basically telling you it cannot contact another DNS zone, which is of course true, as I am doing a first domain controller install and I am using this DC as my primary DNS. If you are running a separate delegated DNS (i.e. you have another DNS server and an appropriate zone), you only need to manually create a connection to this on your other DNS server and zone.
    The next warning message you get is quite lengthy, but all it is saying is that if this server will be your primary DNS, you need to ensure your primary DNS settings reflect the server. This is what I was talking about earlier in the best practices section, by pointing it to 127.0.0.1; if you forgot to do that prior to install, selecting Yes on this screen will make the appropriate changes.
    ad5-1
    The next part of the wizard will prompt you about installation locations for SYSVOL etc. Best practice on DCs is to segment these directory locations for performance, but in this example I'll leave them as default.
    ad6
    Moving along, the next screen prompts you to set a restore password for authoritative and non-authoritative DS restores, as well as a review of all wizard steps.
    ad7
    ad8
    Hitting Next kicks off your install.
    ad9

    You will then get a completed screen and naturally the prompt to restart.
    adfinish
    adfinish2

    Once you restart, under Server Manager you will now see AD installed.
    Now please, please, please remember: if you plan to install other Active Directory roles like Certificate Services or Federation Services, you MUST install this first and install ONLY this role. Although you have the option to install multiple AD roles at once, they will NOT work correctly until this role is installed and configured, so install the Domain Services role first, then move on to other roles.
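    A pre-flight check for the two best practices called out above (a static IP, and the primary DNS pointed at the loopback address 127.0.0.1), as an added example that is not part of the original post. The function name Test-DcPromoPrerequisites is my own; it relies only on the Win32_NetworkAdapterConfiguration WMI class, which is available on Windows Server 2008.

```powershell
# Added example, not from the original post: verifies the pre-dcpromo best
# practices given above (static IP, primary DNS set to 127.0.0.1) on every
# IP-enabled adapter before Active Directory Domain Services is installed.
# Test-DcPromoPrerequisites is an assumed name; it queries the
# Win32_NetworkAdapterConfiguration WMI class.
function Test-DcPromoPrerequisites {
    param([string]$ComputerName = '.')

    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                              -ComputerName $ComputerName -Filter 'IPEnabled = True'
    $problems = @()
    foreach ($nic in $adapters) {
        $name = $nic.Description

        # A DC must keep a fixed address; a DHCP-assigned address fails the check.
        if ($nic.DHCPEnabled) {
            $problems += "${name}: address is assigned by DHCP; assign a static IP before running dcpromo."
        }

        # An APIPA (169.254.x.x) address means no usable static address is set at all.
        $ipv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        if ($ipv4 | Where-Object { $_ -like '169.254.*' }) {
            $problems += "${name}: has an automatic private (169.254.x.x) address instead of a static one."
        }

        # Drop empty entries so an unset DNS list counts as zero servers.
        $dns = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        if ($dns.Count -eq 0) {
            $problems += "${name}: no DNS servers configured; set the primary DNS to 127.0.0.1."
        } elseif ($dns[0] -ne '127.0.0.1') {
            $problems += "${name}: primary DNS is $($dns[0]); the first DC should point at its loopback address 127.0.0.1."
        }
    }
    # The leading comma keeps an empty result as an array rather than $null.
    return ,$problems
}

# Usage: an empty list means the server is ready for dcpromo.
$issues = Test-DcPromoPrerequisites
if ($issues.Count -eq 0) {
    Write-Host 'Ready for dcpromo: static IP and loopback DNS are configured.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```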

    OK, my next blogs in my Windows Server 2008 series will cover the following:
    Active Directory Certificate Services
    Active Directory Federation Services
    Active Directory Rights Management Services
    Network Policy & Access services
    Health Authority Services
    Windows Deployment Services & deploying Windows Server 2008 & Vista
    Exchange 2007 Installation & configuration.

    Stay Tuned!

  • I'm Back!!

    Hi Everyone, apologies for the long break since I have been blogging; all of December I was back home with family in Australia for a great 4-week holiday in the sun, and before that I was all preparing to go!

    Happy New Year to all my readers! It's a new year and there are plenty of new blogs to come, so I should be back in full swing next week; please come back often!

    Cheers

    Dan

  • Telnet In Windows Vista/Longhorn

    Where is Telnet in Vista/Longhorn beta builds?

    Telnet is now an optional component in Vista and Longhorn Server. This means that if you type telnet in the command shell, you will be out of luck.

    Why has Microsoft done so?

    As time has passed, fewer users use telnet. Thus, to decrease the footprint as well as the attack surface, they decided to make it an optional component.

    Great, now how do I get the telnet client/server working again?

    Vista -

    Use Software Explorer, or click Start, Control Panel, Programs, and then Turn Windows Features on or off. In the list, scroll down and select Telnet Client. Click OK to start the installation.

    Longhorn -

    Use RMT to install

    If you want to use command line options, use the following commands:

    Command line to install telnet server:

    start /w pkgmgr /iu:"TelnetServer"

    Command line to install telnet client:

    start /w pkgmgr /iu:"TelnetClient"

    Enjoy...

  • Installing the Windows 2003 SP1 Admin Pack on Windows Vista Beta 2

    Hi Everyone,
    A lot of people have asked me whether Microsoft has released a version of adminpak.msi for Windows Vista. Unfortunately, in the current builds there is no version, and there will not be until the final release.

    If, like me, you use the Windows Server 2003 Admin Tools very frequently, this becomes a real pain, and if you try to install the current Windows Server 2003 release adminpak in Vista it will give you an error saying 'wrong version', which relates to the Windows version check.

    However, you can create your own installer for the Admin Pack (Windows Server 2003) which WILL work on Windows Vista, and I am going to show you how!

    As mentioned above, the Windows 2003 SP1 Admin Pack cannot be installed on a Windows Vista machine due to a version check in the installer. Since there is also a bug with the compatibility mode for elevated processes, you must modify the MSI file to remove the version check.

    Below are instructions for modifying the MSI.

    Note that the same basic process may be used to correct version issues with other installers.

    Download & install Windows Server 2003 SP1 Platform SDK from http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en

    Once installation has completed, install Orca.msi (located in %ProgramFiles%\Microsoft Platform SDK\Bin).

    Unpack adminpak.exe
     
    Select adminpak.msi, Right-click and choose Edit with Orca

    In the 'Tables' view (left pane) select 'LaunchCondition'.

    In the right pane, select the row whose 'Condition' is (MsiNTSuitePersonal <> 1) AND ((VersionNT = 501 AND (ServicePackLevel >= 1 OR QFE_DSPROP = "Yes")) OR (VersionNT = 502 AND ServicePackLevel <= AdminpakServicePackLevel)).

    Select 'Transform' > 'New Transform'.

    Edit 'Condition' from (MsiNTSuitePersonal <> 1) AND ((VersionNT = 501 AND (ServicePackLevel >= 1 OR QFE_DSPROP = "Yes")) OR (VersionNT = 502 AND ServicePackLevel <= AdminpakServicePackLevel)) to (MsiNTSuitePersonal <> 1) AND ((VersionNT = 501 AND (ServicePackLevel >= 1 OR QFE_DSPROP = "Yes")) OR (VersionNT = 600 AND ServicePackLevel <= AdminpakServicePackLevel)). In other words, only the Windows Server 2003 branch (VersionNT = 502) is retargeted to Vista (VersionNT = 600); the rest of the condition stays as it is.

    Select 'File' > 'Save Transformed As...' and save as AdminPak_Vista.msi.

    Close Orca

    Install AdminPak_Vista.msi on computer running Windows Vista
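    The same LaunchCondition edit, scripted through the Windows Installer automation interface instead of Orca, as an added example that is not part of the original post. It assumes adminpak.msi has already been unpacked into the current folder; rather than saving a transform it edits a copy named AdminPak_Vista.msi in place, which yields the same installable package, and the function names are my own.

```powershell
# Added example, not from the original post: retargets the adminpak.msi
# LaunchCondition from Windows Server 2003 (VersionNT = 502) to Windows Vista
# (VersionNT = 600) using the WindowsInstaller.Installer COM object.
# Assumptions: adminpak.msi is unpacked in the current folder, and the copy
# AdminPak_Vista.msi is edited directly instead of saving an Orca transform.

# WindowsInstaller.Installer is late-bound, so its members are reached through
# InvokeMember rather than the usual $object.Method() syntax.
function Invoke-MsiMember {
    param($Object, [string]$Member, [object[]]$ArgList = $null,
          [System.Reflection.BindingFlags]$Kind = 'InvokeMethod')
    return $Object.GetType().InvokeMember($Member, $Kind, $null, $Object, $ArgList)
}

# Returns the Condition strings currently in the LaunchCondition table,
# useful for checking the package before and after the edit.
function Get-LaunchConditions {
    param([string]$MsiPath)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-MsiMember $installer 'OpenDatabase' @((Resolve-Path $MsiPath).Path, 0)  # 0 = read-only
    $view = Invoke-MsiMember $db 'OpenView' @('SELECT Condition FROM LaunchCondition')
    Invoke-MsiMember $view 'Execute' | Out-Null
    $conditions = @()
    while (($record = Invoke-MsiMember $view 'Fetch') -ne $null) {
        $conditions += Invoke-MsiMember $record 'StringData' @(1) 'GetProperty'
    }
    Invoke-MsiMember $view 'Close' | Out-Null
    return ,$conditions
}

# Copies the package and rewrites the version check in the copy.
function New-VistaAdminPak {
    param([string]$SourceMsi = '.\adminpak.msi',
          [string]$TargetMsi = '.\AdminPak_Vista.msi')
    Copy-Item -Path $SourceMsi -Destination $TargetMsi -Force
    $path = (Resolve-Path $TargetMsi).Path

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-MsiMember $installer 'OpenDatabase' @($path, 1)   # 1 = transact mode, written on Commit
    $view = Invoke-MsiMember $db 'OpenView' @('SELECT Condition, Description FROM LaunchCondition')
    Invoke-MsiMember $view 'Execute' | Out-Null

    $changed = 0
    while (($record = Invoke-MsiMember $view 'Fetch') -ne $null) {
        $condition = Invoke-MsiMember $record 'StringData' @(1) 'GetProperty'
        if ($condition -notmatch 'VersionNT = 502') { continue }
        # Only the Server 2003 branch is retargeted; the MsiNTSuitePersonal and
        # Windows XP (VersionNT = 501) parts of the condition stay intact.
        $newCondition = $condition -replace 'VersionNT = 502', 'VersionNT = 600'
        Invoke-MsiMember $record 'StringData' @(1, $newCondition) 'SetProperty' | Out-Null
        # Condition is the table's primary key, which MSI SQL will not UPDATE;
        # msiViewModifyReplace (4) deletes the old row and inserts the edited one.
        Invoke-MsiMember $view 'Modify' @(4, $record) | Out-Null
        $changed++
    }
    Invoke-MsiMember $view 'Close' | Out-Null
    Invoke-MsiMember $db 'Commit' | Out-Null
    if ($changed -eq 0) { throw "No LaunchCondition row with VersionNT = 502 found in $SourceMsi" }
    return $TargetMsi
}

# Usage: build the Vista package and print its rewritten launch condition.
$out = New-VistaAdminPak
Get-LaunchConditions $out
```

    Run it from an elevated PowerShell prompt in the folder holding the unpacked adminpak.msi, then install the resulting AdminPak_Vista.msi as in the step above.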

    Easy! hope this helps.

  • Longhorn Server Terminal Services Part II

    Hi Everyone,
    In my last blog on Terminal Services in Longhorn Server, I discussed the installation and setup of Remote Programs. Taking it one step further in this post, we will discuss one of the other 2 major components of Terminal Services, TS Web Access (TS Gateway to follow in the next blog).

    OK, let's jump straight into it: TS Web Access.

    What is Terminal Services Web Access?

    TS Web Access is a feature that makes Remote Programs available to users from a Web browser. With TS Web Access, a user can visit a Web site—either from the Internet or from an intranet—to access a list of available Remote Programs. When a user starts a Remote Program, a Terminal Services session is started on the terminal server that hosts the Remote Program.
    TS Web Access includes a default Web page that you can use to deploy Remote Programs over the Web. The Web page consists of a frame and a customizable Web Part, where the list of Remote Programs is displayed. Alternatively, you can incorporate the Web Part into a Microsoft Windows SharePoint Services site.

    Deploying TS Web Access:

    You must install the TS Web Access role service on the Windows Server "Longhorn"-based server that you want users to connect to over the Web to access Remote Programs. When you install TS Web Access, Microsoft Internet Information Services (IIS) 7.0 is also installed as a required component.
    After you install TS Web Access, you can specify the data source to use to populate the list of Remote Programs that appears in the Web Part. The Web server can populate the list from an external data source. Therefore, the Web server does not have to be a terminal server.
    If you want users to access the Web page from the Internet, you can use TS Gateway to help secure remote connections.

    TS Web Access Data Sources

    TS Web Access can populate the list of Remote Programs that appear in the Web Part from either of the following data sources:
    • Active Directory directory service
    • A single terminal server
    By default, the list of Remote Programs is populated from Active Directory.
    If Active Directory is specified as the data source, the list of Remote Programs that appears in the Web Part is specific to the individual user. Only .msi packages (with an .rap.msi file name extension) that are published for that specific user by using Group Policy software distribution appear in the list.
    If a single terminal server is specified as the data source, the list of available Remote Programs that appears in the Web Part is not specific to the user. Instead, all Remote Programs that are configured for Web access on that server's Allow List appear on the page.

    Install the TS Web Access Role Service

    Install the TS Web Access role service on the server that you want users to connect to over the Web to access Remote Programs. When you install the TS Web Access role service, Microsoft IIS 7.0 is also installed.

    To install the TS Web Access role service, it is pretty much the same procedure you would follow to install Terminal Services and set up Remote Programs.

    The server where you install TS Web Access acts as the Web server. The server does not have to be a terminal server. After you install TS Web Access, you can configure TS Web Access to populate the list of Remote Programs from Active Directory or you can designate a single terminal server as the data source.

    To install TS Web Access (if the Terminal Services role is already added)

    First up, go to Server Manager (Start > Server Manager, or run servermanager.msc).

    Under Roles Summary, click Terminal Services. Under Role Services, click Add role services.

    [Screenshot: Add role services]

    Then, on the select components screen, select TS Web Access. It will also prompt you to install additional supporting services (IIS 7 etc.), so choose 'Add Required Role Service'.

    [Screenshot: Add required role services]

    Then choose Next.

    On the intro screen, hit Next.

    [Screenshot: Intro]

    On the Role Services screen, select Next.

    [Screenshot: Role services]

    On the Confirm Installation Options screen, hit Install.

    [Screenshot: Confirm installation options]

    [Screenshot: Installing]

    On the installation completed page, choose Close.

    [Screenshot: Finish]

    You will now see the role service in the list.

    [Screenshot: Verify installation]

    Use Active Directory as the Data Source

    By default, TS Web Access populates its list of Remote Programs from Active Directory. When Active Directory is specified as the data source, the Terminal Services Remote Programs Web Part is populated by the Remote Program .rap.msi packages that are published to a user through Group Policy software distribution. The advantages to this deployment method are as follows:

    • TS Web Access will only display packages that are specific to the current user.
    • Remote Program .msi packages that point to different terminal servers can all be consolidated into a single list in the Terminal Services Remote Programs Web Part.

    To specify Active Directory as the data source

    1. Use Internet Explorer to connect to the default TS Web Access Web page. By default, the Web page is located at the following address (where server_name is the NetBIOS name or fully qualified domain name (FQDN) of your TS Web Access server): http://server_name/ts
    2. Log on to the site by using an account that is a member of the local Administrators group or by using an account that is a member of the TS Web Access Administrators local group. (If you are already logged on to the computer as one of these accounts, you are not prompted for credentials.)

    Note: In Windows Server "Longhorn" Beta 2, the TS Web Access Administrators local group is added when you install TS Web Access. To open the Local Users and Groups snap-in, click Start, click Run, type lusrmgr.msc and then click OK.
    3. In the upper-left corner, under Personalization Scope, click Shared.
    4. In the Display Mode list, click Edit.
    5. At the top of the Web part, click the drop-down arrow on the right side of the Terminal Services Remote Programs bar, and then click Edit.
    6. Under Terminal Services Remote Programs Properties, click Active Directory.
    7. Click OK to apply the changes and to close the Editor Zone dialog box.

    Now, as per my previous blog, web-accessed applications are added and controlled via the Remote Programs screen.

    The one field you need to worry about is the TS Web Access column: as long as the application has a Yes in there, you will see it displayed on the Web Access screen.

    [Screenshot: Remote Programs]

    If you want to use Active Directory as the data source to populate the Terminal Services Remote Programs Web Part, you must do the following:

    1. On the terminal server where you added Remote Programs, create an .msi package for each Remote Program that you want to make available through TS Web Access.
    Important: If Active Directory is specified as the data source, Remote Programs must have an .rap.msi file name extension to appear in the Web Part. When you create the .msi package from a Remote Program that is enabled for TS Web Access, the package is automatically created with an .rap.msi file name extension. If the Remote Program is not enabled for TS Web Access when you create the package, the package is created with an .rdp.msi extension. If you created an .rdp.msi package and you later want to make the package available for TS Web Access, you can rename the file name extension to .rap.msi.

    2. Make sure that the .rap.msi packages are saved to a shared network folder, and that users have access to the shared folder.

    3. Distribute the .rap.msi package to users by using the Software installation node in Active Directory Group Policy.
    Note: to locate the Software installation node in a Group Policy object (GPO), expand Software Settings under User Configuration, and then click Software installation. For more information about how to use Group Policy software distribution, see the Microsoft Knowledge Base article "How to use Group Policy to remotely install software in Windows Server 2003" (http://go.microsoft.com/fwlink/?LinkId=29166).

    4. Make sure that the computer account of the server that is running TS Web Access has Read access to the Remote Programs that you make available by using .rap.msi packages. To do this, make sure that the software distribution Group Policy settings are also applied to the computer account of the TS Web Access server.

    • If you applied the GPO at the domain level, and you do not use security filtering to filter the scope of the GPO, the TS Web Access server automatically has Read access.

    • If you applied the GPO at the domain level, and you use security filtering, or if you applied the GPO to an organizational unit (OU) that contains both the computer account of the TS Web Access server and the users who you want the policy to apply to, you must add the computer account of the TS Web Access server to the list of users and groups on the Security tab when you view the properties of the GPO. When you add the account, make sure it has both Read and Apply Group Policy permissions.

    • If you applied the GPO to an OU that contains the users who you want the policy to apply to, and the computer account of the TS Web Access server is in a separate OU, you must link the GPO to the OU that contains the computer account of the TS Web Access server. Additionally, you must add the computer account of the TS Web Access server to the list of users and groups on the Security tab when you view the properties of the GPO. When you add the account, make sure it has both Read and Apply Group Policy permissions.

    Note: Before you can add a computer account to the list of users and groups on the Security tab when you view the properties of the GPO, you must click Add, click Object Types in the Select Users, Computers, or Groups dialog box, select the Computers check box, and then click OK.
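    As an added example (not part of the original post), here is a PowerShell script that checks the two things the Active Directory data source depends on: that the packages on the share actually carry the .rap.msi extension (an .rdp.msi package never appears in the Web Part), and that the TS Web Access server's computer account holds Read and Apply Group Policy on the distribution GPO and that the GPO reaches the OU the account lives in. It assumes the GroupPolicy module (the RSAT cmdlets from Windows Server 2008 R2 onwards, not the Beta 2 tooling of the post); the share path, GPO name, server name and OU distinguished name are hypothetical placeholders.

```powershell
# Added example, not from the original post. Checks what the Active Directory data
# source needs: .rap.msi packages on the share, and Read + Apply Group Policy for the
# TS Web Access server's computer account on the GPO that publishes them.
# Assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 or later).
# Share path, GPO name, server name and OU below are hypothetical placeholders.
Import-Module GroupPolicy

function Get-MisnamedRemoteProgramPackage {
    # Packages built before the Remote Program was enabled for TS Web Access get an
    # .rdp.msi extension and never show up in the Web Part; list them together with
    # the name they need to be renamed to.
    param([Parameter(Mandatory)][string]$SharePath)
    Get-ChildItem -LiteralPath $SharePath -Filter '*.rdp.msi' |
        Select-Object FullName,
            @{ Name = 'RenameTo'; Expression = { $_.FullName -replace '\.rdp\.msi$', '.rap.msi' } }
}

function Test-GpoApplyPermission {
    # Get-GPPermission reports one level per trustee. GpoApply is the level shown
    # when both Read and Apply Group Policy are ticked on the GPO's Security tab;
    # GpoRead on its own is not enough for the policy to reach the computer.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ComputerName   # NetBIOS name, no trailing $
    )
    try {
        $perm  = Get-GPPermission -Name $GpoName -TargetName $ComputerName `
                                  -TargetType Computer -ErrorAction Stop
        $level = [string]$perm.Permission
    } catch {
        $level = 'None'   # the cmdlet throws when the trustee has no entry at all
    }
    [pscustomobject]@{ Trustee = $ComputerName; Level = $level; HasApply = ($level -eq 'GpoApply') }
}

function Test-GpoReachesOu {
    # True when the GPO is linked and enabled on the OU itself or inherited from a
    # parent container (domain-level links appear under InheritedGpoLinks).
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$OuDistinguishedName
    )
    $inh   = Get-GPInheritance -Target $OuDistinguishedName
    $links = @($inh.GpoLinks) + @($inh.InheritedGpoLinks)
    [bool]($links | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled })
}

# --- hypothetical values standing in for the lab described in the post ---
$GpoName = 'Publish Remote Programs'
$TsWeb   = 'TSWEB01'
$TsWebOu = 'OU=Servers,DC=contoso,DC=com'
$Share   = '\\FS01\RemotePrograms'

Get-MisnamedRemoteProgramPackage -SharePath $Share | Format-Table -AutoSize

$perm = Test-GpoApplyPermission -GpoName $GpoName -ComputerName $TsWeb
if (-not $perm.HasApply) {
    # GpoApply grants exactly the Read + Apply pair the procedure asks for, nothing more.
    Set-GPPermission -Name $GpoName -TargetName $TsWeb -TargetType Computer `
                     -PermissionLevel GpoApply | Out-Null
}

if (-not (Test-GpoReachesOu -GpoName $GpoName -OuDistinguishedName $TsWebOu)) {
    Write-Warning "$GpoName is not linked where $TsWeb`$ lives; link it with: New-GPLink -Name '$GpoName' -Target '$TsWebOu'"
}
```

    The permission check covers the second and third bullets above (security filtering and a separate OU); the link check is only needed for the third. GpoApply is used for the computer account rather than a broader level because the Web server only needs to read the published packages, not edit the GPO.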

    Use a Single Terminal Server as the Data Source

    By default, TS Web Access populates its list of Remote Programs from Active Directory. However, you can configure the Terminal Services Remote Programs Web Part to populate its list of Remote Programs from a single terminal server instead. This is known as the Simple Publishing configuration. When a single server is specified as the data source, the Web Part is populated by all Remote Programs that are configured for Web access on that server's Allow List. When a single terminal server is used as the data source, the list of programs is not customized for the user.

    To specify a single terminal server as the data source

    1. Use Internet Explorer to connect to the default TS Web Access Web page. By default, the Web page is located at the following address (where server_name is the NetBIOS name or FQDN of your TS Web Access server): http://server_name/ts

    2. Log on to the site by using either an account that is a member of the local Administrators group or by using an account that is a member of the TS Web Access Administrators local group. (If you are already logged on to the computer as one of these accounts, you are not prompted for credentials.)

    Note: In Windows Server "Longhorn" Beta 2, the TS Web Access Administrators local group is added when you install TS Web Access. To open the Local Users and Groups snap-in, click Start, click Run, type lusrmgr.msc and then click OK.

    3. In the upper-left corner, under Personalization Scope, click Shared.
    4. In the Display Mode list, click Edit.
    5. At the top of the Web Part, click the drop-down arrow on the right side of the Terminal Services Remote Programs bar, and then click Edit.

    6. Under Terminal Services Remote Programs Properties, click Terminal Server.
    7. In the Terminal Server Name box, type the name of the terminal server that you want to use as the data source.
    8. If you want to configure access to the Remote Programs on the terminal server through TS Gateway, select the Use TS Gateway check box. Additionally, you must do the following:

    a. In the TS Gateway Name box, type the name of the TS Gateway server.
    Important: The server name must match what is specified in the SSL certificate for the TS Gateway server.
    b. Under Gateway Authentication Method, click either Smart Card or Password depending on your environment.
    9. Click OK to apply the changes and to close the Editor Zone dialog box.
    10. If the TS Web Access server and the terminal server that you specified as the data source in Step 7 are separate servers, you must add the computer account of the TS Web Access server to the Terminal Server Publishing Access group on the terminal server. To do this, follow these steps on the terminal server:

    a. Open the Local Users and Groups snap-in. To do this, click Start, click Run, type lusrmgr.msc and then click OK.
    b. In the left pane, click Groups.
    c. In the right pane, double-click Terminal Server Publishing Access.
    d. In the Terminal Server Publishing Access Properties dialog box, click Add.
    e. In the Select Users, Computers, or Groups dialog box, click Object Types.
    f. In the Object Types dialog box, select the Computers check box, and then click OK.
    g. In the Enter the object names to select box, specify the computer account of the TS Web Access server, and then click OK.
    h. Click OK to close the Terminal Server Publishing Access Properties dialog box.

    To access TS Web Access from the client

    By default, you can access the TS Web Access Web page at the following location (where server_name is the NetBIOS name or FQDN of the Web server where you installed TS Web Access):
    http://server_name/ts

    Important:

    If you specified Active Directory as the data source, and you want to test TS Web Access while logged on locally to the TS Web Access server or while connected to the server's desktop over a Remote Desktop connection, you must turn off protected mode for the local intranet zone.

    To turn off protected mode
    1. Start Internet Explorer.
    2. On the Tools menu, click Internet Options.
    3. On the Security tab, in the Select a zone to view or change security settings box, click Local intranet.
    4. Clear the Enable Protected Mode check box, and then click OK.
    5. Click the Refresh Current Page button (green button with arrows) to refresh the Internet Explorer page.

    Client Requirements and Configuration

    To connect to TS Web Access, the client computer must be running any one of the following operating systems:
    • Microsoft Windows Server "Longhorn" Beta 2
    • Microsoft Windows Server 2003 with SP1
    • Microsoft Windows Vista
    • Microsoft Windows XP with SP2

    Additionally, the client computer must be configured as follows:

    • The client computer must be running Remote Desktop Connection (RDC) client 6.0. If you are running an earlier version of the RDC client, you are prompted to upgrade the client when you visit the TS Web Access Web page.

    Note: RDC client 6.0 is not yet available on the Microsoft Windows Update site. For the Windows Server "Longhorn" Beta 2 release, you can download the RDC client 6.0 installer package from the Microsoft Connect Web site (http://go.microsoft.com/fwlink/?LinkId=49779).

    • The Terminal Services ActiveX Client control must be enabled. If you are prompted to run the Terminal Services ActiveX Client control when you access TS Web Access, click the message line, click Run ActiveX Control, and then click Run.

    Note: If you are running Windows Server "Longhorn" Beta 2 or Windows Vista click the bubble at the lower-right corner of the screen (if it appears) to enable the ActiveX control.

    • The TS Web Access server must be added to the Trusted sites zone or the Local intranet zone in Internet Explorer. To do this, use the following method:

    Note: If you are running Windows Server 2003, you may be automatically prompted to add the URL of the TS Web Access server to the Trusted sites zone when you visit the TS Web Access Web site. To add the site to the Trusted sites zone, click Add, make sure that the Require server verification (https:) for all sites in this zone box is cleared if the site does not require server verification, click Add, and then click Close. To manually add the site to the Trusted sites zone or to the Local intranet zone, use the method described in the following procedure.

    Add site to Local intranet or Trusted sites zone by using Internet Options
    1. Start Internet Explorer.
    2. On the Tools menu, click Internet Options.
    3. Click the Security tab.
    4. If the TS Web Access server is on your intranet, click Local intranet. Otherwise, click Trusted sites.
    5. Click Sites.
    6. Use one of the following procedures, depending on the zone that you selected:

    • If you are adding the site to the Local intranet zone, click Advanced. In the Add this website to the zone box, type the URL of the Web server (for example, type http://server_name), and then click Add. If the site does not require server verification, clear the Require server verification (https:) for all sites in this zone box. Click Close to apply the settings. (In Windows XP, click OK to apply the settings.)

    • If you are adding the site to the Trusted sites zone, in the Add this website to the zone box, type the URL of the Web server (for example, type http://server_name), and then click Add. If the site does not require server verification, clear the Require server verification (https:) for all sites in this zone box. Click Close to apply the settings. (In Windows XP, click OK to apply the settings.)
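    The Internet Options steps above end up as a per-user registry mapping. As an added example (not from the original post), the following PowerShell performs the same mapping in a scriptable way and lists what the current user already has mapped, which is the check you want when confirming that only the intended TS Web Access host was moved into the Local intranet or Trusted sites zone. The host name tsweb01.contoso.com is a constructed placeholder; the layout under ZoneMap\Domains is Internet Explorer's own.

```powershell
# Added example, not from the original post. Internet Explorer keeps per-user zone
# assignments as registry keys under ZoneMap\Domains: one key per host (or
# <domain>\<host> for an FQDN) holding a DWORD named after the URL scheme whose
# value is the zone id. These functions write and list those entries.
# Host name tsweb01.contoso.com is a constructed placeholder.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-IeZoneMapKey {
    # Single-label names sit directly under Domains; FQDNs are split into
    # Domains\<parent domain>\<host label>.
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -eq 1) { return Join-Path $ZoneMapDomains $labels[0] }
    $parent = ($labels | Select-Object -Skip 1) -join '.'
    Join-Path (Join-Path $ZoneMapDomains $parent) $labels[0]
}

function Add-IeZoneSite {
    # Zone ids: 1 = Local intranet, 2 = Trusted sites (3 = Internet, 4 = Restricted).
    # The value name is the scheme, so writing 'http' is the scripted equivalent of
    # clearing 'Require server verification (https:)' and adding http://server_name.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateSet('LocalIntranet', 'TrustedSites')][string]$Zone = 'LocalIntranet',
        [ValidateSet('http', 'https')][string]$Scheme = 'http'
    )
    $zoneId = @{ LocalIntranet = 1; TrustedSites = 2 }[$Zone]
    $key = Get-IeZoneMapKey -HostName $HostName
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $zoneId -Force | Out-Null
    $key
}

function Get-IeZoneSite {
    # Enumerate every host/scheme the current user has mapped, rebuilding the host
    # name from the key path, so unexpected zone assignments stand out in review.
    if (-not (Test-Path $ZoneMapDomains)) { return }
    Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
        $key   = $_
        $rel   = $key.Name.Substring($key.Name.IndexOf('Domains\') + 'Domains\'.Length)
        $parts = $rel.Split('\'); [array]::Reverse($parts)
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                Host   = ($parts -join '.')
                Scheme = $valueName
                ZoneId = $key.GetValue($valueName)
            }
        }
    }
}

# Map the TS Web Access server into the Local intranet zone for plain http, then review.
Add-IeZoneSite -HostName 'tsweb01.contoso.com' -Zone LocalIntranet -Scheme http | Out-Null
Get-IeZoneSite | Sort-Object Host | Format-Table -AutoSize
```

    Two caveats worth knowing when you audit this: if the "Security Zones: Use only machine settings" policy is enabled, Internet Explorer reads the same layout under HKLM rather than HKCU, and a policy-delivered Site to Zone Assignment List (stored under the Policies branch) takes precedence over whatever the user has added through Internet Options.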

    If you remember from my previous example, I published Remote Calculator.

    [Screenshot: Install ActiveX control]

    So here it is under my TS Web Access (after saying yes to ActiveX):

    [Screenshot: Remote Calculator in TS Web Access]

    Once you click on the icon, it will start your RDC connection to the published application, and it will open exactly the same as any other Remote Program (see previous blog).

    [Screenshot: Starting the remote program]

    [Screenshot: Starting the remote program (continued)]

    [Screenshot: Calculator running as a Remote Program]

    Easy as that!

    I will be covering TS gateway in my next blog, but if you have any questions at all regarding the above, shoot me an email!

  • Longhorn Server Terminal Services - Citrix Eat your heart out!!!

    Hi Everyone,
    Longhorn Server has been out for quite some time now, with the latest build being CTP August 06.
    One of the huge letdowns I found with Microsoft's server operating systems was the lack of what we in the Citrix world would call Published Applications.
    There has always been a great debate in the Terminal Services world as to which is better, Terminal Services or Citrix, and of course Citrix has the majority of the market due to its published applications ability... well, not anymore!
    Well, finally Microsoft have developed two new components for their Longhorn Server family: Remote Programs and Terminal Services Gateway.

    Additionally, a new version of TS Web Access is also included, with many improvements over the Windows Server 2003 and R2 TS Web Access.

    What are Remote Programs?
    Remote Programs are programs that are accessed remotely through Terminal Services and appear as if they are running on a user's local computer. Users can run Remote Programs side by side with their local programs. If a user starts more than one Remote Program on the same terminal server, the Remote Programs will share the same Terminal Services session.

    To use Remote Programs, please be aware that the client must be running either Longhorn Server Beta 2, Windows Server 2003 SP1 or higher, Windows Vista, or Windows XP SP2.
    If you plan to use it on Server 2003 or XP, you must install Remote Desktop Connection (RDC) 6.0.
    You can download the installer from http://go.microsoft.com/fwlink/?LinkId=49779

    One of the things I love about the new Terminal Services/Remote Programs is that administrators can deploy them via an RDP file or via an MSI, which is fantastic, especially the MSI, as it can be deployed through Group Policy!!!

    My lab environment consists of the following: one Longhorn Server Beta 2 domain controller (I find Beta 2 to be a bit more stable in VMs than the CTP August 06 release), one Longhorn terminal server, and of course one Vista RC2 client, all joined to a single domain.

    Now I bet you are thinking, 'well, it's all well and good talking about how good it is, but how do I set this up for myself to see?!' It's a breeze, and I am going to step you through it right now...

    Install Terminal Server Role Service

    To install the Terminal Server role service
    1. Start Server Manager. To start Server Manager, use any one of the following methods:
    • Click Start, then click Server Manager
    • Click Start, point to Administrative Tools, and then click Server Manager
    • Click Start, then Run, type servermanager.msc and then click OK
    The following screen then appears:
    [Screenshot: Server Manager]

    Under Roles Summary, click Add Roles.
    On the Before You Begin page, click Next.

    [Screenshot: Before You Begin]

    On the Select Server Roles page, select the Terminal Services role, then Next.
    [Screenshot: Select Server Roles]

    On the Uninstall & Reinstall Applications page, click Next.

    [Screenshot: Uninstall & Reinstall Applications]

    On the Specify Licensing Mode page, select the most appropriate option and hit Next.

    [Screenshot: Specify Licensing Mode]

    On the Confirm Installation Options page, choose Install.

    [Screenshot: Confirm Installation Options]

    When completed, hit Restart.

    [Screenshot: Installation complete]

    Once restarted, under Server Manager, in Roles, select Terminal Services and ensure it is all running OK.

    [Screenshot: Terminal Services role running OK]

    Next step: install programs. For the purpose of this example I have only installed the 2007 Office suite. It is strongly recommended that you do NOT install separate components on separate servers; for example, don't just install Word, install the whole Office suite.

    Next, ensure that under Remote Settings (System in the Control Panel) you have allowed remote connections for your users.
    Now, under Server Manager, under Terminal Services, you will see the Remote Programs tool.

    [Screenshot: Remote Programs tool]

    Configure Remote Programs

    Go to the Remote Programs tool, right-click and choose Add Remote Programs...

    On the welcome screen, click Next, then point to your previously installed application; in this case I am going to choose Microsoft PowerPoint. Then click Next.

    [Screenshot: Choose program]

    On the review settings page, click Finish.
    You will now see your app in the list (I have a few already there).

    [Screenshot: Remote Programs list]

    Creating an MSI or RDP file for your application

    Now, there is a new snap-in for MMC called Remote Programs, so go to Start, then Run, and type in remoteprograms.msc.

    From the right-hand Actions pane, select Create .msi or Create .rdp as applicable; in this case I will choose .msi.

    [Screenshot: Remote Programs snap-in]

    Now click Next on the wizard welcome screen.

    The next step is to tell it where to save the MSI. Note: if you plan to deploy through Group Policy, ensure the right permissions are set on the directory where you save the MSI.

    [Screenshot: Choose where to save the package]

    Click Next. On the next screen you need to tell it whether you want a desktop icon, a Start menu icon or both, plus the file extension associations, and hit Next.

    [Screenshot: Icon and extension options]

    Then hit Finish.

    Now you can deploy the MSI from that location via Group Policy, via a file share, etc. The extension it gives these files is .rap, meaning Remote Access Program, but the file works the same as any other MSI.
    [Screenshot: MSI created]

    Now, on your client, this is how it works...

    In this case I am just going to double-click the MSI and do a standard install (not via Group Policy, but it works exactly the same).

    [Screenshot: Installing the package]

    You will now see an icon on the desktop and, if you selected it, an icon under Start > Programs > Remote Programs.
    [Screenshot: Remote Program icon]

    Double-click to launch the application. It will ask you to provide your login credentials, but bar that, that's it!

    [Screenshot: Starting the remote program]

    And behold, there it is; it appears exactly as if it were running on the client's workstation!

    [Screenshot: PowerPoint running as a Remote Program]

    One thing I love about it is that it acts the same as a normal application, whereby you can minimise it, move it around the screen, etc. Citrix Published Applications could never do that; they only provided you with a single box in the middle of the screen and you couldn't move it around, so thumbs up Microsoft :)

    I will continue the remainder of this setup in regards to Terminal Services Web Access (TS Web) and TS Gateway in the upcoming blogs... stay tuned!

  • Running Vista or Longhorn Server on Vmware Workstation 5

    Hi Everyone,
    I have recently been asked about installing Longhorn Server and/or Windows Vista on VMware Workstation. There are a few tricks to getting it to work on VMware Workstation.

    First up, make sure you are running the latest version. I am running VMware 5.5.2 build 29772, which works well on Windows Vista RC2. The catch is during the virtual machine setup phase...

    First up, create your virtual machine using a typical setup...
    [Screenshot: Typical configuration]

    Then ensure you choose 'Windows XP Professional' as the OS.
    [Screenshot: OS version]

    Then set up the rest as per usual.

    Windows Vista and Longhorn Server have a slight compatibility issue with VMware, whereby until the VMware Tools are installed, it gets slightly confused with the display drivers and shows nothing but a blank screen. So, before running Windows Setup, edit the .vmx file for your virtual machine in Notepad, and add the following lines:

    Svga.maxWidth = "640"
    Svga.maxHeight = "480"

    and change the following line:
    usb.present = "TRUE"
    to
    usb.present = "FALSE"

    Your .vmx file should look like the below:

    [Screenshot: .vmx file]

    The reason you should set usb.present = "FALSE" is that the OS will hang when shutting down if you don't (a VMware-to-Vista/Longhorn driver issue).

    Once you have done this, fire up your machine, install your OS and away you go...

    Once you have installed VMware Tools on your virtual machine, shut down the VM, and take the Svga.maxWidth = "640" and Svga.maxHeight = "480" lines out of your .vmx file. Save and close, and happy VM'ing!!!
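    To avoid hand-editing the file in Notepad twice (once to add the lines before Windows Setup, once to remove the Svga lines after VMware Tools is in), here is an added PowerShell example, not from the original post, that applies and later undoes the same .vmx changes. It treats the file as the flat key = "value" list it is, rewrites an existing key in place rather than appending a duplicate, and takes a .bak copy before each write. The VM path C:\VMs\Longhorn\Longhorn.vmx is a constructed placeholder.

```powershell
# Added example, not from the original post. Applies and later undoes the .vmx tweaks
# described above without hand-editing. A .vmx file is a flat list of
#   key = "value"
# lines with case-insensitive keys, so an existing key is rewritten in place and a
# missing one appended; a .bak copy is taken before each write.
# The VM path is a constructed placeholder.

function Set-VmxSetting {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Settings
    )
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $seen = @{}
    $out  = New-Object System.Collections.Generic.List[string]
    foreach ($line in @(Get-Content -LiteralPath $Path)) {
        $matched = $null
        foreach ($key in $Settings.Keys) {
            # -match is case-insensitive by default, which matches how VMware reads keys
            if ($line -match ('^\s*' + [regex]::Escape($key) + '\s*=')) { $matched = $key; break }
        }
        if ($matched) {
            $out.Add(('{0} = "{1}"' -f $matched, $Settings[$matched]))
            $seen[$matched] = $true
        } else {
            $out.Add($line)
        }
    }
    # Keys that were not in the file yet go at the end
    foreach ($key in $Settings.Keys) {
        if (-not $seen.ContainsKey($key)) { $out.Add(('{0} = "{1}"' -f $key, $Settings[$key])) }
    }
    Set-Content -LiteralPath $Path -Value $out
}

function Remove-VmxSetting {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Keys
    )
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $escaped = $Keys | ForEach-Object { [regex]::Escape($_) }
    $pattern = '^\s*(' + ($escaped -join '|') + ')\s*='
    $kept = @(Get-Content -LiteralPath $Path) | Where-Object { $_ -notmatch $pattern }
    Set-Content -LiteralPath $Path -Value $kept
}

$Vmx = 'C:\VMs\Longhorn\Longhorn.vmx'   # constructed placeholder

# Before Windows Setup: cap the display and drop USB, as the post describes.
Set-VmxSetting -Path $Vmx -Settings @{
    'Svga.maxWidth'  = '640'
    'Svga.maxHeight' = '480'
    'usb.present'    = 'FALSE'
}

# After VMware Tools is installed and the VM is shut down: take the Svga lines back
# out. usb.present is left at FALSE, which is what the post does.
Remove-VmxSetting -Path $Vmx -Keys 'Svga.maxWidth', 'Svga.maxHeight'
```

    Run both functions only while the VM is powered off, since VMware Workstation rewrites the .vmx itself on power-off and would clobber edits made to a running machine's file.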

  • Vista RC2 Rocks!

    On 06/10/2006 Microsoft released Windows Vista Release Candidate 2 (RC2), build 5744, to a select number of Customer Preview Program (CPP) participants, as well as to members of its TechBeta, TechNet, TAP, and MSDN communities.
    Being the TechNet Plus member that I am, I downloaded it the second it was released! Following the release of Windows Vista RC1 on September 1, Microsoft continued to receive feedback that warranted a second release candidate. That said, Microsoft hopes this is the last interim build before Windows Vista is released to manufacturing. As for whether Microsoft will meet its shipping goals for Windows Vista, a press release stated, "Microsoft continues to target Windows Vista availability for volume license customers in November 2006 and general availability in January 2007, although the final delivery will be based on quality."

    I must say, from my experience Vista RC2 has been fantastic. I have noticed a huge number of differences from RC1; first up, more drivers! A lot of devices on my laptop did not get picked up at all in RC1, but with RC2 everything got picked up with the exception of my display adapter. It also seems a lot faster and more reliable.

    They have also added Smart Card support in the new build; I found previously there was no option to use a smart card, but now it appears they have upped their game... Also application compatibility: a lot more of my applications are smooth on Vista, especially VMware Workstation.

    It took ages to find solutions for the following four applications that Vista has trouble with:
    Symantec Antivirus, Cisco VPN Client, Nero and Lotus Notes.

    The solutions... First up, Symantec Antivirus: the following version is available via the Symantec website: Corporate Edition V10.0.1.628, and this works a treat in Vista RC2. In RC1 all the services used to fail, but this new version from Symantec is fine. Please note, though, that you will need to install the following MS update prior to installation: Windows6.0-KB920143-v1-x86.

    [Screenshot: Symantec Antivirus on Vista RC2]

    Cisco VPN Client: due to the enhanced security and User Account Control restrictions in Vista, it was impossible to get any version to install under Vista; it would fail at the point in setup stating 'Installing Network Enhancer', i.e. the network connection. It would hang for an extensive amount of time, then crash. Glad to say Cisco are ahead of their game and have released version 4.8.01.0410. This is 100% compatible with Vista: just install it, import your existing .pcf files and away you go...

    [Screenshot: Cisco VPN Client on Vista RC2]

    Nero: Nero has advised that they are not creating a 100% working version of Nero until Vista is released, but after trial and error I can advise that the following version works fine:
    Version 6.6.012, but keep in mind that SmartStart does not work, but who needs that anyway? We are IT Pros, right? As long as you use it via nero.exe it works fine. Vista will alert you that it is not compatible, but you can ignore those messages because I assure you it does!

    [Screenshot: Nero on Vista RC2]

    Last and least, Lotus Notes/Domino. If you are one of the unfortunate people who are currently stuck with a Lotus Notes infrastructure as opposed to an Exchange environment, not all hope is lost with Vista. The only version of Lotus Notes/Domino Administrator that works with Vista is Notes R7.0.1; any version of Notes 6 (which most Notes users run) is not compatible and will crash as soon as you try to open it.

    [Screenshot: Lotus Notes on Vista RC2]

    Can you upgrade from a previous version of Vista to Vista RC2?? YES YOU CAN: you can upgrade from Vista Beta 2 or RC1 without any issues at all, which was impossible under RC1.

    One thing I have found strange, though, is when my screen saver kicks in (the default Vista one) it comes up saying Windows XP Media Edition! OOPS Microsoft... I have informed them of this... quite embarrassing...

    There are also a huge mound of new gadgets available for the Vista Sidebar... some useful ones I have found are the Ping gadget and the Remote Desktop Connection gadget...

    get your gadgets here:

    http://gallery.microsoft.com/Results.aspxvista=landing&rdm=797722&l=1&ti=2

    To get Vista, go to the following: http://www.microsoft.com/windowsvista/

    All I can say is, Vista kicks ass!
    [Screenshot: Vista desktop]

    I highly recommend giving it a go. I'll be blogging more and more on Vista in the upcoming days...

  • Daniel's IT Blog - Grand Opening!

    Hi Everyone,
    Welcome to the first ever entry on Daniel's IT Blog! This blog site is a resource for all IT professionals out there wanting to get their hands dirty in the latest products from Microsoft. There will be posts on everything from ISA Server 2005 to Windows Vista, Longhorn and Exchange 2007, as well as any hints, tips and problems I find along the way with any products!

    One thing you don't have to worry about is, 'Is this guy full of crap?' The answer to that will be NOOOOOO!!!
    My qualifications are as follows... A+, CTT+, Linux+, IEUST, CCNA; I haven't bothered doing the exams but I will sit my MCSE next year. I have had that much experience with all MS products I figure, hey! there's no rush! And I have 7 years active duty in the field providing consulting and support (2/3/4) on everything from security to Active Directory and large-scale implementations & migrations, my specialty being Active Directory.
    I have worked with all sorts, ranging from small business/personal to government of 50,000 people and above...

    I will blog whenever I have the chance!

    Enjoy and come back often!:D
