Archive for the ‘SBS’ Category

SBS connect / connectcomputer wizard fails

Generally when a computer cannot join the domain using http://connect (SBS 2008 & 2011) or http://SBSname/connectcomputer (SBS 2003) it is due to inability to correctly resolve the name of the domain controller in a timely fashion. Below is a list of common reasons for the connect wizards to fail.

In an SBS domain, the server should be the DHCP server, and if so, items 3 and 4 below should be automatically set through DHCP.  However if addressing is statically assigned or you are using a router you may need to make changes. Items 3 and 4 are also basic networking requirements of a Windows Domain, not just important for joining the domain.

1. If there is more than 1 network adapter installed, wired or wireless, disable all but 1 until domain joined.  If at all possible, make it a wired connection, not wireless. 

2. Many new PC’s also show a Bluetooth connection under “Network Connections”, this should be disabled as well while running the wizard.  If you are using a Bluetooth mouse and/or keyboard these will have to be temporarily replaced.

3. Make sure, using IPconfig /all, that the client’s DNS points ONLY to your internal DNS servers, in this case the SBS.  Do not allow a router or ISP to be added even as an alternate.

4. IPconfig /all should also show next to “Primary DNS Suffix”” your internal domain suffix such as MyDomain.local.  If not you need to add the domain suffix to the client machine. To do so insert it in the “DNS suffix for this connection” box under the DNS tab of the NIC’s advanced TCP/IP IPv4 properties

5. If there are any 3rd party firewalls or security suites installed, disable them until joined to the domain.  The Windows firewall should not need to be disabled.

6. If still failing add the connect web site to the “trusted” sites list in Internet Explorer under Tools | Internet Options | Security |trusted Sites

7. If all else fails you can skip the wizard and use a 3rd party utility called ProfWiz.  

It is important to note that using the connect and connectcomputer wizards is very important.  With SBS 2003 it is especially critical to do so as it performs a long list of tasks other than just joining the domain.  It copies the local user’s profile, configures the user and computer environments, changes permissions, installs SBS related features, makes changes to networking, and much more.  Susan Bradley’s blog outlines this in detail: “So exactly “what” does connect computer do anyway?”  However SBS 2008 and SBS 2011 control most of this through Group Policy.  The key bonus feature with the SBS 2008/2011 wizard is its ability to import current users’ local profiles. Though I still strongly recommend using the wizard, it will only import a local workgroup profile.  If the wizard fails or you are wanting to import a previous domain profile, you may want to consider using Profwiz.  Profwiz by forensit.com a simple little tool that will join the PC to the domain and reset the permissions of an existing profile allowing it to be used as the new domain profile (i.e. import users settings like desktop items, favorites, Documents, and application configurations). For instructions on downloading and running see:  https://blog.lan-tech.ca/2011/05/19/sbs-and-profwiz/

SBS Missing Attributes tab in AD

It seems the Attributes tab is missing on the user profile in Active directory after a migration from SBS 2003 to SBS 2008 and SBS 2011.  Normally this is hidden, but easily reviled by selecting on the AD menu bar; View, and then Advanced Features, however this is not so after a migration.  The issue was addressed in a post by Stuart Hudman  http://social.technet.microsoft.com/forums/en-US/winserverManagement/thread/6e6ef6bd-b5c9-4f16-b346-097832e3b93c/  but I was recently asked to help locate the exact location for the required changes, so I have posted detailed instructions below.

As always, you should have a good backup, including system state, before editing AD.
Note: the values to add, such as “11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}” need to be exact , without quotes. All three entries are similar but copy carefully as they are not the same. There will probably be multiple entries already present under the attribute, you are just adding one more….assuming it is not already present, which you should check first.

-open ADSIedit.msc
-at the top of the ‘tree’ right click on ADSIedit and choose “connect to”
-under connection point select “select a well known Naming context” and in that window choose “Configuration”
-under computer leave as “Default (Domain or server that you logged into)” Assuming you are logged onto the SBS
-click OK
-expand (click on the +) CN=configuration, DC=<your domain>, DC=local
-expand CD=DisplaySpecifiers
-click on CN=your language. The language # can be found on http://support.microsoft.com/kb/324097 (for example US English is 409, so CN=409  (this is the language you chose when setting up the server)
-in the right hand window locate CN=User-Display right click on it and choose properties.
-Locate AdminPropertyPages, highlight it and click “edit” and add the line 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
-in the right hand window locate CN=Computer-Display right click on it and choose properties.
-Locate AdminPropertyPages, highlight it and click “edit” and add the line 12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
-in the right hand window locate CN= Default-Display right click on it and choose properties.
-Locate AdminPropertyPages, highlight it and click “edit” and add the line 4,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

SBS 2008 / 2011 adding an SSL certificate

[Note: some links point to SBS 2008 configurations, some to SBS 2011, the procedure is the same for both]

Just a quick comment to address the many internet posts suggesting that SBS requires a multi-name SSL certificate (UCC – Unified Communications Certificate).  This is not true.  SBS is designed to use a simple, inexpensive, single name certificate, and it is quite easy to install.  A basic GoDaddy or other vendor certificate is all that is required.  Sean Daniel outlines the process very nicely in his post entitled “Installing a GoDaddy Standard SSL Certificate on SBS 2008 “.  Keep in mind the FQDN for your site as recorded in your public DNS records, the certificate name, and public name used in the “Internet Address Wizard” (see step #7), all must be exactly the same.  As a mater of fact, although it is possible to use a UCC certificate, the wizard will not install it for you, you would have to do so manually.  There is no need for the additional cost or time involved with multi-name certificates.  (The link below will take you to the Godaddy site and should have a menu bar at the top offering you a very good first year discount)

Go Daddy $12.99 SSL Sale!

The primary argument for using a UCC cert is to make use of auto-discovery.   Though you do not need auto-discovery, if you wish to make use of it you still do not need a UCC certificate.  You can in fact configure auto-discovery using a single name certificate and creating an SRV DNS record by following the ThirdTier.net instructions; “Setting up Autodiscover for SBS 2011

Alternatively, you can avoid buying an SSL certificate at all.  After running the SBS “Internet Address Management Wizard”, a self-signed certificate is generated in the SBS Share: \\SBSname\Public\Downloads\Certificate Distribution Package  .  Machines that are joined to the domain after this will have the certificate automatically installed.  If you generate a new certificate (by re-running the wizard), or have non-domain joined computers or devices, you need to manually copy and install the certificate.  To distribute / install the certificate on the PC’s, please see “How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?”  This is often not as easy to do on other devices such as smart phones.  Therefore using a 3rd party certificate becomes much more attractive, as nothing has to be installed on the connecting device.

Should you have a dynamic public IP at the SBS site, I recommend reading “Using DDNS services with SBS 2008/2011” which outlines using a dynamic IP, a DDNS service, and configuring DNS and certificates.

SBS Migration

There are dozens of articles and white papers regarding migrating SBS version 20xx to version 20xx but many people seem to have difficulty locating these.  The following is a collection of some of the more popular options and methods.

Firstly there is no upgrade option, and if you have never done a migration I strongly recommend carefully reviewing documentation and try a migration in a test lab first as it is a lengthy procedure due to all the components included in an SBS environment.  You might want to considering hiring someone experienced with doing so, or perhaps buy a Migration “Kit” from swingmigration.com  SwingMigration.com specialize in migrations, and in particular SBS.  They provide detailed documentation for you specific migration scenario, some basic tools, 90 days support for the migration, and a method that allows you to revert back to your original configuration at any point.

If you want to go it on your own, or just read up on the topic, thee links may be of some help.

SBS 2003 to SBS 2003

Migrating Windows Small Business Server 2003 to New Hardware

SBS 2003 to SBS 2008

Migrating to Windows Small Business Server 2008 from Windows Small Business Server 2003

Philip Elder’s: SBS 2003 to SBS 2008 Migration Guide

Windows Small Business Server 2008 – Build information (Wiki)

SBS 2003 to SBS 2011

Migrate to Windows Small Business Server 2011 Standard from Windows Small Business Server 2003

Philip Elder’s: SBS 2003 to SBS 2011 Migration Guide

Glen Knight’s: Migrate Small Business Server 2003 to Small Business Server 2011 ( SBS 2011 migration guide )

SBS 2011 Standard Migrations – Keys to Success

Small Business Server 2011 Standard Build document (wiki)

SBS 2003 to SBS 2011 migration issues that you can call 1-800-Microsoft (or your local Microsoft support) and will get support and hotfixes included at no charge

SBS 2003 to SBS 2011 Essentials

Migrating Windows SBS 2003 to Windows SBS 2011 Essentials

Migrate All Mailboxes to the Cloud with a Cutover Exchange Migration

Robert Pearman’s: Migrating to SBS 2011 Essentials eBook

Windows Small Business Server 2011 Essentials Build document (Wiki)

SBS 2003 to Server 2008 R2 and Exchange

Glen Knight’s: Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2

Server 2003 standard with Exchange to SBS 2008

Glen Knight’s:Migrate Windows 2003 with Exchange to Small Business Server 2008

SBS 2008 to SBS 2011

Migrate to Windows Small Business Server 2011 Standard from Windows Small Business Server 2008

SBS 2011 to SBS 2011

Migrate Windows Small Business Server 2011 Standard to New Hardware

Migrating Windows SBS 2011 Essentials to New Hardware

How can I add CALs to my SBS 2003, or SBS 2008

SBS 2003 CAL’s and SBS 2008  are no longer available for purchase, however there are still many of these servers in use and some in growing companies in need of additional CAL’s.  The solution is to buy SBS 2011 CAL’s and exercise downgrade rights.  Microsoft does have very good documentation available for doing so, but based on questions in the forum it seems to be very difficult to find, partially because the links have changed several times.  This article is by no means authoritative, you should refer to the current Microsoft documentation, but it is pulled, word for word, from the most recent documents I was able to find;   SBS 2011_Licensing_FAQ

The following outlines the options for purchasing, the downgrade rights available, and how to install the SBS 2003 CAL’s.  SBS 2008 of course does not require the CAL’s to be installed, you just have to maintain documentation for your CAL licensing for any potential audits.

Q. How do I obtain CALs for earlier versions of Windows Small Business Server when they are no longer offered on price lists?
A. It depends on what editions you need CAL for:

  • If you need additional SBS 2008 or SBS 2003 Standard CALs; you will need to acquire Windows Small Business Server 2011 CAL Suites and exercise your downgrade rights.
  • If you need additional SBS 2008 Premium CALs, they will remain available on the Open price lists for a period of time. This is due to the fact that the SBS 2011 Premium Add-on does not include the same components that are in 2008 Premium and therefore the SBS 2011 Premium Add-on CAL Suites do not offer downgrade rights.

Customers who acquire SBS 2011 CALs or SBS 2011 Premium Add-on CALs are eligible for the following CAL downgrades:

image

Q. How will SBS 2003 CAL activation work in that scenario since SBS 2011 [Edit: and 2008] does not require CAL activation but SBS 2003 does?
A. If you have acquired SBS 2011 CALs through the Volume Licensing (VL) channel, you can obtain SBS 2003 CAL product keys through the Volume Licensing Service Center (VLSC); these keys can then be used to downgrade to SBS 2003 (R2) CAL’s. For customers who have acquired SBS 2008 and 2011 CALs from channels other than VL, such as FPP and OEM, please use the following product keys to activate SBS 2003 Standard CALs.

A product key can only be used once to activate the designated number of CALs for that given key. Therefore a combination of keys may need to be used to activate all of your 2003 CALs. We have provided 3 keys that will activate 5 CALs each and 3 keys that will activate 20 CALs each. This is so customers can activate anywhere from 5 to the maximum number of 75 CALs supported with SBS 2003. It is recommended that you use the 20 CAL Keys first and then use the 5 CAL keys to avoid a situation where adding the 20 CAL key(s) last may put you over the 75 CAL limit when you have existing CALs.

image

Connect to Windows VPN at Logon

The internet is littered with questions about VPN connection and authentication issues as a result of using cached credentials.

  • How can I automatically connect my Windows VPN at start up?
  • Why do I have to re-enter my user credentials when connecting my corporate VPN?
  • How do I get Group Policy to apply to VPN connected users?
  • How do I use my work domain user account when I work from home using a VPN?
  • Why won’t my logon script run when connecting by VPN?

You can connect from any PC using a VPN, but in most cases you do so after having logged onto the PC first. If this is a “domain joined” corporate PC, when you logon without the domain controller present, you are not authenticating to the domain but rather using the credentials cached on the local computer from a previous logon.  As a result Group Policy cannot be updated, logon scripts are not applied, and most often you have to re-enter your user credentials when you do choose to connect to the office via VPN.

It is possible to connect to the VPN at logon resulting in an experience similar to that of the office, except of course for the reduced file transfer speed,  However, there are few conditions that must be met to do so:

  1. This applies only to the Windows VPN client. Newer Cisco VPN clients and a few others do offer methods to connect the VPN before logon, but they use different processes.
  2. The computer must be a member of the domain, and therefore Pro, Ultimate, or Enterprise versions of the operating system.  At logon you will be providing domain credentials which are automatically passed to the local logon, thus they must be the same.  Using the same username and password is not enough as logon credentials include domain or computer names.  Domain\JDoe is not the same as LocalPCname\JDoe.  If the computer is not already a member of the domain, it is possible to join a remote domain using the VPN connection.  To do so please see:  https://blog.lan-tech.ca/2012/07/25/how-to-join-a-windows-domain-using-a-vpn/
  3. Should the PC not be domain joined and you wish to automate the VPN connection, after logon, please see: https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/
  4. When you create the VPN connection you must check the box “allow other people to use this connection”.

image

Having met these conditions, at logon there is now an option to connect using the VPN during logon.

Windows Vista and Windows 7:

At logon select “Switch User” and a new blue icon will appear in the lower right next to the familiar red Shut Down icon.

image

Clicking the icon will allow you to use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows XP:

At logon after pressing ctrl+alt+del, if you click the “Options” button there will new be a check box “Logon using Dial-up connection” which will use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows 8:

Please see the more recent post to enable on a Win 8 PC

Slow Links:

Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection.  The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed

Server 2003 / SBS 2003 / SBS 2003 R2:

  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

Client Deployment:

Network administrators may also want to considered creating a deployable VPN client for consistency, security, and with a company logo.  An earlier post outlines how to do so in detail:

https://blog.lan-tech.ca/2012/01/30/windows-vpn-client-deployment/

Rogue DHCP Servers

On occasion you may be consulted about network issues which suggested a rogue or unknown DHCP server present on the network.  This can show up is several ways including the discovery of a PC with incorrect IP addressing, most often the wrong DNS server, or in an SBS environment the SBS DHCP service has shut down due to the presence of another DHCP server.  The dilemma is how to locate it.  There are a few tools that can be helpful with the process.

You may also have a case of an unknown device in the DHCP management console under address leases.  Some of these tools can be useful in isolating those as well.

Determine the DHCP server’s IP:

The first step is to locate the DHCP server’s IP.  You may be fortunate and have discovered the incorrect addressing on a PC.  In this case the DHCP server will be listed in the IPconfig /all results.  Alternatively you can use two different tools.

The first is Microsoft’s DHCPloc.exe (DHCP locator).  It can be downloaded as an individual executable from http://www.petri.co.il/download_free_reskit_tools.htm or as part of the Server Support Tools on the server’s installation CD.

Warning:  DHCPloc should not be run on the DHCP server itself.  Doing so can cause the DHCP server to stop responding to DHCP requests.

At a command line, from the directory where you have saved DHCPloc enter
  DHCPloc.exe <the workstation’s IP>
You may have to hit enter twice. You will be prompted to enter d, q, or h. Enter d for discover, and again you may have to hit enter twice.  It should return the IP of the DHCP server, or servers, and an offered DHCP address.
DHCPloc syntax:
http://technet.microsoft.com/en-us/library/cc778483.aspx

You may want to temporarily disable the network’s default DHCP service while running these tests.

image

The second method is to use Wireshark, from http://www.wireshark.org, a network packet analyzer and a much a more powerful tool.  Install Wireshark on a workstation, start a scan, and run an ipconfig /release and /renew to force a DHCP request.  Once complete you can filter the log by protocol and locate the DHCP related packets.  Do this quickly as Wireshark collects a substantial amount of data very quickly.  There are tutorials available to become familiar with Wireshark.

image

 

Find the MAC Address:

With any luck you now have the IP of the DHCP server.  Next is to find the device’s MAC address.  By now it should have been recorded in the arp table, but if not try pinging the IP.  Then from a command line run  arp –a  or arp –a |find “IP address”  to recover the MAC address of the device.

image

 

Determine the Manufacturer:

The fist 6 characters of the MAC address are assigned to the manufacturer, therefore we may be able to determine the make of the device in question.  In the example above we would use 00-15-5d  in conjunction with a site such as  http://standards.ieee.org/develop/regauth/oui/public.html and determine the registered manufacturer/vendor was Microsoft Corporation.  This may or may not be helpful since in this case it simply indicates it is a Virtual machine.  Often it will provide results such as Cisco-Linksys, D-Link Corp., Apple Inc. which may give you a better indication as to the type of device, perhaps a Linksys router installed by an employee to add wireless to his or her office.

image

 

Locate the device:

Physical location is much harder to establish, especially if it has been intentionally hidden.  It is always best practice to keep a floor plan with all network drops and to disconnect any unused network drops at the patch panel, but it doesn’t do much to protect you.  If you have managed switches you can locate the port to which the IP or MAC address is connected and start tracing from there.  However, if you do not have managed switches you are best to run a continuous ping  (ping  –t 192.168.19.21) and start unplugging cables at the patch panel until you have dropped packets .  A little crude, but effective.

I will publish an article in the near future to more proactively address this issue using DHCP filtering.

SBS 2008/2011 Renew 3rd party Certificate

It seems many Small Business Server 2008 existing third party SSL certificates are expiring and some people are confused about how to renew.  Instructions on the internet often involve lengthy solutions involving the IIS management console.  The forums show that these methods frequently result in failure to import the certificate or it is not properly bound to the default SBS Web Sites.

SBS makes this process very easy. Once again, use the wizards, use the wizards, use the wizards…

Note: This article addresses SBS 2008 and SBS 2011 Standard. If running SBS 2011 Essentials I recomend reviewing Robert Pearman’s Blog article; Renew your SSL Certificate : SBS 2011 Essentials 

I should confirm this article addresses 3rd party SSL certificates, if you are using an SBS self-signed certificate, you simply need to run the “Fix My Network Wizard” to renew.

Open the Windows SBS console and browse to Network | Connectivity | highlight “Certificate” | in the right hand  menu select “”Add a trusted certificate”

image

Choose “I want to renew my current trusted certificate with the same provider”

image

Allow the encrypted certificate request to be generated and click copy.  You could go from here directly the the vendor from whom you are going to purchase and renew the certificate, but there are often delays with process so I recommend pasting to Notepad to retain the text file for a few minutes.  Alternatively you can click the “save to file” button and accomplish the same thing.

image

If you think the provider will supply the certificate immediately you can leave this window open and wait, but most often you are best to put the process in “suspend mode” by selecting “My certificate provider needs more time to process the request”

image

….and complete the wizard.

image

Next, log onto your certificate provider’s webs site, purchase the certificate renewal, create the certificate by copying and pasting the saved contents of Notepad (the encrypted CSR text) when prompted, wait for your certificate approval (usually sent by e-mail), download the certificate, and save to a location of your choice on the server.

Now you can import the certificate.  Once again open the Windows SBS console and browse to Network | Connectivity | highlight “Certificate” | in the right hand menu select “”Add a trusted certificate”.  This time choose “I have a certificate from my certificate provider”.

image

Browse to the location where you saved the certificate.

image

….and complete the wizard.

image

You can confirm your certificate has been imported / updated by choosing “View certificate properties” from the same Windows SBS console window, and reviewing the expiry date.

image

Drive Mapping Basics

We have all been mapping drives using various methods so long as we have had networked computers.  A recent discussion with a colleague revealed that many IT pros still use the same methods they used with NT4, during the last century. Though these methods still work as well today as they did 10 to15 years ago, if enlightened these folk might find some of the newer options using group policy and preferences easier to manage and apply, in a windows domain environment.  I am sure this article is a very basic review for most, so I have titled each so that you can quickly locate methods that may be of interest, or skip to using group policy near the end like any good “cliff hanger”.

1)  Manually:

The option still exists with Windows 7 to open windows Explorer, click on the menu bar, select “Map a network drive”, select the drive letter and path, and choose whether to reconnect at next logon.  This is hardly a reasonable way to deploy mapped drives to multiple users as it would require going desk to desk.  The other primary downside to this option is end users can override, delete, and add their own mappings which may conflict with mappings you are trying to push out from the server.  The latter to be addressed with the deployment methods #3 and on.

image

2)  From a command line:

Though probably even less practical, the option also exists to duplicate the above from a command line by simply using:

Net Use X: \\ServerName\ShareName /persistent:yes

3)  A batch file

The next step up would be to apply the Net Use commands using a batch file (also called script) which the user can apply by clicking on a desktop shortcut or by adding it to the start menu “StartUp” folder.  Though this method of applying the batch file is not at all practical, using a batch file is a reasonable option. Alternate methods to apply a batch file are discussed later, but I will take this opportunity to discuss the script itself and the syntax.  The script could be written using VBS or other languages, but for simplicity I will stick to DOS commands.  The script is written in a text editor like “notepad” and saved with a .bat (or .cmd) extension.  When saving, to be sure the .txt extension is not automatically added, place quotes around the file name such as “MyScript.bat” .

The basic line to apply the drive mapping is still the same:

Net Use  X:  \\ServerName\ShareName

However, as mentioned in #1 users have a tendency to occasionally create their own mappings, or you may want to make changes from time to time, so I like to start with a clean slate, delete all existing mappings, and make sure they will not automatically be recreated due to the “/persistent:yes” option.  To do so start the script as below, followed by the drive mappings. (Note: DOS commands are not case sensitive)

Net Use /persistent:no
Net Use * /delete
Net Use X: \\ServerName\ShareName1
Net Use Y: \\ServerName\ShareName2
Net Use Z: \\ServerName\ShareName3

It is also possible to add GoTo statements and Labels to filter a script.  For example you may want one script for multiple users on multiple devices, but the required mappings may vary for different users, on different servers or PC’s, or when users are members of different groups.  This is not a scripting lesson but to provide an example, in the following batch file the mappings will not be applied if run on a server named Server1, and User1 and User2 will have different drive mappings than other users.

If "%ComputerName%" == "Server1" GoTo END
Net Use /persistent:no
Net Use * /delete
If "%UserName%" == "User1" GoTo MAP1
If "%UserName%" == "User2" GoTo MAP2
Rem  apply default mappings to all others
Net Use X: \\ServerName\ShareName1
Net Use Y: \\ServerName\ShareName2
Net Use Z: \\ServerName\ShareName3
GoTo END
:MAP1
Net Use X: \\ServerName\ShareName1
GoTo END
:MAP2
Net Use Y: \\ServerName\ShareName2

The following sites will provide additional information regarding DOS commands and syntax, or using IfMember (for group membership filtering)  instead of If %UserName%

4)   Batch file, applied through the user’s profile

Continuing with using the batch file method; it would be more practical to apply it from the server, when the user logs on to their workstation than by installing on each machine.  The crudest method of doing so which has been around for more than 10 years, is to apply the script though the user’s profile in Active Directory Users and Computers on the server.  The default location to place the script is  C:\Windows\sysvol\sysvol\<your domain>\scripts.  This path is also a default share, \\ServerName\Netlogon  for which all domain users have read permissions.  The location can be change but if so permissions have to be considered and the path provided.  Why “re-invent the wheel”, use the default file path.  On server 2008 / 2008 R2 you must be an administrator and have “elevated privileges” to write to this file location. When opening the text editor (Notepad) right click on the application or shortcut and choose “run as administrator”.   Failing do to so will not allow the file to be saved.image

Once the batch file has been placed in the appropriate location, open the user’s profile in Active Directory, and in the box labeled “Logon Script” under the “Profile” tab, insert the name of the script.  It will be applied the next time this user logs on to a domain joined machine.  The only real disadvantage of this method is the name of the batch file has to be manually added to each user’s profile.

image

5) Batch file, applied using Group Policy

Now the 21st century methods:  Group policy is the ideal way of managing users and controlling their environment.  The possibilities are endless, but the focus is on mapping drives.  Again place the script in the default location mentioned above; C:\Windows\sysvol\sysvol\<your domain>\scripts heeding the notes about requiring elevated privileges.  Instead of applying through the user’s profile, which only affects one user, we can now apply to all members of an OU (Organizational Unit) through Group Policy.  This example will use an OU named Sales.  I will assume the users belonging to the Sales OU have already been added in active Directory.  The policy can be applied to an OU at any level, including the domain level if preferred, though it is a “User Policy” so I recommend applying to a User OU.

Open the Group Policy Administration Console under Administrative Tools, and locate the OU to which you wish to apply the Logon script. Right click on the OU and choose “Create a GPO in this domain, and link it here”. The following image shows the OU structure used on a Small Business Server.

image

Name the policy

image

Right click on the new policy and choose edit

image

Expand the tree to locate <your domain name> | User Configuration | Policies | Windows Settings | Scripts (Logon/Logoff) | in the right hand window right click on Logon and choose properties| click add, then enter the path or browse to your logon script.  Save by choosing OK, OK.

image

Group policy can take up to about 90 minutes to apply to workstations.  If you wish to force it to update form a command line run:  gpupdate /force  then log off and back on.  The drive mappings should be applied.

6) Using Group Policy Preferences

The latest method for applying drive mappings also uses Group Policy but does not require a script at all.  Server 2008 introduced Group Policy Preferences.  This method applies the mappings to a specified OU similar to the example above with the Sales OU, but uses a different feature or object within the Group Policy management console.  Again right click on the OU to which you wish to apply the mappings and choose “Create a GPO in this domain, and link it here”, name the policy, and select edit as in #5 above.  This time expand the tree to locate <your domain name> | User Configuration | Preferences | Windows Settings | Drive Maps.  Right click in the right hand window  and choose New | Mapped Drive

image

In the resulting window first choose Create or Replace.  Create seems to be the more common choice.  Replace does function more like the earlier script in that it deletes existing mappings and options, and completely re-creates the new drive mapping.  Next enter the share UNC path and select the drive letter. I prefer not to select reconnect, which is similar to opting for  /persistent:no  as explained in the earlier scripting section.  Then save the drive mapping by simply clicking OK.  For more information on Drive Map options see: http://technet.microsoft.com/en-us/library/cc770902.aspx

image

Once complete the new drive mappings will be displayed in Group Policy similar to the following image:

image

Remember as in #5 if you wish the Policy Changes to be applied immediately, you must run gpupdate /force on the workstations to be affected.

Group Policy Preferences is obviously the simplest method for creating and reviewing mapped drive configurations so chances are you only read the past 2 paragraphs, but hopefully it has be of some help to those looking at other methods or wanting a brief history lesson.

In the event you have problems applying Group Policies make sure you have waited 90+ minutes or run gpupdate /force, then if necessary you can run GPResult on the workstation, or on the server in Active Directory run the Group Policy Modeling Wizard .

Windows VPN Client Deployment

      subtitled: What happened to the SBS Connection Manager?

VPN name resolution is a common problem for many IT folk.  I have addressed in in previous blogs by manually configuring the VPN client to point to the corporate server for DNS, and adding the corporate domain suffix.  This is not practical as it has to be done on every computer on which the VPN client was configured.

Small Business Server 2003 had a very nice little wizard that would create a deployable VPN client called “Connection Manager” which contained server connection information and allowed for proper name resolution over the VPN.  Though the missing feature from subsequent SBS versions inspired this article, it can be used to create a deployable VPN client for any Windows Server.  The SBS wizard basically ran a mini version of a standard Windows tool called CMAK.

Firstly you need to install CMAK, the Connection Manager Administration Kit.  To do so, on a 2008 or newer server, open Server Manager under Administrative Tools, choose Features, and Add Features.  In the features wizard choose Connection Manager Administration Kit, and complete the wizard.

image

Though there are many configurable options and features that can be added with CMAK, for the purposes of this article only the basics will be configured to allow for VPN name resolution, automatic installation, and to try to replicate the old SBS 2003 Connection Manager experience.  One of the additional advantages of the Connection Manager Client is it limits the options with which the client can “tinker”, thus reducing support calls and increasing security.

In this example CMAK is being run on a 64bit machine. The deployable VPN client created can only be used on other 64bit machines. If you need to deploy on a 32bit machine you will need to install and run CMAK on a 32bit computer/server.  CMAK may not available from the built-in windows options on older operating systems.  If so, it can be downloaded as part of the Windows Server 2003 Administration Tools Pack (32bit) http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16770

Start The Connection Manager Administration Wizard from Administrative Tools, accept the UAC warning, click next, and select the O/S on which the client will be deployed, remembering the above warning about 32/64 bit.

image

Select New Profile,

image

Enter a ‘Friendly’ name for the connection and a file name (<9 characters) for the deployment package.

image

Rather than cluttering this post with unnecessary images, accept the defaults on the next two pages, “do not add a realm name to the user name” and leave the merge profiles boxes empty. In the next window, as per the image below, check Phone book from this profile, always use the same VPN server, and insert the public FQDN or IP of the VPN server.

image

Next highlight your new connection and choose edit.  Under General select Only IPv4 addresses.  If you like, for added security you can disable file and printer sharing, which blocks access to shares on the connecting client’s computer while connected to the VPN.

image

Under IPv4 add the internal IP for your corporate DNS server.  If you have multiple corporate DNS servers you can add a second, and if you have WINS servers you can add those as well.  Do not add public DNS servers here.  I recommend checking “Make this connection the client’s default gateway” (disabling split-tunneling) which blocks access to to the client’s local LAN while connected to the VPN.  By doing so Internet access is actually made via the VPN, rather than through the local router.  One reason you may need to un-check this is it also blocks access to a local networked printer, i.e. one that is not physically attached to the connecting computer.  Leave “Use IP Header compression” checked.  Note that in a user created VPN client using the tools built into a Windows PC, the “default gateway” option can be changed.  When created with CMAK it cannot be changed.  This is intentional for security reasons.  Split-tunneling, allowing the client simultaneous local and remote network access, is considered a security risk.

image

Under security you can leave the defaults or change to “Only use Point to Point Tunneling Protocol (PPTP)”.  If you are connecting to an old server it may also be necessary to also check CHAP authentication, but this is less secure than MS-CHAP v2, so only do so if absolutely necessary.  All 2008 and newer servers use MS-CHAP v2 by default.

image

Under advanced add the internal corporate domain suffix.  Check “Register this connection’s DNS address in DNS” if for some reason LAN clients need to resolve the name of the remote computer.  I recommend not doing so if not needed as it adds unnecessary entries to DNS that may not be cleaned up if DNS scavenging is not properly configured.  Select OK, Next, and move on to the next window.

image

We are not using “phone books” so uncheck “Automatically download phone book updates”

image

From here accept all defaults in the next 4 windows; Configure Dial-up Networking, Specify Routing Tables, Configure Proxy Settings, and Add Custom Actions.

Note: it is assumed the server VPN configuration is basic, assigning IP’s in the same subnet for VPN clients as LAN clients, which is typical of SBS.  However, if the VPN clients are assigned addresses outside of the LAN subnet, and you want to access resources on the corporate LAN other than the VPN server, you will need to add a routing table file, on the “Specify Routing Tables” page, to have the route pushed out to VPN clients.

Though not necessary at all you may want to add a custom graphic or logo to the connection client. This is done on the “Display Custom Logon Bitmap” page followed by the ability to add a custom graphic in the phone book (list of connections), and on the 3rd related page you can choose to use  custom Icon for the deployed VPN connection.

Leave the “Include Custom Help File” as default, and under “Display Custom Support Information”.  You may want to add contact information. This is displayed on the VPN connection client where they enter their user name and password, when trying to establish a connection.

image

Accept the defaults in the remaining windows; “Display a Custom License agreement” and “Install Additional Files…”.  In the final Window “Build the Connection Manager Profile and its Installation Program” leave Advanced uncheck, and assuming you do not wish to make any changes, click Next, and Finished.  The deployable package will be saved in a folder named profiles in the CMAK folder, the default location being: C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\   You only need to copy the .exe file to the client computer, in this case AcmePkg.exe

image

To configure the client, simply double click on the .exe file.  You will be prompted if you want the client to be available to all users or just the current user.

image

Click OK, and wizard will complete, add a connection icon to the desktop, add the connection to task bar network icon………

image

…….and launch the VPN client.

If you wish to connect enter the user name of a member of your VPN User group, their password, and internal domain name.  The domain name does not have to be present just to connect to the VPN, but in most cases if the PC is not domain joined, it needs to be there to access files using server names, rather than IP’s.

image

You should now have access to resources on the remote server, assuming the VPN at the server end is properly configured, and you have the appropriate Share and NTFS/Security permissions on the server to do so.

If needed, I have bloged in the past about configuring the VPN server.

Configuring a Windows SBS 2003 as a RRAS/VPN Server

SBS 2011 Essentials – Configuring VPN access

Configuring a Windows 2003 RRAS/VPN Server with 1 network adapter

Tag Cloud