Rights Management Service (RMS) – IRM implementation for Exchange 2010 SP2 ActiveSync

This article is written as part 2 for http://exkb.wordpress.com/2012/08/16/rights-management-service-rms-irm-implementation-for-exchange-2010-sp2-owa/

A prerequisite is to have the certification pipeline for mobile devices enabled on the RMS server if you have Exchange 2010 RTM installed.

  • First thing is to set up the correct ActiveSync policy (the policy must require device encryption, must not allow non-provisionable devices, and must require a device password):
new-ActiveSyncMailboxPolicy -Name 'RMS project' -AllowNonProvisionableDevices $false -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $false `
-MaxInactivityTimeDeviceLock '00:30:00' -MinDevicePasswordLength '4' -PasswordRecoveryEnabled $false -RequireDeviceEncryption $true -AttachmentsEnabled $true `
-AllowSimpleDevicePassword $true -DevicePasswordExpiration '500.00:00:00' -DevicePasswordHistory '12' -DevicePolicyRefreshInterval '17.12:00:00' `
-MaxDevicePasswordFailedAttempts '6' -IrmEnabled $true
 
Screenshot: Setting AS policy for RMS

  • Second thing is to apply the new ActiveSync policy to the mailbox you want to have IRM enabled on:
Get-CASMailbox <identity> | Set-CASMailbox -ActiveSyncMailboxPolicy "RMS Project"

UPDATE: IRM works even if -AllowNonProvisionableDevices is set to $true.


Rights Management Service (RMS) – IRM implementation for Exchange 2010 SP2 OWA

RMS implementation is well described in several blogs. I have been asked to implement RMS on a per-user basis. This means overriding the global / CAS / virtual-directory based IRM settings and controlling IRM through the OWAMailboxPolicy parameter (Get-CASMailbox | Set-CASMailbox).

  • IRM has been enabled globally:

Set-IRMConfiguration –InternalLicensingEnabled $true

Screenshot: RMS-global

  • IRM has been enabled on CAS servers

Set-IRMConfiguration –ClientAccessServerEnabled $true

  • IRM has been enabled on the particular virtual directory (needs iisreset /noforce)

Get-OwaVirtualDirectory -identity *10*owa* | Set-OwaVirtualDirectory -IRMEnabled $true

At this point the only thing that matters is the OWA mailbox policy, which allows or prevents the use of IRM in OWA.

  • Created two OWA mailbox policies:

New-OWAMailboxPolicy -Name IRM_Disabled

Set-OwaMailboxPolicy IRM_Disabled -IRMEnabled $false

New-OWAMailboxPolicy -Name IRM_Enabled

There is no need to set IRMEnabled to $true since this is the default.

  • Assign policies to mailboxes:

Set-CasMailbox <alias> -OWAMailboxPolicy IRM_Disabled

Screenshot: RMS-disabled

Or

Set-CasMailbox <alias> -OWAMailboxPolicy IRM_Enabled

Screenshot: RMS-Enabled

Note: Even though IRM appears to be enabled in both cases, with IRM disabled only the default RMS templates are visible, and even if you select one of these templates it takes no action and the mail is sent unrestricted.

  • The user also has to log off from OWA for IRM setup changes to apply.
  • Changing the global IRM configuration requires an IISreset.

BGP – Confederations

Goal:

  • Configure BGP confederations on a topology with pre-configured OSPF and RIP routing inside the sub-ASes of the confederation AS.

Required time: 120 minutes

Theoretical background:

Theoretical introduction into BGP:

Configuration and command reference for BGP,OSPF and EIGRP:

Topology:

Topology diagram: BGP-Confederations

Configuration:

1) Check pre-configured settings

Before starting the BGP configuration, make sure that the router configuration and network operation are correct. The topology is pre-configured so that every sub-AS has its own interior routing protocol (OSPF or RIP), with passive interfaces between sub-ASes to prevent IGP adjacencies across them. Use the ping command to test connectivity. You should be able to ping all networks inside a particular BGP sub-AS.

<RA>
{WAIT 20}
{ENTER}
enable
conf t
hostname RA
interface #RA:RA-RB#
ip address 10.1.0.1 255.255.255.252
no shutdown
exit
interface #RA:RC-RA#
ip address 10.2.0.2 255.255.255.252
no shutdown
exit
router rip
version 2
no auto-summary
network 10.1.0.0
network 10.2.0.0
</RA>
<RB>
{WAIT 20}
{ENTER}
enable
conf t
hostname RB
interface #RB:RA-RB#
ip address 10.1.0.2 255.255.255.252
no shutdown
exit
interface #RB:RB-RD#
ip address 11.0.0.1 255.255.255.252
no shutdown
exit
router rip
version 2
no auto-summary
network 10.1.0.0
passive-interface #RB:RB-RD#
exit
</RB>

<RC>
{WAIT 20}
{ENTER}
enable
conf t
hostname RC
interface #RC:RC-RA#
ip address 10.2.0.1 255.255.255.252
no shutdown
exit
interface #RC:RG-RC#
ip address 10.3.0.2 255.255.255.252
no shutdown
exit
interface loop0
ip address 172.16.1.1 255.255.255.0
no shutdown
exit
router rip
version 2
no auto-summary
network 10.2.0.0
network 172.16.1.0
passive-interface #RC:RG-RC#
exit
</RC>

<RD>
{WAIT 20}
{ENTER}
enable
conf t
hostname RD
interface #RD:RB-RD#
ip address 11.0.0.2 255.255.255.252
no shutdown
exit
interface #RD:RD-RE#
ip address 100.23.0.1 255.255.255.252
no shutdown
exit
interface loop0
ip address 111.0.1.1 255.255.255.0
no shutdown
exit
interface loop1
ip address 111.0.2.1 255.255.255.0
no shutdown
exit
router ospf 1
network 111.0.2.0 0.0.0.255 area 0
network 111.0.1.0 0.0.0.255 area 0
passive-interface #RD:RB-RD#
passive-interface #RD:RD-RE#
exit
</RD>
<RE>
{WAIT 20}
{ENTER}
enable
conf t
hostname RE
interface #RE:RE-RF#
ip address 12.0.0.1 255.255.255.252
no shutdown
exit
interface #RE:RD-RE#
ip address 100.23.0.2 255.255.255.252
no shutdown
exit
interface loop0
ip address 192.168.101.1 255.255.255.0
no shutdown
exit
router ospf 1
network 192.168.101.0 0.0.0.255 area 0
passive-interface #RE:RE-RF#
passive-interface #RE:RD-RE#
exit
</RE>
 
<RF>
{WAIT 20}
{ENTER}
enable
conf t
hostname RF
interface #RF:RF-RG#
ip address 10.4.0.1 255.255.255.252
no shutdown
exit
interface #RF:RE-RF#
ip address 12.0.0.2 255.255.255.252
no shutdown
exit
router ospf 1
network 10.4.0.0 0.0.0.3 area 0
passive-interface #RF:RE-RF#
exit
</RF>

<RG>
{WAIT 20}
{ENTER}
enable
conf t
hostname RG
interface #RG:RF-RG#
ip address 10.4.0.2 255.255.255.252
no shutdown
exit
interface #RG:RG-RC#
ip address 10.3.0.1 255.255.255.252
no shutdown
exit
interface loop0
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
network 10.3.0.0 0.0.0.3 area 0
passive-interface #RG:RG-RC#
exit
</RG>

2) Perform step 1 of the function test

3) Configure BGP

Router RA:

Pay attention! BGP sessions must be fully meshed inside a sub-AS, as shown in the sub-AS 65101 configuration.

RA(config)#router bgp 65101 ; set confederation sub-AS number and start BGP process
RA(config-router)#no synchronization ; disable synchronization between BGP and IGP
RA(config-router)#bgp router-id 2.0.0.3 ; set unique BGP router ID
RA(config-router)#bgp log-neighbor-changes ; log neighbor changes

RA(config-router)#redistribute connected; redistribute interior networks via BGP to other ASes

RA(config-router)#bgp confederation identifier 100; set sub-AS 65101 as part of confederation 100

RA(config-router)#bgp confederation peers 65102; set another sub AS 65102 to be a peer in confederation 100

RA(config-router)#neighbor 10.1.0.2 remote-as 65101; set BGP neighbor to be part of the same sub AS to fulfill full mesh requirement

RA(config-router)#neighbor 10.2.0.1 remote-as 65101; set BGP neighbor to be part of the same sub AS to fulfill full mesh requirement

RA(config-router)#no auto-summary; do not summarize networks

Router RB:

RB(config)#router bgp 65101
RB(config-router)#no synchronization
RB(config-router)#bgp router-id 2.0.0.1
RB(config-router)#bgp log-neighbor-changes

RB(config-router)#redistribute connected

RB(config-router)#bgp confederation identifier 100

RB(config-router)#bgp confederation peers 65102

RB(config-router)#neighbor 11.0.0.2 remote-as 200; set BGP neighbor in external AS 200

RB(config-router)#neighbor 10.1.0.1 remote-as 65101; set BGP neighbor to be part of the same sub AS to fulfill full mesh requirement

RB(config-router)#neighbor 10.2.0.1 remote-as 65101; set BGP neighbor to be part of the same sub AS to fulfill full mesh requirement

RB(config-router)#no auto-summary

Similarly RC:

RC(config)#router bgp 65101
RC(config-router)#no synchronization
RC(config-router)#bgp router-id 2.0.0.2
RC(config-router)#bgp log-neighbor-changes

RC(config-router)#redistribute connected

RC(config-router)#bgp confederation identifier 100

RC(config-router)#bgp confederation peers 65102

RC(config-router)#neighbor 10.3.0.1 remote-as 65102

RC(config-router)#neighbor 10.1.0.2 remote-as 65101

RC(config-router)#neighbor 10.2.0.2 remote-as 65101

RC(config-router)#no auto-summary

Similarly for AS65201

Router RD:

RD(config)#router bgp 65201
RD(config-router)#no synchronization
RD(config-router)#bgp router-id 5.0.0.2
RD(config-router)#bgp log-neighbor-changes

RD(config-router)#redistribute connected

RD(config-router)#bgp confederation identifier 200

RD(config-router)#bgp confederation peers 65202

RD(config-router)#neighbor 11.0.0.1 remote-as 100

RD(config-router)#neighbor 100.23.0.2 remote-as 65202

RD(config-router)#no auto-summary

Similarly for AS65202

Router RE:

RE(config)#router bgp 65202
RE(config-router)#no synchronization
RE(config-router)#bgp router-id 6.0.0.2
RE(config-router)#bgp log-neighbor-changes

RE(config-router)#redistribute connected

RE(config-router)#bgp confederation identifier 200

RE(config-router)#bgp confederation peers 65201

RE(config-router)#neighbor 12.0.0.2 remote-as 100

RE(config-router)#neighbor 100.23.0.1 remote-as 65201

RE(config-router)#no auto-summary

Similarly for AS65102

Router RF:

RF(config)#router bgp 65102
RF(config-router)#no synchronization
RF(config-router)#bgp router-id 4.0.0.1
RF(config-router)#bgp log-neighbor-changes

RF(config-router)#redistribute connected

RF(config-router)#bgp confederation identifier 100

RF(config-router)#bgp confederation peers 65101

RF(config-router)#neighbor 12.0.0.1 remote-as 200

RF(config-router)#neighbor 10.4.0.2 remote-as 65102

RF(config-router)#no auto-summary

Router RG:

RG(config)#router bgp 65102
RG(config-router)#no synchronization
RG(config-router)#bgp router-id 4.0.0.2
RG(config-router)#bgp log-neighbor-changes

RG(config-router)#bgp confederation identifier 100

RG(config-router)#bgp confederation peers 65101

RG(config-router)#redistribute connected

RG(config-router)#neighbor 10.3.0.2 remote-as 65101

RG(config-router)#neighbor 10.4.0.1 remote-as 65102

RG(config-router)#no auto-summary
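Added example, not part of the lab: a Python consistency check over the BGP stanzas above for the two things that most often go wrong with confederations, the iBGP full mesh inside each sub-AS (the "Pay attention!" above) and the remote-as / bgp confederation peers values on each neighbor statement. Router names, link addresses and AS numbers are the lab's; the LAB table layout and the two rules are my construction.

```python
import re
from itertools import combinations

# Constructed from the lab: each router's link addresses and its BGP stanza (commands ';'-separated).
LAB = {
    "RA": (["10.1.0.1", "10.2.0.2"], "router bgp 65101; bgp confederation identifier 100;"
           " bgp confederation peers 65102; neighbor 10.1.0.2 remote-as 65101; neighbor 10.2.0.1 remote-as 65101"),
    "RB": (["10.1.0.2", "11.0.0.1"], "router bgp 65101; bgp confederation identifier 100; bgp confederation peers 65102;"
           " neighbor 11.0.0.2 remote-as 200; neighbor 10.1.0.1 remote-as 65101; neighbor 10.2.0.1 remote-as 65101"),
    "RC": (["10.2.0.1", "10.3.0.2"], "router bgp 65101; bgp confederation identifier 100; bgp confederation peers 65102;"
           " neighbor 10.3.0.1 remote-as 65102; neighbor 10.1.0.2 remote-as 65101; neighbor 10.2.0.2 remote-as 65101"),
    "RD": (["11.0.0.2", "100.23.0.1"], "router bgp 65201; bgp confederation identifier 200;"
           " bgp confederation peers 65202; neighbor 11.0.0.1 remote-as 100; neighbor 100.23.0.2 remote-as 65202"),
    "RE": (["100.23.0.2", "12.0.0.1"], "router bgp 65202; bgp confederation identifier 200;"
           " bgp confederation peers 65201; neighbor 12.0.0.2 remote-as 100; neighbor 100.23.0.1 remote-as 65201"),
    "RF": (["12.0.0.2", "10.4.0.1"], "router bgp 65102; bgp confederation identifier 100;"
           " bgp confederation peers 65101; neighbor 12.0.0.1 remote-as 200; neighbor 10.4.0.2 remote-as 65102"),
    "RG": (["10.4.0.2", "10.3.0.1"], "router bgp 65102; bgp confederation identifier 100;"
           " bgp confederation peers 65101; neighbor 10.3.0.2 remote-as 65101; neighbor 10.4.0.1 remote-as 65102"),
}

def parse_bgp(text):
    """Sub-AS, confederation id, confederation peers and neighbors of one stanza."""
    asn = int(re.search(r"router bgp (\d+)", text).group(1))
    conf_id = int(re.search(r"confederation identifier (\d+)", text).group(1))
    peers = {int(p) for g in re.findall(r"confederation peers ([\d ]+)", text) for p in g.split()}
    nbrs = {ip: int(ras) for ip, ras in re.findall(r"neighbor (\S+) remote-as (\d+)", text)}
    return {"asn": asn, "conf_id": conf_id, "peers": peers, "neighbors": nbrs}

def check_confederation(lab):
    """Return a list of problems; an empty list means the stanzas are consistent."""
    owner = {ip: r for r, (ips, _) in lab.items() for ip in ips}
    cfg = {r: parse_bgp(stanza) for r, (_, stanza) in lab.items()}
    problems, by_as = [], {}
    for r, c in cfg.items():
        by_as.setdefault(c["asn"], set()).add(r)
    # Rule 1: iBGP inside each sub-AS must be a full mesh (the lab's "Pay attention!").
    for asn, routers in by_as.items():
        for a, b in combinations(sorted(routers), 2):
            for x, y in ((a, b), (b, a)):
                if not any(owner.get(ip) == y and ras == asn for ip, ras in cfg[x]["neighbors"].items()):
                    problems.append(f"{x}: no iBGP session to {y} in sub-AS {asn}")
    # Rule 2: remote-as is the peer's sub-AS inside the confederation, its confederation
    # identifier outside it; intra-confederation eBGP sub-ASes must be in 'bgp confederation peers'.
    for r, c in cfg.items():
        for ip, ras in c["neighbors"].items():
            peer = cfg[owner[ip]]
            same_conf = peer["conf_id"] == c["conf_id"]
            expected = peer["asn"] if same_conf else peer["conf_id"]
            if ras != expected:
                problems.append(f"{r}: neighbor {ip} remote-as {ras}, expected {expected}")
            elif same_conf and ras != c["asn"] and ras not in c["peers"]:
                problems.append(f"{r}: sub-AS {ras} missing from 'bgp confederation peers'")
    return problems
```

With the lab's stanzas the check returns an empty list; dropping one of RA's two iBGP neighbors, or pointing RB's external neighbor at sub-AS 65201 instead of confederation 200, produces a one-line finding naming the router.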

Function test:

1) Display routing information before you configure BGP

Verify routing tables on all routers of the network using sh ip route command.
Verify BGP using sh ip bgp neighbor and sh ip bgp on RA and RD.

Rx# sh ip route

2) Display routing information with BGP configured

Verify routing tables on all routers of the network using sh ip route command.
Verify BGP using sh ip bgp neighbor and sh ip bgp on RA and RD.

Rx# sh ip route ; x represents every router in the topology
Rx# sh ip bgp summary
Rx# sh ip bgp neighbor
Rx# sh ip bgp

Rx# sh ip ospf neighbor

3) Test connectivity

Test connectivity between AS100 and AS200. For example, use the ping command from RA to one of the interfaces on router RG. Also test connectivity to the other routers.

RA# ping 100.23.0.2
RA# traceroute 100.23.0.2

4) Compare routing tables in AS100 and AS200

The BGP path in the routing table will show the confederation AS number instead of the sub-AS numbers.

Cisco labs

I participated in Cisco courses during my university studies. My bachelor's and diploma theses were about creating lab examples. All examples will contain:

  • Task description (Goal)
  • Pre-configuration (What needs to be configured on Cisco routers before actual task)
  • Description of commands and their syntax
  • Link to ZIP file with complete task

All lab tasks were developed for https://virtlab.cs.vsb.cz/index.php?page=30

Uninstallation of incorrectly installed package / RU

Sometimes it happens that it is not possible to install an update, for example an interim update rollup (RU) for Exchange, because a previous installation got stuck.
The normal way of installing an RU works like this:

1. Disable Forefront if installed (FSCUTILITY /DISABLE) – nice article for example here: http://www.urtech.ca/2012/03/solved-how-to-disable-forefront-for-exchange-without-killing-exchange/
2. Run the installation of the new RU (this will automatically uninstall the previous RU and install the new one)
3. Reboot the server
4. Enable Forefront if installed (FSCUTILITY /ENABLE)

In our case the previous attempt recorded errors in the event log: Event ID 1603 or Event ID 2771.
Both errors mean that there was a problem uninstalling the previous version of the RU.

We have tried to:

1. Uninstall the RU manually, but without success:
a/ Select your favorite way to uninstall the RU (either Control Panel -> Programs and Features -> View installed updates -> locate and uninstall the package, or from the command line: msiexec.exe /x <packagename.msp>)
b/ Reboot the server

2. Install the previous RU again
No success: the package cannot be applied to the version of the product that is installed on this computer (in plain words, the update is already installed)

3. Install the new RU

4. Cause 1)
The installation of the previous RU went wrong and the package is in a half-installed state.
We tried to repair the installation of the package by executing msiexec.exe /fa <path and name of RU package.msp>, but we got the same errors (Event ID 1602).

5. Cause 2)
The previous RU package was removed incorrectly and the registry entries of this package are still visible in the Programs and Features tab.
This was our case. We had uninstalled the previous RU for Exchange 2010 SP2, however the record that the RU is installed was still present in the registry database of installed packages.
The database is located in the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

Each subkey represents one installed package and is in most cases named by the package GUID. If you click on a subkey you will see a result similar to the one shown in the picture. The important values are the package name and the uninstall string.
We copied the uninstall string and ran it in an elevated command prompt, but it failed again.

Screenshot: Uninstall registry subkey of the RU package

We made sure that the previous RU was really uninstalled by checking the Exchange version in PowerShell, however the record was still in the key mentioned above. We exported the particular registry key and deleted it. After that we were able to install the same RU again and continue.

DNS monitoring via Powershell

There is a Microsoft service called ExRAP (Exchange health check), and one of the errors in the report you get as a result of ExRAP is that internal DNS records are not checked automatically on all DNS servers. I have made a script which does DNS record monitoring for you and, in case the records differ from the designed values, sends an e-mail to a predefined e-mail address.
Prerequisites:
You must have rights to connect to the DNS servers and read DNS zones using WinRM.

How it works:

  • It uses the powerful PowerShell module called DnsShell (downloadable here: http://dnsshell.codeplex.com/)
  • It connects to each DNS server in the organization
  • It compares the predefined (designed) values from a CSV file with the values read from the DNS servers (A and PTR records) and, if the values of the DNS records differ, reports an error by e-mail message
  • The comparison is based on the ODD / EVEN count of identical records. If a record with an ODD count is found in the set of read records, that record on the DNS server or in the CSV file is incorrect.
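The ODD / EVEN comparison described above, modelled in Python as an added example (not the post's script): constructed sample records as read from one DNS server and from internal.csv, the parity rule the script applies, and a set-based comparison that gives the same answer on clean input but does not flip when one side lists a record twice.

```python
from collections import Counter

# Constructed sample input: (name, recorddata) pairs as the script reads them
# from one DNS server (A records plus PTR records from the 168.192 zones) ...
SERVER_RECORDS = [
    ("EXSERVER2", "192.168.196.102"),
    ("EXSERVER2", "192.168.196.111"),  # second A record nobody designed
    ("102.196.168.192.in-addr.arpa", "EXSERVER2.yourdomain.com."),
]
# ... and from internal.csv (the designed values).
CSV_RECORDS = [
    ("EXSERVER2", "192.168.196.102"),
    ("102.196.168.192.in-addr.arpa", "EXSERVER2.yourdomain.com."),
    ("103.196.168.192.in-addr.arpa", "EXSERVER3.yourdomain.com."),  # designed, missing on server
]


def parity_diff(server, csv):
    """The script's rule: pool both lists, group on (name, data); an odd group
    count means the record exists on one side only."""
    counts = Counter(server + csv)
    return sorted(rec for rec, n in counts.items() if n % 2)


def set_diff(server, csv):
    """Same question asked as a symmetric difference; a record listed twice on
    one side no longer changes the verdict."""
    return sorted(set(server) ^ set(csv))


def duplicate_caveat():
    """Where parity breaks: the designed PTR for EXSERVER3 is missing on the server,
    but internal.csv lists it twice, so its count is 2 (even) and parity misses it.
    Returns (flagged by parity, flagged by set difference)."""
    csv_with_dup = CSV_RECORDS + [CSV_RECORDS[2]]
    missing = CSV_RECORDS[2]
    return (missing in parity_diff(SERVER_RECORDS, csv_with_dup),
            missing in set_diff(SERVER_RECORDS, csv_with_dup))
```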

Preparation:

  • Install the DnsShell module into PowerShell on the server
    Extract DnsShell.zip to one of the paths shown by $Env:PSModulePath
  • Create a CSV file with the following format (one line for each A record, one line for each PTR record)

"Name";"RecordData"
"EXSERVER2";"192.168.196.102"
"102.196.168.192.in-addr.arpa";"EXSERVER2.yourdomain.com."

  • Copy the script to the same location as the CSV file

# To make this work, extract http://dnsshell.codeplex.com/ to C:\Windows\System32\WindowsPowerShell\v1.0\Modules
# author: Zbynek.Salon@salonovi.cz
###################################################################################
Import-Module DnsShell
$c = $null
$server = @()
$server = "DNS1","DNS2","DNS3"
foreach ($internalserver in $server){
# internal records check
$tocomp = $null
$tocomp = Import-Csv .\internal.csv -Delimiter ";"
$data = @()
$data += Get-ADDnsRecord *exserver* | select name,recorddata
$data += Get-DnsZone -Server $internalserver | where {$_.zonename -like "168.192*"} | Get-DnsRecord | where {$_.recorddata -like "*exserver*"} | select name,recorddata
#$data | Export-Csv .\tocompare.csv -Delimiter ";"
$data += $tocomp
# Pool the read records with the designed ones and group on name + data;
# a group with an odd member count exists on one side only, i.e. a mismatch.
$out = $data | sort name | group name,recorddata
$changed = @()
foreach ($rec in $out)
{
 $ev = $null
 $ev = [bool]!($rec.count%2)
 if ($ev -eq $false)
  {
  $changed += "$($rec.name);"
  }
}
if ($changed -ne $null){
foreach ($chan in $changed){
$c += "DNS server: $($internalserver)- Record: $($chan);<br />"}
}
}
if ($c -ne $null){Send-MailMessage -From monitoring@yourdomain.com -To administrator@yourdomain.com,another.admin@yourdomain.com -Subject "Monitored DNS records changed - please check." -Body "Hello,<br /> <br /> The following DNS records does not match with predefined values in '\\SERVERNAME\d$\Exchange\Scripts\DNSrecordsMonitoring\internal.csv'<br />$(foreach($q in $c){$q;'<br />'})<br /> Please check accuracy. <br /> <br /> S pozdravem / Best regards, <br /> Zbynek" -BodyAsHtml -Encoding ([System.Text.Encoding]::Unicode) -SmtpServer SMTP.yourdomain.com
}

  • The site-specific values in the script (DNS server names, CSV path, e-mail addresses, SMTP server) are subject to change
  • Do a test run
  • In case of a mismatch in DNS records an e-mail message is generated (do not forget to use an open relay connector and the correct SMTP server)

Hello,

The following DNS records does not match with predefined values in '\\SERVERNAME\d$\Exchange\Scripts\DNSrecordsMonitoring\internal.csv'
DNS server: DNS1-Record: EXSERVER2, 192.168.196.111;;'
'DNS server: DNS1-Record: EXSERVER2, 192.168.196.110;;'
'DNS server: DNS2-Record: EXSERVER2, 192.168.196.111;;'
'DNS server: DNS2-Record: EXSERVER2, 192.168.196.110;;'
'DNS server: DNS3-Record: EXSERVER2, 192.168.196.111;;'
'DNS server: DNS3-Record: EXSERVER2, 192.168.196.110;;'

Please check accuracy.

S pozdravem / Best regards,
Admin

  • Create a scheduled task to run the script as often as you want