
Archive for November, 2011

Cumulative Update 3 for System Center Service Manager 2010 SP1 Released

November 22nd, 2011 Daniel Davies 2 comments

Just to let you know, Cumulative Update 3 for System Center Service Manager 2010 SP1 has been released.

Here is the link to the update: http://www.microsoft.com/download/en/details.aspx?id=28159&WT.mc_id=rss_alldownloads_all

The Update contains fixes for the following issues:

  • MP Import: When a data type is a decimal sometimes the decimal becomes an integer
  • Corruption of the Type ManagementEntity table when importing a type extension
  • Updates to properties are not brought forward to DW if updates to the instances happens in the same transaction or right before deleting the instance
  • AD Connector not bringing in new updates
  • When creating a new CR using the new CR form, clicking the Apply button sometimes creates a duplicate record
  • Console intermittently freezes when updating/creating incident and clicking apply
  • HealthService fails to stop at the end of SP1 DW patch if previous start action takes too long
  • When launching the SCSM console on client machines and server the Reporting Wunderbar doesn’t appear
  • High CPU in monitoringhost.exe when creating or updating an incident that triggers a notification

Microsoft® SQL Server® 2012 Release Candidate 0 Has Been Released

November 21st, 2011 Daniel Davies No comments

Just to let you know, Microsoft® SQL Server® 2012 Release Candidate 0 has been released.

Here is the link to the download: http://www.microsoft.com/download/en/details.aspx?id=28145 (the details below are quoted from that page):

“Microsoft SQL Server 2012 RC0 enables a cloud-ready information platform that will help organizations unlock breakthrough insights across the organization as well as quickly build solutions and extend data across on-premises and public cloud backed by capabilities for mission critical confidence:

  • Deliver required uptime and data protection with AlwaysOn
  • Gain breakthrough & predictable performance with ColumnStore Index
  • Help enable security and compliance with new User-defined Roles and Default Schema for Groups
  • Enable rapid data discovery for deeper insights across the organization with ColumnStore Index
  • Ensure more credible, consistent data with SSIS improvements, a Master Data Services add-in for Excel, and new Data Quality Services
  • Optimize IT and developer productivity across server and cloud with Data-tier Application Component (DAC) parity with SQL Azure and SQL Server Data Tools for a unified dev experience across database, BI, and cloud functions”

How to Enable the New Error pages after updating to TMG SP2

November 17th, 2011 Daniel Davies No comments

With TMG SP2, Microsoft have released a new look for the error pages.

You can enable this after you upgrade to TMG SP2 by doing the following:

  1. Open the TMG Console
  2. Right-click “Forefront TMG (Server Name)” and select Properties
  3. Go to the “Error Pages” tab and select “Use the version available from Forefront TMG SP2 onwards”
  4. Apply the settings and you will have the new error pages

Upgrading TMG Standard to Enterprise Edition

November 17th, 2011 Daniel Davies No comments

We recently came across a scenario where we had to upgrade Forefront TMG Standard edition to Enterprise edition. It is a very simple procedure and you don’t lose any configuration such as Rules and Network Config.

Steps to Upgrade

  1. Open TMG Console
  2. Choose System
  3. Press the System Tab
  4. Right Click the server to upgrade
  5. Click product ID Tab and choose upgrade to Enterprise Edition
  6. Enter your Product Key and then apply the changes and you’ve Upgraded successfully!

    The remote session was disconnected because there are no Remote Desktop client access licenses available for this computer.

    November 17th, 2011 paulw No comments

    This error will stop you from connecting to RDP.

    This is a client-based issue with logging on to the server, and it involves the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing

    Once you have deleted this key, try the RDP connection again. If it continues to fail then you may need to run the RDP connection as administrator for the first time.

    Cheers

    Paul


    Importing Users using PowerShell

    November 3rd, 2011 paulw 3 comments

    We had a request from one of our clients where they wanted to create new user accounts for around 50 new employees. In order to do this we created a simple PowerShell script that used a populated CSV file to create the users in a certain OU and with a default password.

    The CSV file had a heading for each column the script reads: UserName, FullName, FirstName, SurName and UserPrincipalName.

    After saving it to a location we ran the following PowerShell script that created the users:

     

    # Load the Active Directory cmdlets
    Import-Module ActiveDirectory
    # CHANGE: location of the CSV file
    $inputFile = Import-Csv C:\usersToBeCreated.csv

    foreach ($line in $inputFile)
    {
        # CHANGE: the temporary password ("Password") and the target OU (-Path).
        # Every account is enabled and must change its password at first logon.
        New-ADUser -SamAccountName $line.UserName -Name $line.FullName -AccountPassword (ConvertTo-SecureString -AsPlainText "Password" -Force) -Enabled $true -Path "OU=Domain Users,DC=TEST,dc=LOCAL" -DisplayName $line.FullName -GivenName $line.FirstName -Surname $line.SurName -UserPrincipalName $line.UserPrincipalName -ChangePasswordAtLogon $True
    }

     

    You can copy and paste the script above; you will only need to change the CSV location, the temporary password for the new users and the OU that you want to put the users into.

    As long as you use the same headings in your CSV file, this should work OK. You can, of course, add in more details that are accepted by the New-ADUser command, which are outlined at the URL below:

    http://technet.microsoft.com/en-us/library/ee617253.aspx

    Cheers

    Paul
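
A variant of the import above, added here as an example and not part of the original post: it gives each account its own random temporary password instead of one shared value, rejects rows with an invalid logon name, and reports accounts that could not be created. The helper names, the output path and the 16-character length are assumptions; the CSV headings and the OU are the ones used above.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and a CSV with the headings UserName, FullName, FirstName, SurName, UserPrincipalName.
Import-Module ActiveDirectory

$csvPath = 'C:\usersToBeCreated.csv'            # same input file as above
$outPath = 'C:\newUserPasswords.csv'            # assumed output path
$ou      = 'OU=Domain Users,DC=TEST,dc=LOCAL'   # same OU as above
$rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex {
    # Hypothetical helper: index in [0, $Max) drawn from the OS CSPRNG.
    param([int]$Max)
    $bytes = New-Object byte[] 4
    $rng.GetBytes($bytes)
    [int]([System.BitConverter]::ToUInt32($bytes, 0) % $Max)
}

function New-TempPassword {
    # Hypothetical helper: one character from each class (to satisfy AD
    # complexity rules), the rest from all classes, then shuffled.
    param([int]$Length = 16)
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%+-=?@'
    $all     = -join $classes
    $chars   = @(foreach ($c in $classes) { $c[(Get-RandomIndex $c.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {   # Fisher-Yates shuffle
        $j = Get-RandomIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

# sAMAccountName: at most 20 characters, none of " / \ [ ] : ; | = , + * ? < >
$validSam = '^[^"/\\\[\]:;|=,+*?<>]{1,20}$'

$created = foreach ($line in Import-Csv $csvPath) {
    if ($line.UserName -notmatch $validSam) {
        Write-Warning "Skipping row with invalid UserName '$($line.UserName)'"
        continue
    }
    $plain  = New-TempPassword
    $params = @{
        SamAccountName        = $line.UserName
        Name                  = $line.FullName
        DisplayName           = $line.FullName
        GivenName             = $line.FirstName
        Surname               = $line.SurName
        UserPrincipalName     = $line.UserPrincipalName
        Path                  = $ou
        AccountPassword       = (ConvertTo-SecureString $plain -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true
        ErrorAction           = 'Stop'
    }
    try {
        New-ADUser @params
        [pscustomobject]@{ UserName = $line.UserName; TempPassword = $plain }
    }
    catch {
        # Typically: the account already exists or the OU path is wrong
        Write-Warning "Not created: $($line.UserName): $($_.Exception.Message)"
    }
}

# The output file holds cleartext temporary passwords:
# hand it over securely, then delete it.
if ($created) { $created | Export-Csv $outPath -NoTypeInformation }
```

Because every account still has -ChangePasswordAtLogon set, the generated value is only usable until the user's first logon.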


    SCCM 2012 Release Candidate is now available

    November 2nd, 2011 Jovan Davis No comments

    System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection (previously known as Forefront Endpoint Protection) Release Candidates are now available for download.

    New features in the release candidate include:

    • Improved endpoint protection functionality, with integrated setup, management and reporting of System Center 2012 Endpoint Protection. (see below)
    • Improved application catalog design that provides a better, more responsive experience when requesting and downloading applications.
    • New support for Windows Embedded devices, including Windows Embedded 7 SP1, POS-Ready 7, Windows 7 Think PC, and Windows Embedded Compact 7.
    • Improved compliance enforcement and tracking, with the ability to create dynamic collections of baseline compliance and generate hourly compliance summaries.
    • Platform support for deep mobile device management of Nokia Symbian Belle devices. Pending a platform update by Nokia later this calendar year for these devices, customers will be able to try out the management of Nokia devices with Configuration Manager.

    http://www.microsoft.com/download/en/details.aspx?id=27841&WT.mc_id=rss_alldownloads_all


    How to Configure CRM 2011 for IFD and publish via TMG or UAG

    November 1st, 2011 Daniel Davies 1 comment

    Scenario

    We have a CRM server that we need to configure for IFD. We currently have CRM published internally on http://crm.contoso.com. We have no ADFS server currently set up so we will be setting that up from scratch.

    The steps below take you through setting up IFD and also explain how you can publish the IFD/ADFS setup via UAG or TMG.

    CRM Server Name = CRMSERVER

    UAG Server Name = UAGSERVER

    ADFS Server Name = ADFSSERVER

    Pre-Requisites

    You will need the following before we start configuring IFD and ADFS.

    Certificate SAN Names

    A wildcard certificate will be your best bet for this process, but if this is not an option for you then you will need the following SAN names:

    1. Adfs.contoso.com – URL for ADFS

    2. Crm.contoso.com – URL for Internal CRM

    3. Dev.contoso.com – CRM Web Service Discovery Domain

    4. Auth.contoso.com – CRM External Domain

    5. Orgname.contoso.com – URL for External CRM

    6. Adfsportal.contoso.com – UAG Trunk URL (Needed only if using UAG to Publish)
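
A way to check a certificate's name list against the six host names above before starting, added here as an example and not part of the original post. The function name and both sample name lists are constructed for illustration; the wildcard rule applied is the standard one, where `*.contoso.com` matches exactly one label to the left of `.contoso.com`.

```powershell
# Added example, not from the original post.
function Test-SanCoverage {
    # Hypothetical helper: reports, for each required host name, whether one
    # of the certificate's SAN entries covers it.
    param(
        [Parameter(Mandatory = $true)][string[]]$CertificateNames,  # SAN entries on the certificate
        [Parameter(Mandatory = $true)][string[]]$RequiredNames      # host names that must be served
    )
    foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($san in $CertificateNames) {
            if ($san -eq $name) { $covered = $true; break }        # exact match, case-insensitive
            if ($san.StartsWith('*.')) {
                $suffix = $san.Substring(1)                         # e.g. ".contoso.com"
                if ($name.Length -gt $suffix.Length -and
                    $name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    # A wildcard stands for a single label only: no further dots allowed
                    $label = $name.Substring(0, $name.Length - $suffix.Length)
                    if ($label -notmatch '\.') { $covered = $true; break }
                }
            }
        }
        [pscustomobject]@{ Name = $name; Covered = $covered }
    }
}

# The six names from the list above (the last one is only needed for UAG)
$required = 'adfs.contoso.com', 'crm.contoso.com', 'dev.contoso.com',
            'auth.contoso.com', 'orgname.contoso.com', 'adfsportal.contoso.com'

# Constructed sample: a SAN certificate requested without the UAG trunk name
$sanCert = 'adfs.contoso.com', 'crm.contoso.com', 'dev.contoso.com',
           'auth.contoso.com', 'orgname.contoso.com'

# Lists the names the SAN certificate does not cover
Test-SanCoverage -CertificateNames $sanCert -RequiredNames $required |
    Where-Object { -not $_.Covered }

# Constructed sample: a wildcard certificate
Test-SanCoverage -CertificateNames '*.contoso.com' -RequiredNames $required
```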

    External IP Addresses

    One IP address will be needed if you’re publishing via UAG

    1. Adfs.contoso.com, Adfsportal.contoso.com, dev.contoso.com, auth.contoso.com, orgname.contoso.com

    Two IP addresses will be needed if you’re publishing via TMG

    1. Adfs.contoso.com

    2. dev.contoso.com, auth.contoso.com, orgname.contoso.com

    External/Internal DNS Records

    You will need to create internal and external DNS records for the following

    1. adfs.contoso.com – Point to ADFS server

    2. adfsportal.contoso.com – Point to ADFS server (only needed if using UAG)

    3. dev.contoso.com – Point to CRM server

    4. auth.contoso.com – Point to CRM server

    5. orgname.contoso.com – Point to CRM server

    Disable Loopback Check on ADFS Server

    Also disable the loopback check on your ADFS server unless your ADFS URL is the hostname of your server; otherwise ADFS won’t authenticate and you will receive a 401.1 error.

    1. Click Start, click Run, type regedit, and then click OK.

    2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    3. Right-click Lsa, point to New, and then click DWORD Value.

    4. Type DisableLoopbackCheck, and then press ENTER.

    5. Right-click DisableLoopbackCheck, and then click Modify.

    6. In the Value data box, type 1, and then click OK.

    7. Quit Registry Editor, and then restart your computer.
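
The registry change above as PowerShell, added here as an example and not part of the original post. It also shows the narrower BackConnectionHostNames value, which exempts only the listed host names from the loopback check instead of switching the check off for the whole server; the function names are hypothetical, and using adfs.contoso.com as the exempted name is an assumption based on the names used in this post.

```powershell
# Added example, not from the original post. Run in an elevated session on the ADFS server.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

function Get-LoopbackCheckState {
    # Hypothetical helper: reports both settings so the current state can be
    # reviewed before and after a change.
    $off   = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $names = (Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        LoopbackCheckDisabled   = ($off -eq 1)
        BackConnectionHostNames = @($names | Where-Object { $_ })
    }
}

function Disable-LoopbackCheck {
    # Hypothetical helper: what steps 1 to 6 above do by hand.
    New-ItemProperty -Path $lsa -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null
}

function Add-BackConnectionHostName {
    # Hypothetical helper: the narrower alternative. Adds one host name to the
    # multi-string value, keeping any names that are already listed.
    param([Parameter(Mandatory = $true)][string]$HostName)
    $current = @((Get-LoopbackCheckState).BackConnectionHostNames)
    if ($current -contains $HostName) { return }
    New-ItemProperty -Path $msv10 -Name BackConnectionHostNames -PropertyType MultiString `
        -Value ($current + $HostName) -Force | Out-Null
}

Get-LoopbackCheckState                                     # review the current state
Add-BackConnectionHostName -HostName 'adfs.contoso.com'    # assumed federation service name
Get-LoopbackCheckState                                     # confirm, then restart as in step 7
```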

    How to Set up CRM 2011 IFD

    These steps explain what we need to run through in the Setup Wizards for CRM and ADFS in a chronological order.

    ADFS

    1. Install ADFS 2.0 on a Separate Server to CRM named ADFSSERVER

    2. Import Certificate from Pre-Reqs onto ADFS site in IIS

    3. Configure ADFS and Choose a Stand-Alone Federation Server Deployment

    4. Choose the Wildcard/SAN certificate that you requested as part of pre-reqs and select the Federation Service name to be adfs.contoso.com

    CRM

    1. Open the CRM Deployment manager

    2. Right click properties on Microsoft Dynamics CRM and go to the Web Address tab

    3. Change the binding tab to HTTPS and configure the following

    · Web Application Server

    i. Crm.contoso.com

    · Organization Web Service

    i. Crm.contoso.com

    · Discovery Web Service

    i. Crm.contoso.com

    · Deployment Web Service

    i. Crm.contoso.com

    4. Open IIS and bind the Wildcard/SAN certificate to CRM Website.

    DNS

    1. Create an external DNS record for adfs.contoso.com and point it to the IP on the UAG server, and create an internal record for adfs.contoso.com and point it to ADFSSERVER

    2. Also create an internal record for Crm.contoso.com to point to CRMSERVER

    CRM

    1. Open the CRM Deployment manager

    2. Right click properties on Microsoft Dynamics CRM and configure Claims-Based Authentication Wizard.

    3. The Federation Metadata Url will be https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml

    4. Select the Wildcard/SAN certificate to use

    5. Hit Next and Finish

    6. Open the Certificate (Local Computer) MMC Snap in

    7. Browse to Wildcard/SAN certificate

    8. Right click the certificate, go to all tasks and manage private keys

    9. Add the service account responsible for running the CRMAppPool and give it read permissions (Check this by opening IIS on CRMSERVER > Expand server name > application pools and check the identity responsible for running the CRMAppPool. May be running under networkservice account also)

    10. Run an IISRESET

    ADFS

    1. Try browsing to https://crm.contoso.com/federationmetadata/2007-06/federationmetadata.xml to make sure federation metadata loads.

    2. In ADFS Console add a Trust Relying Party

    3. Choose the option Import data about the relying party published online or on a local network

    Federation Metadata address - https://crm.contoso.com/federationmetadata/2007-06/federationmetadata.xml

    4. Set the Display Name to “Internal CRM”

    5. Select “Permit all users to access this relying party”

    6. Press Finish; now we will need to add a few Transform Claim Rules

    7. Choose “Pass Through or Filter an incoming claim” Template

    · Claim Rule Name: Pass Primary SID

    · Incoming Claim Type: Primary SID

    · Pass through all claim values

    8. Choose the “Pass Through or Filter an incoming claim” Template

    · Claim Rule Name: Pass UPN

    · Incoming Claim Type: UPN

    · Pass through all claim values

    9. Choose the “Transform an Incoming Claim ” Template

    · Claim Rule Name: Transform Windows Account Name to Name

    · Incoming Claim Type: Windows Account Name

    · Outgoing Claim Type: Name

    · Pass through all claim values

    10. Press Finish, then expand Trust Relationships

    11. Go to Claims Provider Trusts, right-click Active Directory and choose Edit Claim Rules

    12. Now hit Add Rule

    13. Choose the “Send LDAP Attributes as Claims ” Template

    · Claim rule name: Send UPN from AD to Claims

    · Attribute store: Active Directory

    · LDAP Attribute: User Principal Name

    · Outgoing Claim Type: UPN

    CRM

    1. Try browsing to https://crm.contoso.com and you should notice an ADFS screen flicker up and then disappear

    2. Now choose Configure Internet-Facing Deployment

    · Web Application Server Domain: Contoso.com

    · Organization Web Service Domain: Contoso.com

    · Discovery Web Service Domain: dev.contoso.com

    3. Hit Next and use auth.contoso.com for the External domain

    DNS

    1. Create an external DNS record for auth.contoso.com and point it to the UAGSERVER/TMGSERVER

    2. Create an external DNS record for dev.contoso.com and point it to the UAGSERVER/TMGSERVER

    3. Create an external DNS record for orgname.contoso.com and point it to the UAGSERVER/TMGSERVER

    4. Create an internal DNS record for auth.contoso.com and point it to the CRMSERVER

    5. Create an internal DNS record for dev.contoso.com and point it to the CRMSERVER

    6. Create an internal DNS record for orgname.contoso.com and point it to the CRMSERVER

    ADFS

    1. In ADFS Console add a Trust Relying Party

    2. Choose the option Import data about the relying party published online or on a local network

    Federation Metadata address- https://auth.contoso.com/federationmetadata/2007-06/federationmetadata.xml

    4. Set the Display Name to “External CRM”

    5. Select “Permit all users to access this relying party”

    6. Choose “Pass Through or Filter an incoming claim” Template

    · Claim Rule Name: Pass Primary SID

    · Incoming Claim Type: Primary SID

    · Pass through all claim values

    7. Choose the “Pass Through or Filter an incoming claim” Template

    · Claim Rule Name: Pass UPN

    · Incoming Claim Type: UPN

    · Pass through all claim values

    8. Choose the “Transform an Incoming Claim ” Template

    · Claim Rule Name: Transform Windows Account Name to Name

    · Incoming Claim Type: Windows Account Name

    · Outgoing Claim Type: Name

    · Pass through all claim values.

    We now have a decision on how we want to publish CRM 2011 IFD, either by UAG or TMG

    Option 1 = UAG

    Option 2 = TMG

    Option 1 – UAG

    UAG

    Create Authentication Repository

    1. Now if we Open the UAG console we need to configure an ADFS authentication repository

    2. In the Forefront UAG console, on the Admin menu, click Authentication and Authorization Servers

    3. On the Authentication and Authorization Servers dialog box click Add

    4. Choose ADFS 2.0 as the Server type and, on the Add Authentication Server dialog box, enter:

    · Server Name: ADFSSERVER

    · Url of Metadata File: https://adfs.contoso.com/FederationMetadata/2007-06/federationmetadata.xml

    5. Choose Retrieve Metadata

    6. Select the Claim Type Name from the list.

    7. Now select ok and close

    Create Portal Trunk

    1. In the Forefront UAG Management console, right-click HTTPS Connections then click New Trunk

    2. Trunk Type will be Portal Trunk click next

    3. Settings for the trunk

    · Trunk Name – ADFS

    · Public Host name- Adfsportal.contoso.com

    · Ip Address – External IP address of your choice that has the appropriate DNS records pointing to it.

    4. Add ADFS Authentication Server created above and hit next

    5. Choose the Wildcard/SAN certificate and choose next

    6. Choose use UAG Forefront Endpoint Policies

    7. Hit Finish and Activate Settings (make a note of the Metadata file): “https://adfs.contoso.com/InternalSite/ADFSv2Sites/ADFS/FederationMetadata/2007-06/FederationMetadata.xml”

    ADFS

    1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

    2. Under the AD FS 2.0\Trust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

    3. On the Welcome page, click Start.

    4. On the Select Data Source page, do one of the following:

    5. Use Federation metadata URL “https://UAGSERVER.contoso.com/InternalSite/ADFSv2Sites/ADFS/FederationMetadata/2007-06/FederationMetadata.xml”

    6. On the Specify Display Name page, in Display name type UAG and then click Next.

    7. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.

    8. Click Next to save your relying party trust information.

    9. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.

    10. Choose “Pass Through or Filter an incoming claim” Template

    · Claim Rule Name: Pass Primary SID

    · Incoming Claim Type: Primary SID

    · Pass through all claim values

    11. Choose the “Pass Through or Filter an incoming claim” Template

    · Claim Rule Name: Pass UPN

    · Incoming Claim Type: UPN

    · Pass through all claim values

    12. Choose the “Transform an Incoming Claim” Template

    · Claim Rule Name: Transform Windows Account Name to Name

    · Incoming Claim Type: Windows Account Name

    · Outgoing Claim Type: Name

    · Pass through all claim values

    13. Press Finish, then expand Trust Relationships

    14. Go to Claims Provider Trusts, right-click Active Directory and choose Edit Claim Rules

    15. Now hit Add Rule

    16. Choose the “Send LDAP Attributes as Claims ” Template

    · Claim rule name: Send UPN from AD to Claims

    · Attribute store: Active Directory

    · LDAP Attribute: User Principal Name

    · Outgoing Claim Type: UPN

    UAG

    Publish CRM 2011

    1. Open the UAG Console

    2. Publish the CRM server using the Microsoft Dynamics CRM 2011 template

    3. In the main portal properties page on the ADFS Trunk, in Applications, click Add.

    4. On the Select Application page of the Add Application Wizard, select Web, and then select Microsoft Dynamics CRM 2011. Then click Next.

    5. On the Configure Application page, specify the name CRM 2011. This name will appear in the portal. Then click next.

    6. Choose Configure an Application Server

    7. On the web servers page the Address should be the internal URL of CRM which is crm.contoso.com

    8. The public hostname will be the Organization host name of “Orgname.contoso.com”

    9. On the Authentication select the ADFS 2.0 Authentication Server and choose 401 Request

    10. In the Forefront UAG Management console, in the application list, click the AD FS 2.0 application, click Edit, and on the Application Properties dialog box, on the Authentication tab, select the Allow unauthenticated access to web server check box.

    11. On the Forefront UAG server in the Forefront UAG Management console, publish the Microsoft Dynamics CRM Discovery Web Service domain “dev.contoso.com” using the Other Web Application (application specific name) template.

    12. On the web servers page the Address should be the internal URL of crm.contoso.com

    13. The public hostname will be the External URL “dev.contoso.com”

    14. On the Authentication select the ADFS 2.0 Authentication Server and choose 401 Request

    15. On the Portal Link page, clear the Add a portal and toolbar link check box.

    16. On the Forefront UAG server in the Forefront UAG Management console, publish the external domain selected during configuration of IFD for Microsoft Dynamics CRM which is auth.contoso.com using the Other Web Application (application specific name) template.

    17. On the web servers page the Address should be the internal URL of crm.contoso.com

    18. The public hostname will be the External URL “auth.contoso.com”

    19. On the Authentication select the ADFS 2.0 Authentication Server and choose 401 Request

    20. On the Portal Link page, clear the Add a portal and toolbar link check box.

    21. Make Sure the CRM 2011 application is above the External domain and discovery service domain

    Option 2 – TMG

    TMG

    1. On TMG create a Web listener called CRM IFD

    2. Select “Require SSL secure connection with clients”

    3. Select External and assign the 2 IPs to the listener that you have assigned for “auth.contoso.com, dev.contoso.com, orgname.contoso.com and adfs.contoso.com”

    4. Assign the appropriate Wildcard certificate or SAN certificate

    5. Make sure the Web Listener is set to “No Authentication”

    6. Hit Next and Finish

    7. Now we need to create a publishing rule: press “Publish Web Sites” in the Firewall policy tasks column

    8. Name the rule “Publish CRM Organization IFD”

    9. Select “Allow”

    10. Choose “Publish a Single Web Site or Load Balancer”

    11. Now choose “Use SSL to connect to the published Web server or server farm”

    12. Internal Site name will be “Orgname.contoso.com” (make sure you have created an internal DNS record for this or it won’t work); also select use a computer name and type in the name of your CRM server “CRMSERVER”

    13. Don’t enter a path and just press next

    14. The public name will be “https://orgname.contoso.com” and again leave the path blank

    15. Select the web listener you created earlier, “CRM IFD”

    16. Select “No Delegation, and client cannot authenticate directly”

    17. Make sure the rule applies to “All Users” and hit next and finish

    Now we need to create 3 more Web Publishing Rules for auth.contoso.com, dev.contoso.com and adfs.contoso.com

     

    Auth.contoso.com

    1. Press “Publish Web Sites” in the Firewall policy tasks column

    2. Name the rule “Publish CRM Auth IFD”

    3. Select “Allow”

    4. Choose “Publish a Single Web Site or Load Balancer”

    5. Now choose “Use SSL to connect to the published Web server or server farm”

    6. Internal Site name will be “Auth.contoso.com” (make sure you have created an internal DNS record for this or it won’t work); also select use a computer name and type in the name of your CRM server “CRMSERVER”

    7. Don’t enter a path and just press next

    8. The public name will be “https://Auth.contoso.com” and again leave the path blank

    9. Select the web listener you created earlier, “CRM IFD”

    10. Select “No Delegation, and client cannot authenticate directly”

    11. Make sure the rule applies to “All Users” and hit next and finish

    Dev.contoso.com

    1. Press “Publish Web Sites” in the Firewall policy tasks column

    2. Name the rule “Publish CRM Discovery IFD”

    3. Select “Allow”

    4. Choose “Publish a Single Web Site or Load Balancer”

    5. Now choose “Use SSL to connect to the published Web server or server farm”

    6. Internal Site name will be “Dev.contoso.com” (make sure you have created an internal DNS record for this or it won’t work); also select use a computer name and type in the name of your CRM server “CRMSERVER”

    7. Don’t enter a path and just press next

    8. The public name will be “https://Dev.contoso.com” and again leave the path blank

    9. Select the web listener you created earlier, “CRM IFD”

    10. Select “No Delegation, and client cannot authenticate directly”

    11. Make sure the rule applies to “All Users” and hit next and finish

    Adfs.contoso.com

    1. Press “Publish Web Sites” in the Firewall policy tasks column

    2. Name the rule “Publish ADFS”

    3. Select “Allow”

    4. Choose “Publish a Single Web Site or Load Balancer”

    5. Now choose “Use SSL to connect to the published Web server or server farm”

    6. Internal Site name will be “Adfs.contoso.com”

    7. Don’t enter a path and just press next

    8. The public name will be “https://Adfs.contoso.com” and again leave the path blank

    9. Select the web listener you created earlier, “CRM IFD”

    10. Select “No Delegation, and client cannot authenticate directly”

    11. Make sure the rule applies to “All Users” and hit next and finish

    You should now have CRM IFD all published and working.