A colleague of mine brought the following article to my attention:
UK's largest NHS Trust ditches laptops in favor of Windows To Go
Seems that London’s Imperial College Healthcare NHS Trust, have hit the bulls eye here 
Thursday, March 28, 2013
Windows To Go is not just a myth!
Tuesday, February 19, 2013
“Windows To Go” UEFI Only
“Windows to Go”,
I am sure most of you heard and read about this new feature available with Windows 8. For those of you who do not know, “Windows to Go” is a fully fledged Windows 8 OS on a USB stick or external USB drive. One might argue that there are other methods to create an OS on a USB stick, true, but this is more than that. First of all, Microsoft gives for each Windows 8 Enterprise license you pay for a WTG for free. The deployment is made easy and is enterprise ready - Microsoft calls this a “Workspace”. And I believe that in a year or so this will be a widely used method to provide desktops to employees and to encourage the BYOD in the enterprise.
The scenarios that come to my mind:
I have been working by several clients where I am not allowed to connect my own laptop to the client’s network, and even if you do receive a derogation for that, still your machine will be limited in accessing all the resources you might need to use to get the job done. One of my clients has given me a VDI desktop. With a VMware plugin installed I am able to access a Virtual Windows 7 machine hosted on the client’s VDI infrastructure. I must tell you, unless the company has spent enough money on appropriately sizing their VDI environment the experience is really crappy. It is extremely slow and not very smooth. And on Fridays it is even inaccessible because everybody works from home on Fridays here in the Netherlands (even if I manage to connect it is really unusable. I am not joking, it is true).
Another client of mine has given me a laptop with their own image deployed and joined to their domain = a managed machine. Of course this works much better, but this requires me to carry 2 laptops with me at all times, because most of my stuff is on my Avanade machine. Sometimes if you get lucky, and beg long enough, the client will provide a small lightweight notebook which helps with limiting the amount of weight you have to carry daily. And still - schlepping around 2 laptops is not an ideal situation.
Now imagine that these 2 clients, instead of investing in a laptop and/or allocating a VDI desktop for me, would just give me a Windows To Go? A certified USB stick of 64 GB costs about 150 USD/EUR. The OS license is free as mentioned above, I keep my own hardware and do not have to carry anything extra with me. Such a WTG is joined to the customer’s Active Directory Domain and is a managed workstation from every perspective! Couple it with Direct Access, like Avanade did for example, and you have a perfect solution. And even if you are juggling 2 or more projects at a time all you need is to mark the USB keys correctly J !
Another scenario could be: Users get only workstations at work and incidentally they have to work remotely from home, so they do not really qualify for a notebook. Instead of buying them a laptop, give them a WTG! Everybody has a computer at home these days, and 85% of households have a couple, and at least one which is less than 3-4 years old. Why invest in hardware if the user has one at home already?
Take my work room for example: I have a nice big screen attached to a desktop which is nicely built into my desk and all the cables are nicely tucked away, I do not even have a proper spot or space where I can put my work laptop down, which means I need to go work either at the kitchen or dining room table. Which means my family is around me and I am in their way all the time (well actually they are in my way, but hey a husband at home has not rights in the kitchen). The kids are all the time asking something and every time I have to make a phone call I have to hide in one of the other rooms so they do not disturb. Now having the WTG, I just plug it into the desktop in my work-room and start my Avanade workstation which has all my stuff on it and is connected to the Avanade Network with Direct Access.
You know it can even be simpler than that: Imagine you have an office with flexible work places. Place on each workspace a desktop without any OS deployed – really with an empty hard drive (or no hard drive at all). Deploy WTG sticks and give it to the users. They can plug it into any of the workstations and have their own desktop always regardless of which workstation the user is using. What I mean to say is, all you need then is hardware for hardware’s sake – no OS is required on the machines.
Sounds nice no, well there are caveats to WTG from security perspective. You are probably wondering about the title of this article by now, about the “UEFI Only” part right? Well let me explain:
A couple of month ago I went out and bought a 32 GB USB 3 stick with an intention of installing Windows to Go on it. Well I was extremely disappointed when the wizard told me that the stick is not compatible. Reading some articles on TechNet explained this. Windows To Go is only supported on a certified sticks (I’ll post links to supported sticks later in the article). The main requirement is that the stick present itself as a fixed drive to Windows. Well I managed to install windows 8 on the stick using a VHD following one of the articles on the web, but this was not it. It was difficult to install and it performed badly. Then I found a piece of software manufacturers use to modify the sticks in the factories… and after “hacking” my stick I was able to flip the so called “removable bit” value. Now my stick presented itself as a fixed drive and I was able to use the built in wizard in Windows 8 (only enterprise version of Windows 8 has this wizard on board in the control panel). Eureka, I thought, and 45 minutes later I was able to start from my USB drive and actually logged into freshly installed Window 8. The performance was not amazing, but workable. I then went ahead and joined my machine to Avanade Domain and since I am a DA phase 2 pilot (internal pilot for Direct Access we have) I have dispatched an email to our DA man, Justin Martin, to put my new WTG machine into the correct OU. I also put our ITS Windows 8 Deployment lead on the CC (Simon Windell). To my surprise Simon reacted to my message - that the machine I have just joined to the Avanade domain must be immediately dis-joined form the Active Directory Domain, since the WTG is not allowed in Avanade environment for security reasons. I contacted Simon who explained that Windows To Go does not utilize the TPM chip for encrypting the drive and since Avanade requires TPM based encryption the machine is not compliant and thus is not allowed on the Avanade Domain. You can imagine both my surprise and disappointment, if we do not allow WTG ourselves, then how am I going to advise clients to use it? I am not going too deep into the reasons why, but the bottom line is since the standard out of the box Windows to Go installation allows both Legacy and UEFI boot, when booted using Legacy BIOS the system can be compromised, since the encryption pair is not stored on a TPM chip but on the stick itself.
OK, there must be a way to build a WTG which only supports UEFI right? And yes there is! Microsoft designed Windows to Go to work on as much hardware as possible. All you need is a machine which is capable of booting from USB. This is why when created out of the box a Windows to Go stick will support both Legacy BIOS and UEFI boot process. I am not going into the discussion whether the fear of that such a stick can be hacked and decrypted is feasible… Each company should investigate the probability and decide on their own. But in case you do not want to go and investigate then keep reading and learn how you can create an UEFI boot only Windows to Go.
Simon kindly has lend me a certified Windows to Go USB drive and I started to look for the way to build a WTG with UEFI boot only. The base for my method are these 2 TechNet Articles: Windows To Go Step by Step and Deploy Windows To Go in Your Organization. Basically I looked at the PowerShell script mentioned in both articles and following the logic created a Windows To Go stick which only boots if a device supports UEFI boot.
We will need a Machine with Windows 8 Enterprise installed – The WTG Host Machine. And an .iso image of the same Windows available.
To start we need to format the stick with GPT partition table since UEFI boot process only works when the partition is GPT:
Start Diskpart from elevated command prompt.
Type list disk and select the correct one:
In my case it’s Disk 1
Select Disk 1
Type Clean to clean any present partitions
Type Convert GPT to convert the disk to GPT partition table
Now we are going to create the EFI partition:
Type create partition EFI size=100
The MSR partition of 128 MB is already there and I suspect that this is created as soon as I converted the disk to GPT partition table.
Type: format quick fs=fat32 label=EFI
Type: assign letter=S
Now we need to create the OS partition which will take the rest of the space available
Type: create partition primary
Type: format fs=ntfs quick label=UFD-Windows (this can be anything i.e. WTG)
Type: assign letter=w (also the choice is all yours for assigning the drive letter)
Now we need to make it not mountable on other systems. This makes sure that if you plug the WTG into a running machine the drive will not be accessible and will not get a drive letter. Although the drive can be still mounted via the Disk Management in windows (and on MAC it does mount), but since we are going to encrypt the drive it still will not be accessible unless you know the password.
Type: attribute volume set NODEFAULTDRIVELETTER
(Keep the diskpart window open)
Here is what it should look like:
Now we need to load the OS onto the drive and we are going to use DISM.EXE to apply the image. Have the Windows 8 .iso file handy and mounted (which is easy in windows 8, since there is built in support to mount an .iso image)
So start another elevated command prompt, mount the DVD image and run the following command:
dism /apply-image /imagefile:G:\sources\install.wim /index:1 /applydir:W:\
Wait a while till it is completely done (get a coffee, because it will take time).
Once it is ready we need to move the boot files to the correct location:
Move the boot files to the UEFI partition:
W:\Windows\System32\bcdboot W:\Windows /s S: /f UEFI
Now we need to do 2 more things:
Make sure that when the WTG boots the physical drives are not visible and not mounted.
Remove the Windows Recovery Environment (since WinRe is not supported on a WTG)
This we do using the following 2 XML files: Just copy the code from each column and give the files the corresponding names.
| San_policy.xml | Unattend.xml |
| <?xml version='1.0' encoding='utf-8' standalone='yes'?> | <?xml version="1.0" encoding="utf-8"?> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> |
Copy this SAN_Policy.xml file to the root of W: and then execute the following command:
Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
This will apply the San_Policy.xml to the image.
Then place the following unattend.xml file into the “w:\windows\system32\sysprep” folder
So now we are all done! We have created a Windows to Go which will only boot using UEFI boot sequence. To check this we can now boot using the WTG, but before you can do this the BIOS needs to be edited to allow UEFI. This is not an issue if you have UEFI only device then there is no need to modify anything in BIOS (besides the boot order perhaps). But my machine is Dell Latitude E6410 and since my currently loaded Windows 8 is not UEFI, I had to turn the UEFI option on. After going through the first time setup of the machine (installing the drivers, etc…) I wanted to verify the fact that this is really booting using the UEFI boot sequence. To do that start elevated command prompt and run
bcdedit /enum
This will tell you whether your machine has booted using UEFI boot sequence or Legacy boot: I would say find the differences
(hint: path in the boot loader section)
| UEFI Boot |
 |
| Legacy Boot |
 |
So I went ahead and joined my machine to the Avanade domain and then wanted to bitlock the OS drive as required per Avanade Policy! Well that was not possible, since the domain policy does not allow Bitlocker on OS drive without TPM. Hmmm, that’s no good! I have booted back to the desktop and decided to turn on the bitlocker from there. The Windows to Go Host machine (this is the machine which is used to create Windows to Go sticks) is capable of accessing the partitions of the WTG which was created on this host and since it is then treated just like any other USB drive I was able to encrypt the drive from the powershell.
Start elevated Windows Powershell command prompt:
First we need to add the recovery password as an option: run the following command:
Add-BitLockerKeyProtector W: -RecoveryPasswordProtector
This will also allow you to save the recovery password somewhere, in my image I have masked the recovery password of course.
Now we need to create a variable to store the password:
$spwd = ConvertTo-SecureString -String <password> -AsplainText –Force
Replace <password> with 6 digit pin code
Then run the following command to turn on Bitlocker encryption:
Enable-BitLocker W: -PasswordProtector $spwd
After this command the encryption process will start and it takes a considerable amount of time. I also read somewhere that you can just pause it and let is continue once you boot with the WTG. Nice thing is also that since my WTG host machine is domain joined the recovery password is also saved to the AD, but under my Host machine name (so not WTG hostname).
So this is all done and we have a working Windows To Go stick that is only bootable utilizing the UEFI boot sequence and is useless on machines where BIOS only support Legacy boot. The last thing I needed to prove to our ITS, was that the Secure Boot is on. Secure boot together with UEFI boot sequence guarantee that only specified OS is allowed to be booted. Problem is that my Latitude E6410 does not support Secure Boot. Incidentally a couple of days after I have created the UEFI only WTG I had a session planned with one of my colleagues to hook up SharePoint 2013 to Exchange 2013. Well once I got to his place in the morning he had a brand new windows 8 tablet from Acer. He was complaining that he was not able to load Windows 8 Enterprise on it using the image on the USB disk. This rang the bell by me, the reason the USB disk is not seen by the boot process is most probably because it is UEFI only so it needs a GPT formatted disk to be able to boot up from it. I told him “I’ll help you install the Enterprise version of Windows 8 on your tablet after you let me boot once from my own Windows to Go”. The boot went really smooth and after booted into the OS I checked whether secure boot is on:
Start elevated Windows Powershell prompt and run the following command:
Confirm-SecureBootUEFI
And ta-dah! Secure boot is on!!! It says TRUE!
Sorry for the quality of the image, but I used my phone to take it!
So in conclusion: My method is supported by Microsoft (since I have consulted a member of the product group). And I am sure my steps can be scripted to automate the tasks.
The only thing we need to figure out how can we filter and check whether a machine is or is not allowed to be joined to the domain.
Thursday, November 22, 2012
SubInACL in Forest Trust and Child Domain situation
This is a nice find by my colleague Arjen Karten, so all credit goes to him of course!
Imagine a situation:
You have 2 forests:
FABRIKAM = Source - single label forest
CHILD.FABRIKAM = Source Child domain
CONTOSO.COM = Target Forest
You need to re-ACL resources (file shares, application directories, etc…) so you call good old friend "SubInACL". A wonderful tool that allows for scripting and is a sort of "swiss army knife" when it comes to re-ACL jobs. So in our situation we are migrating from CHILD.FABRIKAM to COTOSO.COM. There is a forest trust in place, so the trust relation between FABRIKAN and CHILD is inherited by CONTOSO.COM via the Forest trust, and there is no direct trust relationship between CHILD.FABRIKAM and CONTOSO.COM. When you attempt to run the SubInACL with /changedomain=CHILD=CONTOSO, you will get an error stating that domain name cannot be found. Now we checked everything regarding DNS etc. and all is nice and dandy, and still it does not work. We actually cannot even setup a secure channel connection directly from CONTOSO to CHILD or vice versa.
This problem is also described here: http://www.mombu.com/microsoft/windows-server-migration/t-subinacl-610756.html and there is no answer really.
Well there is: = my colleague Arjen Karten
came up with the idea to solve this… Since Arjen does not have a public blog (yet) I volunteered to publish the solution on mine, but all the Kudos go to Arjen of course. Arjen is a Group Manager with Avanade and we are currently staffed on the same project involving AD migration for a large corporate customer.
So here is what he came up with
"When you try to use subinacl /changedomain in a cross forest migration, with the source or target domain being child domain, you get an error 'Could not find domain name'.
C:\TestFolder>subinacl /subdirectories c:\testfolder\*.* /changedomain=CHILD=CONTOSO
The domain controller does not have a direct trust connection with the CHILD domain, which is a child domain in the source forest and fails to resolve. (0x54b is 1355 in decimal)
This seems a specific issue with how subinacl tries to resolve the source domain CHILD)
C:\TestFolder>subinacl /subdirectories c:\testfolder\*.* /replace=child\gs-testgroup1=contoso\gs-testgroup1
This means groups and accounts from the source domain can be migrated, but apparently not with the changedomain option.
But it is rather inconvenient to have to add 10.000 groups to the commandline.
After a few hours of troubleshooting and testing with dumpcachedsids and offlinesam we discovered that the issue with a child domain is that a target domain controller cannot resolve the domain name and provide the sid of the source domain.
The solution is to create a domainsid.txt file that contains a single line with the sid of the domain that cannot be resolved:
Use the Sysinternals psgetsid tool to dump the Source domain sid.
C:\INSTALL\PSTools>PsGetsid.exe child
Create a textfile domainsid.txt and a single line as below:
child=S-1-5-21-2349847776-1970708901-3682075933
Run the subinacl command again with the offlinesam parameter:
C:\TestFolder>subinacl /offlinesam=domainsid.txt /subdirectories c:\testfolder\*.* /changedomain=child=contoso
And subinacl works again!!!!!!
If you try to use dumpcachedsids to create an offlinesam, you will notice that this does not give you the expected result as it prohibits any use of domain controllers to resolve sids and does not contain any domain sids (source nor target).
C:\TestFolder>\install\subinacl /dumpcachedsids=sids.txt /subdirectories c:\testfolder\*.* /display
This result in a sids.txt with the following contents:
If you try to run the migration with the offlinesam=sids.txt option, it fails.
C:\TestFolder>subinacl /offlinesam=sids.txt /subdirectories c:\testfolder\*.* /changedomain=child=contoso
C:\TestFolder>subinacl /offlinesam=sids.txt /subdirectories c:\testfolder\*.* /changedomain=child=contoso
As user and group accounts from the source domain can be resolved by subinacl, as proved by the subinacl /replace=child\testgroup=contoso\testgroup command, all other sids, except for the source domain sid are not necessary."
Imagine a situation:
You have 2 forests:
FABRIKAM = Source - single label forest
CHILD.FABRIKAM = Source Child domain
CONTOSO.COM = Target Forest
You need to re-ACL resources (file shares, application directories, etc…) so you call good old friend "SubInACL". A wonderful tool that allows for scripting and is a sort of "swiss army knife" when it comes to re-ACL jobs. So in our situation we are migrating from CHILD.FABRIKAM to COTOSO.COM. There is a forest trust in place, so the trust relation between FABRIKAN and CHILD is inherited by CONTOSO.COM via the Forest trust, and there is no direct trust relationship between CHILD.FABRIKAM and CONTOSO.COM. When you attempt to run the SubInACL with /changedomain=CHILD=CONTOSO, you will get an error stating that domain name cannot be found. Now we checked everything regarding DNS etc. and all is nice and dandy, and still it does not work. We actually cannot even setup a secure channel connection directly from CONTOSO to CHILD or vice versa.
This problem is also described here: http://www.mombu.com/microsoft/windows-server-migration/t-subinacl-610756.html and there is no answer really.
Well there is: = my colleague Arjen Karten
came up with the idea to solve this… Since Arjen does not have a public blog (yet) I volunteered to publish the solution on mine, but all the Kudos go to Arjen of course. Arjen is a Group Manager with Avanade and we are currently staffed on the same project involving AD migration for a large corporate customer.
So here is what he came up with
"When you try to use subinacl /changedomain in a cross forest migration, with the source or target domain being child domain, you get an error 'Could not find domain name'.
C:\TestFolder>subinacl /subdirectories c:\testfolder\*.* /changedomain=CHILD=CONTOSO
1355 Could not find domain name: child
Error finding domain name: 1355 The specified domain either does not exist or could not be contacted.
Current object c:\testfolder\*.* will not be processed
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /changedomain=child=contoso : Error when checking arguments - c:\testfolder\*.*
From the network trace, you can see that the server that is being migrated (xxx) tries to request the resolve the source domain (CHILD) from its domain controller (yyy).Error finding domain name: 1355 The specified domain either does not exist or could not be contacted.
Current object c:\testfolder\*.* will not be processed
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /changedomain=child=contoso : Error when checking arguments - c:\testfolder\*.*
The domain controller does not have a direct trust connection with the CHILD domain, which is a child domain in the source forest and fails to resolve. (0x54b is 1355 in decimal)
This seems a specific issue with how subinacl tries to resolve the source domain CHILD)
143 1.769676000 192.168.1.xxx 192.168.1.yyy RPC_NETLOGON 272 NetrGetAnyDCName request
Microsoft Network Logon, NetrGetAnyDCName
Operation: NetrGetAnyDCName (13)
Server Handle: \\CONTOSODC01
Domain: CHILD
144 1.770466000 192.168.1.yyy 192.168.1.xxx RPC_NETLOGON 202 NetrGetAnyDCName response, Unknown error 0x0000054b
What does work is:Microsoft Network Logon, NetrGetAnyDCName
Operation: NetrGetAnyDCName (13)
Server Handle: \\CONTOSODC01
Domain: CHILD
144 1.770466000 192.168.1.yyy 192.168.1.xxx RPC_NETLOGON 202 NetrGetAnyDCName response, Unknown error 0x0000054b
C:\TestFolder>subinacl /subdirectories c:\testfolder\*.* /replace=child\gs-testgroup1=contoso\gs-testgroup1
This means groups and accounts from the source domain can be migrated, but apparently not with the changedomain option.
But it is rather inconvenient to have to add 10.000 groups to the commandline.
After a few hours of troubleshooting and testing with dumpcachedsids and offlinesam we discovered that the issue with a child domain is that a target domain controller cannot resolve the domain name and provide the sid of the source domain.
The solution is to create a domainsid.txt file that contains a single line with the sid of the domain that cannot be resolved:
Use the Sysinternals psgetsid tool to dump the Source domain sid.
C:\INSTALL\PSTools>PsGetsid.exe child
PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
SID for CHILD\child:S-1-5-21-2349847776-1970708901-3682075933Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
Create a textfile domainsid.txt and a single line as below:
child=S-1-5-21-2349847776-1970708901-3682075933
Run the subinacl command again with the offlinesam parameter:
C:\TestFolder>subinacl /offlinesam=domainsid.txt /subdirectories c:\testfolder\*.* /changedomain=child=contoso
And subinacl works again!!!!!!
If you try to use dumpcachedsids to create an offlinesam, you will notice that this does not give you the expected result as it prohibits any use of domain controllers to resolve sids and does not contain any domain sids (source nor target).
C:\TestFolder>\install\subinacl /dumpcachedsids=sids.txt /subdirectories c:\testfolder\*.* /display
This result in a sids.txt with the following contents:
__cachefileonly__
contoso\domain users=S-1-5-21-4064155377-322177466-2899229887-513
system=S-1-5-18
builtin\administrators=S-1-5-32-544
builtin\users=S-1-5-32-545
child\gs-testgroup1=S-1-5-21-2349847776-1970708901-3682075933-1114
creator owner=S-1-3-0
The __cachefileonly__ value makes sure that only the sids.txt is used to resolve sids and no domain controllers are involved. This is the default dump setting from subinaclcontoso\domain users=S-1-5-21-4064155377-322177466-2899229887-513
system=S-1-5-18
builtin\administrators=S-1-5-32-544
builtin\users=S-1-5-32-545
child\gs-testgroup1=S-1-5-21-2349847776-1970708901-3682075933-1114
creator owner=S-1-3-0
If you try to run the migration with the offlinesam=sids.txt option, it fails.
C:\TestFolder>subinacl /offlinesam=sids.txt /subdirectories c:\testfolder\*.* /changedomain=child=contoso
Could not find domain name in SAM cache file: child
Error finding domain name : 87 The parameter is incorrect.
Current object c:\testfolder\*.* will not be processed
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /changedomain=child=contoso : Error when checking arguments - c:\testfolder\*.*
If you add the source domain sid to the sids.txt file, you find that the target domain (CONTOSO) now cannot be found. But as the target domain is the local domain, this should be resolvable.Error finding domain name : 87 The parameter is incorrect.
Current object c:\testfolder\*.* will not be processed
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /changedomain=child=contoso : Error when checking arguments - c:\testfolder\*.*
C:\TestFolder>subinacl /offlinesam=sids.txt /subdirectories c:\testfolder\*.* /changedomain=child=contoso
Could not find domain name in SAM cache file: contoso
Error finding domain name : 87 The parameter is incorrect.
Current object c:\testfolder\*.* will not be processed
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /changedomain=child=contoso : Error when checking arguments - c:\testfolder\*.*
In order for subinacl to check with the local domain controller again, you need to remove the __cachefileonly__ line from the sids.txtError finding domain name : 87 The parameter is incorrect.
Current object c:\testfolder\*.* will not be processed
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /changedomain=child=contoso : Error when checking arguments - c:\testfolder\*.*
As user and group accounts from the source domain can be resolved by subinacl, as proved by the subinacl /replace=child\testgroup=contoso\testgroup command, all other sids, except for the source domain sid are not necessary."
Tuesday, November 13, 2012
Cross-Forest Free/Busy – the Simple Version
I am currently on a project which involves cross-forest mailbox migration (as part of the AD migration/consolidation). In such cases the migration is a process which can take considerable amount of time, so naturally coexistence is important. So mail routing and GALSync need to be in place, and what offers the most value to the business is the Free/Busy lookups cross-forest. Now we all know that starting with Exchange 2007, but truly it is better implemented in Exchange 2010 and higher, there is what we call Exchange Federation. Exchange Federation allows federating two partner companies to share the Calendar and Contact information cross-forest. While this feature allows for sharing more than just Free/Busy, but also the subject of the appointments, the location, etc. (what I call "Rich" Free/Busy), it requires that both organizations have at least one Exchange 2010 CAS server present, and involvement of Microsoft Federation Gateway.
Now on my project the source environment is Exchange 2007 and implementing an Exchange 2010 is not feasible. So my good friend and colleague Arno Zwegers (who is an Exchange Ranger) has pointed out to me that we could offer a "simple" Free/Busy lookups without deploying Exchange 2010 CAS box in the source. This method also does not require access to the Microsoft Federation Gateway (which means you do not need publicly signed certificates per se, as long as the CAs which issued the certificates are mutually trusted).
So…
It is possible to provide free/busy lookups cross forest between two Exchange 2010 or 2007 or a mix of these, without the need of using the Microsoft Federation Gateway. This will offer only basic free/busy information.
Requirements:
- It only works for Outlook 2007 or more recent clients. Outlook 2003* users will NOT be able to see Free Busy/Availability information from people located in the other side (so between non-migrated and migrated users).
- It will only work for mail enabled objects that exist in the Global Address List. So it will not work when an object is not listed in the Global Address List. So you need to maintain an up-to-date GAL (GALSync, Script, whatever…)
So…
To be able to access Free/Busy information between Contoso Forest and Fabrikam Forest the following needs to be done:
- The host files on ALL CAS servers in both forest need to be adjusted. Entries which will be pointing to respective autodiscover records should be added.
autodiscover.contoso.com & autodiscover.fabrikam.com
- In Contoso Forest create an account "freebusy"(plain user account-CONTOSO\freebusy)
- In Fabrikam Forest create an account "freebusy"(plain user account-FABRIKAM\freebusy)
- In Contoso Forest: Logon to a CAS server and run the following commands:
Add-AvailabilityAddressSpace –Forestname "fabrikam.com" -AccessMethod OrgWideFB –Credential (get-Credential)
When prompted for the credentials use the "FABRIKAM\freebusy" credentials.
Set-AvailabilityConfig –OrgWideAccount freebusy
freebusy here is the local account we created earlier.
- In Fabrikam Forest: Logon to a CAS server and run the following commands:
Add-AvailabilityAddressSpace –Forestname "contoso.com" -AccessMethod OrgWideFB –Credential (get-Credential)
When prompted for the credentials use the "CONTOSO\freebusy" credentials.
Set-AvailabilityConfig –OrgWideAccount freebusy
freebusy here is the local account we created earlier.
Now wait for 15-30 minutes and try scheduling an appointment between 2 users from 2 different forests.
I have successfully tried this in the situation with 2010 and 2007, but I am quite sure it will work for Exchange 2013 as well. (@Arno, Correct me if I am wrong)
* To accommodate Outlook 2003 clients which use Public Folders to retrieve the Availability information exFolders can be used to sync the System and Free/Busy Public Folders between two forests. "exFolders" is the new name for the old IORepl Tool (Inter-Org Replication Tool), which offers the possibility to synchronise Public Folders cross-forest.
Monday, October 22, 2012
Exchange 2013 reaches RTM
The Game is on again
Finally Exchange 2013 reaches RTM (among other products)
http://blogs.technet.com/b/exchange/archive/2012/10/11/the-new-exchange-reaches-rtm.aspx
Finally Exchange 2013 reaches RTM (among other products)
http://blogs.technet.com/b/exchange/archive/2012/10/11/the-new-exchange-reaches-rtm.aspx
Tuesday, August 14, 2012
EHLO: I am Exchange 2013–OWA
Tuesday, August 7, 2012
EHLO: I am Exchange 2013 – OWA on an iPad
Hello everybody, I am back with another article on Exchange 2013. This time I wanted to talk about OWA (Outlook Web App), and specifically about the improvements made to OWA when using a tablet device. In my case it is a 1st generation iPad (this would fall into the category of “keep your friend close, and your enemies even closer 
).
You might all ask why OWA on an iPad when one can use ActiveSync? Well in my case I have been forced to use OWA on my iPad because the rest of the household forces me to.
Let me explain: Avanade requires a pin code for devices that connect with Active Sync, and since the iPad is the family device I was getting complaints that they all need to enter the pin code to use the iPad (all = my wife and 2 kids). Besides this, my 7 year old kept on trying to unlock the iPad using a wrong code which resulted in a remote wipe, which basically grounded their precious iPad for a whole day (until I came home from work and restored it from backup. Good to know the policies do work though 
). As you can understand, any resistance, or claims that the iPad is my device, or that they should just remember the pin code, are all futile here. So I was doomed to using the OWA on my OWN iPad! Which any of you who ever tried it know is a painful experience. The Safari on the iPad only supports the light version of OWA:
Here is what it looks like:
Reading a message is bearable, but composing a new message or replying is quirky. The interface is not touch-friendly at all, and you end up zooming in and out in order to just press a correct button.
I have actually come across 2 cases by now where a customer has decided to block the ActiveSync for the users (because they do not want any mobile devices connecting at all), and they offer OWA for mobile users. Anyone trying to use OWA on their phone (no matter how large the screen is) is a lunatic, but it kind of works for a tablet.
“Here Comes the Sun” - OWA 2013
In their new version of Exchange Microsoft completely redesigned OWA and made it into a true Web App! It has become User Friendly, Touch Friendly and really fast. It also has a subset of features that the OWA 2010 light version did not have at all.
When I logged in for the first time into OWA 2013 on my iPad it took some time and I got a message from iOS stating that the Web App needs more space to work asking me to increase the default 256 MB to 512MB (I guess this is RAM, and I think this is only specific to the first generation iPad). And then you get to see this:
It’s like entering a different dimension. There is a large enough message list and a preview pane which automatically formats the message so you do not need to scroll sideways. As you can see there are Windows Phone like buttons on top for “Unread”, “flagged”, etc… And they are huge, by the way there is no way you can miss even if you have very thick finders. Basically the Metro User experience is all over here.
On the left bottom (to the left of the search button) there is a sort “windows” button, when pressing it you end up here:
Metro all over: from here you can jump quickly to 4 sections depicted in the tiles. Note how the Calendar tile is larger then the rest, just like on the Windows Phone, because it is important!
We go first to the Calendar – day view:
Top row allows you to jump to different day, while the bottom row (middle) allows for switching to week and month view:
Week view: see how the current day is marked with a blue stripe (Sunday in my case)
on the left there is a button that will pop up the current month:
And here is the month view: Note the 22nd is marked to identify the current date
The bottom bar on the right has the “+” sign which will allow you to create a new calendar entry
Simple clear interface, and hitting “more details” gives you even more options, i.e.reminder, attendees, notes, etc…
Now back to the Mail: Every message has inline buttons for reply/forward and mark read/unread. But you can also hit the famous 3 dots button on the right bottom of the dark grey bar which will popup a nice menu.
Pressing the inline Reply/Forward button will show you a menu with Reply, Reply to All and Forward – nice and big for extra fat fingers
The contacts I am skipping for now, but you can do the usual stuff there all touch friendly and all. I do want to show you the settings page though: There are only two sections there, one for setting the automatic replies: Extremely Important!
and the other one for the Time Zone settings:
And the last screenshot to show the parallel with Outlook 2013 – how unread messages get a blue vertical stripe to indicate that the message is unread:
That’s it for now, As you can see the Outlook Web App has become extremely mature and can be used on almost any browser. Bellow is the list of OWA features available per browser
Supported browsers on desktop and laptop computers
In the table below, the following definitions apply:
- Best: All Outlook Web App features are supported.
- Good: Most Outlook Web App features are supported.
- Light: The browser displays the light version of Outlook Web App.
Desktops and laptops: Outlook Web App features available by Windows operating system and browser combination
| Web browser | Windows XP and Windows Server 2003 | Windows Vista and Windows Server 2008 | Windows 7 | Windows 8 Release Preview |
| Internet Explorer 7 | Good | Not available | Not available | Not available |
| Internet Explorer 8 | Good | Good | Good | Not available |
| Internet Explorer 9 | Not available | Best | Best | Not available |
| Internet Explorer 10 | Not available | Not available | Best - plus offline access | Best – plus offline access |
| Firefox 12 or later | Good | Good | Best | Best |
| Safari 5.1 or later | Good – plus offline access | Good – plus offline access | Good – plus offline access | Good – plus offline access |
| Chrome 18 or later | Good – plus offline access | Good – plus offline access | Best – plus offline access | Best – plus offline access |
Note: In previous versions, Outlook Web App had a built-in spell checker. In Exchange Server 2013 Preview, Outlook Web App relies on the web browser for spell checking, which Internet Explorer prior to version 10 doesn’t provide.
Desktops and laptops: Outlook Web App features available by non-Windows operating system and browser combination
| Web browser | Mac OX X v10.5 | Mac OX X v10.6 and v10.7 | Linux |
| Firefox 12 or later | Best | Best | Best |
| Safari 5.0.6 | Best – plus offline access | Best – plus offline access | Not available |
| Safari 5.1 or later | Not available | Best – plus offline access | Not available |
| Chrome 18 or later | Best – plus offline access | Best – plus offline access | Best – plus offline access |
Note: Operating system and browser combinations not listed display the light version of Outlook Web App.
Supported browsers for tablets and smartphones
You can use the web browser on a tablet or smartphone to sign in to Outlook Web App. The available Outlook Web App features depends on the operating system and browser combination in use, as follows:
- Best: All Outlook Web App features for smartphones and tablets are supported.
- Light: The browser displays the light version of Outlook Web App.
Tablets and smartphones: Outlook Web App features available by operating system and browser combination
| Device | Minimum memory | Application | Support |
| Windows 8 Release Preview tablet | 512 MB | Web browser | Best |
| iOS 5 or later for iPhone | 512 MB | Web browser | Best |
| iOS 5 or later for iPad | 512 MB | Web browser | Best |
| Android 4.0 smartphone or later | 512 MB | Web browser | Best |
| Android 4.0 tablet or later | 512 MB | Web browser | Best |
| All other smartphones and tablets | Not applicable | Web browser | Light |
Note: iPad version 1 devices have 256 MB of memory. Outlook Web App requires 512 MB of memory; therefore, it's not supported on version 1 iPads.
I guess I have just proved the last statement wrong 
See you in the next article
Subscribe to:
Posts (Atom)