Active directory users joining from Mac machine
Joining a Mac to the Domain on Mac OS X
Open Users & Groups from System Preferences and click the lock button to unlock it.
Select the Network Account Server by clicking the "Edit" button; this opens the network account options shown in the screenshot. Then click "Open Directory Utility…".
Unlock the Directory Utility window, select Active Directory, and click Edit to bind.
When you click the Edit button, the next screen opens, where you type:
- Active Directory Forest:
- Active Directory Domain:
- Computer ID
After typing all the above values, click "Bind".
Another screen appears asking for a Domain Administrator account and password for the bind process. Type the information and click OK.
If the details are correct, the screen shows a GREEN indicator, meaning that you have successfully bound the machine to AD.
After the bind process completes, expand "Show Advanced Options", select the "User Experience" tab, and check the following.
The "Create mobile account at login" option above is only needed if the AD user wants to log in while offline. This works only if the AD user has logged in at least once while on-premises, so that the system has cached the account.
Click OK and go back to Users & Groups.
Click the "Options" button next to "Allow network users to log in at login window".
Another screen pops up. By default "All network users" is selected. If you want to allow all AD users to log into this computer, keep it as it is; otherwise select "Only these network users" and click the "+" button at the bottom. This opens another window listing all the AD users. Select the user that you want to add and click "Done".
Now go back to Users & Groups, click Login Options and select "Display login window as".
If you select "List of users", the login window lists all the active users on that machine.
If you select the "Name and Password" option, you type the user name and the password.
To give the AD user LOCAL ADMIN rights, select the user in Users & Groups and check "Allow user to administer this computer".
Now you are good to go. Click the lock again in "Login Options" to save the settings and prevent unauthorised changes.
Restart the Mac machine and login
Enjoy!!!
Add UPN Suffixes to Active Directory users
UPN (User Principal Name) Suffixes: You can use Active Directory Domains and Trusts to add user principal name (UPN) suffixes for existing user accounts. The default UPN suffix for a user account is the Domain Name System (DNS) domain name of the domain that contains the user account. You can add alternative UPN suffixes to simplify administration and user logon by providing a single UPN suffix for all users. The UPN suffix is used only within the Active Directory forest, and it is not required to be a valid DNS domain name.
To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. For details on using the appropriate accounts and group memberships, click here.
To add UPN suffixes
- To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
- In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.
- On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
The same can be done using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
Sample AD PowerShell command to update UPNs in bulk
Get-ADUser -Filter * -Properties homeMDB | Where-Object {$_.homeMDB -ne $null} | ForEach-Object {$CompleteUPN = $_.SamAccountName + "@contoso.com"; Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $CompleteUPN}
The above script:
- Gets all users with something in their homeMDB attribute (i.e. mailbox users)
- Creates a temporary variable called $CompleteUPN which is a combination of every user's SamAccountName plus @contoso.com
- Sets each user to this new UPN
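The one-liner above rewrites every mailbox user's UPN without checking that the suffix is registered on the forest or that the new UPN is unique. The following script, added here and not part of the original post, does the same bulk update with those checks; it assumes the ActiveDirectory module and a suffix of contoso.com (a placeholder), and runs with -WhatIf until you remove it.

```powershell
# Added example, not the post's own script. Bulk UPN update with the checks the
# one-liner skips. Assumes the ActiveDirectory module; "contoso.com" is a placeholder.
Import-Module ActiveDirectory

$Suffix = 'contoso.com'   # the alternative UPN suffix added in AD Domains and Trusts

# 1. Refuse to run unless the suffix is registered on the forest (or is the root
#    domain name); a UPN with an unregistered suffix cannot be used to log on.
$forest = Get-ADForest
if (($forest.UPNSuffixes -notcontains $Suffix) -and ($forest.RootDomain -ne $Suffix)) {
    throw "UPN suffix '$Suffix' is not registered on forest $($forest.Name)"
}

# 2. Mailbox users only: the same homeMDB test the post uses, done server-side.
$users = Get-ADUser -Filter 'homeMDB -like "*"' -Properties homeMDB, UserPrincipalName

# 3. Index every UPN already in use so the script never creates a duplicate
#    (duplicate UPNs break logon for both accounts).
$existing = @{}
Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object { $existing[$_.UserPrincipalName.ToLower()] = $_.SamAccountName }

foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $Suffix
    if ($u.UserPrincipalName -eq $newUpn) { continue }      # already correct, skip
    $owner = $existing[$newUpn.ToLower()]
    if ($owner -and ($owner -ne $u.SamAccountName)) {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already used by $owner"
        continue
    }
    # -WhatIf shows the planned change without touching AD; remove it to apply.
    Set-ADUser -Identity $u.DistinguishedName -UserPrincipalName $newUpn -WhatIf
    $existing[$newUpn.ToLower()] = $u.SamAccountName
}
```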
Enjoy!!!
Cannot Join Apple OS X Lion to Windows Active Directory – How to fix it!!!
Action: New Mac OS X Lion to Active Directory binding.
Issue: Every time I get the following error: "authentication server encountered an error while attempting the requested operation".
Findings: Even though I'm connected to the internet and using the Apple time server, the time on the machines is not correct at all, which prevents the machines from binding to Windows Active Directory.
Solution: Set the date and time to the correct values on your Apple machine and then restart it. Without a restart, this will not work.
Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
Remote Server Administration Tools for Windows 7 with SP1 enables IT administrators to manage roles and features that are installed on remote computers that are running Windows Server 2008 R2 with SP1 or Windows Server 2008 R2 (and, for some roles and features, Windows Server 2008 or Windows Server 2003) from a remote computer that is running Windows 7 or Windows 7 with SP1. It includes support for remote management of computers that are running either the Server Core or full installation options of Windows Server 2008 R2 with SP1, Windows Server 2008 R2, and for some roles and features, Windows Server 2008. Some roles and features on Windows Server 2003 can be managed remotely by using Remote Server Administration Tools for Windows 7 with SP1, although the Server Core installation option is not available with the Windows Server 2003 operating system.
This feature is comparable in functionality to the Windows Server 2003 Administrative Tools Pack and Remote Server Administration Tools for Windows Vista with Service Pack 1 (SP1).
To download Remote server administration tools for Windows 7 SP1, click here
Installing Remote Server Administration Tools for Windows 7 with SP1
You must be either a member of the Administrators group on the computer on which you want to install the Administration Tools pack, or you must be logged on to the computer by using the built-in Administrator account.
- On a computer that is running Windows 7 or Windows 7 with SP1, download the Remote Server Administration Tools for Windows 7 with SP1 package from the Microsoft Download Center.
- Open the folder into which the package downloaded, double-click the package to unpack it, and then start the Remote Server Administration Tools for Windows 7 with SP1 Setup Wizard. Important: You must accept the License Terms and Limited Warranty to start to install the Administration Tools pack.
- Complete all installation steps in the wizard, and then click Finish to exit the wizard when installation is finished.
- Click Start, click Control Panel, and then click Programs.
- In the Programs and Features area, click Turn Windows features on or off.
- If you are prompted by User Account Control to enable the Windows Features dialog box to open, click Continue.
- In the Windows Features dialog box, expand Remote Server Administration Tools.
- Select the remote management tools that you want to install and click OK.
- Configure the Start menu to display the Administration Tools shortcut, if it is not already there:
  - Right-click Start, and then click Properties.
  - On the Start Menu tab, click Customize.
  - In the Customize Start Menu dialog box, scroll down to System Administrative Tools, and then select Display on the All Programs menu and the Start menu. Click OK.
Shortcuts for snap-ins installed by Remote Server Administration Tools for Windows 7 with SP1 are added to the Administrative Tools list on the Start menu.
Old public folder – How to remove from Exchange server
It is difficult to delete an old public folder from the EMC. To do it, use ADSIEDIT to clear the old ones.
Right-click the folder you want to delete under CN=Exchange Administrative Group, CN=Databases, and click Delete. Then go to Active Directory Sites and Services and initiate replication across the domain.
Go to the EMC and refresh.
That's it.
Active Directory – Difference in between SYSVOL and NETLOGON folders
Oz Casey Dedeal (Virginia, VA, United States) has a good article on this topic. To read more, click here.
Changing your domain password in OWA
In the previous edition of OWA with Exchange Server 2007, users had a problem changing their password, because the IISADMPWD virtual directory was dropped as a supported feature in Windows Server 2008/IIS 7.0. This prevented OWA users with expired passwords from changing their password and logging on. This was a problem for many OWA users, especially remote/mobile users with non-domain-joined computers. From Exchange Server 2010 Service Pack 1 and Exchange Server 2007 Service Pack 3 (running on Windows Server 2008 or Windows Server 2008 R2) onwards, there is a new feature that allows users with expired passwords to change their password. This also works for users whose accounts are configured to change password at next logon.
Use this procedure to enable it on Exchange 2007 SP3 and Exchange 2010 SP1 Client Access servers. If you are using a CAS Array, you must perform these steps on each CAS in the array.
- On the Client Access Server (CAS), click Start > Run, type regedit.exe and click OK.
- Navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
- Right-click the MSExchange OWA key and click New > DWORD (32-bit) Value.
- Name the DWORD value ChangeExpiredPasswordEnabled and set its value to 1.
Note: The accepted values are 1 (or any non-zero value) for "Enabled", and 0 or blank / not present for "Disabled".
- After you configure this DWORD value, you must reset IIS. The recommended method is to run IISReset /noforce from a command prompt.
NOTE: Users can't use a User Principal Name (UPN) (e.g. myname@domain.com) in the Domain\user name field of the Change Password window. It should be domain\myname.
Once you are done, click Submit. Make sure that your new password matches the domain password policy.
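Because the value has to be set on every CAS in the array and IIS has to be reset afterwards, a script is less error-prone than repeating the regedit steps by hand. This one is added here and is not part of the original post; it assumes PowerShell remoting to the CAS servers, and the server names are placeholders.

```powershell
# Added example, not from the post: enable ChangeExpiredPasswordEnabled on every
# CAS in the array, verify it, and recycle IIS gracefully as the post recommends.
# Assumes PowerShell remoting; $CasServers holds placeholder names.
$CasServers = @('CAS01', 'CAS02')
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$ValueName  = 'ChangeExpiredPasswordEnabled'

Invoke-Command -ComputerName $CasServers -ArgumentList $KeyPath, $ValueName -ScriptBlock {
    param($KeyPath, $ValueName)

    # Any non-zero value enables the feature; 0 or a missing value disables it.
    # -Force overwrites the value if a previous run (or a manual edit) created it.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back instead of trusting the write succeeded.
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($current -eq 0) { throw "$($env:COMPUTERNAME): $ValueName is still disabled" }

    # OWA only reads the value when its application pool starts, so reset IIS.
    # /noforce lets in-flight requests finish rather than killing worker processes.
    & iisreset.exe /noforce | Out-Null

    New-Object PSObject -Property @{
        Server                       = $env:COMPUTERNAME
        ChangeExpiredPasswordEnabled = $current
    }
}
```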
Exchange Server 2007 Service Pack 3 released
Exchange Server 2007 SP3 supports all Exchange 2007 roles on the Windows Server 2008 R2 operating system.
Exchange 2007 SP3 provides support only for a new installation of Exchange on Windows Server 2008 R2.
Exchange 2007 SP3 is not supported in an upgrade scenario on Windows Server 2008 R2. For example, Exchange 2007 SP3 does not support the following installation scenarios:
- A new Exchange 2007 SP3 installation on a Windows Server 2008 R2-based computer that has been upgraded from Windows Server 2008
- Upgrading Exchange 2007 SP2 to Exchange 2007 SP3 on a Windows Server 2008 R2-based computer that has been upgraded from Windows Server 2008
- Upgrading the operating system from Windows Server 2008 to Windows Server 2008 R2 on a computer that has Exchange 2007 SP3 installed
Exchange Server 2007 SP3 provides:
- Further flexibility, with the addition of Windows Server 2008 R2 support for server roles and Windows 7 support for the Exchange management tools.
- These additions, along with enhancements to the advanced protection options against e-mail security threats such as spam and viruses, and the tools that help manage internal compliance and high availability needs, provide Exchange administrators with the tools they need to manage their Exchange 2007 environments efficiently.
- Exchange 2007 SP3 introduces password reset functionality for Internet Information Services (IIS) 7.
- Exchange 2007 SP3 includes updates to the Exchange Search (MSSearch) component.
- MSSearch provides support for creating full text indexes for Exchange stores.
- Exchange 2007 SP3 updates the MSSearch binary files to MSSearch 3.1.
- Exchange 2007 SP3 includes Active Directory schema changes for certain Unified Messaging (UM) mailbox attributes.
- Exchange 2007 SP3 includes support for Right-to-Left text in e-mail message disclaimers in a right-to-left language, such as Arabic.
- In earlier versions of Exchange, when you use a transport rule to create a disclaimer in a right-to-left language on an Exchange 2007 Hub Transport server, the text appears incorrectly when you view it from Outlook 2007.
- Exchange 2007 SP3 adds functionality to the transport rule setting to fully support right-to-left text in disclaimers.
Useful Links
- Click here for How to Install the Exchange 2007 Management Tools.
- Click here for How to Enable the Exchange 2007 SP3 Password Reset Tool
- Click here for Active Directory Schema Changes (SP3)
- Click here for Release Notes for Exchange Server 2007 SP3.
- To download Exchange 2007 SP3, see Exchange Server 2007 Downloads.
Other downloads
- Exchange Server 2007 Service Pack 2
- Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1
- Microsoft Exchange Server 2007 Management Tools (32-Bit)
- Exchange Server 2007 Service Pack 1
- Windows Small Business Server 2008 Best Practices Analyzer
Issues
- In the recently released Exchange 2007 Service Pack 3, there's a version mismatch in the Outlook Web Access (OWA) S/MIME Control, an ActiveX control used to provide S/MIME support in OWA. After you install SP3, users who have the control installed will be prompted to install the latest version of the control. The way this works: the code compares the "Version" property of the client S/MIME control (MIMECTL.DLL) on the user's computer with the ProductVersion property of the MSI file (OWASMIME.MSI) on the Client Access Server. To know more, see "Exchange 2007 SP3 and OWA S/MIME Version Mismatch" on the Microsoft Exchange Team Blog.
Configure EWS, Autodiscover, OWA, OAB, ECP on Exchange Server 2010
As you all know, service connectivity for a mail server is the main concern for all of us. In Exchange Server 2010, the connectivity is the same as in Exchange Server 2007. Once you migrate or install the new version, it should be tested with the proper credentials and certificate; otherwise you will end up with your mail server IP on a blacklist because of wrong pointers and configurations. First of all, do the internal test. In the notification area of the taskbar (bottom right, next to the date and time) you will find the Outlook icon; hold Ctrl, right-click the Outlook icon and click "Test E-mail AutoConfiguration…".
Select "Use AutoDiscover" and click Test.
The result above is a successful one. If it fails, do the following. Exchange Web Services (EWS) is the web service that provides the Out of Office (OOF) service. If either the internal or external URL for EWS is missing or incorrect, OOF will fail and other services may not work as expected. Using the Exchange Management Shell, check the URLs assigned to the web services virtual directory with the Get-WebServicesVirtualDirectory command.
First go to the CAS server.
Type the following PowerShell command for EWS (Exchange Web Services):
Get-WebServicesVirtualDirectory | fl identity,internalurl,externalurl
You will get a result like this:
Identity : ECAS1\EWS (Default Web Site)
InternalUrl : https://mailv.domain.com/EWS/Exchange.asmx
ExternalUrl : https://mailv.domain.com/ews/exchange.asmx
Identity : ECAS2\EWS (Default Web Site)
InternalUrl : https://mailv.domain.com/EWS/Exchange.asmx
ExternalUrl : https://mailv.domain.com/ews/exchange.asmx
If this is not correct, you need to fix it. This has to be done with a PowerShell command on the CAS server.
To do that:
[PS]C:\Windows\system32>Set-WebServicesVirtualDirectory -Identity "ECAS1\EWS (Default Web Site)" -InternalUrl https://mail.domain.com/EWS/Exchange.asmx -BasicAuthentication:$true
[PS]C:\Windows\system32>Set-WebServicesVirtualDirectory -Identity "ECAS2\EWS (Default Web Site)" -InternalUrl https://mail.domain.com/EWS/Exchange.asmx -BasicAuthentication:$true
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory |fl identity,internalurl,externalurl
Identity : ECAS1\EWS (Default Web Site)
InternalUrl : https://mail.domain.com/EWS/Exchange.asmx
ExternalUrl : https://mail.domain.com/ews/exchange.asmx
Identity : ECAS2\EWS (Default Web Site)
InternalUrl : https://mail.domain.com/EWS/Exchange.asmx
ExternalUrl : https://mail.domain.com/ews/exchange.asmx
Now you can see that the URL has been fixed. This is for Web Services.
Now for Autodiscover. First list the Autodiscover virtual directory:
[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory
Then check the internal Autodiscover URI on each CAS:
[PS] C:\Windows\system32>Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
Result:
Identity : ECAS1
AutoDiscoverServiceInternalUri : https://mailv.domain.com/Autodiscover/Autodiscover.xml
Identity : ECAS2
AutoDiscoverServiceInternalUri : https://mailv.domain.com/Autodiscover/Autodiscover.xml
To fix it:
[PS] C:\Windows\system32>Set-ClientAccessServer -Identity ECAS1 -AutoDiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml
[PS] C:\Windows\system32>Set-ClientAccessServer -Identity ECAS2 -AutoDiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml
Now for Outlook Web App, the Exchange Control Panel, Exchange ActiveSync and the Offline Address Book, you have to use the Exchange Management Console (EMC):
- Go to one of the CAS servers
- Open EMC
- Go to Server Configuration
- Select Client Access
- In the top middle pane, the CAS servers are listed.
- Select one; the bottom pane shows a tab for each virtual directory.
Select each tab, then right-click the object and change the path as required. Once you are done with the first CAS server, do the same for the second as well.
That's it. You are good to go for production.
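Rather than reading each Get-*VirtualDirectory and each EMC tab by hand, the following audit script (added here; not part of the original post) checks every CAS virtual directory URL on the page, EWS, OWA, ECP, OAB, ActiveSync and the Autodiscover internal URI, against one expected hostname and flags anything missing or pointing at a different name. It assumes it is run from the Exchange Management Shell; mail.domain.com stands in for the name on your certificate.

```powershell
# Added example, not from the post. Run from the Exchange Management Shell.
# Flags URLs that are empty or whose host differs from the certificate name:
# both cause the Autodiscover and Out of Office failures described above.
$ExpectedHost = 'mail.domain.com'   # placeholder: the name on your certificate

# One entry per service: the cmdlet that reads it and the URL properties it exposes.
$checks = @(
    @{ Name = 'EWS';          Get = 'Get-WebServicesVirtualDirectory'; Props = @('InternalUrl', 'ExternalUrl') },
    @{ Name = 'OWA';          Get = 'Get-OwaVirtualDirectory';         Props = @('InternalUrl', 'ExternalUrl') },
    @{ Name = 'ECP';          Get = 'Get-EcpVirtualDirectory';         Props = @('InternalUrl', 'ExternalUrl') },
    @{ Name = 'OAB';          Get = 'Get-OabVirtualDirectory';         Props = @('InternalUrl', 'ExternalUrl') },
    @{ Name = 'ActiveSync';   Get = 'Get-ActiveSyncVirtualDirectory';  Props = @('InternalUrl', 'ExternalUrl') },
    @{ Name = 'Autodiscover'; Get = 'Get-ClientAccessServer';          Props = @('AutoDiscoverServiceInternalUri') }
)

$report = foreach ($c in $checks) {
    # Without -Server these cmdlets return the directories of every CAS in the org,
    # so one run covers all members of a CAS array.
    foreach ($obj in (& $c.Get)) {
        foreach ($p in $c.Props) {
            $url = $obj.$p
            if (-not $url) {
                $status = 'MISSING'
            } elseif (([uri]$url).Host -ieq $ExpectedHost) {
                $status = 'OK'
            } else {
                $status = 'MISMATCH'   # e.g. mailv.domain.com when the cert says mail.domain.com
            }
            New-Object PSObject -Property @{
                Service  = $c.Name
                Identity = "$($obj.Identity)"
                Property = $p
                Url      = "$url"
                Status   = $status
            }
        }
    }
}

$report | Select-Object Service, Identity, Property, Url, Status | Format-Table -AutoSize

# Non-zero exit code when anything is wrong, so the audit can gate a change window.
if (@($report | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Fix anything reported as MISSING or MISMATCH with the Set-* commands shown above (or the EMC tabs), then rerun the audit and the Outlook "Test E-mail AutoConfiguration" check.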