Bitlocker GPO Settings

Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
System/Removable Storage Access
POLICY SETTING COMMENT
Removable Disks: Deny write access Disabled
System/Trusted Platform Module Services
POLICY SETTING COMMENT
Turn on TPM backup to Active Directory Domain Services Enabled
Require TPM backup to AD DS Enabled
If selected, cannot set or change TPM owner password
if backup fails (recommended default).
If not selected, can set or change TPM owner password
even if backup fails. Backup is not automatically retried.
Windows Components/BitLocker Drive Encryption
POLICY SETTING COMMENT
Choose default folder for recovery password Enabled
Configure the default folder path: \your-domain.comdfsusers%USERNAME%
Specify a fully qualified path or include the computer’s environment variables in the path.
For example, enter “\serverbackupfolder”, or “%SecureDriveEnvironmentVariable%backupfolder”
Note: In all cases, the user will be able to select other folders in which to save the recovery password.
POLICY SETTING COMMENT
Choose drive encryption method and cipher strength Enabled
Select the encryption method: AES 256-bit with Diffuser
POLICY SETTING COMMENT
Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) Enabled
Important: To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options below, you must enable backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.
Configure 48-digit recovery password: Require recovery password (default)
Configure 256-bit recovery key: Require recovery key (default)
Note: If you do not allow the recovery password and require the recovery key, users cannot enable BitLocker without saving to USB.
POLICY SETTING COMMENT
Prevent memory overwrite on restart Disabled
Provide the unique identifiers for your organization Enabled
BitLocker identification field: Your Company Name, Inc.
Allowed BitLocker identification field: Your Shorthand Company Name
POLICY SETTING COMMENT
Store BitLocker recovery information in Active Directory Domain Services(Windows Server 2008 and Windows Vista) Enabled
Require BitLocker backup to AD DS Enabled
If selected, cannot turn on BitLocker if backup fails (recommended default).
If not selected, can turn on BitLocker even if backup fails. Backup is not automatically retried.
Select BitLocker recovery information to store: Recovery passwords and key packages
A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive.
A key package contains a drive’s BitLocker encryption key secured by one or more recovery passwords
Key packages may help perform specialized recovery when the disk is damaged or corrupted.
Windows Components/BitLocker Drive Encryption/Fixed Data Drives
POLICY SETTING COMMENT
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows Enabled
Do not install BitLocker To Go Reader on FAT formatted fixed drives Disabled
POLICY SETTING COMMENT
Choose how BitLocker-protected fixed drives can be recovered Enabled
Allow data recovery agent Enabled
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard Disabled
Save BitLocker recovery information to AD DS for fixed data drives Enabled
Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives Enabled
POLICY SETTING COMMENT
Configure use of passwords for fixed data drives Enabled
Require password for fixed data drive Enabled
Configure password complexity for fixed data drives: Allow password complexity
Minimum password length for fixed data drive: 8
Note: You must enable the “Password must meet complexity requirements” policy setting for the password complexity setting to take effect.
POLICY SETTING COMMENT
Deny write access to fixed drives not protected by BitLocker Enabled
Windows Components/BitLocker Drive Encryption/Operating System Drives
POLICY SETTING COMMENT
Allow enhanced PINs for startup Enabled
Choose how BitLocker-protected operating system drives can be recovered Enabled
Allow data recovery agent Enabled
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard Disabled
Save BitLocker recovery information to AD DS for operating system drives Enabled
Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives Enabled
POLICY SETTING COMMENT
Configure minimum PIN length for startup Enabled
Minimum characters: 4
POLICY SETTING COMMENT
Require additional authentication at startup Enabled
Allow BitLocker without a compatible TPM Enabled
(requires a startup key on a USB flash drive)
Settings for computers with a TPM:
Configure TPM startup: Allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM
POLICY SETTING COMMENT
Require additional authentication at startup (Windows Server 2008 and Windows Vista) Enabled
Allow BitLocker without a compatible TPM Enabled
(requires a startup key on a USB flash drive)
Settings for computers with a TPM:
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Important: If you require the startup key, you must not allow the startup PIN.
If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.
Windows Components/BitLocker Drive Encryption/Removable Data Drives
POLICY SETTING COMMENT
Allow access to BitLocker-protected removable data drives from earlier versions of Windows Enabled
Do not install BitLocker To Go Reader on FAT formatted removable drives Disabled
POLICY SETTING COMMENT
Choose how BitLocker-protected removable drives can be recovered Enabled
Allow data recovery agent Enabled
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard Disabled
Save BitLocker recovery information to AD DS for removable data drives Enabled
Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for removable data drives Enabled
POLICY SETTING COMMENT
Configure use of passwords for removable data drives Enabled
Require password for removable data drive Enabled
Configure password complexity for removable data drives: Allow password complexity
Minimum password length for removable data drive: 8
Note: You must enable the “Password must meet complexity requirements” policy setting for the password complexity setting to take effect.
POLICY SETTING COMMENT
Control use of BitLocker on removable drives Enabled
Allow users to apply BitLocker protection on removable data drives Enabled
Allow users to suspend and decrypt BitLocker protection on removable data drives Enabled
POLICY SETTING COMMENT
Deny write access to removable drives not protected by BitLocker Disabled

Determining which replica disk is used for a linked clone virtual machine

Purpose

This article provides information to determine which linked clones are associated to a replica virtual machine.

Resolution

To determine which linked clones are associated to a replica virtual machine:
From the ESX console:
  1. Log into the ESX host as root. In ESXi connect to the console, press Alt + F1 and type unsupported.
  2. Run the command:
    find /vmfs/volumes/ ( -size -1500c ) -name *.vmdk -exec grep replica {} -H ; | grep ‘parentFileNameHint=’ > replicalist.txt
  3. Run the command:sed s/:/’–>>’/ < replicalist.txt >replicalist2.txt
  4. Run the command:less replicalist2.txtThe output is similar to:/vmfs/volumes/4cceb02c-6fba721c-a0ff-001e0b1f4ca2/test-2/test-2.vmdk–>>parentFileNameHint=”/vmfs/volumes/4cceb02c-6
    fba721c-a0ff-001e0b1f4ca2/replica-8581f32c-a851-448e-8ea8-/replica-8581f32c-a851-448e-8ea8-.vmdk”
    /vmfs/volumes/4cceb02c-6fba721c-a0ff-001e0b1f4ca2/test-1/test-1.vmdk–>>parentFileNameHint=”/vmfs/volumes/4cceb02c-6
    fba721c-a0ff-001e0b1f4ca2/replica-8581f32c-a851-448e-8ea8-/replica-8581f32c-a851-448e-8ea8-.vmdk”

    The Linked Clone virtual machines and the replicas are separated by –>>. The Linked Clone desktops are to the left and the replica is to the right. In addition to Pool Desktops, other virtual machines are also listed.

    The replica name shown in vCenter Server is longer than the folder name and .vmdk name in the datastore.

    For example:

    • vCenter Server name – replica-ae5923a9-4991-41e7-ba03-07c61429d839
    • vmdk name – replica-ae5923a9-4991-41e7-ba03-.vmdk

Use LAN Only When Connected to Wired and Wireless

This step assumes Windows 2003/2008 is your DHCP server for your Wireless network. Raising the wireless gateway metric to a value greater than your LAN metric will force traffic to use the lower metric.

a) Right click Scope Options on your wireless scope and choose “Configure Options”.
b) Click “Advanced” tab.
c) For Vendor Class, choose “Microsoft Windows 2000 Options”
d) Put a check in “003 Microsoft Default Router Metric Base”
e) Set a value fit for your situation. I use 0x1f4 which gives it a metric of 525, which is higher than all other network metrics we use.

You can repeat the above steps for all your WIRED scopes, giving them a value of 0 for the metric. This is the BASE VALUE of 10. This is only needed IF your base value is greater than 10 (you can see the value by running “route print” from the command line).

For more information, see http://technet.microsoft.com/en-us/library/cc782411%28WS.10%29.aspx, do a search on page for “default router metric base”.

PPTP VPN aka GRE Not Working After VMware 5.5 Upgrade

One would think that updating VMware would be a pretty transparent task, I mean VMware is supposed to be absolutely transparent to the VM’s operating system…. right? – Not so with VMware vSphere 5.5; It broke my VPN, and here’s the story of how I fixed it:

Basically I have a Sophos UTM 9 Firewall system running as a VM Appliance (in VMware 5.5) It works great, but if you want to use the PPTP VPN feature, you have to make some modifications to the Virtual Machine Properties.

Change VMP, Guest Operating System from “Other Linux”:

other64

to “Red Hat Enterprise Linux 6”:

rhel64b

This will allow you to add virtual network adapters other than the E1000 NIC:

e1k

Remove all existing NICS:

removed NICS

And finally, re-add your virtual networks card and use the VMXNET 3 device:

vmxnet3

Like so:

added NICS

Equallogic Fun

Well I got some new hardware in. This has allowed me to play with some various configuration settings – settings that I wish I had known about some years earlier.

Above, you can see where I’ve got two members, ONR1, and ONR2 in differing RAID formats, connected (below) the same storage pool,

Below you can see the volumes setup on the storage pool.

After some time, you’ll see that the volumes redistributed across the two sans.

Pretty sweet eh?

When Comments Suck…

The Quick Way,
If you’ve got a bunch of Pages or Posts that you want comments disabled on, you can view all your Pages or Posts list by clicking Pages or Posts respectively. 1.) Click the “Quick Edit” link and 2.) check/uncheck “Allow Comments” then 3.) click “Update” to save the settings.

SharePoint 2010 Setup Incoming Emails

Today we continue down our journey in setting up our SharePoint 2010 farm, with the focus on configuring incoming email for SharePoint 2010. When SharePoint 2007 was released, there was a lot of discussion and rumors around Exchange 2007 being the last version of Exchange to provide Public Folder support, and that SharePoint 2007 was going to be its alternative. Microsoft quickly changed its stance and continues to support Public folders in Exchange 2010. However, there still might be a number of compelling reasons why you would want to consider storing incoming email messages in SharePoint 2010 document libraries, instead of public folders.

In today’s post, I will provide you with a comprehensive step by step guide in configuring your SharePoint 2010 server in conjunction with Exchange 2010, to provide successful delivery of incoming email directly to your SharePoint Web Applications.

The environment

It consists of the following servers which would form a common basis in most large organizations.

  • Windows 2008 R2 server running Active Directory Domain Services
  • Windows 2008 R2 server running SQL 2008R2
  • Windows 2008 R2 server running SharePoint 2010 RTM
  • Windows 2008 R2 server running Exchange 2010 RTM
  • Windows 7 client running Office 2010 RTM

The SMTP service

SharePoint 2010 is reliant on the SMTP service which is a Windows 2008 feature and we must install this on our SharePoint 2010 front-end web server.

Navigate to your Start Menu / Administrative Tools / Server Manager. Click on the Features node and select Add Feature. Scroll down and select SMTP Server and click on Add Required Role Services.

image_thumb1

Click Next, Next and Install.

image_thumb2

Click Close

We now need to install the II 6.0 Management Tools on our Windows 2008 R2 server in order to configure our SMTP service. If IIS 6.0 Manager is not already installed you must do so via, Start / Administrative Tools / Server Manager. Click on the Roles node and select Role / Add Role Services. Then select Management Tools and IIS 6 Management compatibility. Click Install.

We can now launch the IIS 6 Manager via Start / Administrative Tools.

image_thumb3

Right click on SMTP Virtual Server #1 and select properties.

Under the General tab, I have enabled logging and encourage doing so at the start in the event we need to do some troubleshooting. You can turn logging off after successful testing.

image_thumb4

Click on the next tab, “Access”.

Click on “Authentication” and ensure that Anonymous access is selected.

image_thumb5

Next, click on “Connection” and ensure “All except the list below” is selected.

image_thumb6

Finally, click on “Relay”, and ensure that “Only the list below” is selected and that “Allow all computers which successfully authenticate to relay, regardless of the list above” is also checked.

image_thumb7

Now click on the Messages Tab and make any necessary adjustments that you see fit, such as potentially increasing the message size to allow for the delivery of larger emails with attachments into your SharePoint Libraries and Lists.

image_thumb8

Next click on the Delivery Tab in which I normally leave all the defaults in place.

image_thumb9

We can skip the LDAP routing tab as there are no settings required to be configured in this area.

Lastly, the Security tab should list the default permissions as per the below. No changes are necessary in this area.

image_thumb10

We next journey into the “Domains” are within IIS 6 Manager and a domain name should be listed, which by default is the fully qualified domain name of the machine.

Right click on the Domain Name and select properties and take note of the Drop directory.

image_thumb11

Finally, we now just need to confirm that our SMTP service is set to start automatically in the event the server is restarted. I can tell you now that the service is by default set to Manual.

Venture into Start / Administrative Tools / Services.

Scroll down your list of services and ensure that the Simple Mail Transfer Protocol (SMTP) is set to Start-up type, Automatic.

image_thumb12

We have now completed the configuration of our SMTP service on our SharePoint Server.

Exchange 2007/2010 Connectors

Part two of the implementation of configuring incoming email in SharePoint is to configure our connectors in Microsoft Exchange. Now even though this is not a requirement, most organizations running SharePoint 2010 or 2007 will also be running a recent version of Microsoft Exchange, hopefully either 2007 or 2010. Exchange 2010 or 2007 will provide you with that extra layer of protection ensuring that all the necessary message hygiene has been performed via its inbuilt Anti Spam Agents on the Edge or Hub Transport Server in conjunction with some form of email antivirus such as Microsoft’s Forefront for Exchange, before the message is delivered to the SharePoint 2010 List or Library.

My instructions and screen captures below are from an Exchange 2010 server which are pretty much identical and applicable to Exchange 2007.

Let’s begin by launching the Exchange Management Console / Organization Configuration / Hub Transport.

Click on Send Connectors / Actions / New Send Connector.

Type in a descriptive name for your Send Connector and then select Internal as the type.

image_thumb13

Click Add and enter the Address space as the fully qualified domain name of the server where the SMTP service is installed (i.e. your SharePoint Server)

image_thumb14

Click Next

Enter the IP address of the server which also hosts the SMTP service.

image_thumb15

Click Next

Select “None” as your smart host authentication settings

image_thumb16

Click Next

Ensure your Hub Transport Server has been added.

image_thumb17

Click Next

image_thumb18

Click New and then click Finish

The end result will be that the Send connector will route email to the SMTP service sitting on our SharePoint Server.

image_thumb19

The Directory Management Service

SharePoint 2010 allows you to leverage Active Directory Domain Services (AD DS) so that contacts that are created when you email enable document libraries or lists are stored in a designated Organizational Unit within your AD DS infrastructure. So why would you want to enable Directory Management Service? Purely for the fact that by storing these contacts in AD, you are allowing your users to locate email enabled libraries and lists easily from within their Outlook Address book.

Let’s begin by creating an Organizational Unit in Active Directory.

From your Active Directory server, click Start / Administrative Tools / Active Directory Users and Computers.

Right click on your domain object and select New / Organizational Unit

Type in a descriptive name

image_thumb20

Click Ok.

The next step is imperative and very important that we get this right. I have seen on many occasions where incorrect permissions were applied and all sorts of problems were encountered when libraries or list were email enabled.

In summary, we need to provide our Central Administration Application pool identity account specific permissions to our recently created Organizational Unit to be used for creating and deleting contacts for our SharePoint 2010 libraries and lists when they are either email enabled or email disabled.

Right click on the recently created Organizational Unit and click on Delegate Control. This will invoke the Delegation of Control Wizard.

image_thumb21

Click Next.

We will now add the Central Administration application pool account which you can confirm from IIS Manager as per the below screen capture.

image_thumb22

Add the necessary Account.

image_thumb23

Click Next.

Click Create a custom task to delegate.

image_thumb24

Click Next

Click “This folder, existing objects in this folder, and creation of new objects in this folder’.

image_thumb25

Click Next

Click on Create All Child Objects and Delete All Child Objects.

image_thumb26

Click Finish.

Before we finish off our configuration of AD DS and the Directory Management Service we need to provide our Central Administration application pool account with Delete Subtree permissions.

We need to ensure that “Advanced Features” from within Active Directory Users and Computers (ADUC) is active before we venture into the security tab of our SharePoint organizational unit. If you do not enable Advanced Features, the security tab will not be visible.

From within ADUC, click on View and select Advanced Features.

Right click on our SharePoint 2010 Organizational Unit and select Properties.

Click on the Security Tab / Advanced /and Edit the CA Application Pool Identity Account.

image_thumb27

Select Allow for “Delete Subtree”

image_thumb28

Click on OK and Apply.

After assigning these permissions, you must run IISRESET on your SharePoint server.

Configuring Incoming e-mail settings in Central Administration

Navigate to Central Administration / System Settings / Configure incoming e-mail settings.

image_thumb29

Select Yes to “Enable site on this server to receive e-mail”

Select “Automatic” for Setting mode.

Select “Yes” to use the SharePoint Directory Management Service to create distributions groups and contacts.

Enter your Active Directory container details, i.e. the Organizational Unit container that we created specifically for our SharePoint 2010 contacts.

Ensure that your SMTP server details are correct, this should be the fully qualified domain name of your SMTP service that was installed on your SharePoint Server.

image_thumb30

Finally, ensure “Accept mail from all e-mail servers” is selected.

image_thumb31

Click OK.

Please note that this process will configure the necessary permissions on the email drop folder listed in IIS 6 Manager. In summary, the following permissions are added;

WSS_Admin_WPG – Full Control and

WSS_WPG – Read & Execute / List folder Contents / Read

image_thumb32

Ensure that these accounts are added successfully and on the rare occasion in which it isn’t, you will need to add them manually.

Testing the configuration

From within any document library or list, click on Library / Library Settings.

image_thumb33

Click on Incoming e-mail settings.

Select “Yes” to allow this document library to receive e-mail.

Select your email attachment options and ensure that Save original e-mail is set to Yes.

Lastly, ensure that you Accept e-mail messages from any sender is selected.

image_thumb34

Click OK.

This is your first step to ensure that all of the above configuration is in place. If you do receive an error, it’s most likely going to be permissions related against your Organizational Unit, i.e. SharePoint may not have the privilege to add the contact in Active Directory.

Let’s navigate back to ADUC and confirm that our “testing” contact is created under the SharePoint 2010 Contacts Organizational Unit.

image_thumb35

Let’s next navigate to our Exchange 2010 server and ensure it is also listed there with an SMTP address against it.

Launch your Microsoft Exchange Management console and navigate to Recipient Configuration / Mail contact.

image_thumb36

Right click on the Contact and select Properties / E-Mail Addresses.

Ensure that both an internal and external routable email address is listed.

image_thumb37

From your favorite email client, send a test email to the document libraries’ external SMTP address.

Navigate to your recently email enabled document library and hopefully after a couple of minutes (SharePoint Job timer service delay) you should have received your test email.

image_thumb38

Well! That’s all that is to it, from start to finish. Apart from sending a test email, there are a couple of other scenarios that you should test to ensure complete seamless integration with the SharePoint 2010 Directory Management Service. Within the same document library, modify the email address to something different and ensure that this change also flows through to Active Directory. You should also try disabling incoming email from that same library and ensure that the contact is completely removed from Active Directory. If you pass all of these tests scenarios, then we are comfortable in knowing that the correct delegation was provided to our Central Administration Pool Account against our SharePoint Contacts Organizational Unit.

Helpful Group Policy Entries : Paging File Reduction

I run a ton of VMs and since I operate on a thin budget and utilize thin provisioning, one thing I hate is wasted drive space. Therfore, I employ this registry entry in my “Server Optimization” GPO:

Computer Configuration (Enabled)
Policies
Preferences
Windows Settings
Registry
Collection: Registry Wizard Values/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Session Manager/Memory Management
Common
Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
Registry item: PagingFiles
General
Action Update

Properties

Hive HKEY_LOCAL_MACHINE
Key path SYSTEMCurrentControlSetControlSession ManagerMemory Management
Value name PagingFiles
Value type REG_MULTI_SZ

Lines

LINE VALUE
1 c:pagefile.sys 1000 1000
Common
Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No

Slap that sucker in there…

Helpful Group Policy Entries : Login Security

Another one I’ve implemented is Interactive Logon: Do not display last user name – Enabled. I mean, you’re giving them half the equation of the problem otherwise, right?

Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Local Policies/Security Options
Interactive Logon
POLICY SETTING
Interactive logon: Do not display last user name Enabled

Troubleshooting Exchange Server 2010 Event ID 1020

For Exchange Server 2010 users the following error message is a commonplace:

“The account ‘DomainAdministrator’ provided valid credentials, but is not authorized to use the server; failing authentication.

Event ID: 1020”

Elucidation:

The aformentioned error event is an indication of missing permissions on the receive connector. If the user account does not have MS-Exch-SMTP-Submit permissions then it is not authorized. This error occues when the user account does not have the authority to use Microsoft Exchange Server 2010 Hub Transport Server or Edge Transport Server that contains Receive connector, though the same account possesses the authority to use the Receive connector for inbound messages.

Pre-defined permission groups are assigned to Receive connectors. These permission groups contain pre-defined set of permissions granted to security principals that include users, computers and security groups. Using these permission groups the Receive connectors define the entities that can submit messages to it and the permissions assigned to those entities. In order to submit messages using the Receive connector a user account must possess MS-Exch-SMTP-Submit permissions.

Microsoft Exchange Server 2010 has pre-defined permission groups that can not be modified. Moreover, additional permission groups can not be created.

Resolve:

Being a MS Exchange user, if you are bugged down by the above stated error you need to verify that the user account has MS-Exch-SMTP-Submit permissions assigned on the appropriate Receive connectors on the Hub Transport Server or Edge Transport Server.

To grant the required permissions follow these steps:

  • Go to Exchange Management Shell
  • Run Get-ReceiveConnector
  • Note down the identity of the Receive connector on the server
  • See the current permissions owned by the user by:

Get-ReceiveConnector -Identity “SERVERNAMEDefault SERVERNAME” | Get-AdPermission -User UsernameHere | Format-Table -View User

  • Run this command to add permissions for the user:

Add-AdPermission -Identity “Default SERVERNAME” -User Username -ExtendedRights MS-Exch-SMTP-Submit

If the above resolve does not solve the problem, then you can turn to Microsoft Exchange tools to troubleshoot this problematic event warning. These tools can be run from the Exchange Management Console.