Hyper-V and SCVMM – Mounting ISOs from network shares

Jun 30, 2011 • Jonathan -

How to configure library shares to mount ISOs from a network share in System Center Virtual Machine Manager 2008.

  1. Open ADUC, locate the Hyper-V host, right-click it and choose Properties, then configure the HV host for constrained delegation by adding the SCVMM server so it can access the share where the ISOs are stored.
  2. Add read permissions for the HV host computer account and for “NETWORK SERVICE” (the Network Service account is added so that ISOs from library shares can be mounted on the HV host as the VM) to the share permissions on the SCVMM Library share.
  3. That should do it; you should now be able to check “Share image instead of copying it” in the properties of your VM.

     If you receive an error like:

       Error (12700)
       VMM cannot complete the Hyper-V operation on the HV-SERVER1.domain.com server because of the error: 'NewServerHost' failed to add device 'Microsoft Virtual CD/DVD Disk'. (Virtual machine ID 119730D6-8939-4CB9-8456-7941F6925279)

       'HVSERVERYO': The Machine Account 'DOMAIN\HV-SERVER1$' does not have read access to file share '\\HVSERVER1.domain.com\iso\some.random.file.iso'. Please add this computer account to the security group of file share. Error: 'General access denied error' (0x80070005). (Virtual machine ID 119230D6-7929-4EB9-9456-6946F6925279) (Unknown error (0x8001))

       Recommended Action Resolve the issue in Hyper-V and then try the operation again.

     Make sure you added the “Network Service” account.
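If you would rather check the result than click through the dialogs again, the script below verifies the delegation entry, the share permissions and the NTFS permissions the steps above set. It is an added example, not code from the original post: HV-SERVER1 is taken from the error text above, while SCVMM01 (the SCVMM server that holds the library share) and the share name MSSCVMMLibrary are constructed. It needs the ActiveDirectory module, and Get-SmbShareAccess needs Windows Server 2012 or later on the library server.

```powershell
# Added example (not from the original post): checks the delegation and the share/NTFS
# read permissions that the steps above configure by hand.
# Assumed names: HV-SERVER1 (from the post's error text), SCVMM01 and MSSCVMMLibrary (constructed).
Import-Module ActiveDirectory

$hvHost       = 'HV-SERVER1'       # Hyper-V host computer account, without the trailing $
$scvmmServer  = 'SCVMM01'          # assumption: SCVMM server that also hosts the library share
$libraryShare = 'MSSCVMMLibrary'   # assumption: library share name

# 1. Constrained delegation: the host's computer account must be allowed to delegate
#    to the CIFS service of the server holding the share (msDS-AllowedToDelegateTo).
$acct = Get-ADComputer -Identity $hvHost -Properties 'msDS-AllowedToDelegateTo'
$cifs = @($acct.'msDS-AllowedToDelegateTo') | Where-Object { $_ -like "cifs/$scvmmServer*" }
if ($cifs) {
    Write-Output "Delegation OK: $hvHost -> $($cifs -join ', ')"
} else {
    Write-Warning "$hvHost has no cifs/$scvmmServer entry in msDS-AllowedToDelegateTo"
}

# 2. Share permissions: the computer account and NETWORK SERVICE both need Read.
$domain     = (Get-ADDomain).NetBIOSName
$principals = @("$domain\$hvHost`$", 'NT AUTHORITY\NETWORK SERVICE')
$shareAcl   = Invoke-Command -ComputerName $scvmmServer -ScriptBlock {
    param($name) Get-SmbShareAccess -Name $name
} -ArgumentList $libraryShare

foreach ($p in $principals) {
    $ace = $shareAcl | Where-Object { $_.AccountName -eq $p -and $_.AccessControlType -eq 'Allow' }
    if ($ace) { Write-Output "Share permission OK: $p has $($ace.AccessRight -join ', ')" }
    else      { Write-Warning "Share permission missing for $p on \\$scvmmServer\$libraryShare" }
}

# 3. NTFS permissions on the files themselves: the 12700 error above is raised when the
#    computer account cannot read the .iso. This looks at direct ACEs on the share root
#    only; a grant via group membership (e.g. Domain Computers) would not show up here.
$acl  = Get-Acl -Path "\\$scvmmServer\$libraryShare"
$read = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$ntfs = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq "$domain\$hvHost`$" -and
    (([int]$_.FileSystemRights -band $read) -ne 0)
}
if ($ntfs) { Write-Output "NTFS read OK for $domain\$hvHost`$" }
else       { Write-Warning "No direct NTFS read ACE for $domain\$hvHost`$ on the share root" }
```

Run it from a workstation with RSAT as a user who can read the computer object and the share; a warning on any of the three checks points at the same place the 12700 error does.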



ADMT Could Not Verify Auditing and TcpipClientSupport on Domains

Jun 27, 2011 • Jonathan -

Things to check when you receive this error:

  • The account you are using in the target domain to run ADMT needs to be in the source domain “Administrators” group.
  • The {SOURCEDOMAIN}$$$ group must exist in the source domain; if you have to create it, don’t add any members to it or the migration will fail.
  • Ensure you have enabled auditing of account management in the source domain:
    • Open the domain controllers security policy
    • Expand Local Policies -> Audit Policies
    • Double-click “Audit account management”, put a check in “Define these policy settings”, “Success”, & “Failure”
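The second and third items, plus the TcpipClientSupport half of the error in the title, can be checked from PowerShell before you run ADMT again. The script below is an added example and not part of the original post; SOURCEDOMAIN and SOURCEDC.source.local are placeholder names for the source domain and its PDC emulator. The registry check is not in the list above but is the documented ADMT requirement that goes with the error: TcpipClientSupport must be 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the source domain PDC emulator. The first item (Administrators membership of the ADMT account) is left for you to confirm by hand.

```powershell
# Added example (not from the original post): pre-flight checks for the ADMT
# "Could not verify auditing and TcpipClientSupport" error.
# Assumed names: SOURCEDOMAIN (NetBIOS name), SOURCEDC.source.local (its PDC emulator).
Import-Module ActiveDirectory

$sourceNetbios = 'SOURCEDOMAIN'             # assumption: NetBIOS name of the source domain
$sourceDc      = 'SOURCEDC.source.local'    # assumption: PDC emulator of the source domain
$sidGroupName  = $sourceNetbios + '$$$'     # the SOURCEDOMAIN$$$ group ADMT uses for SID history

$results = @()

# Check: SOURCEDOMAIN$$$ must exist in the source domain and must have no members.
$grp = Get-ADGroup -LDAPFilter "(sAMAccountName=$sidGroupName)" -Server $sourceDc
if ($null -eq $grp) {
    $results += [pscustomobject]@{ Check = "$sidGroupName exists"; Ok = $false
                                    Detail = 'group not found; create it (domain local) with no members' }
} else {
    $members = @(Get-ADGroupMember -Identity $grp -Server $sourceDc)
    $results += [pscustomobject]@{ Check = "$sidGroupName is empty"; Ok = ($members.Count -eq 0)
                                    Detail = "$($members.Count) member(s)" }
}

# The audit policy and the LSA value are effective settings on the DC itself, so read them there.
$remote = Invoke-Command -ComputerName $sourceDc -ScriptBlock {
    # auditpol /r prints CSV, one row per subcategory of the "Account Management" category
    $audit = auditpol /get /category:"Account Management" /r | ConvertFrom-Csv
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name TcpipClientSupport -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AuditSettings      = $audit | Select-Object Subcategory, 'Inclusion Setting'
        TcpipClientSupport = $lsa.TcpipClientSupport
    }
}

# Check: every Account Management subcategory audits both success and failure.
$notBoth = @($remote.AuditSettings | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
$results += [pscustomobject]@{ Check = 'Account Management audited (success and failure)'
                                Ok = ($notBoth.Count -eq 0); Detail = ($notBoth.Subcategory -join ', ') }

# Check: TcpipClientSupport = 1 on the source PDC emulator (documented ADMT requirement).
$results += [pscustomobject]@{ Check = 'TcpipClientSupport = 1'; Ok = ($remote.TcpipClientSupport -eq 1)
                                Detail = "value is '$($remote.TcpipClientSupport)'" }

$results | Format-Table -AutoSize
```

Any row with Ok = False is something to fix on the source side before retrying the wizard; the Detail column names the subcategory or member that caused it.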



BPOS: Enable Full Mailbox Permissions

Jun 24, 2011 • Jonathan -

Enable mailbox sharing and delegation using the Add-MSOnlineMailPermission PowerShell cmdlet. I went over configuring PowerShell for BPOS in my Email forwarding in Exchange Online BPOS post.

This command grants [email protected] (TrustedUser) full access and send-as permissions on [email protected]’s (Identity) mailbox, using the $cred credentials to perform the action.

$cred will be your BPOS administration user credentials

$cred = get-credential
Add-MSOnlineMailPermission -Identity [email protected] -Credential $cred -TrustedUser [email protected] -GrantFullAccess True -GrantSendAs True



Add domain accounts to Local Administrators Group with GPO

Jun 24, 2011 • Jonathan -

You can use the “Restricted Groups” GPO feature to add domain accounts/groups to the local administrator group on your client machines.

  1. Open Group Policy Management Editor
  2. Expand Computer Configuration -> Windows Settings -> Security Settings
  3. Right click on “Restricted Groups” and select “Add Group”
  4. Browse for your desired domain account/group and click OK
  5. Under “This group is a member of:” click “Add” (DO NOT add anything in the top box, or you will reset the membership of the local Administrators group)
  6. Enter “Administrators”, click OK, click OK



Installing Roles & Features on Windows 2008 R2 Core Installs

Jun 23, 2011 • Jonathan -

To install roles & features in Windows Server 2008 R2 we use a tool called DISM (Deployment Image Servicing and Management).

To get a list of available features or roles:

dism /online /get-features /format:table

To install a feature or a role, in this case the WINS Server Role:

dism /online /enable-feature /featurename:WINS-SC



Cross-forest account migrations with ADMT 3.2 and PES 3.1

Jun 14, 2011 • Jonathan -

This is a setup guide for ADMT cross-forest migrations with password migration support. We need five things for this: SQL Server Express, ADMT (Active Directory Migration Tool), PES (Password Export Server), and two domain controllers, one in the target forest and one in the source forest. Core installs and read-only DCs will not work.

DC in target domain:

  • Download/install SQL Express 2005 SP3 (choose integrated Windows authentication) – http://bit.ly/my5LaD
  • Download/install ADMT 3.2, specify .\SQLEXPRESS, do not import a database – http://bit.ly/jsW2CE
  • Open ADUC and add “Everyone” to the “Pre-Windows 2000 Compatible Access” group
  • Create the encryption key for PES:
    admt key /option:create /sourcedomain:contoso.local /keyfile:c:\tmp\pes-key /keypassword:SOMEPASSWORDGOESHERE

DC in source domain:

  • Download PES 3.1 (x64 links in related downloads) – http://bit.ly/iFof53
  • Copy over pes-key.pes from the target DC
  • Run the PES 3.1 Installer
  • Browse for the key & confirm the password used to create it on the target DC
  • Choose “Local System Account”
  • Reboot the DC
  • Log back in and start the “Password Export Server Service” service

Testing User Migration:

  • Create test user in source domain, set pw, uncheck “User must change password at next logon”
  • Open ADMT MMC on DC in target domain
  • Right-click on tree root, select “User Account Migration Wizard”
  • Select source/target domains & domain controllers
  • Check “Select Users from domain”
  • Add -> Find the user you created
  • Browse for target OU in target domain
  • Check “Migrate passwords”
  • Select password migration source DC (the one we just installed PES on)
  • Under “Target Account State” select “Target same as source”
  • Under “Source Account Disabling Options” select “Days until source account expires” and input 90
  • Put a check in “Migrate user SIDs to target domain”
  • You may receive a message stating “Auditing is currently not enabled on the target domain. Would you like to enable auditing?” If so, click “Yes” and input credentials in the source domain to enable it.
  • Put a check in “Update user rights”
  • Leave a check in “Fix users group permissions”
  • Don’t exclude any objects, just click next
  • Leave a check in “Do not migrate source object if a conflict is detected in the target domain”
  • Cross fingers and click “Finish”
  • Watch the presented window for verification the migration was successful, “View Log” to see the gritty details.
  • Open ADUC mmc in the target domain to double check the user account migration was successful
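Rather than only eyeballing ADUC, the migrated account can be checked from the command line. The script below is an added example and not part of the original post: testuser1 is a constructed test account, and SOURCEDC.source.local / TARGETDC.target.local stand in for a DC in each forest. The 90-day source expiry and the “Password Export Server Service” name come from the steps above.

```powershell
# Added example (not from the original post): verifies the outcome of the
# User Account Migration Wizard run described above.
# Assumed names: testuser1, SOURCEDC.source.local, TARGETDC.target.local.
Import-Module ActiveDirectory

$sam      = 'testuser1'               # constructed test account
$sourceDc = 'SOURCEDC.source.local'   # assumption: DC in the source forest
$targetDc = 'TARGETDC.target.local'   # assumption: DC in the target forest

$src = Get-ADUser -Identity $sam -Server $sourceDc -Properties AccountExpirationDate
$dst = Get-ADUser -Identity $sam -Server $targetDc -Properties SIDHistory, PasswordLastSet

# "Migrate user SIDs to target domain" copies the source SID into sIDHistory; that is
# what keeps the user's access to resources that are still ACLed with the old SID.
$historySids = @($dst.SIDHistory | ForEach-Object { $_.Value })
$sidOk = $historySids -contains $src.SID.Value

# "Days until source account expires" = 90 stamps an expiry on the source account, so it
# should be set and fall within the next 90 days (91 allows for the wizard's rounding).
$expiry   = $src.AccountExpirationDate
$expiryOk = ($null -ne $expiry) -and ($expiry -gt (Get-Date)) -and ($expiry -le (Get-Date).AddDays(91))

# PES only needs to run while accounts are being migrated; confirm it is stopped afterwards.
$pes = Get-Service -ComputerName $sourceDc -DisplayName 'Password Export Server Service' `
                   -ErrorAction SilentlyContinue

[pscustomobject]@{
    User                  = $sam
    SourceEnabled         = $src.Enabled
    TargetEnabled         = $dst.Enabled      # "Target same as source" keeps the state
    SidHistoryOk          = $sidOk
    SourceExpiry          = $expiry
    SourceExpiryOk        = $expiryOk
    TargetPasswordLastSet = $dst.PasswordLastSet   # $null: user must change password at next logon
    PesServiceStatus      = $(if ($pes) { $pes.Status } else { 'not found' })
} | Format-List
```

SidHistoryOk is the value to watch: without the source SID in sIDHistory the user loses access to anything still ACLed with the old SID the moment the source account is disabled.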

Notes:

  • ADMT does not check all settings of the target domain password policy, so users need to explicitly set their password after migration unless the “Password never expires” or “Smart card is required for interactive logon” flags are set.
  • The PES service does not start automatically; it should only be running while you are migrating accounts.



Setup Anonymous Relay on Exchange 2010 Receive Connector

Jun 13, 2011 • Jonathan -

I’ve come across several situations where granting anonymous relay on an Exchange 2010 receive connector can be beneficial. In my environment we use a connector of this type for our multi-function printers/scanners that scan to email. This way we don’t have to set up mailboxes just for printers/scanners.

Create your connector:

New-ReceiveConnector -Name "Anon Relay" -Usage Custom -PermissionGroups AnonymousUsers -Bindings your.exchange.ip.address:25 -RemoteIpRanges allow.from.ip.address

Grant anonymous relay on the new connector:

Get-ReceiveConnector "Anon Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Add single additional IP to connector:

$rec = Get-ReceiveConnector "Anon Relay"
$rec.RemoteIPRanges += "new.ip.address"
Set-ReceiveConnector "Anon Relay" -RemoteIPRanges $rec.RemoteIPRanges

Add multiple IP addresses to the connector:

$rec = Get-ReceiveConnector "Anon Relay"
$rec.RemoteIPRanges += "ip.address", "ip.address", "ip.address"
Set-ReceiveConnector "Anon Relay" -RemoteIPRanges $rec.RemoteIPRanges

Add multiple IP addresses from a text file (one per line) to the connector:

$rec = Get-ReceiveConnector "Anon Relay"
Get-Content .\ip.txt | foreach { $rec.RemoteIPRanges += "$_" }
Set-ReceiveConnector "Anon Relay" -RemoteIPRanges $rec.RemoteIPRanges

You can also add IP addresses via the Exchange Management Console. The console accepts CIDR notation, so a single IP would be /32, e.g. 192.168.1.25/32. If you are using this for printers, you won’t need to specify SMTP credentials; however, you still need to specify a “send from” address, otherwise Exchange will deny the relay.
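Because Ms-Exch-SMTP-Accept-Any-Recipient for ANONYMOUS LOGON lets any host in RemoteIPRanges relay to any recipient, the ranges are the only thing standing between this connector and an open relay. The function below lists every receive connector with that grant and sizes each of its ranges, so a stray /8 (or the whole IPv4 space) added from a text file stands out. It is an added example, not code from the original post; the permission and the “Anon Relay” connector come from the post, while the “wider than a /16 is broad” threshold is an assumption to tune for your network. Run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post): audits anonymous-relay receive connectors
# and flags RemoteIPRanges wide enough to turn the connector into an open relay.
# Assumption: 65536 addresses (a /16) is the cut-off for "broad".

function ConvertTo-IPv4Number([System.Net.IPAddress] $Address) {
    # big-endian bytes -> unsigned 32-bit integer, so a range can be sized by subtraction
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Get-AnonymousRelayConnector {
    param([uint64] $BroadThreshold = 65536)   # assumption: more addresses than a /16 is "broad"

    foreach ($rc in Get-ReceiveConnector) {
        # Only connectors where ANONYMOUS LOGON has Accept-Any-Recipient (and no Deny) relay.
        $relayGrant = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -like '*Accept-Any-Recipient*' }
        if (-not $relayGrant) { continue }

        foreach ($range in $rc.RemoteIPRanges) {
            $count = $null                     # stays $null for IPv6 ranges
            if ($range.LowerBound.AddressFamily -eq 'InterNetwork') {
                $count = (ConvertTo-IPv4Number $range.UpperBound) -
                         (ConvertTo-IPv4Number $range.LowerBound) + 1
            }
            [pscustomobject]@{
                Connector = $rc.Name
                Range     = $range.ToString()
                Addresses = $count
                Broad     = ($null -eq $count) -or ($count -gt $BroadThreshold)   # IPv6 is flagged for review
            }
        }
    }
}

Get-AnonymousRelayConnector | Sort-Object Broad -Descending | Format-Table -AutoSize
```

A printer-only connector like “Anon Relay” should show a handful of /32 entries with Broad = False; anything else on that list is worth a look before it ends up on a blacklist.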




Hyperion SmartView tab disappears from Excel

Jun 10, 2011 • Jonathan -

Smartview 11: a user complains that the Hyperion tab in Excel 2003, 2007, or 2010 has disappeared.

  1. Check that the plug-in is not disabled in Excel.
  2. Close Excel
  3. Create %APPDATA%\Microsoft\Addins
  4. Copy HsAddIn.dll, HsSpread.dll, HyperionSmartTag.dll and HsTbar.xla from c:\Hyperion\SmartView\bin over to %APPDATA%\Microsoft\Addins
  5. Unregister each of the existing DLLs by running
     regsvr32 /u c:\Hyperion\Smartview\bin\NAMEOF.dll
     Run this command once for each of the copied DLLs.
  6. Register each of the copied DLLs by running
     regsvr32 %APPDATA%\Microsoft\Addins\NAMEOF.dll
  7. Re-open Excel and the Hyperion tab should be visible again
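Steps 2 to 6 repeat for each file, so here they are as one script. This is an added example, not from the original post; the source path and the four file names come from the steps above. Only the three .dll files are COM servers that regsvr32 can register; HsTbar.xla is an Excel add-in workbook and is only copied. Run it from an elevated PowerShell prompt, since unregistering the originals touches HKLM.

```powershell
# Added example (not from the original post): copy, unregister and re-register the
# SmartView add-in files named in the steps above, checking regsvr32's exit code.
$source = 'C:\Hyperion\SmartView\bin'
$target = Join-Path $env:APPDATA 'Microsoft\Addins'
$files  = 'HsAddIn.dll', 'HsSpread.dll', 'HyperionSmartTag.dll', 'HsTbar.xla'

# Excel holds the DLLs open, so the copy/re-register must happen with it closed.
if (Get-Process -Name EXCEL -ErrorAction SilentlyContinue) {
    throw 'Close Excel before moving the add-in files.'
}

New-Item -ItemType Directory -Path $target -Force | Out-Null

function Invoke-RegSvr32 {
    param([string[]] $Arguments)
    # /s suppresses the dialog so the exit code is the only signal; non-zero means failure
    $p = Start-Process -FilePath regsvr32.exe -ArgumentList (@('/s') + $Arguments) -Wait -PassThru
    return $p.ExitCode
}

foreach ($f in $files) {
    $src = Join-Path $source $f
    $dst = Join-Path $target $f
    Copy-Item -Path $src -Destination $dst -Force

    if ([IO.Path]::GetExtension($f) -ne '.dll') { continue }   # .xla: copy only, nothing to register

    # unregister the original under c:\Hyperion, then register the copy under %APPDATA%
    $rc = Invoke-RegSvr32 @('/u', "`"$src`"")
    if ($rc -ne 0) { Write-Warning "regsvr32 /u failed for $src (exit code $rc)" }
    $rc = Invoke-RegSvr32 @("`"$dst`"")
    if ($rc -ne 0) { Write-Warning "regsvr32 failed for $dst (exit code $rc)" }
}
```

If a warning appears for one of the DLLs, re-run that single regsvr32 command without /s to see the dialog with the actual error.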



Deploy Windows 2008 R2 Core Domain Controller Replica

Jun 9, 2011 • Jonathan -

  • Install 2008 R2 Core
  • Run sconfig: set network settings, enable remote desktop, rename computer, & reboot
  • Run sconfig: join to yourdomain.com, & reboot
  • Create c:\unattend.txt, modify as necessary:

    [DCINSTALL]
    InstallDNS=yes
    ConfirmGC=yes
    RebootOnCompletion=yes
    ReplicaDomainDNSName=domain.com
    ReplicationSourceDC=somedc.domain.com
    UserName=administrator
    UserDomain=domainhere
    Password=adminpasswordhere
    ReplicaOrNewDomain=replica
    DNSDelegationUserName=administrator
    DNSDelegationPassword=
    DatabasePath="C:\windows\NTDS"
    LogPath="C:\windows\NTDS"
    SYSVOLPath="C:\windows\SYSVOL"
    SafeModeAdminPassword=putADRestorePasswordHere

  • Run the following from the command prompt:
    c:\>dcpromo /unattend:c:\unattend.txt
  • Server will install AD, DNS, become a replica, and reboot.



Migrating DHCP in Windows 2003

Jun 8, 2011 • Jonathan -

On the old server:

  • Open a command prompt and run
    netsh dhcp server export C:\dhcp.txt all
  • Copy c:\dhcp.txt over to the new server

On the new server:

  • Install the DHCP role
  • Open a command prompt and import the dhcp database you exported
    netsh dhcp server import c:\dhcp.txt all
    
  • Change the DNS / GW addresses under scope options if necessary.
  • Un-authorize / stop the DHCP service on the old server.
  • Authorize / start DHCP on the new server: Click Start, point to All Programs, point to Administrative Tools, and then click DHCP. Right-click the server object, and then click Authorize (this is kind of a pain; I’ve found that restarting the DHCP server after you authorize it should get it working).


