Author archive

Teched Europe 2010 Day 4

DirectAccess with UAG

DirectAccess (a remote access solution for Windows 7 and Windows 2008 R2)

It extends the corporate network to the client sitting on the Internet.

It creates two tunnels

The first is established before logon and communicates with the infrastructure servers (patch management, health check and GPOs) in the corporate network.

The second tunnel is established when you log in. It provides network-level computer/user authentication and encryption.

Forefront UAG is a single entry-point for all remote access


It also extends Windows DirectAccess capabilities to IPv4 only servers

You can publish applications and reverse proxy with UAG

UAG Array

  • We can build up to 8 array members (NLB)
  • One server acts as the Array Manager Server (AMS)
    • It propagates the configuration to the other members


UAG DirectAccess Functions

  • Runs the DirectAccess Wizard
  • Provides the IPsec tunnel gateway to/from DirectAccess clients
  • Routes IPv6 traffic between clients and servers on the corporate network
  • Provides IPv6-over-IPv4 tunnel end-points for Internet clients
  • Can provide an ISATAP router to support IPv6 over IPv4 on the intranet
  • Can provide DNS64 and NAT64
    • Supports IPv6-to-IPv4 translation for IPv4-only internal resources


Planning is Essential

  • Identify DirectAccess clients
  • Identify servers to be available via the infrastructure tunnel
    • DCs, DNS, management servers, NAP servers, etc.
  • Identify servers to be available to users via the intranet tunnel
  • Identify servers requiring end-point authentication/encryption
  • Choose name resolution options (anything for internal servers goes to internal DNS)
  • Design the network location server
  • Choose authentication enhancements
    • Smart cards, NAP health certificates
  • Design the PKI and issue the required certificates
    • Must include a design for CRL distribution points
  • Design the internal IPv6 network connectivity
  • Design Active Directory subnets
  • Design the UAG server array and placement requirements

Teched Europe 2010 Day 3

Microsoft Exchange Server 2010: High Availability Deep Dive (including changes introduced by SP1)

Quorum is important in Exchange HA, so we will start there:

Quorum

Dual Usage of Quorum:

  • Data shared between the voters representing configuration, etc.
    • Physical data located on DAG servers.
  • Number of voters required for the solution to stay running (majority).

Exchange 2010 uses only two of the four available cluster quorum modes:

  • Node majority
  • Node and file share Majority

It is essential for the DAG to function.

Witness

A witness is a file share on a server (witness server).

It is needed for quorum decisions.

One of the nodes locks witness.log and is referred to as the locking node.

It is only used by DAGs that have an even number of members (node and file share majority quorum mode).

Witness server

No pre-configuration is typically necessary

  • Exchange Trusted Subsystem must be a member of the local Administrators group on the Witness Server if the Witness Server is not running Exchange 2010

Must be in the same Active Directory forest as the DAG

Can be Windows Server 2003 or later

  • File and Printer Sharing for Microsoft Networks must be enabled

Replicating the witness directory/share with DFS is not supported

It is not necessary to cluster the Witness Server

  • If you do cluster the witness server, you must use Windows 2008

A single witness server can be used for multiple DAGs

  • Each DAG requires its own unique directory/share

DAG networks

Used for multi-subnet DAGs

A DAG network is a collection of subnets

There are two types of DAG networks:

  • MAPI network – connects DAG members to network resources (Active Directory, other Exchange servers, DNS). The default gateway is configured here
  • Replication network – used for/by continuous replication only (log shipping and seeding)

DAG networks are automatically created when a Mailbox server is added to the DAG

DAG networks include built-in encryption and compression

  • Encryption: Kerberos SSP EncryptMessage/DecryptMessage APIs
  • Compression: Microsoft XPRESS, based on the LZ77 algorithm

(30% less on the wire when compressing)

Active Manager (the brain of Exchange HA)

  • New in 2010
  • Manages *overs (failovers and switchovers)
  • Runs on every server in the DAG
  • Selects the best available copy on failover

Active Manager is code that runs inside the cluster service (it is not a separate service)

  • The Active Manager client runs on CAS and HUB
    • Failover can be performed in 30 seconds or less; that is why the state is not stored in AD, where replication could take 15 minutes.
  • The PAM holds the default cluster group

Best copy selection

  • Active Manager selects the “best” copy to become the new active copy when the existing active copy fails
  • Behaviour differs between RTM and SP1
    • The list of potential passive copies is sorted differently when AutoDatabaseMountDial is set to Lossless


Improvements in Service Pack 1 (replication and copies)

Continuous replication changes

  • Block mode (ships log blocks during replication)
    • Enhanced to reduce data loss
    • Eliminates the log drive as a single point of failure
    • Automatically switches between modes
      • File mode
      • Block mode

Relocate and distribute load scripts

  • RedistributeActiveDatabases.ps1

DAG maintenance scripts

  • StartDagServerMaintenance.ps1

Exchange Management Console enhancements in SP1

  • Manage DAG IP addresses
  • Manage witness/directory and

Teched Europe 2010 Day 2

Deployment and Migration Scenarios with Microsoft Lync Server 2010

Lync will be released at the end of the year.

There is a public announcement on the 17th of November.

Some whitepapers and guides may be presented on that date, but that is not confirmed.

Upgrade migration from LCS

If you want to upgrade an LCS environment to Lync, you first need to upgrade server and client to OCS 2007 and then upgrade to Lync.

If you don't need a migration, you can just uninstall LCS and then do a new installation of Lync.

Support of OS

  • Only Windows 2008 R2 is supported as the server OS for Lync.

Support for virtualization

  • Virtual servers are fully supported for all roles

Difference between Standard (SE) and Enterprise Edition (EE)

  • SE: 5000 concurrent users
  • EE: 10000 concurrent users

Installation procedure

  1. Schema upgrade and domain upgrade
  2. Topology setup
    • Needs a SQL server. Standard Edition can use SQL Express
      • It is the holder of the topology XML
  3. Install Standard Edition or an Enterprise pool
  4. Mediation server if connecting to a PBX

PBX Interoperability

  • List of vendors on Microsoft.com
  • Contact the vendors and explain what you want to do

Bandwidth management = CAC (Call Admission Control)

  • Group sites with subnets
  • Region-based configuration
  • You can set up how much bandwidth is used per feature
  • Rules can be set up between sites (links)
  • CAC is static and doesn't learn the network.
  • Single central server (CAC)

Migrate mediation server

  • Lync Server supports PBX
  • The Lync client can use both OCS and Lync
  • Migrate users first, then the mediation server

Datacenter management

  • A new site in each

—————————————————————————————

Enable Secure Access using Forefront UAG Service Pack 1

New in SP1

  • Simplified DA deployment
  • One-time password support for DA (must have a dedicated CA; it can be a subordinate CA in the existing CA infrastructure)
    • Integrated SecurID agent in the DA scenario
    • 3rd-party support using nRadius (OATH compliant)
    • Comprehensive policy management
    • Integrated NAP
    • Use a dedicated CA
      • Best practice
      • Use the present Root CA and have separate subordinate CAs for NAP and OTP
  • Monitoring DirectAccess out of the box
    • Integrated into the UAG Web Monitor
    • Integrated SCOM style
    • Storage is SQL based


ADFSv2 integration

You cannot use both an existing ADFSv2 and the UAG-integrated ADFSv2 in the same environment.

So you need to remove the present ADFS, if you have one, before you install UAG with integrated ADFS.

Deployment of multiple entry points

Included in the 2011 H1 release (UAG SP1 UP1)

—————————————————————————————

Failover clustering and Hyper-V: Planning your Highly-Available virtualization environment

Host clustering

  • The cluster service runs inside the physical host
  • Live migration
  • Quick migration

Guest clustering

  • Cluster runs inside a VM
  • Is application aware
  • Only iSCSI

Guest and host clustering can be used at the same time. It is the optimal solution and offers the most flexibility and protection.

If you have questions about the impact of virtualizing SQL Server on Hyper-V, the SQL team has published a whitepaper on the results and impact. Read it!

This is all supported on Windows Server 2008 R2

Powershell support

  • Improved Manageability
  • Hyper-V integration
  • Replaces cluster.exe as the CLI tool

You can use PowerShell to create an entire cluster.

Don't create an image after you have installed the cluster feature. It will not work: there are dependencies on a MAC address that is created when the feature is installed.

Create the image before, and script the installation of the clustering feature.

Cluster Shared Volumes

  • Live migration with CSV: no dismounting and remounting
  • ARP redirects clients to the new node (sends an ARP to the router)

AD consideration

  • Nodes in the same domain
  • Need an accessible writeable DC
  • DCs can run on nodes, but use 2+ nodes
  • Don't install a DC on the parent partition, nor any other features
  • Do not put all your DCs on clustered VMs
    • A DC is needed for the cluster service

Network considerations

Minimum of two networks:

  • Internal and live migration
  • Public and guest management

Use network prioritization to configure your networks

Best solution: 5 NICs

AntiAffinityClassNames

  • Enables VM distribution
  • Failover behaviour on large clusters: KB299631

Root memory reserve

Difference between 2008 R2 RTM and 2008 R2 SP1

In SP1 you don't need to configure it.

Dynamic memory SP1

Memory Priority Value is configurable per VM

Where to make changes

Always use Failover Cluster Manager or SCVMM when making changes

Hyper-V Manager is not cluster aware

Storage Migrations

SCVMM enables Quick Storage Migration. It is not a live migration; you will have some downtime.

Teched Europe 2010 Day 1

Today (Tuesday) is the first (real) day of TechEd Europe in Berlin. We will continue to post information from a lot of sessions throughout the week. We will focus on Forefront, Active Directory, virtualization, Lync and some bits and pieces of other topics.

Explore Secure Collaboration Using Identity Federation in Forefront UAG Service pack 1

Service Pack 1 for Forefront UAG is going to be released in December 2010.

Examples of features included in SP1:

  • ADFS v2 integration
  • Enhanced DirectAccess deployment and operation
    • One-time password support
    • Integrated NAP for simplified endpoint policy enforcement
  • RMS server publishing
  • Exchange 2007 and Exchange 2010 are supported in coexistence with UAG
  • UAG and ADFS 2.0
    • UAG as AD FS proxy
    • Single sign-on even for legacy applications
    • Health policies are applied to partner users
    • Claims-based authentication and authorization

A legacy application in this session means applications that are not Claims-aware.

With AD FS and UAG you don't need to re-engineer old applications, for example ones that use Kerberos, to get them to work.

You can publish claims to UAG; UAG then uses a shadow user with Kerberos on, for example, the internal network. The ticket is exchanged between UAG and the DC if you use Active Directory. The framework is configured in AD FS.

There are monitoring and auditing capabilities.

A couple of these features are available with AD FS 2.0 alone, but UAG publishes a nice portal in front of it.

UAG supports only passive clients, such as web browsers or applications that simulate passive clients.

Question:

Do you need a separate firewall in front of the UAG?

Answer:

It's Microsoft best practice to have a separate firewall, although UAG includes TMG.

Impact of cloning and Virtualization on Active Directory Domain Services

Scenario 1:

Clone a domain-joined computer (VHD).

Can the cloned (copied) computer co-exist with the computer it was copied from?

It will work at first, but computer objects in a domain also have passwords, so when the first of the two computers changes its password, the other one will be in trouble because it still has the old password. The time to failure depends on the policies applied.

Always use sysprep when you are deploying a new computer.

Scenario 2:

You cannot clone from the same VHD that you used to create a DC. When you run DCPromo, the domain SID is based on the original computer SID.

Do not domain-join a VHD that you have created a DC from; its local SID will be the same as the domain SID.

Scenario 3:

You will not be able to configure a trust between two domains that have the same SID, which happens if you cloned the DC in domainA and the DC in domainB from the same VHD.

So always use sysprep when deploying computers. Do not just copy a VHD.

The same problem exists on all virtualization platforms.

Microsoft's best practice when using virtual DCs: always keep 1-2 physical DCs.

Advanced Group Policy Management 4.0 (AGPM 4.0)

Features:

  • Offline editing of GPOs
  • Compare settings between GPOs (difference report)
    • What was added, changed or removed
  • Delegation of roles
    • Editor, Approver, Reviewer, Full control
  • Workflow: create a workflow for your changes in GPOs, like:
    • (Offline) Control -> Checked out -> Edit -> Check in -> Request -> Reporting -> (Production) Deployment
  • Recycle bin: you may restore deleted GPOs
  • Search filtering
    • What it does
    • What it doesn't do
  • Multi-forest support
    • You can export and import GPOs

To set up AGPM you need to install it on a separate server from the DC. It will then hold a copy of all GPOs.

The license is included in MDOP (Microsoft Desktop Optimization Pack) and cannot be purchased separately.

Once you have deployed AGPM, always use AGPM when editing GPOs, because a change made directly on the DC will be overwritten the next time you publish from AGPM.

Deep Dive on Designing a BranchCache Infrastructure

BranchCache has two different types of configuration:

  • Distributed Cache
    • Uses clients in the branch office
  • Hosted Cache
    • Uses a dedicated server in the branch office

If you want to preload the cache, you can do that by scripting.

NLB (or physical load balancing) also works. Be sure you configure the load-balanced servers the same way; they must have the same server secret key.

The data transferred from the central site is divided into 64 bit blocks. This eases the load on the WAN.

Cached data is stored in the clear, but it can be protected with BitLocker or EFS.

Protocols:

SMB and HTTP are enabled out of the box. Even HTTPS is available, because of the layer in the stack at which BranchCache operates.

If you are a developer, check out Peer Distribution on MSDN. It is a public API that you can build your application with, so that you can use the BranchCache features.

If you want to deploy this you should use GPOs and link them to sites in Active Directory. This solves potential problems when users travel with their laptops: they will get the GPO that applies to the site they are logging in from.

Mixed mode:

You cannot have both configurations (Distributed and Hosted) in the same branch office.

Disaster Recovery by Stretching Hyper-V Clusters Across Sites

Regarding multi-site clustering, Microsoft said that they have a fully automated solution and that the competitors don't.

The biggest concern in a disaster recovery scenario is the dependence on people.

Windows 2008 R2 added support for multi-subnet clustering.

This is highly dependent on DNS. To enable faster failover you can use these cluster network name parameters:

  • RegisterAllProvidersIP
  • HostRecordTTL

Solution 1:

Local failover first

  • Configure local failover first, for high availability.
  • Cross-site failover for disaster recovery.
  • Minimum of two servers.

Solution 2:

Stretched VLANs

  • Deploying a stretched VLAN minimizes failover time. No new IP is applied, so there is no change in DNS and no need for DNS to update and replicate.

Solution 3: Abstraction in a networking device

A network device that uses a 3rd IP address. The client uses the device to connect to the services on the VM.

Live migration and CSV are not dependent on each other but complementary.

Cross subnet failover

  • Use DHCP
  • Static: can be solved by script
    • Example: look for errors in the cluster logs to see if a failover has occurred, then update the IP settings and DNS.

Best practice is to use DHCP

Quorum

There are four different quorum setups.

  • Disk only (not recommended)
  • Node and disk majority
  • Node majority
  • Node and file share majority

Node majority requires an odd number of nodes.

If you have 2 servers in SiteA and 3 servers in SiteB, and the entire SiteB becomes unavailable, you can force quorum with a PowerShell command (R2):

Start-ClusterNode -FixQuorum (or -fq)

Once a majority is achieved again, it drops out of forced quorum.
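The two multi-site items above (the DNS-related network name parameters, and forcing quorum after losing the larger site) put together as an added PowerShell example; it is not from the session and not Microsoft's own script. It assumes the FailoverClusters module on Windows Server 2008 R2, a network name resource called "Cluster Name", placeholder node names NodeA1/NodeA2 (SiteA) and NodeB1 (SiteB), and a placeholder TTL of 300 seconds.

```powershell
# Added example, not the session's or Microsoft's code. Assumes the
# FailoverClusters module (Windows Server 2008 R2) and placeholder names:
# network name resource "Cluster Name", nodes NodeA1/NodeA2 (SiteA), NodeB1 (SiteB).
Import-Module FailoverClusters

# --- 1. Faster cross-subnet failover for the cluster name ---------------------
# RegisterAllProvidersIP=1 registers the IP of every site in DNS at once, and
# HostRecordTTL (seconds, default 1200) shortens how long clients cache the record.
$clusterName = Get-ClusterResource -Name "Cluster Name"
$clusterName | Set-ClusterParameter -Multiple @{
    RegisterAllProvidersIP = 1
    HostRecordTTL          = 300   # placeholder value; pick one your DNS load tolerates
}
# The network name reads its parameters when it comes online, so cycle it
# (do this in a maintenance window: the cluster name goes offline briefly).
$clusterName | Stop-ClusterResource
$clusterName | Start-ClusterResource
$clusterName | Get-ClusterParameter |
    Where-Object { 'RegisterAllProvidersIP', 'HostRecordTTL' -contains $_.Name } |
    Format-Table Name, Value -AutoSize

# --- 2. SiteB (3 votes) is gone; SiteA (2 votes) has no majority --------------
# Force quorum on exactly ONE surviving node. -FixQuorum (alias -fq) lets that
# node start without a majority; the second SiteA node then joins it normally.
Start-ClusterNode -Name NodeA1 -FixQuorum
Start-ClusterNode -Name NodeA2
Get-ClusterNode | Format-Table Name, State -AutoSize

# --- 3. SiteB comes back -------------------------------------------------------
# Start its nodes with -PreventQuorum (alias -pq) so they join the forced
# partition instead of forming a second cluster from their stale configuration.
Start-ClusterNode -Name NodeB1 -PreventQuorum
# Once a real majority exists, the cluster leaves forced-quorum mode on its own.
Get-ClusterQuorum | Format-List
```

RegisterAllProvidersIP only helps clients that try every address returned for the name; a client that takes the first address may still hit the offline site until its cached record expires.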

Multi-site with file share witness

A 3rd site is the best setup.

Complete resiliency and automatic recovery from the loss of one site.

It uses a file lock on the file share at the 3rd site, and the cluster will still work if the connection between SiteA and SiteB breaks.

For more info, take a look at these documents at Microsoft.com:

  • Design guide, deployment guide/checklist
  • Multi-site clustering content
  • Multi-site Clustering Content