george khalil's everything IT

This Blog has moved to a new home …sharepointgeorge.com

noreply@blogger.com (George Khalil) — Fri, 04 Sep 2009 07:51:00 +0000

Hi everyone!

A goal of mine earlier this year was to begin blogging and sharing with the IT Pro community my experiences, implementations and designs as an IT Infrastructure Manager who has a distinct passion for Microsoft Technologies. So my first blog came about with the name of Everything IT and Everything Not which was soon changed to George Khalil’s everything IT. During the last 6 months of blogging I have definitely learnt a lot about using various web blogging platforms, social media and a lot about the content that I was providing my readers with.

As you are already aware my passion is working with Microsoft Technologies with a very keen interest in Microsoft SharePoint, Exchange and of course Windows. In order to serve you better and provide a greater range of coverage I have moved to a new blogging home http://sharepointgeorge.com

So to all my readers :), please ensure you update your RSS feed links to http://feeds.feedburner.com/sharepointgeorge

So this is my last post here so please look to my new site for all content moving forward. You can reach it here at: http://sharepointgeorge.com

See you there!!

P.S

In addition to moving from http://www.gk.id.au to http://sharepointgeorge.com I have created a second blog which delivers general ramblings on social media, social networking, home users of PC and Mac and everything in between which you can access via http://socialtechgeek.com Target audience is EVERYONE :) Social Tech Geek came about from all the advice I have provided friends and family along the way and though what better way to share the love other than through the world wide web.

Slipstream Office 2007 Service Packs & working with the Office Customization Tool

noreply@blogger.com (George Khalil) — Mon, 31 Aug 2009 08:36:00 +0000

I am currently in the process of creating my first Windows 7 Enterprise Image for Light Touch Deployment via Windows Automated Installation Kit (WAIK) and Windows Deployment Services (more on this at a later date) and am currently at the stage of organising my client applications for deployment. Office 2007 is on the top of my list and in today’s post I will show you how you can incorporate Service Pack 2 for Office 2007 in the single installation also referred to as slipstreaming and in the second part of this post discuss how you can further customize an installation of Office 2007 via the Office Customization Tool (OCT).

In Office 2007, Microsoft has provided you with the ability to slip stream service packs and updates via the “Updates” folder located in the installation media or the distribution point that you create. That means that the installation will always look in the updates folder and automatically install these automatically as part of the initial installation process. This is useful in situations like the one above where you are creating a new Windows Image for deployment and you want to expedite the installation process removing the need to rely on Microsoft Updates for service pack installations.

So let’s begin by creating a folder in a shared location (your distribution point) and copy the contents of the Office 2007 media to this location. In my case I will create a folder called Office2007.

\\SERVER\SHARE\Office2007 In my case I have mapped this file share to the letter M for later reference.

We now need to download the latest service pack available for Office. At the time of this post, Service Pack 2 for Office 2007 is the latest and can be downloaded from the Microsoft Download Centre via the following link. http://www.microsoft.com/downloads/details.aspx?FamilyID=b444bf18-79ea-46c6-8a81-9db49b4ab6e5&displaylang=en

You will notice that the file downloaded is an exe file “office2007sp2-kb953195-fullfile-en-us.exe” which we will need to extract in order to retrieve the msp files that are needed for the “Updates” folder that is located in our distribution point.

In order to extract the files, run the following command from command prompt; In my example I have saved the executable to the root of M.

M:\office2007sp2-kb953195-fullfile-en-us.exe /extract:”M:\Office2007\Updates”

The following screen will appear. Accept the Microsoft Software License Terms and then click on Continue.

File extraction will now proceed.

Once the file have been extracted, you will receive the below completion notice. Click OK to acknowledge.

Upon completion the msp files will be listed below as follows.

Now that our distribution share contains the latest updates, let’s now shift our focus to the Office Customization Tool which is available to IT Professionals and Volume Licensing customers providing you with the ability to further customize the installation of Office 2007 by creating a custom msp file that can be deployed as part of the initial deployment, or at a later date if making minor modifications to an existing installation.

The OCT is invoked by typing the following command from the Office 2007 media;

setup.exe /admin

The following window will be displayed as follows;

We will create a new setup customization file so select the first option and then click OK.

You will now proceed and make any modifications that are necessary for your deployment. Such modifications may include but are not limited to;

Entering your Organization name under “Install location and organization name”

Entering your Volume License Key under “Licensing and user Interface”

Creating a default Outlook profile for your user under “Outlook profile”

e.g. Modifying the “Install location and organization name” parameter

Once you have entered your modifications, you will need to save the MSP file that you will then copy across to include in the updates folder which also includes the service pack 2 msp’s that we extracted earlier.

More details on the OCT for Office 2007 can be found in the following Microsoft TechNet Link; http://technet.microsoft.com/en-us/library/cc179097.aspx

We are almost done. We are now ready to deploy Office 2007 to all our computers from our single distribution point that includes the latest service packs, updates and modifications.

My preferred method in deploying Office 2007 is through Group Policy computer start-up scripts which is explained in quite a bit of detail in the following Microsoft TechNet Link; http://technet.microsoft.com/en-us/library/cc179134.aspx There are notable advantages in deploying Office 2007 via start-up scripts as opposed to the tradition Group Policy Software Installation method with the main advantage in being able to utilise the updates folder that we created and slip stream all updates and modifications in the single installation. This cannot be done via Group Policy Software Installation as noted in the following Microsoft TechNet Link; http://technet.microsoft.com/en-us/library/cc179214.aspx

Microsoft provides you with the following example script for deploying Office 2007 which you will then assign to Group Policy start-up scripts within your specific Group Policy Object.

setlocal

REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************

REM Get ProductName from the Office product's core Setup.xml file.
set ProductName=Enterprise

REM Set DeployServer to a network-accessible location containing the Office source files.
set DeployServer=\\server\share\Office12

REM Set ConfigFile to the configuration file to be used for deployment REM (required)
set ConfigFile=\\server\share\Office12\Enterprise.WW\config.xml

REM Set LogLocation to a central directory to collect log files.
set LogLocation=\\server\share\Office12Logs

REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line.
REM *********************************************************************

IF NOT "%ProgramFiles(x86)%"=="" SET WOW6432NODE=WOW6432NODE\

reg query HKEY_LOCAL_MACHINE\SOFTWARE\%WOW6432NODE%Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%
if %errorlevel%==1 (goto DeployOffice) else (goto End)

REM If 1 returned, the product was not found. Run setup here.
:DeployOffice
start /wait %DeployServer%\setup.exe /config %ConfigFile%
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt

REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
:End

Endlocal

I am now ready to deploy Microsoft Office 2007 to my Windows 7 Image.

Introducing your first Windows 2008 R2 Domain Controller

noreply@blogger.com (George Khalil) — Wed, 26 Aug 2009 10:37:00 +0000

Windows 2008 R2 has only been out for over a week however I have decided to introduce my first Windows 2008 R2 domain controller (DC) almost immediately into an existing Windows 2008 Active Directory (AD) Domain to eventually have a complete R2 forest functional level to benefit from some of the new R2 features. For a seasoned IT Pro, introducing new domain controllers is fairly straightforward, however I have decided to provide you with a step by step guide on doing so and the pre-work that is required, so let’s begin!

Now before we delve into the step by step guide I thought I would begin by listing the notable enhancements that come with R2 when it comes to Active Directory. These are;

AD Recycle Bin – For me this is a long awaited feature providing you with the ability to recover deleted objects. (Note there are already 3rd party products that have been providing this capability for many years). In order to activate the AD Recycle Bin, you will require the AD functional level raised to R2, i.e all your domain controllers will need to be R2 providing you with the ability to raise the functional level.

AD Administrative Center – Ease of management for domain(s) providing you with task oriented user interface. Screen capture located at the end of this post.

Powershell Cmdlets – There are approximately 85 Active Directory related PowerShell cmdlets that replace current Active Directory command line tools. Whether we like it or not, Microsoft is really pushing Powershell and is a skill that is now required by system administrators.

Service Account Management – Forget about managing service account passwords as these are now automatically updated for all services when an administrator changes the password. This is also a welcome enhancement for most administrators.

Active Directory Best Practices Analyser – Know the health of AD based on best practices. This is similar to “other notable” best practices Analysers that we have come accustomed to from other Microsoft products notably Exchange. Screen capture located at the end of this post.

So let's begin by analysing the pre-work that is required before we introduce a Windows 2008 R2 DC. Because this is the first Windows 2008 R2 DC that is being introduced into an existing domain you will need to run adprep /forestprep command on the server that is holding the schema master operations master. Note that you will need to do this regardless of whether you are running a Windows 2003 or Windows 2008 domain as the schema database version has changed in R2. The following KB article from Microsoft http://support.microsoft.com/kb/324801 outlines how to view the Flexible Single Master Operations (FSMO) roles to determine which of your AD servers is holding the schema master operations master.

You will need to run adprep command line utility from the Windows 2008 R2 media which is located under the support\adprep folder. The below message is what you will receive when trying to run adprep from a DC that is not a schema master operations master.

Once you have located the schema master operations master domain controller, open a command prompt, navigate to the Windows 2008 R2 media support\adprep folder and run the following command;

adprep /forestprep (Word of note, you will notice adprep32.exe is also available to you under the adprep folder if your current schema master operations master DC is a 32 Bit server)

Type C and then press ENTER to continue.

You will notice below that the schema version number for Windows 2008 R2 is 47.

After running forestprep you will need to run the adprep /domainprep /gpprep command on the server that holds the infrastructure operations master.

Once these two commands have been issued you will be ready to deploy your first Windows 2008 R2 domain controller.

We can now invoke the Active Directory Domain Services Installation Wizard by running dcpromo from either command line or Start / Run.

Click Next. The below Operating system compatibility warning is displayed.

Click Next. We are introducing an additional domain controller into an existing domain as per the below screen capture.

Click Next. It will detect the current forest and current logged on credentials.

A list of domains in the forest will be listed as per the below screen shot. Select the domain that you will introduce the new DC into and then click next.

You will receive the below warning “You will not be able to install a read-only domain controller in this domain…”.

You must first run "adprep /rodcprep" from a command window on any computer in this forest. The Adprep utility is available on the Windows Server 2008 R2 installation media in the \support\adprep folder.

Click Yes to acknowledge the warning as we are not installing a read-only domain controller at this time.

Select your site for the new domain controller.

Click Next. The wizard will begin to examine your current DNS configuration.

You will be presented with additional Domain Controller Options that you can select or deselect. Again we are notified that a domain controller running Windows Server 2008 or Windows Server 2008 R2 could not be located in this domain. To install a read-only domain controller, the domain must have a domain controller running Windows Server 2008 or Windows Server 2008 R2. I admire Microsoft’s thoroughness and rigorous checks and warnings but they can sometimes be annoying.

Select a location for your database, log files and SYSVOL. It is best practice here to specify a separate disk for your logs and database.

Now specify your Directory Services Restore Mode Administrator Password.

Click Next. The installation and configuration process now begins.

The below screen appears upon completion. That’s it! Reboot your machine and your new Windows 2008 R2 server will have transformed into a domain controller.

At the beginning of this post, I outlined some of the features and enhancements provided by R2 and as promised, below are screen captures of the Best Practices Analyser in action for Windows Active Directory and the new Active Directory Administrative Center.

I will leave you with a link to the TechNet Webcast: Active Directory Domain Services in Windows Server 2008 R2 Technical Overview (Level 300) which is worth watching.

My goal now will be to update the remaining two Active Domain controllers and raise the forest functional level opening the door to the new R2 Active Directory features that I will blog about in future posts.

So what is your favourite or sought after R2 feature when it comes to Active Directory? I would be more than happy to hear your thoughts.

Forefront Server Security engines retiring soon

noreply@blogger.com (George Khalil) — Mon, 03 Aug 2009 10:20:00 +0000

If you aren’t already aware, or haven’t been notified for that matter through Forefront’s diagnostic notification system, Microsoft’s Forefront Server Security for Exchange and SharePoint is retiring 3 of it’s 9 engines on 1 December 2009. Forefront server security products has been renowned for its multiple scanning engine technology that allows you to scan items using up to 5 of its 9 engines at any one time, but that is about to change. So which engines are being deprecated and why?

If you are running any of the Forefront Server security products such as Forefront Security for Exchange Server or Forefront Security for SharePoint and you have diagnostics email alerts setup you should have received 3 emails in your mailbox recently notifying you of the deprecation similar to the below;

Sophos Virus Detection Engine has been deprecated as of 1/07/2009 and will be available only until 1/12/2009. Updates for this engine will stop after 1/12/2009. For more information, see http://go.microsoft.com/fwlink/?LinkId=152864

The other engines that are also retiring are CA and AhnLab. Microsoft makes the following statement in their Forefront Server Security Engines Revisions FAQ document.

“The set of five engines available in Forefront server security products as of Dec. 1, 2009 includes Microsoft AV, Kaspersky, Norman, VirusBuster and Authentium. However, these engines may change over time as we seek to improve overall protection metrics and to maintain our detection advantage relative to our competition and in support of our customer needs”

It is noted that Forefront Server Security customers should update to the latest service packs before the 1 December 2009 in order to take advantage of the five engines that Microsoft are retaining.

More details and the full “Engine Revision Overview and FAQ” document can be found on the Microsoft TechNet Site.

Let’s first begin to ensure that Forefront Diagnostics has been setup. The Forefront Server Security Administrator console is similar for both Exchange 2007 and SharePoint so let’s begin by launching the console and navigating to Settings and General Options. Under the Diagnostics heading, ensure that the following options are ticked as follows.

Let’s now de-select the engines that are being retired and select alternatives as replacements. This is achieved by navigating to Settings / Antivirus and deselecting the File Scanners for each of your listed Jobs.

After ensuring that none of the retiring scanners are selected, we can proceed to disable the automatic signature downloads for those scanners. We do this by navigating to Settings / Scanner Updates and clicking on Disable against each respective retiring engine.

That’s it for now! So what’s next? We will just have to wait and see but hopefully Microsoft’s next generation of Forefront products codename “Stirling” which is now in beta 2 is just around the corner. You can read more about Stirling on the Microsoft TechNet Site.

Integrating Exchange 2007 Messaging Records Management with SharePoint Document Libraries – Part 2

noreply@blogger.com (George Khalil) — Wed, 22 Jul 2009 12:34:00 +0000

Welcome back to the final post in this 2 part series, Integrating Exchange 2007 MRM with SharePoint Document Libraries. Today’s post will wrap things up by going through the process of mail enabling an existing SharePoint document library and creating a new managed content setting in Exchange 2007 providing us with the ability to journal a copy of all messages moved into our “Project XYZ” managed folder located in Outlook, into our Shared collaborative Document Library under our Project Team Site.

Recall from part 1, that the objective of integrating Exchange MRM with SharePoint is to provide us with the ability to store and centralise all emails pertaining to a specific project from multiple users into a single SharePoint document library, that can be easily accessed by the Project Team. If you missed the initial setup of Exchange MRM, you can access part 1 of this series here.

We finished off our last post by having our Project XYZ Managed Folder automatically pre-created for our specified Exchange users as per the below screen shot.

This has provided all users from the Project XYZ Team site the capability of moving all email records in relation to Project XYZ into this so called “dumping ground”. At the moment, it’s fairly static and the information “dumped” into this folder isn’t going anywhere any time soon. But this will now change by creating a new “Managed Content Settings” policy in Exchange 2007. But just before we go ahead, we need to ensure we have our SharePoint Document Library ready to receive incoming emails.

To mail enable a SharePoint Document Library, navigate to the Project XYZ Document Library in question and click Settings / Document Library Settings / and click on Incoming e-mail settings under Communications.

We will then fill out the details as per the below screen shot.

This will go ahead and create the corresponding Contact address in Exchange 2007. Please note this article is assuming that your SharePoint farm has been correctly setup to receive Incoming mail. Click on the following TechNet article for further instructions on how this can be achieved; http://technet.microsoft.com/en-us/library/cc262947.aspx

We can now proceed with the creation of the Exchange Managed Content Setting for our Managed Folder.

To so, navigate to Mailbox / Managed Custom Folders / click on the newly created custom folder, in our case Project XYZ and then click on New Managed Content Settings.

The below wizard is invoked and we will specify the following details as per the below screen shot.

Your goal here should be defined to meet the business requirements and in this example we will want to keep items that are moved into the Project XYZ managed folder for 30 days. After the 30 day period ,the items are permanently deleted to empty the user’s Project XYZ custom folder.

Do not fear however!! In the next screen we will specify our Journaling options providing us with the capability to auto forward a copy to our SharePoint Email Enabled Document Library that we had created earlier. One of the advantages of using Managed Content Settings and Journaling with SharePoint enabled Libraries, is that you can specify the format of the email message and hence I have selected Outlook Message Format to ensure greatest compatibility.

Click New to Finish.

You will now notice that our Managed Content Settings has been applied against our Managed Custom Folder as per the below screen shot.

That’s it! Based on your Managed Folder Assistant Schedule that we configured in part 1, all email records that are moved into the Project XYZ Managed Folder in Outlook will be copied to the Project XYZ Document Library as well. In order to expedite the process and to ensure that it is all working, you can run the following Exchange Management Shell command;

Start-ManagedFolderAssistant

Once the Managed Folder Assistant has been initiated, it should only be a matter of a couple of minutes until you see your SharePoint Document Library populated as follows.

The Folder Assistant is intelligent enough to only copy the emails that are stored under the Managed Folder in Outlook once, avoiding any duplication. It there are emails with the exact same subject line, SharePoint is also intelligent enough to follow our settings that we configured earlier for our email enabled SharePoint Library. In my setup we set it to not overwrite and hence will append the subject with a unique number as per the below screen shot.

In summary, Exchange 2007 MRM and SharePoint Document Libraries has enabled us to control the lifespan of items that are moved into our Project XYZ Managed Folder that we have created in Exchange and the capability to journal a copy of all records that are moved into this folder to our SharePoint document library for collaborative and archival reasons.

Hope you enjoyed this two part series and am sure you will find use with integrating these two technologies together to meet your business requirements.

Integrating Exchange 2007 Messaging Records Management with SharePoint Document Libraries – Part 1/2

noreply@blogger.com (George Khalil) — Thu, 16 Jul 2009 13:29:00 +0000

There are two technologies in my IT Pro life that I am very passionate about, SharePoint and Exchange, so why not incorporate both passions in a single blog post. In this two part series I will be discussing how we can manage email records from our Exchange mailboxes and archive them in SharePoint Document Libraries for compliance or collaboration reasons. Exchange 2007 introduced a great new feature set in the name of “Messaging Records Management” or commonly referred to as MRM. Managed Default Folders is a key component of MRM which will assist us in achieving our archiving strategy. Exchange 2007’s MRM functionality provides organisations with the ability to set email-retention policies, the ability to manage content residing in mailboxes and to establish an archiving strategy to SharePoint Document Libraries.

This is a great feature when you want to combine email records from various users working on a particular project and have them reside under the Team SharePoint Site Document Library. In this 2 part post I will provide step by step instructions on how this can be achieved with today’s post focusing on Exchange and the creation of our managed “project” folder .

So let’s begin by firing up the Exchange Management Console and navigating to Organization Configuration / Mailbox and then click on the Managed Default Folders Tab. You will notice the system default folders listed as per the below screen shot.

In our case we will create a new Managed Custom Folder for a specific project that we will later integrate with a specific document library located under our project team site.

In order to create our Managed Custom Folder, navigate to Actions and select New Managed Custom Folder..to invoke the wizard.

Enter the Name, Display Name and Description similar to the below screen shot.

Please take note of the Exchange Enterprise CAL requirement.

After filling the details click New. Your managed folder has now been created and listed under the Managed Custom Folders Tab per the below screenshot.

If you are an Exchange Management Shell person and would like to create a managed custom folder that way, all you need to do is simply type in the below command.

New-ManagedFolder -Name Project XYZ -FolderName "Project XYZ"

Now that our Managed Custom Folder has been created, we need to create a Managed Folder Mailbox policy. Also located under Actions, Select New Managed Folder Mailbox Policy …

Creating a managed folder mailbox policy setting is great when grouping together a set of managed folders that you can then assign to a user mailbox in the one step.

Type in your managed folder mailbox policy name and then select Add to select the Managed Custom folder that we had just created earlier.

Your newly created policy will now be listed under the Managed Folder Mailbox Policies Tab as per the below screen shot.

We now have the capability to assign this policy to our users. So let’s now do so by navigating to Recipient Configuration / Mailbox. Right click on your user and select Properties / Mailbox Settings.

Select Messaging Records Management and then click on properties. From here, click on browse and select the Policy that we have just created.

When applying the settings you will receive a warning regarding compatibility with different Outlook versions, but we can ignore this warning as we are all running Outlook 2007/10 right?

Now that we have created our custom managed folder and policy we need to ensure that our Managed Folder Assistant Schedule has been setup. To so, navigate to Server Configuration / Mailbox and right click on the top pane on your server name and select properties. Then click on the Messaging Records Management tab.

By default it will be set to “Never Run”. We will click on Customize and set a schedule for it to run during non business office hours.

Now rather than waiting for the next scheduled time we can force the process via the Exchange Management Shell by running the following command.

Start-ManagedFolderAssistant

The below entry should appear in your Windows Application Event Log when the Managed Folder Assistant routine is run.

Event Type: Information

Event Source: MSExchange Assistants

Event Category: Assistants

Event ID: 9022

Date: 16/07/2009

Time: 11:01:18 AM

User: N/A

Computer: EXCHANGESERVER

Description:

Service MSExchangeMailboxAssistants. Managed Folder Mailbox Assistant for database Users Mailbox Database/Users Mailbox Database (ed6raqeq29db3-7301-4443-8917-a3b6e7857dd1) has finished an on-demand request. 1002 out of 1002 mailboxes were successfully processed. 0 mailboxes were skipped due to errors.

I can now open up Outlook for the user we applied the policy to and see that the Project XYZ managed folder has been created and listed under Managed Folders. Remember, this is the folder that our user can now drag emails into for compliance or archive reasons.

Now that we have successfully created and deployed our Managed Folder Project XYZ we will continue our journey in Part 2 where we will mail enable a SharePoint Document Library providing it with an SMTP address and creating a Managed Content Setting that will be applied to our manage custom folder “Project XYZ”. This will enable us to control the lifespan of items that are moved into our Project XYZ Managed Folder that we have created and to also enable journaling on that folder to forward a copy to an alternative address, in our case the SharePoint Document Library SMTP address for archive.

If you would like to notified of future articles via email click here or subscribe via RSS.

SharePoint, My Site & Managing User Profile Properties – Part 2/2

noreply@blogger.com (George Khalil) — Thu, 09 Jul 2009 13:15:00 +0000

Welcome to part 2 of My Site & Managing User Profile Properties. In Part 1 we introduced User Profile Properties and how these can be automatically populated via Windows Active Directory (AD). We also went into some detail regarding the Organization Hierarchy Web part. You can access part 1 here if you missed it. In today’s post our focus is around creating additional profile properties either by mapping to existing fields in Active Directory such as Company or creating a field which may not necessarily be mapped to Active Directory but is required to be entered by the user manually. We will also delve into how users can populate other existing properties such Interests, Skills and Past Projects. This is equally important for organisations of all sizes as this is where the power of social and knowledge networking come into play. By allowing users to populate this information we are creating synergy and building a people’s database that is fully text searchable.

One of the main driving factors for implementing My Site is the ability of connecting information seekers with information repositories. It is usually particular skills that an end user might possess that is usually not documented that may be of business value, such as being fluent in a particular language for translation services. By encouraging end users to profile their skills and interests you are building an effective knowledge and transfer network through social networking, automatic discovery and sharing of undocumented knowledge.

Let’s begin our first task of creating an additional profile field that we will map to the existing Active Directory “Company” field. This is useful for organisations that may contain multiple subsidiaries as the information entered into the “Company” Active Directory field will automatically synchronise based on your Active Directory Import Schedule, profiling your newly created SharePoint profile property for each user.

We first need to navigate to the Shared Services Provider (SSP) home page / User Profiles and Properties.

Then click on Add profile property.

A list of the existing SharePoint user profile properties are listed with their corresponding mapped attribute. Please note that some of the SharePoint user profile properties are not mapped and hence allow end users to populate these manually, such as “About me”.

Click on New Property and fill out the details as per the below screen shots. Here you will have the ability to specify Name, Type, Policy Settings and Privacy Settings (i.e. who do you want this attribute to be visible to on your My Profile “public page”, more on this later). Here you will also have the opportunity to promote the field on My Profile page of each user and provide notifications to the colleague tracker if the information for that particular user changes. More information on tracking colleagues through SharePoint can be found in my previous article here.

I have specified that this attribute should be indexed for faster searches and then specified the Source Data Connection, in my case the Master Connection is Windows Active Directory, and then selected the company as the Active Directory field in question.

You will now notice that the newly added Company profile property field is added under the Custom Properties section within View Profile Properties.

I will now launch Active Directory Users and Computers MMC snap in, and fill out the Company field under Organization tab for my users.

After the next incremental Import your Company field will automatically be profiled based on the company name entered for each Active Directory User. Notice that this information cannot be edited and is published to everyone as per our initial configuration.

Let’s now focus our attention on how user’s can configure some of the “other” user profile properties on their My Site such as Interests, Skills and Past Projects. Part of this process is to target the information to one of the five pre-set groups (Everyone, Only Me, My Workgroup, My Colleagues, My Manager).

* Everyone - self explanatory,
* Only Me - (not sure why you would publish information that is only visible to yourself, and is usually not mentioned in my training, but feel free to put your suggestions forward on this one)
* My Workgroup - are those users that form part of your Organization Hierarchy which is automatically populated as part of the reporting hierarchy in Active Directory – as explained in Part 1 of this series.
* My Colleagues - those users that form part of your Workgroup plus those users you add manually that are not directly part of your Workgroup. More information of colleagues can be found in my previous article here.
* My Manager – This is automatically picked up by what is placed in Active Directory Under Organization / Manager A.D Attribute. This was also discussed in Part 1 of this series.

Now that we have explained the different groups that can be targeted, let’s explain how users can profile their own Interests etc and target this information.

From the individual’s My Site Page, navigate to My Profile and click on Details.

The edit details form displayed below will show you both Active directory mapped fields that we discussed in part 1 and user defined fields such as About me, Responsibilities, Skills etc. Recall our discussion regarding My Site and it’s huge potential in becoming not only a social network for the enterprise but a comprehensive people’s database that can be searched against. A large chunk of your end user training should be around My Site and the importance of profiling your information as much as possible and as accurate as possible.

From here, end users have the ability to freely type information or can use the browse field beside some of the user profile properties to select information that is already in the database which is picked up from other users. Your end user training should focus on best practices around profiling My Site encouraging users to browse first before typing to keep as much consistency as possible.

As previously mentioned, end users also have the ability with non system defined user profile properties to target privacy information to specific groups, this is accomplished in the Show To area.

You might for instance want to publish your Home Number to your Manager only and your Mobile Number to your Colleagues. My Site and My Profile in SharePoint provides you with this flexibility.

The rest of the form is pretty self explanatory and most users succeed in filling it out correctly the first time.

Upon successful completion of an Active Directory metadata Import and User’s having the ability to manually profile other properties, we have successfully built a framework that is beneficial for any organisation. The example below is of a completed User Profile with most of the user profile attributes being displayed under the user’s My Profile “Public” page.

This comes to the conclusion of our 2 part series on My Site and managing user profiles. Through careful planning and thorough end user training you will be successful in building a centralised framework where users can store and share their information. Users will also feel more in control with the new privacy controls introduced in SharePoint 2007 providing them with the ability to target their personal information.

SharePoint, My Site & Managing User Profile Properties – Part 1/2

noreply@blogger.com (George Khalil) — Tue, 30 Jun 2009 13:18:00 +0000

A couple of months ago I posted an article introducing My Site and social enterprise networking with SharePoint, and focused the discussion around tracking colleagues via the colleague tracker web part. If you missed that article, you can access it here. I also promised that I would provide future articles discussing other My Site features so here is a two part series on My Site and Managing user profile properties with today’s discussion around populating Windows Active Directory (AD). Some of the common question’s asked are what fields should be populated in AD and how does one populate the Organizational Hierarchy web part? I will be providing answers to these questions in today’s post.

A lot of the information or metadata that a SharePoint user inherits comes from Windows Active Directory. Depending on how much information is populated, this can be a little or a lot. SharePoint by default includes 46 user profile properties, in which 21 of these are mapped to Windows Active Directory. In most cases, it’s best practice when setting up a new user in Active Directory to try and populate as much of these 21 attributes as possible which is then automatically imported into the SharePoint User profile properties. This should be relayed to your AD guys. You also have the ability to create custom mapped properties in your SharePoint profile property store which can also be mapped to Active Directory. I will expand on this in part 2 of this series which will also discuss how users can configure other user profile details such as interests, skills and responsibilities.

So let’s begin by creating a new user in Active Directory in which we will then begin populating the relevant AD fields.

Under the General Tab, Populate First Name, Last Name, Display Name, Office, Telephone Number and Email (this should be populated via Microsoft Exchange). Please note that Web page is automatically populated when a user creates their My Site for the first time and clicks on “Set as default My Site”

Navigate to the Telephones Tab and populate the Fax Number.

Under the Organization Tab, populate Job Title, Department and specify the Manager. This field is important as it build’s the organizational hierarchy which is displayed via the Organization Hierarchy web part.

In order to specify the Manager, Click on Change and enter the Manager’s name as per the below screen shot.

The result is the below.

The Direct reports field in Active Directory is the reciprocal of the Manager, i.e. If I navigate to Manager : George Khalil, my Test SharePoint User will be listed under Direct reports as per the below screen shot.

The Organization Hierarchy Web Part will be automatically populated as per the below example based on Manager and Direct reports information from AD.

The SharePoint User profile details that are mapped to Active Directory are also populated automatically based on your Active Directory Import Schedule. As you can see below, Name and Title are non-editable fields and can only be changed in Active Directory. More on SharePoint User profile details will be discussed in Part 2 of this series.

You will also notice that some of these mapped fields are also displayed as part of your public user site referred to as My Profile such as Job Title, Department, Office and Phone Number.

We have learnt that by populating Active Directory you are inadvertently populating SharePoint user profiles with meaningful information which is also made public to other users via My Profile. The My Profile page also contains the organization hierarchy web part which also draws it’s information from the Manager field in Active Directory.

In the next part of this series I will delve into creating and mapping custom fields with Active Directory and how users can contribute other personal information outside of Active Directory such as Interests and Skills and control how this information is being displayed through privacy controls.

If you would like to subscribe via email to be notified of future articles you can do so from here or via RSS here.

Outlook Web Access redirection via Microsoft ISA 2006

noreply@blogger.com (George Khalil) — Tue, 23 Jun 2009 14:13:00 +0000

We all know from experience that advising end users to browse to https://mail.yourdomain.com/OWA if you are running Exchange 2007 or /exchange if you are running Exchange 2003 is usually problematic . Oh! and did I forget to mention that it’s HTTPS and not http! We must admit that not all end users are likely going to remember this URL and at times even struggle to distinguish the difference between secure and non secure sites. Well if you are running ISA 2006 as an edge or secondary application layer firewall then we can easily simplify the URL that we will publish to our end users by creating a deny rule which will then automatically redirect them to the correct address. By the end of this post, your end users will only need to remember a simple URL in the form of mail.yourdomain.com (notice that http or https is not required). This post is assuming that you already have an existing Exchange Publishing Rule in ISA 2006. Note, that this technique can also be used for other websites that ISA may already be protecting such as SharePoint and Terminal Server Web Access.

Let’s begin by launching the ISA Management Console, and navigate to create a new web site publishing rule. The New Access Rule Wizard will launch in which you will begin by specifying a name for your rule.

Select Deny as your Rule Action

Select Publish a single web site or load balancer.

Select Use SSL to connect to the published Web server or server farm.

Enter your Internal Publishing Details which should be identical to the original Exchange Publishing rule.

Click Next and then Next again skipping the Path details.

Enter the Public Name details as per your original Exchange Publishing rule.

Select the existing Exchange Web listener that you already have created for your Exchange Publishing Rule.

Select, No delegation, and client cannot authenticate directly.

Remove Authenticated Users if present and select All Users instead.

You will then receive the below warning as we have selected All Users. Ignore this warning and click on OK to continue.

Now that the rule has been created, we need to specify the redirect page. Right Click on the newly created rule and select properties. Navigate to the Action tab and click on the check box beside “Redirect HTTP requests to this Web page:” and enter the full Outlook Web Access URL.

We are now complete. You will need to ensure that the deny rule is place immediately below the original Exchange Publishing Rule as per the below screen shot. When a user now enters the url mail.yourdomain.com it will hit the redirection rule that we have just created which will then redirect to https://mail.yourdomain.com/owa and authenticate against your original Exchange OWA rule.

In summary we have removed the all so common confusion that end users may encounter when browsing to the Outlook Web Access site. This methodology provided above with the deny rule can also be used against any other web site publishing rule including SharePoint Sites and Terminal Server Web Access.

Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 2/2

noreply@blogger.com (George Khalil) — Fri, 19 Jun 2009 12:24:00 +0000

In the second and last part of this series we will be focusing our efforts in securing our SharePoint Site through setting up a publishing rule in ISA 2006. If you recall in the first article, we began our setup by extending the default SharePoint site into the Internet Zone, created a certificate request via IIS to be sent to a 3rd Party Certificate Authority and applied the certificate to our newly created extended site. If you missed it, you can access part 1 here.

So let’s begin the second part of our setup! The first item we need to address is the newly created certificate that has been applied to our site in IIS. ISA also needs to be aware of this certificate so we need to export it from IIS and then import it to the certificate store on the ISA server. This certificate will be required when creating the web listener in the ISA rule later below.

To export the certificate, select it in IIS and select Export under Actions.

Specify the export path and enter a password.

After exporting the certificate, copy it to your ISA server and then launch the Certificate MMC snap-in from the ISA Server.

Right click on the Personal Folder and select All Tasks / Import. This will invoke the Import Certificate Wizard.

Click Next. Browse for the certificate file that we exported and copied earlier.

Click Next. Enter the password that we supplied to the exported certificate.

Click Next and ensure that the certificate is placed in the Personal Certificate Store.

Now that we have done the pre-work for ISA, it’s time to launch the ISA Server Management Console in order to create our SharePoint Publishing Rule.

· Right click on Firewall Policy and select New / SharePoint Site Publishing Rule
· Specify a SharePoint publishing rule name
· Select your Publishing Type, in my case I selected Publish a single Web site or load balancer.
· Click on Use SSL to connect to the published Web server or server farm

Type the Internal site name: The warning here states that the site name must match the common name or subject alternative name on the certificate. This should be the World Wide Web Address.

Then click on Use a computer name or IP address to connect to the published server and enter the correct details. This could potentially be a single server IP or the IP address of your Network Load Balanced Cluster.

Specify the Public domain name.

We will now create a New Web Listener by clicking New. This will invoke the New Web Listener Wizard

· Provide your web listener with a friendly name. e.g SharePoint FBA
· Select Require SSL secured connections with clients in the Client Connection Security Window

- Specify the Web Listener Internal IP address. If you recall from part 1, this is a domain joined ISA server sitting in the internal network in between an existing edge firewall and your SharePoint Site.

The next step requires you to select your SSL certificate. Depending on the number of certificates your ISA server is storing you will either select Single certificate (in the event you are using a SAN or wild card certificate) or assign a certificate for each IP address. In my case I am using singular certificates for my SharePoint Sites so I will assign a specific certificate against a unique IP address.

You now need to select your Authentication Settings for the web listener. We are providing Forms based Authentication for our SharePoint Sites so I will select HTML Form Authentication and then select how ISA server will validate these. I am selecting Windows (Active Directory in my instance).

· Specify your Single Sign On Settings, Click Finish.
· Select your Authentication Delegation. In my case I am selecting NTLM

· Select “SharePoint AAM is already configured on the SharePoint server. We completed this step after extending our site in Part 1 of this series.

· Select your User Sets

· Then Click Finish to complete the Wizard.

One of the great enhancements to ISA 2006 Service Pack 1, is the ability to test your rules automatically within the ISA Management console. This will do the hard work for you and ensure that your rule is correctly setup and that your certificates are correctly in place. All you need to do is right click on the rule that we have just created and select properties.

Under the General tab, click on the Test Rule button.

You should get green ticks as per below.

We are done! Our internal users can now navigate to the external published URL and get directed to ISA’s Forms Based Authentication screen as per below. After successfully authenticating with Active Directory via the ISA server the users will be automatically redirected to the SharePoint site.

Some important points to emphasise;

Ensure your Alternate Access Mappings (AAM) are setup correctly for the correct zone.
Ensure your certificate common name matches the fully qualified external domain name which in turn matches the AAM in SharePoint.
Ensure that you have successfully exported the certificate from IIS Manager and Imported it to your Certificate store on the ISA Server.
Use the Test Rule Button in ISA 2006 SP1 to test your rule, so ensure you are running the latest Service Pack for your ISA server.

If you missed part 1 of this series, you can access the article from here.

Securing your SharePoint Sites with ISA 2006 using Forms Based Authentication – Part 1/2

noreply@blogger.com (George Khalil) — Fri, 12 Jun 2009 11:23:00 +0000

Do you want to provide your information workers access to your SharePoint Site whilst out of the office easily from any internet connection without compromising security? Do you want to accomplish this without complicated client-site VPN setups. In this 2 part series I will be providing you with step by step instructions explaining how you can leverage Microsoft’s Internet Security and Acceleration Server (ISA) 2006 and the out of the box SharePoint publishing rule to provide secure access for your corporate users using SSL. YES! That’s right! Whether you like it or not, Microsoft ISA is a great reverse web proxy application firewall in which HTTP/HTTPS traffic from the internet is inspected first before it is forwarded onto the destination server, in our case our SharePoint web servers. Microsoft ISA is also more than capable in providing you with a secure edge firewall as well.

Providing reverse web proxy is something that most major firewall vendors cannot accomplish out of the box including some of the big players like Checkpoint and Cisco. ISA is an ideal choice of reverse proxy to place in between your existing edge firewall and your SharePoint server due to the application layer inspection filtering that is also provided. Our ISA 2006 server should be domain joined in this instance as it will be acting as a dedicated reverse proxy and there are a lot of articles at isaserver.org supporting my case.

The below diagram is an example of how ISA can be strategically placed within your network. In our example, all servers are running Windows Server 2008, SharePoint 2007 and ISA 2006 with the latest Service Packs applied at the time of this writing.

Our goal at the end of this 2 part series is to setup Forms-Based Authentication (FBA) (screen capture below) where users are forced to authenticate successfully with Active Directory first before being passed on to the SharePoint Server.

So let’s begin. This post is assuming that you already have your current SharePoint Site setup correctly in IIS and Central Administration assigned to the Default Zone with Windows being our assigned Membership Provider. Our goal is to now be able to access the same SharePoint site outside of the corporate LAN via the World Wide Web using the same authentication method, i.e. via <DOMAIN>\<Password> . In order to do so, we need to extend the current site, ensure that the Alternate Access Mapping (AAM) is setup correctly and secure the extended site using SSL via a 3^rd party root certificate.

Extend your existing SharePoint Site

Browse to Central Administration / Application Management and under SharePoint Web Application Management, select

· Create or extend Web application
· Click on Extend an existing Web application
· Select an existing Web application to Extend
· Create a new IIS web site and type in your description
· Port should be set to 443 (SSL)
· Specify a Host Header : yousite.externalfullyqualifieddomain.com
· Select Yes Use Secure Sockets Layer (SSL)
· Select Internet for your Zone as requests are coming from world wide web
· Click OK

Alternate Access Mappings (AAM)

The Alternate access mappings for the zone should have been created for you and you can confirm this via Central Administration / Operations / Global Configuration / Alternate access mappings.

More detailed information on Alternate Access Mappings (which I highly recommend) can be found at this TechNet Article http://technet.microsoft.com/en-us/library/cc288609.aspx (Plan alternate access mappings)

By default your Alternate access mappings for all 5 zones (Default, Intranet, Internet, Custom, Extranet) are set to use Windows as your Membership Provider Name which is what is required in this example. Recall that we want our users to authenticate using their Active Directory credentials. You can confirm the Membership provider for your zones via Central Administration / Application Management / Authentication Providers. Ensure the correct Web Application in question is selected first.

Please also note that the extended Website will have been automatically created and listed in IIS Manager (Windows 2008)

SSL and Certificate Creation

We now need to create a certificate request that we will pass on to our preferred Certificate Authority (CA). Please note that it is best practice to use an external CA to avoid SSL warnings and errors for your users when browsing to the site. My preference is Godaddy.com who provide decently priced certificates, and no I am not a Godaddy reseller :)

In IIS 7 Windows 2008 this is done via Server Certificates located under the properties page of the IIS Server.

· Click on Server Certificates, under the IIS heading
· Under Actions, Click on Create Certificate Request
· Fill in the details; please note the Common name is important and should be the fully qualified domain name that is being accessed from the World Wide Web.

· Select your Cryptographic Service Provider Properties.
· Specify the filename and location to output the certificate request (The contents of this file (MODIFIED EXAMPLE BELOW) is important as it will be required by your Certificate Authority. In my case I am using a 3^rd Party Certificate Authority that will issue the certificate.

· Once you have been issued with your certificate file from your Certificate Authority, go back into IIS Manager and re-launch Server Certificates and this time under Actions select Complete Certificate Request
· Browse for the File Name and specify a Friendly name

Upon completion of the wizard your certificate will appear beside the already self signed machine certificate in IIS7.

You will now need to apply the new certificate against the recently extended website.

· Click on the Site you wish to apply the certificate and then click on SSL Settings.

· Select Require SSL and Require 128-bit SSL for your SSL settings and click on Apply

We now need to apply our newly imported certificate to the extended site by clicking again on the extended site, and under Actions select Bindings and then click on Edit.

Select the newly added SSL certificate from the drop down and ensure the port and IP address settings are correct.

Our site is now secure and ready to be accessed via the World Wide Web, well almost! Stay tuned for next week for part 2 of this article, in which we will be focusing on the configuration of ISA 2006 and how we can leverage the inbuilt SharePoint Publishing Wizard to allow external access to our SharePoint site via SSL and Windows Forms Based Authentication.

You can subscribe to future articles by clicking here

SharePoint Meeting Workspace Sites, How and Why?

noreply@blogger.com (George Khalil) — Fri, 05 Jun 2009 11:28:00 +0000

SharePoint is all about collaboration right? As much as we enjoy sending emails, there are limitations and shortcomings around collaboration when relying on good old trusty port 25. Don’t get me wrong, Microsoft Outlook and Exchange are great communications tools but fail miserably when it comes to sharing information and working together in achieving a common goal. Have you ever tried to organise and plan a meeting by sending emails to attendees with multiple attachments and re-sending those when modifications are made. As a recipient this can become quite overwhelming and at times confusing, especially when you end up with 3 different versions of the same attachment. Welcome SharePoint Meeting Workspace Sites! In today’s post I will be promoting the use of Meeting Workspace Sites in SharePoint and how it will provide you with the framework to organise, capture and manage a meeting from start to finish without those annoying emails.

Meeting workspaces sites are out of the box templates within SharePoint and are great for structured meetings. These include but are not restricted to your standard regularly scheduled Team or Departmental meetings, or it maybe for a specific project group meeting. You can create a Meeting Workspace from any site within SharePoint but as best practice and to keep matters simple let’s begin by creating a separate blank site to store these meetings within our existing Team Site.

Click on Site Actions / Create Site and fill in the details as below. I am selecting a Blank Collaboration Site to house my Meeting Workspaces.

I will now create my first Meeting Workspace for a meeting that is being held in a couple of weeks. As the Site Administrator I will click on Site Actions / Create / Sites and Workspaces.

I will then enter a title and a description if required and then select a template from the “Meetings” tab. The description of each template and usage requirements are highlighted in the template selection area which I have replicated below for your convenience and I have also listed the web parts that are included by default for each.

Basic Meeting Workspace

A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda, meeting attendees, and documents. The following web parts are included by default;

Objectives
Attendees
Agenda
Document Library

Blank Meeting Workspace

Name says it all. No web parts are included by default

Decision Meeting Workspace

A site for meetings that track status or make decisions. It provides lists for creating tasks, storing documents, and recording decisions. The following web parts are included by default;

Objectives
Attendees
Agenda
Document Library
Tasks
Decisions

Social Meeting Workspace

A site to plan social occasions. It provides lists for tracking attendees, providing directions, and storing pictures of the event. The following web parts are included by default;

Attendees
Directors
Things to Bring
Discussion Board
Picture Library

Multipage Meeting Workspace

A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda and meeting attendees in addition to two blank pages for you to customize based on your requirements. The following web parts are included by default;

Objectives
Attendees
Agenda
2 Blank Pages

In this meeting I would like to have the ability to allocate tasks that arise from the meeting itself so I have selected the Decision Meeting Workspace template.

After clicking on the Create button your Meeting workspace will be setup in a matter of seconds with the pre-defined web parts based on the template selected. Please note that you can easily add other web parts to the Meeting Workspace and then save it as a custom template to be reused.

In my case, I am going to add the “Things to Bring” web part into this meeting workspace via Site Actions / Create / Custom Lists. This is then added automatically added to my Meeting Workspace Site below.

Great, that’s too easy! Where to now? As the meeting coordinator I am now going to add the agenda items, upload any documents that are required to be discussed during the meeting and add items that need to be brought into the meeting.

We are all running Microsoft Exchange and Outlook right? I am sensing the “better together” theme that Microsoft always seem to market and hey, I am not disagreeing they do have a valid point. I am now going to launch my Outlook client and add the meeting to my calendar and at the same time formally invite the attendees and link the meeting workspace that we have just created for our monthly admin meeting into the body of the calendar meeting request all in one step.

Let’s create a meeting request in Outlook, specify the subject, location, start and end times (this is all important as this information gets appended to the details section of the Meeting Workspace SharePoint Site) . Then click on Invite Attendees and add them to your meeting. You will notice the Meeting Workspace icon in the Office Ribbon which you will now click on.

The meeting workspace tool bar then appears on the right. Click on Change Settings as we are not creating a Meeting Workspace as this has already been created. Click on Select a location and click on Other …

Copy and paste the address of the Meeting Workspace Site that we created earlier minus the default.aspx.

Click on OK and then click on Link to an existing workspace and select the relevant meeting workspace.

Click OK

Then Click on Link to insert the Meeting workspace site link directly into the body of the meeting request.

You will end up with the summary below.

Click on Send to invite the users to the meeting. If the selected users do not have the rights to access the site you will be notified and provided with a popup in the Outlook notification bar that will link you to the Add Users permissions area to that site.

If I now navigate back to the site you will notice that the attendees are added and their responses are also captured. The additional details from the calendar request such as subject, date/time, location are also prefilled automatically.

During the meeting, you would ideally have this site open on your projector screen and discuss the agenda items, open documents to discuss from the document library, potentially add new documents as the meeting progresses such as the minutes of meeting and because I had selected the decision meeting workspace template you could as the meeting coordinator also allocate tasks on the fly which could potentially be sent via an automatic email. How? Navigate to the List Setting within the Tasks Library, Click on Advanced Settings and click Yes to Send email when ownership is assigned.

As you can see, through Meeting Workspaces and Outlook we have been able to collect and organise the documents needed for the meeting, create an agenda, track and manage attendee lists and responses. During the meeting we have also been able to easily gain access to the materials being presented, log any decisions being made and assign tasks to be completed against individuals. Finally after the meeting, we have created a single site that contains all the relevant information including post follow up materials, the ability to tack the progress of assigned tasks and everything in between.

SharePoint and Information Management Policies

noreply@blogger.com (George Khalil) — Fri, 29 May 2009 10:45:00 +0000

Did you know you can create policies within SharePoint that will dictate how long a document will reside in a library before it’s automatically disposed of? Did you know you can enable barcodes on documents for physical asset recording? Did you know you can achieve all of this without writing a single piece code? Information Management Policies within SharePoint is a key and usually under utilised SharePoint feature that will assist any organisation with the lifecycle management of document libraries, plus a whole lot more. These policies can be created at the document library level and even set for each unique content type or you can create site collection level templates that can then be re-used throughout your SharePoint sites. I will go through each of the components that can be configured within Information Management Policies below.

Firstly, to create a site collection policy, navigate to your top level site and select Site Actions / Site Settings / Modify All Site Settings / Site Collection Administration and click on Site collection policies.

The below screen will then appear allowing you to create or import an information management policy. In our case we will click on Create.

To create a policy at the document library level, click on Settings / Document Library Settings, within the document library itself and then click on Information management policy settings.

Click on Define a policy …

Regardless of where you create your information management policy, the following screen will then appear after clicking on the OK button which allows us to name our policy and also provide a thorough explanation to our end users explaining and making them aware of the policy that is being applied to the content via the Policy Statement . The Administrative Description area is specifically for administrators or policy writers in the event that a policy is required to be altered.

You will notice that SharePoint includes four information management policy features to help you manage your content. They are; Expiration, Auditing, Document Labels and Document Bar Codes. I will go through each of these below with examples to assist in determining when and why you should use information management policy within SharePoint.

Enable Expiration

Enabling expiration on a document library provides you with a basic Information Life Cycle Management (ILM) strategy for your documents and or emails with email enabled document libraries. Expiration options provided allow you to create a consistent retention period for your documents based on create or modified date. In my case I have specified that items located in the document library that are older than 6 months are automatically deleted. You also have the option to control how the information is routed, such as creating a workflow that would archive rather than delete the item.

By implementing expiration policies in your document libraries you will reduce unnecessary redundant content and reduce noise in search results.

Enable Labels

This option or feature allows us to uniform the creation of labels in documents ensuring that document properties such as file name, author creation dates etc can be included in the label when a document is printed.

In my example I have created two additional columns in my Document Library, “Project Name” and “Manager” which can now be used in the label format.

Project {Project Name}\n Managed By: {Manager}

(Please note that “\n” creates a new line)

Enable Barcodes

This allows you to generate Code 39 standard barcodes and apply them to your document properties that can also be displayed in the header area of your document. This is useful when managing physical records such as computer equipment. By enabling barcodes you are primarily using this feature to track hard copies of documents, i.e. documents that are outside your SharePoint Site.

Enable Auditing

This option allows your to create specific audit trails for specific document libraries. Please note that you can also enable Site Collection Audit Settings that applies to all items within a site collection. This can be achieved via, Site Actions / Site Settings / Modify All Site Settings / Site Collection Administration, Site collection audit settings.

In summary, auditing provides you with the ability to track specific events (listed in the screen capture below) with regards to the life cycle of a document.

This information can be accessed via the Excel based Audit Log reports that are also located under Site Settings. Reports showing the audit trail can be run by site collection administrators.

Exemption from Policy

You also have the ability to exempt an individual item from a policy that is being applied to a document library. Simply navigate to the item that you want to exempt from the policy being applied and click on View Properties. The below screen will then appear providing you with the ability to click on Exempt from policy …

A warning will then appear in which you will have the option to click on Exempt to continue or cancel to go back.

If I now view the properties of the same item, you will notice that the exemption has been applied and also providing you with the ability to reverse the exemption.

As you can see, setting up Information Management Polices is an easy task and I would be interested to know how many SharePoint Implementations out there are actually using this feature and why?

Stream media from your SharePoint Site with Windows 2008 Media Services

noreply@blogger.com (George Khalil) — Fri, 22 May 2009 11:25:00 +0000

Wouldn’t it be great if you could deliver digital media content including Windows Media Audio (WMA) and Windows Media Video (WMV) from your SharePoint site without buffering issues and poor viewing experience. We must admit that SharePoint itself isn’t great in handling and storing digital media in particular large Video files and we can blame SQL for that! Even though you can host WMV’s in document libraries just like any other file, features such as fast streaming capabilities effectively eliminating buffering time, and reducing the likelihood of playback interruptions due to network conditions is non existent. However, this is where Windows 2008 Media Services complements SharePoint well, when in need of delivering rich video and audio content.

Some of the notable features of Window Media Services include;

* Cache/Proxy Management providing a better viewing experience for users by conserving network bandwidth.
* Advanced Fast Start delivers instant on playback, again eliminating buffering time
* Advanced Fast forward and rewind functionality
* Broadcast AutoStart in the event of power failure or other interruptions.

More details on Windows Media Services 2008 can be found on the Microsoft Site here

I have setup a dedicated server core installation of Windows 2008 (you got to love server core for these type of roles) and have installed the Media Services component. Detailed instructions in setting up Server core can be found on the Microsoft TechNet Site.

After installing server core you will need to then install the Streaming Media Services role. For some reason the Media services role isn’t on the Windows 2008 DVD and you will need to download it first from the Microsoft download site here

After downloading the file from another machine, copy it your Server Core installation and run the downloaded msu file. At the command prompt, type the following commands in order;

start /w wusa /quiet Windows6.0-KB934518-x86-ServerCore.msu (32 bit editions)

start /w wusa /quiet Windows6.0-KB934518-x64-ServerCore.msu (64 bit editions)

start /w ocsetup MediaServer

net start wmserver

Once the installation is complete, you will need to use the Streaming Media Services MMC snap-in to remotely configure Streaming Media Services. You can install Remote Server Administration Tools (RSAT) for the Streaming Media Services role on a computer that is running Windows Vista. You can download the installation for the MMC Snap in from here.

To start the snap-in, click Start, click Run, and then type wmsadmin. If you run into any issues when connecting to the media server check out Microsoft’s release notes for known issues.

The following Windows Media Services console launches;

Right click on Window Media Services node and select Add Server and type the Server name or IP address of your Media Services Server Core machine. The following screen will then appear in which you can then add a publishing point to store your media files.

Right clicking on Publishing Point will provide you with 2 options, a wizard option and an advanced option. Let’s keep it simple and select Wizard. The following welcome screen will then appear.

Click Next.

Enter a descriptive Publishing Point Name.

Click Next.

Select your Content Type. In our case we only need an area for storage of media files to be played back effortlessly from our SharePoint server so we are selecting Files as our option.

Click Next.

Select your Publishing Point Type. In our case, we want each user to be able to control the stream for each individual video that we publish on SharePoint so we will select On-demand publishing point.

Click Next.

Specify your directory location where you will be storing the video files (Note, you will need to create this folder in advance). Your video and audio files will also need to be copied into this location manually, i.e. via Windows Explorer.

Click Next.

Specify your content playback settings.

Click Next.

Specify whether to enable or disable logging.

You are then displayed with a summary screen outlining the settings chosen. Click Next and then click on finish. Specify whether you want to publish an announcement, in our case it’s not necessary as we will be creating links from our SharePoint server to the video files located on our Media Server.

You will now notice our newly created Publishing Point “Georges Videos” listed in the MMC snap in. Clicking on the source tab will list the videos that are located under the directory that we specified earlier. In my case, I have copied a video file titled “Movie Stars.wmv”.

You can right click on the file and click on test. This will run a test on the file uploaded to the media server and provide you with some statistics with regards to network performance. The URL to the media file is also displayed. This is the URL that is required to create your links in SharePoint.

I took a graphical fancy option and designed a web page in SharePoint Designer with thumbnail pictures that once clicked on will launch the file in Windows Media Player (assuming that is your default player for WMV and WMA files). Reminder, these are not http:// links but mms:// links.

That’s all that is to it! Hopefully you can now enjoy many hours of enjoyable video and audio streaming, minus the buffering issues!

Exchange 2010 Beta, So what’s new? – Part 3/3

noreply@blogger.com (George Khalil) — Mon, 18 May 2009 10:03:00 +0000

We have arrived at the final article of this series on Exchange 2010 Beta, with this post focusing on the new features and technology enhancements. Today is all about the reasons why we are all going to migrate to this latest product offering when released to the public, right?

Okay, so let’s begin with everyone’s favourite, Outlook Web Access (OWA) and focus on some of it’s new features. OWA has come along way since the days I first used it as an end user in Exchange 5.5. From the outset you will notice that Exchange 2010 OWA adopts the Windows Live theme, see below screenshots, and by default displays your messages in conversation view. The OWA premium client experience can now be accessed from Firefox and Safari and not limited to Internet Explorer, a welcome by all who don’t necessarily run Internet Explorer as their primary browser or don’t run a PC for that matter and because I run OS X at home it was the first enhancement I tried out. Check out the screen shots below of OWA premium running through Firefox. Some of the notable features and enhancements of OWA in 2010 are captured in the below screenshots.

Outlook Web Access Features

OWA Premium running on Mozilla Firefox.

Messages are arranged by conversation view by default.

You now have the ability to view Calendars side by side just like you can in Outlook 2007.

Here’s another enhancement with OWA displaying user’s mailbox usage and quota limit imposed.

Also a nice touch is the ability to open up other user’s mailboxes and have them displayed in the same window as your own.

Other notable enhancements with regards to OWA are listed in the following TechNet article and include;

*Favourites in the Navigation Pane
*Search folders
*Message filtering
*The ability to set categories in the message list
*Options in the Web management interface for Outlook Web Access
*The ability to attach messages to messages
*Expanded right-click capabilities
*Integration with Office Communicator, including presence, chat, and a contact list
*The ability to send and receive text (SMS) messages from Outlook Web Access

The trend with OWA throughout the years is to try and get closer and closer to its fully fledged desktop client Microsoft Outlook, and with the advances of web technology over recent years the gap is closing with each new version released and Exchange 2010’s OWA offering is no exception.

Next on the list of changes are the enhancements made to the Exchange 2010 Management Console (EMC). Some of these are listed as follows.

Organisational Health Tab

This tab provides you with a quick view of how Exchange is operating in your environment. We touched upon this in the first article of this series and can be located by clicking on the Microsoft Exchange On-Premises node and running the Gather Organizational Information utility under Actions. Upon completion you will be provided with the below summary screen;

Community and Feedback Tab

The Community and Feedback tab provides links to Exchange-related topics on Microsoft TechNet and new postings from the Exchange team blogs.

Exchange Help Client (EHC) and PowerShell

This small enhancement provides you with help information directly from TechNet by clicking F1. A PowerShell command log also records the PowerShell command when you perform a task through the EMC. A Property dialog box command exposure is also a new feature that displays PowerShell commands including parameters when changing properties of an object.

Role Based Access Control and Exchange Control Panel

For large Exchange Organisations with multiple messaging administrators, Role Based Access Control (RBAC) and Exchange Control Panel (ECP) are a welcome addition to Exchange 2010. RBAC allows you to associate permissions against various roles which is also mapped to various tasks in Exchange such as adding mailboxes etc. The ECP console is an administrative web based tool for delegated administrators such as department administrators and help desk personnel. The ECP console enables these administrators to perform tasks that are delegated to them. These tasks include creating and managing users and groups, defining Unified Messaging and retention policies, changing passwords, and modifying encryption settings. You can access ECP by browsing to the following URL https://server/ecp and is part of the Client Access role.

With the latest Exchange 2010 Management Architecture, you can now use a single machine and management console to manage multiple 2010 organisations both online and on premises.

Exchange 2010 Storage Architecture

Microsoft continues to improve Exchange’s performance marketing it as an enterprise messaging solution that can easily scale out. Exchange 2007 went a long way in providing us with enterprise scalability with the introduction of 64 bit only computing breaking the 4GB memory barrier and lowering disk I/O by increasing the page size from 4KB to 8KB. It also introduced Exchange roles (Hub/Mailbox/CAS/Unified Messaging and Edge) all which could run on separate machines with multiple instances for redundancy and load balancing depending on the role. So how has Exchange 2010 improved on what Exchange 2007 has to offer? Below are some of the notable enhancements with regards to Exchange 2010 architecture;

*Increased page size from 8KB to 32KB
*The Store compresses attachments
*Header data for all mailbox items is stored in a single database table making it more efficient
*The Store updates Outlook Client views (indexes) only when they're accessed reducing constant background processing

The other notable change with regards to Exchange’s architecture is the removal of storage groups!? What do you mean? No more storage groups? Yep! and without going into too much detail, below are some of the changes around Exchange 2010, storage and clustering.

*The concept of storage groups is eliminated
* Single copy clusters and Local Continuous Replication are eliminated and not supported in Exchange 2010
* Exchange 2010 introduces Database Availability Groups (DAGs), which are groupings of up to 16 servers in which some or all of the databases are marked for replication to one or more other servers.

More detailed technical information can be found in the following TechNet article http://technet.microsoft.com/en-us/library/dd335211%28EXCHG.140%29.aspx.

As you can see there are a plethora of changes and enhancements to Exchange 2010, bringing some valuable functionality to any organisation who chooses to adopt it. Exchange 2010 improves on Exchange 2007 when it comes to providing resiliency, cheaper storage solutions, high availability, improvement in mailbox sizes and increase in performance which will assist any organisation in reducing cost, a welcome in these tough economic times.

Finally, TechNet has some great pre-release documentation that outlines What’s new which can be accessed from here (http://technet.microsoft.com/en-us/library/dd298136(EXCHG.140).aspx).

Microsoft is also providing a free one year subscription to a number of Exchange 2010 clinics that is invaluable to any Messaging Administrator who wants to learn more about the upcoming release. You can access these from the Microsoft eLearning Site. https://www.microsoftelearning.com.

Hope you have enjoyed the 3 part series introducing Exchange 2010. So what are you waiting for? Get your hands on the beta which can be downloaded from the Microsoft Download Site and happy testing! http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=1898ED2C-2F88-48AC-824E-D3D20FAD77D7&displaylang=en

Exchange 2010 Beta, Configuration – Part 2/3

noreply@blogger.com (George Khalil) — Wed, 13 May 2009 11:19:00 +0000

In our previous post we successfully completed our first Exchange 2010 Install, and after looking back the most difficult part was ensuring all the prerequisites were met for a new Exchange environment . In today’s post we will continue with our installation with a focus on basic configuration to get mail flowing for internal and external clients, configuring our Anti-Spam agents on the Hub Transport Server (remember we are not utilising the Edge Role in our dev environment) and testing all of this using the brand spanking new Outlook Web Access (OWA). Just a reminder, the next and last article in this series will scrutinise some of the new features of Exchange 2010 with OWA being one of them, so stay tuned!

You will notice when you launch Exchange Management Console that Exchange 2010 has an organizational summary screen which will need to get refreshed when changes are made. To do so, Right Click on Microsoft Exchange On-Premises and select "Gather Organizational Information", this will go ahead and run a couple of scripts and then provide you with an updated summary screen.

The quickest method in verifying a successful install (apart from checking the installation logs) is to navigate to the various nodes and ensure that your Mailbox Database is mounted, your OWA site is setup (navigate to the site via /OWA">https://<servername>/OWA) and finally check your Hub Transport Server configuration. You should notice that the Client and Default Receive connectors have been setup by default.

(Default Mailbox Database in a “Mounted” Status)

(Default OWA Web Site)

(Hub Transport Server Configuration with client and default receive connectors)

Let’s now proceed by creating a second Active Directory Account so we can test mail flow between two user accounts (note that the Administrator user has already been created). To do so, you can create the Active Directory account first in Active Directory Users and Computers and then run the “New Mailbox” wizard or you could create the Active Directory User and Mailbox in the one step using the same “New Mailbox” Wizard. The "New Mailbox" Wizard is located under Recipient Configuration / Mailbox.

Upon completing the wizard you will be presented with 2 users listed under Recipient Configuration / Mailbox.

Login using your newly created User Account and Mailbox through OWA and send a test message to the administrator account and CC yourself (this will test the Hub Transport internal routing)

Okay! We have now confirmed that internal traffic is being routed successfully, now for external. We need to ensure that we have setup our External Domain as an Accepted Domain. To do so, navigate to the "Organization Configuration / Hub Transport node and click on the Accepted Domains Tab. Run the New Accepted Domain Wizard under Actions.

Your Exchange Server is now authoritative for that domain and you should now be able to receive external emails to that domain.

Let’s now setup an Email Address Policy for our external domain. Note that a Default Policy is already setup for your internal domain.

Under Organization Configuration / Hub Transport / Email Address Policies Tab, click on New E-Mail Address Policy under Actions.

Click Next and specify any conditions, in my case I left the default for all recipient types, click Next, then select Add SMTP, and fill out your Email address naming convention and the specified accepted domain we just created earlier.

Click Next to apply the policy immediately, and then click New.

Our newly created Email Address Policy is now listed with a higher priority.

We are now making some good progress and should soon be able to send email to the outside world. Because we have not setup an Edge Server to handle smtp routing externally, we will need to manually setup a send connector to send directly to the Internet. Obviously this isn't best practice and one should always setup a separate Edge Server with its notable advantages such as dedicated messaging hygiene especially when run in conjunction with a compatible Virus Scanning API (VSAPI) such as Forefront for Exchange, but for our dev environment this will suffice. In order to setup a send connector, navigate to, Organization configuration / Hub Transport / Send Connectors and click on New Send Connector under Actions. Type in a Name and select Internet as the intended use for this send connector and then click Next.

Specify your address space, Select Add SMTP Address Space and type * to be able to send to all external domains.

Select your preferred Network Settings, Click Next.

Your source server should then automatically populate, click Next.

That's it, you should now be able to send to external remote domains. Now I mentioned earlier that we were not going to setup an Edge Role in our dev environment but having said that we can still utilise the Anti-Spam functionality on our multi-role virtual machine, specifically on the Hub Transport Server Role. TechNet has a great article on enabling this functionality and can be found here. In summary, the process is as follows;

Launch the Exchange Management Shell and browse to where the Install-AntispamAgents.ps1 is located which by default is under

%system drive%/Program Files\Microsoft\Exchange Server\v14\Scripts folder

Type the following command ./install-AntispamAgents.ps1

After the command has successfully run you will need to restart the Microsoft Exchange Transport Service by running the following command;

Restart-Service MSExchangeTransport

You will now notice that there is an Anti-spam tab located under Organization Configuration / Hub Transport with the Anti-spam features listed and enabled.

Well, that’s all that is to it. Basic configuration for an Exchange 2010 server is pretty much identical to Exchange 2007 which is great for Messaging Administrators who have already adopted Exchange 2007. The last article in this series will outline some of the new Exchange 2010 features with nice pretty pictures outlining these, so stay tuned.

Bring a web application closer to the desktop via Prism

noreply@blogger.com (George Khalil) — Mon, 11 May 2009 09:28:00 +0000

Although not necessarily a blog topic of choice I couldn’t resist myself to not introduce Mozilla's Firefox latest extension for “Prism”. This little add-on allows you to convert a website to a desktop application in a matter of a couple of clicks. The web applications that immediately came to mind included Google Apps, Facebook and YouTube.

So I went ahead, downloaded the add-on from here and installed it on my Firefox browser (currently running Firefox 3.5b4 on my MAC OS X). From here it’s pretty straight forward, you browse to the site you want to convert as a desktop application, click on Tools and click on convert website to application.

The only trick here is by default, Firefox will detect the favicon icon from the website which in most cases is very small, so it’s worth doing a google search for a larger icon and changing it to that through settings.

You can then specify where you want the shortcut to appear and whalla! That’s all that is needed to convert a web site to a desktop application that you can launch, minimize, maximise and close like any application running on your desktop.

The addon supports the following as per Mozilla’s website;

* Auto-update support
* Preferences for fonts, colors and proxy settings
* Clear private data
* Submenu support for tray icon and dock menus
* Improvements to OS X 10.4 (Tiger) support
* Support for SSL exceptions

Prism will run wherever Firefox is supported including Windows, Linux and MAC OS X.

Below is a screen capture of my Gmail Account running as a separate app on my MAC. Notice the MAC Toolbar application buttons on the top left corner.

I have already converted Facebook and Gmail as desktop applications, YouTube is next. Below are the icons listed in my OS X Dock. I now wonder how well it will work with the latest Exchange 2010 Beta Outlook Web Access where the premium client is now supported in Firefox.

Exchange 2010 Beta, First Look – Part 1/3

noreply@blogger.com (George Khalil) — Fri, 08 May 2009 08:44:00 +0000

I have been blogging a lot about SharePoint lately and thought I'd post a 3 part series about my other favourite topic of interest, Exchange. Exchange is one of those technologies that once you spend the time designing, beta testing, dev testing and finally implementing in your production environment, there's not too much development later in its lifecycle, so when Exchange 2010 was released as a public beta I couldn't wait to get my hands on it and set it up in my dev environment. I implemented my first Exchange server back in the days of 5.5 and progressively kept up to date through the versions, 2000, 2003 and 2007. I must admit the learning curve between 5.5 and 2000 was steep and again between 2003 and 2007, but it's still one of those technologies that continues to excite me!

So here it is, I have documented below a step by step installation guide with links to TechNet articles for reference. This will be a 3 part series with part 1 focusing on meeting the prerequisites for an Exchange 2010 Beta installation and going through the process in its entirety step by step. Part 2 will focus on some basic Exchange configuration to get your environment up and running and we’ll finish off with investigating and discussing some of the latest features on offer.

My dev environment for simplicity consisted of a single Virtual Machine running Windows 2008 Enterprise Server with Active Directory and DNS configured in a single forest/domain setup. This will also be the same server that we will install Exchange 2010 Beta on, definitely not best practice but sufficient for the purpose of this article.

History tells us that since the introduction of Active Directory we have always been required to prepare Active Directory and update the necessary schema. Exchange 2010 Beta is no different and TechNet has a great article on that which you can access here explaining the process. http://technet.microsoft.com/en-us/library/bb125224(EXCHG.140).aspx

Word of warning, Microsoft highly advises against installing Exchange 2010 in an existing production domain being still in Beta and is not supported with this build, purely due to the fact that schema changes will be made to Active Directory and may be destructive and irreversible.

The first command you need to run is setup /p or setup /PrepareAD

Second command is setup /pad or setup /PrepareAllDomains (I only had one domain in this forest)

Now that we have Active Directory at the right schema level, we can now begin with the Exchange 2010 installation. Run the downloaded executable and extract the installation files and then run setup.exe to launch the wizard.

Run Step 1. Install .NET Framework 3.5. This will open a link in Internet Explorer (or your preferred default browser) to the Microsoft Download Center.

Run Step 2. Install Windows Remote Management 2.0. Again, this will open a link in Internet Explorer, this time directing you to the Microsoft Connect Site. This is still in Community Technology Preview 3 (CTP3) and uses the Microsoft File Transfer Manager to download the file so please ensure you have Active X enabled. This installation may request a reboot once complete.

Run Step 3. Install Windows PowerShell v2. Again, this link will direct you to the Microsoft Download Center.

We are now ready to install Exchange and you will notice the first 3 steps are now dimmed, i.e. they have successfully been installed.

You will then receive the Language Pack confirmation screen advising that all subsequent screens will be in English. Click Next.

Accept the License Agreement screen, click Next

The Error Reporting Screen then appears. Let’s help the guys at Microsoft and click yes.

The installation type screen appears and because I want to install the Unified Messaging Role as well I will select the custom Exchange Server Installation, remember you cannot install the Edge Transport Role on the same box as the other Exchange Roles, this restriction has not changed since Exchange 2007.

Select your roles. You will notice as soon as you select one of the top roles that the Edge Transport Server role becomes dimmed and vice versa.

Specify the Exchange Organization name.

Select your client settings option. In my case I don't use Public Folders (that’s why we have SharePoint right?) and don't run earlier Outlook or MAC OS X Entourage clients.

The next screen is a first for me, I have not seen this before with any Microsoft installation wizard specifically the part where you can choose the industry that best represents your organization. Select your industry and again, let's help the guys at Microsoft and click Join the Exchange Customer Experience Improvement Program.

Like Exchange 2007, the wizard then performs a readiness check for the different roles that you have selected.

In my instance, I failed miserably, so I followed the instructions outlined in order to get myself up to scratch and downloaded the necessary missing components and hot fixes!

They were notably;

KB951725
KB950888
IIS via Server Manager (always seem to miss that one)
2007 Office System Converter Microsoft Filter Pack (This download will install and register iFilters with the Windows Indexing Service)
Windows Media Encoder Desktop Experience Component (Unified Messaging Role)

Later I found the complete pre-requisites from the Microsoft TechNet Site READ THIS FIRST!http://technet.microsoft.com/en-us/library/bb691354(EXCHG.140).aspx

Once you have ensured all prerequisites are met, restart your server and re-run the installation. Hopefully this time round your readiness checks succeeds for all items. Click Next.

The Installation will now continue, so take a seat back, make a coffee as this may take a while, in my case approximately 20 minutes.

The new Exchange Management Console launches upon completion and you will notice that there are similarities with Exchange 2007, notably the Nodes on the left hand side haven't changed that much with configuration options segregated between Organization, Server and Recipient just as it was laid out in Exchange 2007 however you will notice some new tabs within these nodes. Note that Exchange 2010 is the first version of Exchange that provides both an in house "On Premises" solution and a hosted cloud "On-Line" solution for customers who don't want to manage and maintain an in house messaging system.

Let's now just verify that our installation has completed successfully. If you did receive an error during installation you can locate the Exchange Setup Logs via this TechNet article.

http://technet.microsoft.com/en-us/library/bb125254(EXCHG.140).aspx

I would quickly skim through the various nodes and ensure your Mailbox Database is mounted. This usually indicates that most things are in order.

Well, that’s it for now but stay tuned for Part II where we will dive into some of the configuration options in getting a basic Exchange environment up and running with mail flow.

AD LDS, SharePoint and Forms Based Authentication

noreply@blogger.com (George Khalil) — Thu, 30 Apr 2009 20:15:00 +0000

Ever wanted to provide clients or other external parties such as vendors, affiliates etc access to your SharePoint Sites without having to provide them with a Windows Active Directory Account? Luckily, SharePoint provides you with the ability to setup multiple authentication providers and in today’s post I will provide you with step by step instructions on how this can be easily achieved utilising Windows 2008 Active Directory Lightweight Directory Services (AD LDS) formerly known as Active Directory Application Mode (ADAM).

Previously, the most common method of providing Forms Authentication was to utilise the SQL Server membership provider which entailed running the ASP.NET SQL Server Setup wizard to configure your SQL server for application services, in our case SharePoint. My preferred method for extra security and flexibility is to utilise AD LDS, so let’s get to it.

1) Add the AD LDS Role to any Windows 2008 server
Click on Start / Administrative Tools / Server Manager. Click on Roles and then elect Add Roles on the right navigation pane. Check the box beside Active Directory Lightweight Directory Services then follow the wizard until the end. AD LDS is now installed and ready to be configured with your first data store.
In order to do so, click on Start / Administrative Tools / Active Directory Lightweight Directory Services Setup. The following setup wizard welcome screen appears. Click Next.

Select A unique instance and then click on Next.

Type in a friendly Instance Name. This will make it easier to distinguish down the track in the event you need to setup multiple instances for various applications.

Specify your LDAP port numbers and then click Next. Note that these numbers cannot be in use by any other application on your system. In my case I have specified 6000 and 6001 for SSL.

Select Yes, create an application directory partition. Specify your Partition Name (keep this handy as you will need it at the end to connect the partition through ADSI Edit. Click Next.

Select your File Locations. Click Next.

Select Network service account. This should be sufficient in most cases. Select Next.

Select your administrator account. Click Next.

Click on the below options. This will be needed for your Extranet users accounts. Click Next

Summary selections screen. Review and then click Next.

Click Finish.

You will notice that your newly created Instance (and other AD LDS instances for that matter) will now be listed under Programs and Features. This is where you will need to go in the event you want to remove that AD LDS instance at a later date.

Now that our instance is complete, we are required to connect to this instance via ADSI Edit MMC snap in. Click on Start / Administrative Tools / ADSI Edit. Once the MMC is loaded, right click on the ADSI Edit Note and select Connect to…
Fill in the Connection Settings.
Name: Enter a friendly name
Connection Point: Click on Select or type a Distinguished Name and type in your Partition Name that you entered in earlier when creating the application directory partition (your wrote that part down like I told you, didn’t you?)
Computer: The machine that AD LDS is installed and the port number you specified earlier on.
Then click OK.

Your User Store should now look similar to the screen below.

We now need to create a container to store our users. This is equivalent to an Organizational Unit in Active Directory. Right Click on your CN entry and select New / Object and select your class as container. Click Next.

Type Users as your value, Next and Finish

We can now create our users in the “Users” container that we have just created.
Right Click on CN=Users and select New / Object, and select your class as user.

Type in a user name.

Right Click on your newly created user object and select properties. Scroll down and locate the msDS-UserAccountDisabled attribute and set it to False.

Please note that if you have setup ADLDS on an existing domain, the password complexity requirements will be inherited from the Default Domain Policy and you may receive the following error after trying to apply any settings to that user account.
“Operation failed: Error code: 0x52d Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.”

You will need to set the password by right clicking on the user object and selecting reset password. You will be prompted to enter and confirm the new password.

2) Grant your SharePoint service account permission in the AD LDS store
Expand your AD LDS connection within ADSI Edit and click on the CN=Roles container. Right Click on CN=Readers listed on the right Navigation Pane and select properties.

Locate the member attribute and select edit.

Then select Add Windows Account and browse for your SharePoint Service Account and click OK.

Wow, are we almost there yet? Well, for AD LDS we are. Now it’s time to focus more on the SharePoint side of things and Extend the existing web application to the Extranet Zone and set it to use Forms Based Authentication.

3) Extending your Web Application
Click on Start / Administrative Tools / SharePoint 3.0 Central Administration / Application Management.
Under SharePoint Web Application Management, click on "Create or extend Web application" Then Click on "Extend an existing Web application"

Select the Web application you would like to extend, and create a new IIS web site.
Enter port 443 and a host header which you can resolve via DNS, select SSL (you want to secure and encrypt your extranet zone for external access) and ensure your zone is set to Extranet.

4) Authentication Providers
Again, under Central Administration / Application Management / Application Security, Select Authentication Providers.
Make sure the correct Web Application is selected and then click on the Extranet Zone
Select Forms as your Authentication Type and type in a Membership Provider Name (this can be set to anything) but will be required to be changed/match what you place in your web.config file. In my case I have set it to ADLDSMembership. Once you have made your changes, click Save.

5) Modifying the web.config file for your Extranet Zone Site and your Default Zone Site
Here we need to browse to the location where our web.config file is located for the Web Site that we extended in step 2. By default, Internet Information Services (IIS) stores these files under
C:\inetpub\wwwroot\wss\VirtualDirectories\<Web Site Directory>
If you followed my example and specified a fully qualified domain name for your Host Header and a port number (443) the web site virtual directory will look something like this;
extranet.georgekhaliltesting.com443
The root of this directory will include the web.config file which you will now edit in your favourite editor (my case notepad) and insert the following entry just after your <system.web> node.
I have highlighted the variables in Red.
<membership defaultProvider="ADLDSMembership">
<providers>
    <add
    name="ADLDSMembership"
    type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
    server="<servernamehostingADLDS>"
    port="60000"
    useSSL="false"
    userDNAttribute="distinguishedName"
    userNameAttribute="cn"
    userContainer= "CN=Users,CN=SPFBAStore,DC=georgekhaliltesting,DC=COM"
    userObjectClass="user"
    userFilter="(ObjectClass=user)"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
You will also need to add the below code for your People Picker to correctly pick up your AD LDS users. Kudo’s to Matt Morse on this one. You can read more about it here
<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="ADLDSMembership" value="*" />
</PeoplePickerWildcards>
Save your web.config file (oh did I mention take a backup copy first before editing) and then run IISRESET to ensure all new settings have been applied.

I accidently omitted this step from my original post, however you will also need to modify the web.config file for your Default Zone (Windows Authentication) to allow you to add the ADLDS users to your SharePoint groups later in the process.

That’s it! Finally we got there. When an external partner browses to the extended website in the Extranet Zone they will receive the following SharePoint Forms Login Screen which will authenticate them against the AD LDS store that we have created specifically for this Web Site. When an internal user browses to the default site (Windows Authentication) they will not receive a login screen and will access the SharePoint site via windows integrated authentication.

If for some reason you don’t receive the above login screen but the dreaded SharePoint “Error… Troubleshoot issues with Windows SharePoint Services” something has gone pear shaped along the way.

Don’t forget, you still need to provide your AD LDS users access to your SharePoint site via Site Actions / Site Settings / People and Groups. It is easier to add your AD LDS users via the default Windows Authentication Zone. You will notice in the below screen shot that the people picker will display both Domain User Accounts and AD LDS Membership Accounts.

Now that our Forms Based Authentication model is now working for our External Partners to access our SharePoint site, are we able to customize the login page so it’s not so generic? Of course you can! But that will have to wait for another post…. Below is a little teaser of a FBA login screen that I have customised using SharePoint Designer (and I’m no graphics artist either :))

In Summary, AD LDS gives organisations flexible support for directory enabled applications and as you can see we are able to successfully implement and integrate AD LDS with SharePoint. Lastly, AD LDS can also provide us with the same functionality as a full blown Active Directory setup without the requirement to deploy separate domains or domain controllers.

Exchange.. Thou shall not forward

noreply@blogger.com (George Khalil) — Tue, 21 Apr 2009 07:46:00 +0000

I came across a minor situation today when setting up a forwarding rule against an Exchange Public folder. Having done this many times in the past, I knew I would get this accomplished in a matter of minutes. So I began by creating the Public Folder, mail enabling it and then when into the properties of the public folder itself to create a rule which would forward the items as they arrive to multiple recipients both internal and external to the organisation.

The forwarding was behaving as expected for internal recipients but none of the external recipients were receiving the emails that were being auto forwarded. Scratching my head, I delved straight into the Exchange Management Console, and launched the Exchange Message Tracking toolbox which showed zero results for emails sent to those external recipients. Scratching my head again, this time for a briefer moment, it clicked to me that this is the first time I had setup auto forwarding for external recipients and was aware of some settings under the Hub Transport Server (Organisation Configuration) that may prevent this. Alas, by default Exchange 2007 prevents “Automatic Forward”, so I checked the box to allow, and the auto forward rule behaved expectedly for external recipients as well!

SharePoint, Exchange and Office 14 becomes 2010

noreply@blogger.com (George Khalil) — Wed, 15 Apr 2009 22:11:00 +0000

Microsoft has announced the official names of the next release of 3 major products, Exchange, SharePoint and Office. Initially labelled version 14 for all 3 I can sense “the better together” marketing theme that Microsoft have used in the past when it came to releasing the same 3 products in 2007. I will discuss some of the highlights below for each product.

Exchange 2010 now available in beta can actually be downloaded from the Microsoft TechNet Site. Some of the features noted include enhancements to the “anywhere experience” providing enhanced universal inbox experience and an integrated archiving functionality which I will be interested to compare against common 3rd party products that have been in the market for many years such as Symantec’s Enterprise Vault and Quest’s Archive Manager. Other notable mentions include enhancements to the Unified Messaging role that was introduced with Exchange 2007 which includes a new feature called “Voice Mail Preview” which will allow the user to read the contents of an audio recording, just like reading a normal email! Safari and Firefox users will enjoy the same premium Outlook Web Access experience (OWA) that was normally reserved for Microsoft’s Internet Explorer only. This will further extend the OWA experience to more users who are not necessarily running a Windows Operating System or prefer to use alternative browsers. Another biggie for organisations that highly rely on shared calendars is the ability to view those also in OWA, particularly useful when booking meetings and resources. More information can be found at the Exchange 2010 Microsoft Site.

SharePoint 2010 is predicted to be released in beta form in the third quarter of this year and released to manufacturing in the first half of 2010. At the moment there isn’t much insight in what to expect but a number of predictions are being made. We will just have to wait and see until more information is released by the SharePoint Product Team. The Microsoft SharePoint Product Team have just placed a blog post detailing the official details with regards to the official naming of SharePoint 14.

Office 2010 is expected to show subtle external UI differences to Office 2007 with most changes and enhancements done under the hood and with integration with other products notably SharePoint 2010. Office 2010 will also include a suite of web applications a.k.a “Office Web” to compete with existing cloud computing offerings such as Google Apps. We also know that this will be first Office release that will be available in 64 bit. I’d expect the full release to coincide with the release of SharePoint 2010, being from the same family of products.

For me, it’s time to get my hands dirty on Exchange 2010 beta and potentially coexist it with my current Exchange 2007 infrastructure. Details of coexisting with Exchange 2010 can be found on TechNet. I’ll let you know how I go :)

Virtualising your SharePoint Environment

noreply@blogger.com (George Khalil) — Tue, 14 Apr 2009 14:58:00 +0000

To virtualise or not to virtualise? I thought I would provide you with some insight into my SharePoint infrastructure setup and hopefully place some minds at ease when it comes to virtualisation and SharePoint.

First and foremost, all of my servers are running in a virtual environment and have been for quite some time. Virtualisation is handled by VMware Infrastructure v3.5 across 3 beefy ESX Hosts running dual Quad Core Xeon processors with 32GB RAM each connected to a Fibre Channel Storage Area Network with 15K Disks. The ESX hosts are also housing other virtual machines outside of the SharePoint farm. VMware Infrastructure is providing native High Availability to my entire infrastructure.

My SharePoint 2007 farm was born almost 18 months ago and initially comprised of only 2 servers. The farm was servicing approximately 100 users with the following specifications/roles;

Role: SharePoint Server 2007 Applications Server and Web Front End 64 Bit
Windows 2008 Enterprise Edition x64
Single vCPU
6GB RAM

Role: SQL 2008 Standard Edition 64 Bit
Windows 2008 Enterprise Edition x64
Single vCPU
8GB RAM

Within 12 months of running in the above configuration we very quickly expanded our SharePoint setup to a “Medium” Farm configuration to incorporate an additional 250 users.

We simply added two additional Windows 2008 Enterprise x64 servers which were configured utilising Windows 2008 Network Load Balancing. These 2 servers were easily incorporated into the existing SharePoint farm and have become dedicated Web Front End and Query Servers servicing user requests.

Specification is as follows;

Role: 2 x SharePoint Server 2007 64 Bit Web Front End
Windows 2008 Enterprise x64
Single vCPU
4GB RAM

My initial lone SharePoint Server has now become a dedicated Indexing Server with more frequent crawls scheduled and a dedicated Applications Server for Excel Services. My farm now consists of 4 servers and is servicing over 350 users.

A rule of thumb with VMware ESX vCPU allocation is to always begin with a single vCPU. A physical machine gets a different experience than what multi-cpu does under ESX, because of the way ESX handles multi processors and how these are scheduled. The simple reason is that when you assign multiple vCPU you are trying to split the CPU time between those virtual CPUs which in most cases will add more overhead.

Memory is a different kettle of fish and I have found that more is better in a virtual or physical environment for that matter, especially when running 64 Bit Applications and Operating System. I would allocate as much as you can within reason.

For storage and Disk I/O consideration, RAID 10 works best, especially for your SQL databases.

I have found that the above resource allocations and configuration works well and is a great benchmark to begin with when configuring your Small or Medium SharePoint farm in a virtualised ESX environment. We definitely have not experienced any bottlenecks with our setup.

SQL 2008 Service Pack 1 released .. Did it break my SharePoint Farm?

noreply@blogger.com (George Khalil) — Fri, 10 Apr 2009 06:05:00 +0000

Microsoft has recently released Service Pack 1 for SQL 2008 which you can download from here.

Being the brave person that I am, I decided to update my SQL instance housing my SharePoint databases as soon as I could. Even though it doesn't contain any new features but mainly bug fixes and a rollup of cumulative updates 1-3, I have a habit of being up to date!

So, today was the day! After successfully updating my VMware ESX hosts to update 4, I decided I would continue with the theme of “updating” and upgrade one of my SQL 2008 boxes which is dedicated to housing my SharePoint databases. However, on first attempt in applying the service pack the installer failed whilst doing its prerequisite check with the following error

A failure was detected for a previous installation, patch, or repair for instance 'MSSQLSERVER' during configuration for features [sql_powershell_tools_ans,]. In order to apply this patch package (KB959337), you must resolve any issues with the previous operation that failed. View the summary.txt log to determine why the previous operation failed.

Please note that the feature(s) mentioned above could be some other component of SQL 2008 and not necessarily the power shell tools listed in my case. All you need to do is run a repair on SQL 2008 and re-run the installer for Service Pack 1. You should be back in business and the update will be applied successfully.

BTW, my SharePoint farm is still up and running with nothing broken.... yet :)

More details on the Service Pack release can be found at the Microsoft SQL News Blog.

SharePoint, My Site and Tracking Colleagues

noreply@blogger.com (George Khalil) — Tue, 07 Apr 2009 10:14:00 +0000

Social Networking meets SharePoint! My Site is SharePoint’s answer to Web 2.0 social networking public sites like Facebook and LinkedIn specifically tailored for the corporate workplace. For any organisation especially those located across disparate locations it provides the ability to create synergy between those offices and users within offices. Today’s focus is on colleagues and the colleague tracker web part. Colleagues are those users that are part of your Workgroup plus those users you add manually that are not directly part of your Workgroup. Your Workgroup is automatically populated as part of the reporting hierarchy that can be set in each user’s Active Directory Profile which is then dynamically populated in the colleague tacker web part located under the My Home tab in My Site and the Organisation Hierarchy section under the My Profile tab in My Site.

Other colleagues can be manually added and grouped by each user individually. The role of the colleague tracker web part is to alert you of changes that have been made to your colleagues profiles and changes in user memberships. Other alerts include displaying your colleagues upcoming birthdays (if the colleague birth date profile field has been populated), when new blog posts have been added by your colleagues, out of office messages and upcoming anniversaries. You can modify what you want to be alerted on by modifying the properties of the web part. As you can see the colleague tracker web part located on the left is displaying new documents added across the SharePoint site from a particular colleague of mine and also an upcoming birthday for another colleague.

The below colleagues web part which is located by default under My Profile displays My Colleagues that are part of my Workgroup/Organisation Hierarchy from Active Directory and other colleagues that I have allocated against specific groups that have been created by me. Please note that after your My Site has been created you can choose as a user to remove the default colleagues.

As you can see, the colleague tracker web part becomes an invaluable tool in connecting colleagues highlighting any changes made by your peers. It assists in bringing people together throughout an organisation, and let’s face it we are living in a world surrounded by many social networking sites like those mentioned above. I will continue to delve further into My Site and how organisation’s of any size can really benefit from it in future posts.

People Picker, SharePoint and Forest Trusts …

noreply@blogger.com (George Khalil) — Thu, 02 Apr 2009 04:45:00 +0000

Everything in my SharePoint Farm was working well until ….. I decided to install the recent February 2009 Uber packages from Microsoft, don’t ask me why but I have a habit of trying to keep up to date, even though Microsoft explicitly states when you download the hefty packages that you should only install them if you are experiencing one of the issues listed in the KB article and should wait till the next service pack. Have you ever sat down and read one of these Cumulative Update KB’s, they go on for pages and how am I suppose to know if I am actually a recipient of one of the hundred’s of known issues? So I decided to go ahead and install both WSS and MOSS packages a couple of weekends ago… Well, the result was it broke one of my workflow’s that I had designed in SharePoint Designer and I also wasn’t able to apply permissions to users outside the resource domain using the People Picker. I was scratching my head with regards to the latter, I recall I needed to do something special initially to get SharePoint to enumerate users from other forests so after a quick scavenge I realised I needed to re-run a couple of stsadm commands that I will share with you today.

In way of background, my SharePoint farm is serving users from the local resource domain and 2 other domains that are connected to our network through a one-way selective Active Directory Trust. Sounds complicated, but not too difficult once you get past the hurdles of connecting multi-vendor firewalls to create the tunnel. Once the tunnel has been established, all is needed is the setting up of DNS conditional forwarders and then the Forest Trust. Too easy, my Active Directory Admin can do that with his eyes closed, in my case I was the A.D man! Once you have the Forest Trust in place it’s a piece of cake to then import the A.D users from the other sites into SharePoint to pre-create the user profiles in SharePoint, Done! Here comes the tricky part, especially when you are trying to do this for the first time. You will need to run a couple of stsadm.exe commands in order to allow the people picker to search for users in other forests. Please note that users in the forest that the server is in (that is, a resource forest) are displayed automatically.

Okay, so let’s begin with the commands. By default, the People Picker will user the User Credentials against your Web Application Pool and in a one way trust this won’t work so we will need to run the following setapppassword command on each Web Front End Server in the farm.

Command 1 – To be run on each WFE.

stsadm.exe -o setapppassword -password <yourpassword>

<yourpassword> This could be any string to heart’s desire but must be identically run on each WFE.

Command 2 – To be run on one WFE.

stsadm -o setproperty -url http://SharePointSite:85 -pn peoplepicker-searchadforests –pv “domain1.com”,<loginname1>,<password1>;”domain2.com”,<loginname2>,<password2>

Now the trick with this command is to ensure you include all your forests in the one command. Running the command twice in my case for connecting 2 other forests did not work, you will need to include them in the single command.

Please also ensure you run command 2 for each Web Application in your farm including My Site.

Below are some reference links to Microsoft’s TechNet site and Joel Oleson’s Blog – SharePoint Land explaining the above commands and usage in a lot more detail. Until then, Happy People Picking!!

Peoplepicker-searchadforests: Stsadm property (Office SharePoint Server)

Cross Forest, Multi Forest Configuration and Additional Info