November 20 2009

Change Chrome proxy settings

I was recently in a situation where the Internet Explorer proxy settings were enforced via GPO; however, I wanted to use separate proxy settings for my Google Chrome browsing sessions.

Google Chrome doesn’t provide a user interface to change or disable proxy server settings; it uses the proxy settings (amongst other settings) from Internet Explorer.

So how can you change the settings for Chrome and not IE?

Answer:

Add the ‘--proxy-server=’ parameter to the shortcut you are using to start Chrome. E.g. to use the proxy server named proxyname.company.com on port 8080, your shortcut would be:

"C:\Documents and Settings\username\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --proxy-server=proxyname.company.com:8080

Note – there are 2 ‘-’ symbols before proxy-server above

November 18 2009

Migrating email to Google Apps

I recently made the choice to move my email hosting to Google Apps after having several bad experiences with my previous email hosting provider.

I decided to use the ‘free’ Standard Edition which seemed to meet my requirements. It was a surprisingly easy transition which involved the following steps:

  • Verify domain ownership – this required me to upload a small file to my www.danovich.com.au website to prove that I had ownership of the domain
  • Create accounts – using the Google Apps web interface, I created new accounts for all users using danovich.com.au
  • Google Email Uploader – I used this fantastic tool to upload all of my email from my existing Outlook PST file. It was a very easy to use tool and can be stopped and started as needed. My Outlook emails then started to appear in the Google Apps web interface. It also preserved information such as sent dates and sender/recipient data, as well as the folder structure used by Outlook.
  • Change MX DNS records – I updated the domain MX records to point to the Google servers, which also provided many more entries than my previous hosting company, giving an added level of comfort
  • Imported my Outlook calendar into Google Apps

So far I’ve found Google Apps to have a fantastic web interface and I’ve also configured an IMAP connection so that I can still use the features of Outlook if required. I’m really enjoying the powerful search within Google Apps as well as the web-based Offline mode provided by Gears. I still have access to all of my old emails through a single interface and not a single email was lost for any users during the transition.

The only negative thing I have found so far is that with the web-based version of Google Apps, you cannot set a default font for when you compose an email, which can be quite frustrating.

I now gain the benefits of hosting email for free with a company like Google, which gives me many connectivity options and allows for almost unlimited customization. Overall, this was a very painless experience and I would highly recommend it as a solution to anyone having issues with email hosting.

November 5 2009

Improving the SIDMap.wsf script for OCS attribute synchronization

Microsoft’s definition of SIDMap.wsf is: “It uses the same disabled user account in the resource forest to enable users for Office Communications Server. To provide single sign-in, the primary user account must also be mapped to the disabled user account in the resource forest for Office Communications Server. This tool performs the mapping.”

This script is part of the Office Communications Server 2007 Resource Kit and basically synchronizes the msExchMasterAccountSid attribute to the msRTCSIP-OriginatorSid attribute on the SIP-enabled disabled user account.

I’ve made some improvements to the script to add a log file and also provide some feedback to the user so they know it has worked. I’ve created a batch file that can be put on a server and run by the support team; it is shown as attribute_sync.bat below, followed by the modified SIDMap.wsf.

attribute_sync.bat

REM **   This script copies the value in the msExchMasterAccountSid attribute to the msRTCSIP-OriginatorSid attribute
REM **   for every disabled user that is SIP enabled in the 'Testing' OU
REM **   www.danovich.com.au
REM **   Build a timestamp for the log file name. Depending on the locale, "date /t" prints either
REM **   "Thu 05/11/2009" or just "05/11/2009", so take the last token as the date in either case.
for /f "tokens=1* delims= " %%a in ('date/t') do set dayname=%%a
for /f "tokens=1,2 delims= " %%a in ('date/t') do if "%%b"=="" (set mmddyyyy=%%a) else (set mmddyyyy=%%b)
for /f "tokens=1* delims=/" %%a in ('echo %mmddyyyy%') do set day=%%a
for /f "tokens=2* delims=/" %%a in ('echo %mmddyyyy%') do set month=%%a
for /f "tokens=3* delims=/" %%a in ('echo %mmddyyyy%') do set year=%%a
for /f "tokens=1* delims=:" %%a in ('echo %time%') do set hour=%%a
for /f "tokens=2* delims=:" %%a in ('echo %time%') do set mins=%%a
for /f "tokens=3* delims=:" %%a in ('echo %time%') do set sec=%%a
for /f "tokens=1* delims=." %%a in ('echo %sec%') do set secs=%%a
for /f "tokens=2* delims=." %%a in ('echo %sec%') do set mili=%%a
REM **   %time% pads single-digit hours with a space (" 9:05:22.45"); use a zero instead so the log file name contains no space
set hour=%hour: =0%
REM **   Make cscript the default script host so SIDMap.wsf writes its output to the console rather than a dialog box per line
wscript //h:cscript //B
c:
cd "C:\Program Files\Microsoft Office Communications Server 2007 R2\ResKit\LcsSync"
SIDMap.wsf /OU:OU=Testing,DC=danovich,DC=com /logfile:C:\Logs\OCS-%username%-%day%-%month%-%year%-%hour%.%mins%.%secs%.log

SIDMap.wsf

<?xml version="1.0" ?>
<package>
  <job id="Main" prompt="no">
    <?job debug="true" error="true" ?>
    <runtime>
      <named
        name="OU"
        helpstring="The Active Directory DN of the organizational unit to search under"
        many="false"
        type="string"
        required="false"
      />
      <named
        name="query"
        helpstring="Generates a list of disabled users that are mailbox and SIP enabled and associated with an external account"
        type="simple"
        required="false"
      />
      <named
        name="logfile"
        helpstring="Text file used to log the output."
        type="string"
        required="false"
      />
    </runtime>
    <script id="VBScript_Block" language="VBScript">
<![CDATA[
' Initialize variables
Set WshShell = CreateObject("WScript.Shell")
Const ForWriting = 2
intCount = 0
intFailed = 0          ' number of accounts where the attribute write failed
bQuery = False
strLogFile = "(no log file requested)"
On Error Resume Next   ' Force continuation on errors; each risky call is followed by an Err.Number check

' Retrieve command-line arguments
' Check whether an OU is provided; otherwise search the whole domain.
If WScript.Arguments.Named.Exists("OU") Then
    strNamingContext = "LDAP://" & WScript.Arguments.Named("OU")
Else
    Set objRootDSE = GetObject("LDAP://rootDSE")
    strNamingContext = "LDAP://" & objRootDSE.Get("defaultNamingContext")
End If

' Check whether the user only wants to query the AD.
If WScript.Arguments.Named.Exists("query") Then
    ' Query only: list all disabled users that are mailbox and SIP enabled,
    ' but do not set the msRTCSIP-OriginatorSid attribute.
    bQuery = True
End If

' Check whether logging to a file is required.
If WScript.Arguments.Named.Exists("logfile") Then
    strLogFile = WScript.Arguments.Named("logfile")
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objLogFile = fso.OpenTextFile(strLogFile, ForWriting, True)
    objLogFile.WriteLine("List of disabled users associated with an external account and SIP enabled:")
End If

' Create connection to AD.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Define AD query.
' Search for disabled user accounts (userAccountControl bit 0x2 set) that are SIP enabled
' and carry a master account SID from the account forest.
objCommand.CommandText = _
    "<" & strNamingContext & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(msRTCSIP-UserEnabled=TRUE)(msExchMasterAccountSid=*)(userAccountControl:1.2.840.113556.1.4.803:=2));" & _
    "ADsPath,cn,msRTCSIP-PrimaryUserAddress,msExchMasterAccountSid,msRTCSIP-OriginatorSid;subtree"
' Disable caching to reduce memory consumption for very large result sets.
objCommand.Properties("Cache Results") = False
' Define the maximum page size.
objCommand.Properties("Page Size") = 1000

' Execute query. Clear any earlier error first so the check below reflects the query alone.
Err.Clear
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
    WScript.Echo("Failed to query Active Directory " & strNamingContext & " (error " & Err.Number & ": " & Err.Description & ")")
    WshShell.Popup "Failed to query Active Directory " & strNamingContext, , " Attribute sync failed ", 16
    WScript.Quit(Err.Number)
End If

While Not objRecordSet.EOF
    intCount = intCount + 1
    If IsObject(objLogFile) Then
        objLogFile.WriteLine(objRecordSet.Fields("cn").Value)
    Else
        WScript.Echo(objRecordSet.Fields("cn").Value)
    End If
    If bQuery = False Then
        ' Copy msExchMasterAccountSid into msRTCSIP-OriginatorSid.
        Set objContact = GetObject(objRecordSet.Fields("ADsPath").Value)
        strExchSid = objRecordSet.Fields("msExchMasterAccountSid").Value
        Err.Clear   ' so a failure on an earlier account is not reported again for this one
        objContact.Put "msRTCSIP-OriginatorSid", strExchSid
        objContact.SetInfo
        If Err.Number <> 0 Then
            intFailed = intFailed + 1
            If IsObject(objLogFile) Then
                objLogFile.WriteLine("Failed to set msRTCSIP-OriginatorSid attribute on " & objRecordSet.Fields("cn").Value & ": " & _
                    Err.Number & " " & Err.Description)
            Else
                WScript.Echo("Failed to set msRTCSIP-OriginatorSid attribute on " & objRecordSet.Fields("cn").Value & ": " & _
                    Err.Number & " " & Err.Description)
                WshShell.Popup "Failed to set msRTCSIP-OriginatorSid attribute", , " Attribute sync failed ", 16
            End If
        End If
    End If
    WScript.Echo()
    objRecordSet.MoveNext
Wend

' Only claim success when every account was written; otherwise point the operator at the log.
If intFailed = 0 Then
    WshShell.Popup "Attribute sync has been successful for " & intCount & " users in the following OU:" & vbCrLf & vbCrLf & strNamingContext & vbCrLf & vbCrLf & "Log file is located at " & strLogFile, , " Attribute sync successful ", 64
    WScript.Echo "Attribute sync has been successful for " & intCount & " users in the " & strNamingContext & " OU "
Else
    WshShell.Popup "Attribute sync failed for " & intFailed & " of " & intCount & " users in the following OU:" & vbCrLf & vbCrLf & strNamingContext & vbCrLf & vbCrLf & "Log file is located at " & strLogFile, , " Attribute sync completed with errors ", 48
    WScript.Echo "Attribute sync failed for " & intFailed & " of " & intCount & " users in the " & strNamingContext & " OU "
End If
If IsObject(objLogFile) Then
    objLogFile.WriteLine(vbNewLine & intCount & " disabled users, " & intFailed & " failures.")
    objLogFile.Close
End If
objConnection.Close
]]>
    </script>
  </job>
</package>
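A read-only audit to run before and after the batch file above, as an added example (not part of the original post or the OCS Resource Kit): it uses the same LDAP filter as SIDMap.wsf and reports every disabled, SIP-enabled user whose msRTCSIP-OriginatorSid is missing or differs from msExchMasterAccountSid, so the support team can confirm the sync actually took. The OU in the default parameter is a placeholder.

```powershell
# Added example: audit msRTCSIP-OriginatorSid against msExchMasterAccountSid (no writes).
param([string]$SearchBase = "OU=Testing,DC=danovich,DC=com")   # placeholder OU

# ADSI returns both SID attributes as raw byte arrays; compare them in S-1-5-... string form.
function ConvertTo-SidString([byte[]]$Bytes) {
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

# First value of a result property, or $null when the attribute is not set on the object.
function Get-FirstValue($Result, [string]$Name) {
    $v = $Result.Properties[$Name]
    if ($v -and $v.Count -gt 0) { $v[0] } else { $null }
}

# Same filter SIDMap.wsf uses: disabled users (userAccountControl bit 0x2) that are
# SIP enabled and carry a master account SID from the account forest.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(msRTCSIP-UserEnabled=TRUE)" +
                   "(msExchMasterAccountSid=*)(userAccountControl:1.2.840.113556.1.4.803:=2))"
$searcher.PageSize = 1000
foreach ($p in "cn", "msRTCSIP-PrimaryUserAddress", "msExchMasterAccountSid", "msRTCSIP-OriginatorSid") {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$report = foreach ($r in $searcher.FindAll()) {
    $masterBytes = Get-FirstValue $r "msexchmasteraccountsid"
    $origBytes   = Get-FirstValue $r "msrtcsip-originatorsid"
    $master = if ($masterBytes) { ConvertTo-SidString $masterBytes } else { $null }
    $orig   = if ($origBytes)   { ConvertTo-SidString $origBytes }   else { $null }
    # MISSING: SIDMap.wsf has never run for this account; MISMATCH: the master account
    # SID changed (e.g. account recreated) and the sync needs to be re-run.
    if (-not $orig) { $status = "MISSING" }
    elseif ($orig -ne $master) { $status = "MISMATCH" }
    else { $status = "OK" }
    New-Object PSObject -Property @{
        Status        = $status
        Name          = Get-FirstValue $r "cn"
        SipAddress    = Get-FirstValue $r "msrtcsip-primaryuseraddress"
        MasterSid     = $master
        OriginatorSid = $orig
    }
}

$report | Sort-Object Status, Name | Format-Table Status, Name, SipAddress, MasterSid, OriginatorSid -AutoSize
$bad = @($report | Where-Object { $_.Status -ne "OK" }).Count
"{0} accounts checked, {1} need SIDMap.wsf to (re)sync msRTCSIP-OriginatorSid" -f @($report).Count, $bad
```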

November 4 2009

Office Communicator error – Cannot synchronize address book

We’d rolled out Office Communicator 2007 R2 across the environment; however, a handful of machines were getting the ‘Cannot synchronize address book’ error, and when expanded the full error message was ‘Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book.’

So after doing some extensive Googling, I did some troubleshooting and found that the situation was:

– There was no issue with the proxy server. I could manually enter the name of one of the address book files (e.g. https://ocs.domain.com/Abs/Ext/F-0918.lsabs) and download it through the browser.

– There was no GalContacts.db file in the ‘C:\Documents and Settings\%UserName%\Local Settings\Application Data\Microsoft\Communicator’ folder, meaning that there was no locally cached copy of the address book.

– In the registry under ‘HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS’, if I set the CertificateRevocation DWORD to 0 (which turns off certificate revocation checking for Internet Explorer, so this is a diagnostic step rather than a fix), I could successfully sign in and retrieve the address book (shown below)

Registry setting

This pointed to an issue with the certificate we were using and specifically the Certificate Revocation List (CRL). From here we needed to check the certificate we were using for OCS, look at the Details tab and check the CRL Distribution Point (shown below)

Check Certificate

I then checked this distribution point (an HTTP location in our case) and found out that it was invalid. Right, so next it was off to reconfigure our internal Certificate Authority server with the correct CRL locations.

On the Certificate Authority, we open up the MMC snap-in, right click the server name and select Properties. On the Extensions tab, select ‘CRL Distribution Point’. You then want to configure some valid locations underneath here and tick the boxes to ensure these are being included in the issued certificates. For example, in my case I ensured that there were 3 additional entries (not including the C:\Windows one):

LDAP:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
[TICK] Publish CRLs to this location
[UNTICK] Include in all CRLs… Active Directory…
[UNTICK] Include in CRLs… Delta CRL Locations…
[TICK] Include in the CDP extension of issued certificates
[TICK] Publish Delta CRLs to this location

file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
[TICK] Publish CRLs to this location
[GREYED OUT] Include in all CRLs… Active Directory…
[UNTICK] Include in CRLs… Delta CRL Locations…
[TICK] Include in the CDP extension of issued certificates
[UNTICK] Publish Delta CRLs to this location

http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
[GREYED OUT] Publish CRLs to this location
[GREYED OUT] Include in all CRLs… Active Directory…
[UNTICK] Include in CRLs… Delta CRL Locations…
[TICK] Include in the CDP extension of issued certificates
[GREYED OUT] Publish Delta CRLs to this location

Selecting OK will then restart the Certificate Services service. Then you need to recreate your OCS certificates via the OCS MMC certificate wizard. Once these have been applied to the OCS server (OCS services do NOT need to be restarted), your clients just need to sign out and back in and all of your address book issues are fixed!

If you look at your new certificate, the newly added CRL Distribution Points should be listed. You can also run ‘certutil.exe -v -verify -urlfetch c:\exported_certificate.cer’ against the exported certificate and check that the CRL locations can be reached successfully. The ‘pkiview.msc’ tool from the Windows 2003 Resource Kit was also very useful in checking that the CRL locations could be reached.
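The same reachability check done in PowerShell, as an added example that is not part of the original post: it reads the CRL Distribution Points extension out of an exported certificate and confirms that each HTTP location actually returns a DER-encoded CRL, which is what would have exposed the invalid HTTP distribution point above before clients hit it. The certificate path is a placeholder.

```powershell
# Added example: list the CDP URLs in a certificate and test the HTTP ones.
param([string]$CertPath = "C:\exported_certificate.cer")   # placeholder path

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31 is the id-ce-cRLDistributionPoints extension; without it a CRL check cannot even start.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
if (-not $cdp) { throw "No CRL Distribution Points extension in $CertPath" }

# Format($true) renders the extension one field per line, e.g. "URL=http://ca/CertEnroll/ca.crl".
# Capture everything after "URL=" to the end of the line (LDAP URLs contain spaces).
$urls = [regex]::Matches($cdp.Format($true), '(?m)URL=(.+?)\s*$') | ForEach-Object { $_.Groups[1].Value }

$web = New-Object System.Net.WebClient
foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # ldap:/// and file:// points only resolve from a domain-joined client; report, don't test.
        "{0,-5} {1}" -f "SKIP", $url
        continue
    }
    try {
        $bytes = $web.DownloadData($url)
        # A CRL is a DER SEQUENCE, so its first byte is 0x30. An HTML error page or directory
        # listing returned with HTTP 200 fails this check just as a 404 does.
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
            "{0,-5} {1} ({2} bytes)" -f "OK", $url, $bytes.Length
        } else {
            "{0,-5} {1} (response is not a DER-encoded CRL)" -f "BAD", $url
        }
    } catch {
        "{0,-5} {1} ({2})" -f "FAIL", $url, $_.Exception.Message
    }
}
```

Run it from a client on the same network as the Communicator machines, since a CDP that is only reachable from the CA itself is exactly the failure mode described above.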