TMG SP2 Hotfix Rollup 2 released!

The TMG team has released a new hotfix release:

Changelog:

download it here:

http://support.microsoft.com/kb/2689195

Server 8 Direct Access https null encryption

Server 8 Beta has a great new feature which will increase performance when using an https tunnel.
It's called https null encryption. It uses the null cipher as encryption method.

The reason this increases performance is the following:

Normally Direct Access works in the following way: (see picture 1)

• Your client will first create an https connection using encryption.
• After that it will create an IPsec connection with encryption.

Windows Server 8 Beta works in the following: (see picture 2)

• Your client (Windows 8 required) creates an https connection using null encryption.
• After that it will create an IPsec connection.

Because of the null encryption there is less overhead on the connection and it will be faster.

I used Wireshark to see the difference:

On a windows 7 client the following happens:

Figure 1 https tunnel with normal encryption

On a windows 8 consumer preview the following happens:

Figure 2 https tunnel with null encryption

My Server 8 DirectAccess Lab

My DirectAccess Lab:

This post will describe my DirectAccess lab for Windows server 8 beta.

The requirements:

• Connect using https tunnel.
• Connect using the teredo protocol (this is not used in Direct Access Server 8 Beta, more on this later.)
• Connect using the 6to4 protocol.
• Have multiple networks to simulate Nat & Direct internet connectivity.
• Being able to enable multisite.
• Having a PKI to generate certificates.
• Have fake external ip addresses.
• Being able to deploy ipv6 throughout the network (including external).
• Integrate NAP & OTP.
• Being able to demo the three deployment possibilities for DirectAccess.

I have created the following networks:

• Client NAT: This connection simulates a work from home situation. It's a private subnet with a nat router.
• Simulate Internet1: This connection is used to simulate internet. This is used for 6to4 connectivity from the client.
• Simulate Internet2: This connection is used to simulate internet. This is the subnet where the DrectAccess Server will be published.
• Domain a: This connection simulates the corporate network.
• Domain b: This connection simulates a different site at the corporate network (for multisite connectivity).

Between every network I have deployed a virtual m0n0wall installation:

Mono1 is connected to: (NAT functionality)

• Client NAT    (192.168.5.254/24)
• Simulate Internet1 (1.1.2.1/29)

Mono2 is connected to: (Routing functionality)

• Simulate internet1 (1.1.2.6/29)
• Simulate internet2 (1.1.2.9/29)

Mono3 is connected to: (Nat functionality)

• Simulate internet 2 (1.1.2.14/29)
• Domain A (172.16.1.1/24)
• Domain B (172.16.2.1/24)
• Real internet (Because I want to be able to install updates)

I made a Visio drawing to make things more clear.

The virtual machines:

I did setup the following virtual machines:

In domain A:

• Windows Server 8 beta Domain controllers. (172.16.1.1/24)
• Windows Server 8 beta Active Directory Certificate Services. (172.16.1.2/24)
• Windows Server 8 beta Direct Access. (172.16.1.3/24) (for edge deployment: 1.1.2.10/29)
• Windows 8 consumer preview client. (DHCP)

In Domain B:

• Windows Server 8 beta Domain controllers. (172.16.2.1/24)
• Windows Server 8 beta Active Directory Certificate Services (172.16.2.2/24)
• Windows Server 8 beta Direct Access (172.16.2.3/24) (for edge deployment: 1.1.2.11/29)

In the upcoming blog posts I'll describe the three deployment options of DirectAccess on Windows Server 8 Beta.

Directaccess Connectivity Assistant beta 2.0 released

Microsoft has just released the DCA 2.0 beta for Windows 7.
Windows 8 actually has the connectivity assistant built in.

The DCA 2.0 adds the following functionality:

1.   DCA 2.0 provides one-time password (OTP) authentication functionality to Windows 7 clients using Windows Server “8” Beta DirectAccess server.

2.   DCA 2.0 provides logging information about the OTP process.

The installation of DCA 2.0 beta removes older versions (1.0 or 1.5).(1.5 didn't replace 1.0 and you would end up having both versions installed).

The installation comes with new gpo templates as well.

download it here: http://www.microsoft.com/download/en/details.aspx?id=29039

Known Issues

1.   An unsuccessful installation of DCA 2.0 during an upgrade of a previously installed DCA version (1.5 and 1.0) will result in the removal of the previous DCA version as well.

2.   Restarting the computer is required after every install and uninstall on DCA 2.0. The behavior of DCA 2.0 will be unpredictable if the restart is not performed.

3.   Cancellation of a DCA 2.0 installation can result in difficulty in removal, and therefore the installation process should not be canceled once started. If the DCA 2.0 installation has been started, then complete the install, restart the computer, uninstall DCA 2.0, and restart the computer again. This will ensure that DCA 2.0 is removed cleanly.

4.   On 64-bit DirectAccess client machines the “One-time password (OTP) state” in the DCA logs shows the wrong status, and should be disregarded.

5.   The setting AdminScript is not available in the admx configuration file. It can be manually added to the DCA GPO.

Reinstalling TMG fails, cannot assign port 2171: already in use by another service.

Recently I had to fix a broken TMG install at one of our customers.

After some initial troubleshooting, I found that the OS was functional, but none of the TMG services could be started.
In an attempt to keep the time to fix as low as possible (this was a live production environment) I went to the Programs and Features and tried to repair the install.
This failed, since TMG setup could not reach the CSS server (which was running locally on the machine).
As a next step I decided to just reinstall the whole machine and restore the TMG configuration from a previously created configuration backup.

I started TMG setup again from Programs and Features and chose the "remove" option, waited for it to finish and rebooted the server. After logging in again, I decided to pop in the TMG installation media and I kicked off setup again, only to be greeted by an error saying that TMG could not create the required instance in AD LDS.

Some investigation later (A quick peek in my "Programs and Features"), it turns out TMG setup failed to remove the AD LDS instance "ISASTGCTRL", which is bound to port 2171 on the TMG server.

Unfortunately, the option to uninstall this instance was sorely lacking from my "Programs and Features" console. Still with the limited timeframe in mind (we needed a fix asap) I tried removing the instance by just removing the entire role with the server manager "Remove Roles" wizard, which of course failed with the mention that I had to remove all instances first using the "Programs and Features" console.

To recap: TMG told me that AD LDS was broken -> The remove option was missing from "Programs and Features" -> the "Remove Roles" wizard tells me to remove all instances first, using the "Programs and Features" console...

You can see where this was going.... (in a circle).

In a last ditch attempt at removing the role, without resorting to recovering the entire Windows install from scratch, I decided to try running the adamuninstall tool from commandline directly, and see if I could force the instance out of existence.
And wouldn't you know it: It worked!

I did get some error about not being able to connect to the local AD LDS tree for backups, but after skipping that message, ADAM uninstall ran like normal and the instance was gone. A quick reboot later and TMG setup ran like never before.

So, if you ever run into this error, the fix (after all normal methods have been exhausted) is to simple run "C:\Windows\ADAM\adamuninstall.exe" /i:ISASTGCTRL, press enter, skip all errors and wait for the instance to dissapear.
Quite simple, really.

TMG SP2 setup fails when upgrading ADAM.\r\n

Recently, I ran into the following issue when upgrading an EMS from SP1 Update 1 to SP2:

After completing the steps in the SP2 setup the process would hang while trying to open the Configuration Storage Server (CSS) and quit while trhowing the error mentioned above ("Setup failed to upgrade ADAM.\r\n").

As any good Windows admin normally does, I decided to check the installation logfiles (usually under %systemrootr%\Temp) to determine the cause. After examining the TMG-KB2555840-amd64-ENU_Install.log, which turned up to be rather unreadable, I opened ISAADAM_IMPORTSCHEMA_ServicePack.log and noticed the setup failed whilst trying to perform the following action on ADAM:

Loading entries
 1: CN=msFPC-Access,CN=Schema,CN=Configuration,CN={A3AD3CD8-8248-45D3-B49E-38BBAA06CE9F}
 Entry DN: CN=msFPC-Access,CN=Schema,CN=Configuration,CN={A3AD3CD8-8248-45D3-B49E-38BBAA06CE9F}
 changetype: add
 Attribute 0) adminDescription:msFPC-Access
 Attribute 1) adminDisplayName:msFPC-Access
 Attribute 2) attributeID:1.2.840.113556.1.8000.901.1.1
 Attribute 3) attributeSyntax:2.5.5.10
 Attribute 4) isSingleValued:TRUE
 Attribute 5) lDAPDisplayName:msFPCAccess
 Attribute 6) name:msFPC-Access
 Attribute 7) oMSyntax:4
 Attribute  objectCategory:CN=Attribute-Schema,CN=Schema,CN=Configuration,CN={A3AD3CD8-8248-45D3-B49E-38BBAA06CE9F}
 Attribute 9) objectClass:attributeSchema
 Attribute 10) searchFlags:0

 
With this specific error:

Add error on entry starting on line 1: Busy

The server side error is: 0x21a2 The FSMO role ownership could not be verified because its directory partition has not replicated successfully with atleast one replication partner.
 The extended server error is:

000021A2: SvcErr: DSID-030A0AF2, problem 5001 (BUSY), data 0

 
This puzzled me, as we are only running one EMS, so there shouldn't be any replication whatsoever.

Trying to solve this mystery I opened dsmgmt on the EMS and queried the AD-LDS to determine who had the roles, which turned out to be my local EMS server.

This led me to believe that there might be something wrong with the AD-LDS on this particular server, so I decided to seize the roles to try and fix this issue by overwriting the current setting regarding the naming and schema master by executing these commands:

1. At the command prompt, type: dsmgmt
2. At the dsmgmt: command prompt, type: roles
3. At the fsmo maintenance: command prompt, type: connections
4. At the server connections: command prompt, type: connect to server <FQDN>:2171
5. At the server connections: command prompt, type: quit
6. At the fsmo maintenance: command prompt, type: seize naming master
7. Click yes to confirm you wish to transfer the role
8. At the fsmo maintenance: command prompt, type: seize schema master
9. Click yes once more to transfer the role

Turns out my assumption was right, because afterwards I was able to run and succesfully complete the SP2 setup.

(This article uses parts of: http://blogs.technet.com/b/isablog/archive/2009/03/31/transferring-configuration-storage-server-fsmo-roles.aspx)