The Network Manager at Westminster School presents solutions to sticky problems...


Friday, 3 April 2009

Updates with attitude - Exchange with Forefront and VMware

We stumbled across these. I hope you can avoid the same issues.

Firstly Exchange with Forefront Security...

Symptom:
When you reboot your Exchange 2007 SP1 Hub and Edge role servers where you have Forefront for Exchange installed, you find that no mail is flowing.

Cause:
Some Forefront services do not pull themselves up in time after rebooting. Consequently, the Exchange Transport service, which relies on Forefront being up and ready for action, fails to start. A manual start of the Exchange Transport service works with no issues.

Solution:
Remember to manually start your services after rebooting! There is rumoured to be a fix for Forefront in Update Rollup 4 or SP2 or both... See here. Don't hold your breath.
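
A scripted version of the manual restart, as an added example rather than anything from the original post: it waits for the Forefront services to report Running and only then starts the transport, so mail never flows ahead of the scanner. MSExchangeTransport is the Exchange Transport service name; the Forefront service name FSCController and the timeouts are assumptions to confirm on your own server with Get-Service.

```powershell
# Added example, not from the original post.
# Sticks to cmdlets available in PowerShell 1.0, which Exchange 2007 installs.
param(
    [string[]] $ForefrontServices = @('FSCController'),   # assumed name; confirm with Get-Service
    [string]   $TransportService  = 'MSExchangeTransport',
    [int]      $TimeoutSeconds    = 300                   # assumed wait per service
)

# Poll a service until it reports Running or the timeout expires.
function Wait-ServiceRunning([string] $Name, [int] $Seconds) {
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}

# Do not touch the transport until every Forefront service is up.
foreach ($name in $ForefrontServices) {
    if (-not (Wait-ServiceRunning $name $TimeoutSeconds)) {
        Write-Warning "$name is not running after $TimeoutSeconds s; $TransportService left as it is"
        exit 1
    }
}

# Forefront is ready: start the transport if the reboot left it stopped.
$transport = Get-Service -Name $TransportService
if ($transport.Status -ne 'Running') {
    Start-Service -Name $TransportService
    if (-not (Wait-ServiceRunning $TransportService 120)) {
        Write-Warning "$TransportService did not reach Running; check the Application event log"
        exit 1
    }
}
Write-Output "$TransportService is running"
```

Run it by hand after a reboot, or from a scheduled task that triggers at system startup.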

Secondly VMware Whatsitcalled?

You may be aware that VI 3.5 update 4 has been out since the end of March. For owners of VI 2.x or 3.x (other than 3.5 in any form) there are clear instructions on how to upgrade your infrastructure. It is worth following these to the letter. However, if, like us, you were running VI 3.5, the instructions end up being anything but clear.

The first thing to note in all of this is that they have changed the names of their products. See here. VMware is now being very Microsoft-esque by sticking v next to a bunch of previously used names and calling products 'server' when in fact it is just an over-hungry application. Nevertheless, get used to vCenter Server instead of Virtual Server and vConverter... well, you get the drift.

So how to update to VI 3.5 update 4?

The first step is to download the VMware vCenter Server 2.5 Update 4 - includes Converter Enterprise (formerly VMware VirtualCenter) from the VMware download page. After doing all possible backups, run the installation and install vCenter 2.5 update 4 along with the latest version of the VI Client and Updater.

The second step is to update the ESX Hosts. This is where the documentation breaks down. I thought that the old ways of copying binaries and using boot disks were gone... Well, they are. Stop looking for esxupdate.zip; that is for VI 3.0.x. Instead, open the VIC and install and enable the updater plugin. When you scan for updates you will now see an extra dozen or so updates that you could not see previously. Once you have applied these, you will note that the build number for your ESX servers goes up to 153875. Welcome to Update 4.

The final step is now to go into each VM and update to the latest VMware tools. How do I know this is the way to go? Check out the actual update for VI 3.5 update 4. It is downloadable from the VMware Downloads site. It is simply an XML list of updates that need to be applied to make Update 4. There are no binaries with the update itself.

Happy updating!!!

Wednesday, 25 February 2009

Installing Forefront Client on Windows Server 2008

Installing Forefront Client Security seems like a daunting task on Windows Server 2008. It can be done, but with a little extra help. If, like me, you already have a WSUS server and you have fewer than 1000 clients, a two-server solution is fine. The first thing is to read through the documentation found at:

http://technet.microsoft.com/en-gb/library/bb432630.aspx

However, it does appear that the technical manual department for the Forefront team did not want to spend much time with the documentation. There is a lot of repetition and a few things that are left out or are implied. We will go through and identify these missing instructions...

The first thing to notice is that there are separate instructions for installing on Server 2008. These are specifically for the 32-bit version of Server 2008. As noted in the hardware requirements, Forefront will not work on the 64-bit version of Windows Server 2008. However, these instructions correctly state that you MUST do everything in the order listed. For your own sanity, do so, while adding the bits below:

The first missing/implied instruction is to complete the installation of .NET 1.1 SP1. To complete the installation of .NET 1.1 you have to wait until after installing IIS. After installing IIS, you need to complete the .NET 1.1 installation or the MOM components (I know, you don't have MOM) will fail and the entire installation will falter.

Step 1: Run the aspnet_regiis.exe /i command from the C:\Windows\Microsoft.NET\Framework\v1.1.4322 directory.

Step 2: Open IIS Manager. Click on the Server name. Under IIS in the main panel, open ISAPI and CGI Restrictions. Change "ASP.NET v1.1.4322" to 'allowed'.

The other is a peculiar problem with Reporting Services. You should check the following URLs to ensure that Reporting Services is installed:

http://reportservername/Reports
http://reportservername/ReportServer

If you get an error message amounting to a lack of permission on the installation account's part, then there is a way round this. This is, in fact, a UAC issue. (Please do not run to switch UAC off...) To get round this, go into the start menu and elevate IE by right clicking the IE link in the programs menu. Then go to the first URL. You now have a "Site Settings" link in the top right hand corner. Click it. Down the bottom of this page you now have a "Configure site-wide security" link. Add the installation account as a System Administrator and System User.

Checking the second URL now results in a blank directory list... Okay? You are now ready to complete the Forefront Client installation. (Remember that the installation will run elevated, so don't worry if you still get the error when running IE when not elevated.)

You may find yourself frustrated trying to run the distribution server installation on your WSUS server. SERVERSETUP.exe just seems to crash every time. If you have WSUS v3 then you are wasting your time running the installation program. The Forefront Client installation for the Distribution Server is intended to fix WSUS v2 installations so that you can poll for updates every hour. WSUS v3 does this already as installed. Consequently, you do not need to install anything on your WSUS Server. Instead, you need to change the frequency of the synchronization to anything up to each hour of the day, depending on how soon you want to receive antivirus and malware updates.
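
The synchronization frequency can also be set through the WSUS 3.0 administration API instead of the console. The script below is an added example, not part of the original post; it assumes an elevated PowerShell session on the WSUS server, and the SyncsPerDay parameter name is made up for the example.

```powershell
# Added example, not from the original post.
param([int] $SyncsPerDay = 24)    # 24 = hourly; the WSUS API accepts 1 to 24

if ($SyncsPerDay -lt 1 -or $SyncsPerDay -gt 24) {
    Write-Warning "SyncsPerDay must be between 1 and 24"
    exit 1
}

# The administration assembly is installed with the WSUS 3.0 server and console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$sub  = $wsus.GetSubscription()

Write-Output ("Before: automatic={0} syncsPerDay={1}" -f `
    $sub.SynchronizeAutomatically, $sub.NumberOfSynchronizationsPerDay)

# Switch to scheduled synchronization at the requested frequency.
$sub.SynchronizeAutomatically       = $true
$sub.NumberOfSynchronizationsPerDay = $SyncsPerDay
$sub.Save()

Write-Output ("After:  automatic={0} syncsPerDay={1}" -f `
    $sub.SynchronizeAutomatically, $sub.NumberOfSynchronizationsPerDay)

# A schedule is no use if the syncs fail: report how the last one ended.
$last = $sub.GetLastSynchronizationInfo()
Write-Output ("Last sync: started {0}, ended {1}, result {2}" -f `
    $last.StartTime, $last.EndTime, $last.Result)
if ($last.Result -ne 'Succeeded') {
    Write-Warning "Last synchronization did not succeed; definition updates may be stale"
}
```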

Oh, and one more thing. The requirements state that a 32-bit installation of Server 2008 is required for the distribution server. Seeing that you do not need to install anything on the WSUS server with v3, you can still have your 64-bit cake there and eat it...

Finally, do not forget that to be truly compatible with Windows Server 2008, you need SP1. This is obtained through Windows Update rather than a separate download. So get synchronising...

I still have some hair left.