Deploy Office 2019 via GPO

With the advent of Office 2019, Microsoft has moved away from GPO deployment via MSI. There is no MSI of Office, Visio, Project, etc. available to download anymore. Microsoft is moving toward using SCCM or the Office Deployment Tool. I was tasked with coming up with a method for deploying Office via GPO in a fully automated manner.

There may be more than one way to accomplish GPO deployment of Office, and I do not claim to have the best method. It took me quite a bit of research and troubleshooting to get this method to work. I hope it helps someone looking to accomplish the same thing I was.

First off, head over to Microsoft and download the Office Deployment Tool (ODT). Run the executable and extract the files to a directory.

Next, use the Microsoft tool for generating an XML file. Set your preferences; in my case, it was a volume license MAK copy of Visio 2019. Export the XML file and place it in the directory where you extracted the ODT.

The XML file I used to deploy Visio 2019 using a volume license looked like this:

<Configuration ID="xxxxxxxxxxxxxxxxxxxxxxx">
  <Add OfficeClientEdition="64" Channel="PerpetualVL2019" SourcePath="\\server\ODT\" AllowCdnFallback="TRUE" ForceUpgrade="TRUE">
    <Product ID="VisioPro2019Volume" PIDKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="OneDrive" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="0" />
  <Property Name="PinIconsToTaskbar" Value="TRUE" />
  <Property Name="SCLCacheOverride" Value="0" />
  <Property Name="AUTOACTIVATE" Value="TRUE" />
  <Updates Enabled="TRUE" />
  <RemoveMSI />
  <AppSettings>
    <Setup Name="Company" Value="Company" />
  </AppSettings>
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="" />
</Configuration>

Back from the Dead – Virtualizing DOA Laptops

Simple post on restoring dead laptops using virtualization.  Some people ask me: “Is there any way to bring a laptop back from the dead?” or “I dropped my laptop in the toilet and now it won't start! How do I get to my important stuff?”.   The answer is not exactly simple, but it is effective in most cases.  If you need access to the OS for some reason prior to restoring data on a new system, it may be possible to restore the laptop and boot it as a VM.

First off, you need to remove the physical hard drive from the device.  You will want the primary (boot) disk.  You may also need the secondary hard drives if you installed critical apps in non-standard locations.

Second, you need a hard-drive caddy of some sort. Something like this: http://www.newegg.com/Product/Product.aspx?Item=N82E16817270043 would work just fine.  Any enclosure will do.

Third, you need a working computer to plug the enclosure into.  This will mount the OS drive as an external drive on the chosen machine.  We need to convert this drive to a format virtualization programs will understand, the most common of which is the Virtual Hard Disk (VHD/VHDX) format.  To do this, we need a program like Disk2vhd: http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

Run Disk2vhd, check the appropriate partitions from the connected external drive.  Choose a location with enough space and name your VHD.  Un-check VHDX if you intend to use VirtualBox as the VM player.

Once the VHD is created, install a VM player.  I will be using VirtualBox in this example.

Run VirtualBox and create a new VM.  Choose the OS settings from the drop-downs.  This must match the version of the OS that was running on the old machine.  If you don’t know the exact version, one way to check is to inspect the ntoskrnl file under /Windows/System32/, look at details and find the product version number.  Reference the version number here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724832%28v=vs.85%29.aspx and here: http://www.gaijin.at/en/lstwinver.php

Select your memory amount and boot the VM.  The old OS should boot fine and install all new drivers needed.  You may need to perform some system repair, or OS repair due to driver conflicts but most of the time the boot is clean.

 

Cisco 7960G 3.x Firmware Upgrade Issues

Working on a project to bring a batch of Cisco 7960G phones online with a newer 7.1 CUCM server.  The issue is that the phones were donated, and although new in the box they were using just about every firmware version from 3.x to 8.x, SCCP and SIP.  The newer revisions were simple enough to manually upgrade via TFTP, but the 3.x revisions absolutely would not upgrade. We tried upgrading from 3.x to 5.x, 7.x, etc with no luck.  We would have liked to upgrade them from 3.1 to a newer 3.x revision, but all of those files from Cisco are packaged in an exe intended for CME.  This limited our options.  Finally found an obscure way to get around the UAL conflicts.

Workaround upgrade from 3.x to 7.x SIP then back to SCCP.

You will need the following things:

  • A switch isolated from the production network
  • A TFTP server (TFTPD32)
  • A DHCP server (either the switch or using TFTPD32)
  • Cisco P0S3-07-4-00 SIP zip from Cisco support or here: http://radiotwenterand.nl/~graver/cisco/SIP-7960/
  • Cisco 8.1(1) SCCP zip from Cisco support
  • Cisco 8.1(2) SCCP zip from Cisco support

    Exchange 2013 ECP – :-( Something Went Wrong

    Fresh deployment of Exchange 2013.  As you try to connect to the management console https://localhost/ecp/ with a valid administrator account, it redirects to OWA and responds with “:-( Something Went Wrong, A problem occurred when trying to use your mailbox.”

    This seems to be related to left over Exchange attributes in Active Directory.  I tried everything from a multitude of TechNet articles including the following:

  • Rebuilding the ECP front end and back end (Reference)
  • Adding appropriate permissions to the administrator account
  • Connecting directly to the back end by using port 444
  • Messing with certificates (Reference)
  • Many articles mentioned having CAS and MBX roles installed, but these were installed on the same machine at the same time
  • Manually creating the administrator mailbox using the exchange shell

    Exchange 2013 Schema Prep – ADC Found

    Installing a new Exchange 2013 deployment on an existing domain with questionable history.  The existing domain had an untold number of previous Exchange deployments with remnants scattered throughout Active Directory.  After using ADSI edit to manually remove all instances of the old Exchange servers, running a schema prep runs into an error about an existing Active Directory Connector.  Microsoft suggests (TechNet) disabling the ADC service on the running computer, then uninstalling the service using the Exchange server installation CD.  In this situation of course the detected ADC was probably on a computer that was long ago trashed or removed.

    Lots of websites describe the method for removing ADCs from AD using ADSIedit.

    (Reference)

    (Reference)

    Open ADSIedit
    Expand Configuration –> Services –> Microsoft Exchange –> Active Directory Connections
    Delete ADC under Active Directory Connections
    Replicate changes to all Domain Controllers

    Running the Schema prep another time results in the same error:

    After some digging we found the rogue connector buried in Active Directory Sites and Services.

    Open the sites and services mmc and look for any machines that aren’t active servers.  Delete anything that doesn’t belong and run the tool again.  It should finish successfully.

    Polycom RMX 2000 and Lync 2010

    Continuing from my previous post on integrating an existing Polycom system with Microsoft Lync 2010, I will run down the process for integrating a Polycom RMX bridge.  The process is much more difficult than integrating the Polycom endpoints as it requires creating a trusted application within the Lync server, running some shell commands, generating certificates and RMX configuration changes.  Once the integration is complete you can create SIP enabled meeting rooms accessible by Lync users and Polycom endpoints alike.

    1. DNS – Making sure the Lync server can contact the RMX by name

    Head over to the RMX admin console, under rarely used, find IP Network services.  Go to the properties of the management network, and click the DNS tab.  Fill in the name, domain, and DNS server fields.

    When the setting is changed, the RMX will need to reboot.  Unfortunately you will be rebooting the RMX a LOT throughout this process.

    Next we head over to your DNS server and create a static DNS record in the primary domain lookup zone, and the primary SIP domain lookup zone (these may be the same depending on your Lync deployment).  Create an A record using the name you chose in the previous step, that points to the signaling IP of the RMX (not the management IP).

    I will have created a record for domain.local and domain.org (SIP domain).  You will want to test your DNS settings using nslookup and by pinging the FQDN of the RMX from the Lync 2010 server.

    2. Creating a trusted application pool on the Lync server

    Head over to the Lync 2010 server and fire up the topology builder.  We want to create a trusted application pool for the RMX.  Polycom and Microsoft recommend using a pool as best practice to allow for future expansion.  If you add another RMX in the future, users can simply dial the pool name.  Expand the trusted application pool tree, and choose new application pool.

    Choose a pool name  (this does not have to resolve in DNS, and is for organization and dialing purposes within Lync only).  Make sure to select multiple computer pool even if you only have one device at this time.

    Next you need to define the computers in the pool, in this case you want to use the FQDN of your RMX bridge.

    Publish the topology once you are done configuring the pool.  Note that you will get an error about the RMX not being a domain member.  You can ignore this.  Open up the Lync 2010 console and check your topology tab.  Make sure the new computer and pool are listed.  You will see a red X on replication (this is normal).

    Now we need to run some shell commands to make RMX a trusted host.

    $route=New-CsStaticRoute -TLSRoute -Destination "th-rmx.domain.local" -port 5061 -matchuri "polycom.domain.org" -UseDefaultCertificate $true

    Destination = The RMX computer

    MatchURI = The pool name

    Now we need to SET the route we just added:
    Set-CsStaticRoutingConfiguration -Identity global -Route @{Add=$route}

    Next we need to create the trusted application:

    New-CsTrustedApplication -ApplicationId polycom

    Polycom HDX 7/8000 and Lync 2010

    Recently I have been working on integrating an existing Polycom video conferencing system with a new Lync 2010 deployment.  As it turns out the newer software releases for Polycom have made great progress towards making the integration of Polycom systems with Lync easier.  I say easier, because it still isn’t exactly easy.  There are many cool features of integrating Polycom and Lync.  By using a Polycom RMX, one can have continuous presence using the meeting room format.  This is something that was sadly left out of Lync 2010.  As most people who have used Lync 2010 will tell you, it doesn’t do a very good job of switching between active speakers.

    Integrating Polycom HDX 7000 and 8000 endpoints is VERY straightforward.  The only problem is if you don’t have multipoint licenses you can only have a one-to-one call with a Polycom endpoint.  Hence the reason for an RMX.

    Requirements for integrating an HDX 7000/8000 with Lync 2010:

    First off you will need a valid user account in Active Directory for each HDX endpoint.  As an example, we are creating a user called “Polycom LA”, for our Los Angeles HDX 7000.  We will use polycomla@domain.local as the logon name.  Make sure password never expires and user cannot change password fields are checked. When this user is created, it will automatically be assigned a logon name in our valid SIP domain of @domain.org.

    For further organization we use Active Directory groups to organize Lync users.  Later, we push these groups to the contact lists of Lync users with PowerShell.  For this example we are creating a universal security group called “wgrp-polycom”.

    Now we need to activate this new AD user on our Lync front end server.  Using the Lync Server Management Shell:

    PS C:\>Enable-CsUser -Identity "Polycom LA" -RegistrarPool lync01.domain.local -SipAddressType SamAccountName -Sipdomain domain.org

    Just for the heck of it, and to allow easy visual identification of the Lync user as an actual Polycom system and not a human being, we add an AD image of a Polycom camera.  This corporate image will trickle down to Lync and make it look really slick.  You can use any free AD image attribute editor for this.

    Finally, we need to configure the HDX with a SIP connection to the Lync 2010 server.  The thing to note here is the difference between User Name and Domain User Name.  The User Name field should contain the username for the primary SIP domain “polycomla@domain.org”, and the Domain User Name should be the AD logon account polycomla@domain.local.

    Now we can test the Polycom configuration by heading to the global directory and searching for a user.  If the integration with Lync 2010 is working correctly you should be able to find any active Lync users and call them directly.  You should also be able to find other Polycom units if they were Lync enabled.  Pretty cool huh?

    You can check the status of the registration with Lync on the unit itself or through the web interface, and the registrar server should have a green up arrow.

    In my next post I will be going over the integration of an RMX 2000, including the issues I ran into with the RMX being unable to contact the Lync SIP server.

    Cisco StackPower – Port Issues

    I have recently been battling with Cisco Stackpower issues and commands that have been difficult to find. In one environment the company uses 3750X series switches exclusively in large stacks to avoid a spending cap on single items. Instead of buying blade switches we stack 24 port gig PoE 3750X switches. As an added benefit, with Stackpower we can make the switches redundant without buying additional power supplies. They will also distribute power if PoE devices are unevenly distributed to one switch or the other. Unfortunately when configuring Stackpower, not all ports are active at first, and sometimes the power sharing mode may be configured as something other than “sharing” by default.

    A good overview for Cisco’s Stackpower can be found here: Cisco Stackpower Whitepaper

    First off we have a stack of eight 3750X switches. Obviously Stackpower in a redundant ring topology limits you to four switches on each power stack. You will want to issue a few show commands to see what is going on with Stackpower and the power supplies:

    switch#show env power all

    This show command should give you an overview of the installed power supplies and switch numbers.

    switch#show stack-power

    sj-sw2-01#sh stack-power
    Power stack name: Powerstack-1
    Stack mode: Power sharing
    Switch 1:
    Power budget: 719
    Low port priority value: 19
    High port priority value: 10
    Switch priority value: 1
    Port 1 status: Shut
    Port 2 status: Not Connected
    Neighbor on port 1: 0000.0000.0000
    Neighbor on port 2: 0000.0000.0000

    Two things to note here.  A “shut” status means that the stackpower port is administratively down, while “not connected” means there is a physical problem with the Stackpower cables.

    This is where things get tricky.  Documentation will tell you to enable the ports using the following command in exec mode:

    switch#stack-power switch 1 port 1 enable

    Seems like that would make sense, except when checking again:

    switch#show stack-power

    Power stack name: Powerstack-1
    Stack mode: Power sharing
    Switch 1:
    Power budget: 719
    Low port priority value: 19
    High port priority value: 10
    Switch priority value: 1
    Port 1 status: Shut
    Port 2 status: Connected
    Neighbor on port 1: 0000.0000.0000
    Neighbor on port 2: e05f.b90a.9c80

    The cure for this behavior is to issue a disable then an enable.

    switch#stack-power switch 1 port 1 disable

    switch#stack-power switch 1 port 1 enable

    switch#show stack-power

    Power stack name: Powerstack-1
    Stack mode: Power sharing
    Switch 1:
    Power budget: 719
    Low port priority value: 19
    High port priority value: 10
    Switch priority value: 1
    Port 1 status: Connected
    Port 2 status: Connected
    Neighbor on port 1: c471.fe62.2680
    Neighbor on port 2: e05f.b90a.9c80
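
A check for the port states described above, as an added example that is not part of the original post: it parses "show stack-power" output in the format shown here and reports shut or unconnected ports and a stack mode other than power sharing. The sample text is constructed from the post's outputs, and treating power sharing as the intended mode is an assumption.

```python
import re

# Constructed sample in the format of the post's "show stack-power" output:
# Switch 1 is the post's first (broken) state, Switch 2 its final (healthy) state.
SAMPLE = """\
Power stack name: Powerstack-1
Stack mode: Power sharing
Switch 1:
Power budget: 719
Port 1 status: Shut
Port 2 status: Not Connected
Neighbor on port 1: 0000.0000.0000
Neighbor on port 2: 0000.0000.0000
Switch 2:
Port 1 status: Connected
Port 2 status: Connected
Neighbor on port 1: c471.fe62.2680
Neighbor on port 2: e05f.b90a.9c80
"""
NO_NEIGHBOR = "0000.0000.0000"

def parse_stack_power(text):
    """Parse the output into {'stack', 'mode', 'switches': {n: {'ports', 'neighbors'}}}."""
    result = {"stack": None, "mode": None, "switches": {}}
    current = None  # per-switch dict that port and neighbor lines are filed under
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"Power stack name:\s*(\S+)", line):
            result["stack"] = m.group(1)
        elif m := re.fullmatch(r"Stack mode:\s*(.+)", line):
            result["mode"] = m.group(1)
        elif m := re.fullmatch(r"Switch (\d+):", line):
            current = result["switches"].setdefault(
                int(m.group(1)), {"ports": {}, "neighbors": {}})
        elif current is not None and (m := re.fullmatch(r"Port (\d+) status:\s*(.+)", line)):
            current["ports"][int(m.group(1))] = m.group(2)
        elif current is not None and (m := re.fullmatch(r"Neighbor on port (\d+):\s*(\S+)", line)):
            current["neighbors"][int(m.group(1))] = m.group(2)
    return result

def findings(parsed):
    """Return one message per StackPower problem, using the post's status meanings."""
    out = []
    if (parsed["mode"] or "").lower() != "power sharing":  # assumed intended mode
        out.append(f"stack mode is {parsed['mode']!r}, not power sharing")
    for sw, data in sorted(parsed["switches"].items()):
        for port, status in sorted(data["ports"].items()):
            if status.lower() == "shut":
                out.append(f"switch {sw} port {port}: shut, disable then enable it")
            elif status.lower() == "not connected":
                out.append(f"switch {sw} port {port}: not connected, check the cable")
            elif data["neighbors"].get(port, NO_NEIGHBOR) == NO_NEIGHBOR:
                out.append(f"switch {sw} port {port}: connected but no neighbor")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_stack_power(SAMPLE))))
```
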

    Once you have all of the stack-power ports enabled, the next step is to place them in stack power groups (if they didn’t automatically assign).  Remember that when changing group membership, the entire stack must be reloaded.

    switch(config)#stack-power stack Powerstack-1
    switch(config-stackpower)#exit
    switch(config)#stack-power switch 1
    switch(config-switch-stackpower)#stack Powerstack-1

    Repeat the command for each switch in the stack.  You can change the power sharing mode, and add priorities based on the needs of your environment.