DON'T REINVENT THE COW

This is a place for Systems Administrators and IT Professionals to find and share ideas, solutions and templates. If you have something that helps you solve a problem, chances are it will help someone else too. So pay it forward and send an email to TheAgreeableCow at gmail. Full kudos to you!

Sunday 18 August 2013

Creating SSL certificates for Exchange 2010 Edge servers

I recently moved from an on-premises email security gateway to a cloud service. As part of that, I had to set up some new Exchange Edge roles and install SSL certificates on them to provide TLS encryption. As the Edge role has only a limited GUI, all of this needs to be done via PowerShell. Here is a quick, high-level overview of the steps taken.

Generate Cert Request
    # Request a certificate with an exportable private key, so the same cert can later be copied to the second Edge server
    $data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=AU, o=IT Dept, cn=mail.mydomain.com.au" -PrivateKeyExportable $true
    Set-Content -Path "c:\Temp\mailcert.req" -Value $data

Submit Request to CA
  • The common name should be the public name, e.g.
    • mail.mydomain.com.au
  • Add the actual server names as additional Subject Alternative Names (SANs), e.g.
    • exchedge1.mydomain.com.au
    • exchedge2.mydomain.com.au

Complete Certificate Request
    # Read the signed .cer returned by the CA as raw bytes and import it into the local certificate store
    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Temp\mail_mydomain_com_au.cer -Encoding Byte -ReadCount 0))

Note the thumbprint that is shown when successfully imported.

Assign the certificate to SMTP service
    # Bind the imported certificate (identified by its thumbprint) to the SMTP service so it is used for TLS
    Get-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD | Enable-ExchangeCertificate -Services SMTP

Update the intermediate Certs

  • Download and run the DigiCert Certificate Utility (https://www.digicert.com/util/) on the Edge server.
  • "Repair" the certificate if the utility shows any missing or misplaced intermediate certificates.

Export the certificate (and repeat import on second server)
    # Export the certificate together with its private key as a password-protected PFX
    $file = Export-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD -BinaryEncoded:$true -Password (Get-Credential).password
    Set-Content -Path "c:\Temp\mailcert.pfx" -Value $file.FileData -Encoding Byte
    # On the second Edge server: import the PFX (using the same password) and bind it to SMTP
    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Temp\mailcert.pfx -Encoding Byte -ReadCount 0)) -Password (Get-Credential).password
    Get-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD | Enable-ExchangeCertificate -Services SMTP

Update the intermediate certificates via the DigiCert Certificate Utility as above.

Complete a synchronisation cycle (on an internal Hub Transport server)
    # Run an EdgeSync cycle from the Hub Transport side
    Start-EdgeSynchronization
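The steps above as one reusable script, with a verification function that confirms the certificate actually bound to SMTP carries the required names, has a valid chain and is not about to expire. This is an added example, not the post's own commands: it runs in the Exchange Management Shell on an Edge server, the host names and paths are placeholders, and it assumes the Exchange 2010 cmdlets and properties it uses (New-ExchangeCertificate -DomainName, the object returned by Import-ExchangeCertificate, and the Status, CertificateDomains, Services and NotAfter properties of Get-ExchangeCertificate). It differs from the post in two small ways: the SANs are placed in the request itself instead of being typed into the CA form, and the PFX password is read once and reused rather than prompted for at each step.

```powershell
# Added example (not the post's commands). Run in the Exchange Management Shell on the Edge server.
# All names and paths below are placeholders for your own environment.
$PublicName  = 'mail.mydomain.com.au'
$ServerNames = 'exchedge1.mydomain.com.au', 'exchedge2.mydomain.com.au'
$RequestPath = 'C:\Temp\mailcert.req'
$PfxPath     = 'C:\Temp\mailcert.pfx'

function New-EdgeCertRequest {
    # -DomainName writes the public name and the server names into the CSR as SANs,
    # so nothing has to be added by hand in the CA's request form
    $req = New-ExchangeCertificate -GenerateRequest `
        -SubjectName "c=AU, o=IT Dept, cn=$PublicName" `
        -DomainName (@($PublicName) + $ServerNames) `
        -KeySize 2048 -PrivateKeyExportable $true
    Set-Content -Path $RequestPath -Value $req
}

function Import-SignedEdgeCert {
    param([string]$CerPath)
    # Import-ExchangeCertificate returns the certificate object, so the thumbprint never has to be retyped
    $cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))
    $cert | Enable-ExchangeCertificate -Services SMTP
    return $cert.Thumbprint
}

function Export-EdgeCertPfx {
    param([string]$Thumbprint)
    # Prompt for the PFX password once and keep it as a SecureString for the import on the second server
    $pw   = Read-Host 'PFX password' -AsSecureString
    $file = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded:$true -Password $pw
    Set-Content -Path $PfxPath -Value $file.FileData -Encoding Byte
    return $pw
}

function Import-EdgeCertPfx {
    # On the second Edge server: import the PFX, bind it to SMTP, then delete the file that holds the private key
    param([string]$Path, [System.Security.SecureString]$Password)
    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $Path -Encoding Byte -ReadCount 0)) -Password $Password |
        Enable-ExchangeCertificate -Services SMTP
    Remove-Item -Path $Path -Force
}

function Test-EdgeSmtpCertificate {
    # Returns a list of problems found on the certificate(s) bound to SMTP; an empty list means every check passed
    param([string[]]$RequiredNames, [int]$MinDaysValid = 30)
    $problems = @()
    $certs = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'SMTP' }
    if (-not $certs) { return ,@('no certificate is enabled for the SMTP service') }
    foreach ($c in $certs) {
        $names = @($c.CertificateDomains | ForEach-Object { $_.ToString() })
        foreach ($n in $RequiredNames) {
            if ($names -notcontains $n) { $problems += "$($c.Thumbprint): certificate does not cover $n" }
        }
        # Status other than Valid usually means a chain problem, e.g. a missing intermediate certificate
        if ($c.Status -ne 'Valid') { $problems += "$($c.Thumbprint): status is $($c.Status)" }
        if ($c.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) { $problems += "$($c.Thumbprint): expires $($c.NotAfter)" }
    }
    return $problems
}

# Typical sequence (first server, then second server):
#   New-EdgeCertRequest                                   # submit C:\Temp\mailcert.req to the CA
#   $t  = Import-SignedEdgeCert 'C:\Temp\mail_mydomain_com_au.cer'
#   Test-EdgeSmtpCertificate -RequiredNames (@($PublicName) + $ServerNames)
#   $pw = Export-EdgeCertPfx $t                           # copy C:\Temp\mailcert.pfx to the second Edge server
#   Import-EdgeCertPfx -Path $PfxPath -Password $pw       # on the second server, then run the test there too
```

Run Test-EdgeSmtpCertificate on both Edge servers after the import and again after the intermediate-certificate repair; a non-empty result on either server is the thing to fix before trusting the TLS setup. The PFX file is removed as soon as it has been imported because it contains the private key, and the SecureString is only ever held in the shell session.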

 Cheers,
         (__)
         (oo)  ok
   /------\/  /
  / |    ||
 *  /\---/\
    ^^   ^^


Wednesday 7 August 2013

Automatically re-size and import photos into Active Directory with Powershell

This script is a great example of how IT can hand responsibility for one of those trivial admin jobs back to a non-IT department. You know the scenario: Marketing or HR get all of the staff photos together and send them to IT for posting to Active Directory, where a bunch of systems such as Outlook, Lync or a SharePoint corporate directory pick them up. Every time a photo changes, it's yet another request into IT. Well, if you implement this script, you'll never have to worry about manually re-sizing and importing these photos again!

In summary, the script bulk imports photos into AD, selecting them from a network share based on their age. It even re-sizes the photos on the fly according to Microsoft's recommendations, while keeping the original proportions. The cool thing is that you can launch it from a scheduled task, so all someone has to do is save any new photos to the nominated location and they will get imported automatically.

During the import process the photos are checked against valid users in AD, so they need to be named in the format username.jpg. Everything is logged, and if this check fails the photo is added to the user-friendly email output, which can again become someone else's responsibility to receive and action. IT can of course be CC'd on this and step in as necessary.

The syntax to use is as follows:

    Set-ADPhotos SourcePath Days

For example:

    .\Set-ADPhotos '\\Server1\sharename' 1

The 'Source Path' can be any local folder or network share that's accessible. The photos are then copied down to a local working path for the actual import. Both the original photo (if one exists) and the new photo are date stamped and backed up. So if you have to restore a photo, you can simply place a copy (as username.jpg) back into the working directory and do a manual run without having to wait for the next schedule.

The 'Days' parameter is used to filter the import of photos based on the modified date. So, for example, '1' will only import photos modified in the last day. Assuming you run this as a scheduled task, it's important to match the schedule with the number of days entered.

Finally, if you're a Lync shop, the script can trigger an update of the Address Book which gets the photos out to the clients pretty quickly.

Here's the full script, or download it from GitHub.
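The post's own Set-ADPhotos script is not reproduced on this page, so the following is an added example that reconstructs only the behaviour described above (source path and days filter, username.jpg checked against AD, proportional re-size, date-stamped backups, a log, and a list of failures for the email), written independently of the author's script. It assumes the ActiveDirectory PowerShell module (RSAT) and .NET System.Drawing are available; the 96x96 pixel target and 100 KB ceiling for thumbnailPhoto are the commonly cited Outlook/Exchange figures and are parameters here, as are the working and backup paths.

```powershell
# Added example, not the post's Set-ADPhotos script. Requires the ActiveDirectory module and System.Drawing.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Drawing

function Resize-PhotoBytes {
    # Shrink the image so that it fits inside MaxSide x MaxSide, keeping the original proportions, and return JPEG bytes
    param([string]$Path, [int]$MaxSide = 96)
    $img = [System.Drawing.Image]::FromFile($Path)
    try {
        $ratio = [Math]::Min($MaxSide / $img.Width, $MaxSide / $img.Height)
        if ($ratio -gt 1) { $ratio = 1 }                       # never upscale a small photo
        $w = [int][Math]::Max(1, [Math]::Round($img.Width  * $ratio))
        $h = [int][Math]::Max(1, [Math]::Round($img.Height * $ratio))
        $bmp = New-Object System.Drawing.Bitmap $w, $h
        $g   = [System.Drawing.Graphics]::FromImage($bmp)
        $g.InterpolationMode = [System.Drawing.Drawing2D.InterpolationMode]::HighQualityBicubic
        $g.DrawImage($img, 0, 0, $w, $h)
        $ms = New-Object System.IO.MemoryStream
        $bmp.Save($ms, [System.Drawing.Imaging.ImageFormat]::Jpeg)
        $g.Dispose(); $bmp.Dispose()
        return $ms.ToArray()
    } finally {
        $img.Dispose()
    }
}

function Set-ADPhotosExample {
    param(
        [Parameter(Mandatory = $true)][string]$SourcePath,
        [Parameter(Mandatory = $true)][int]$Days,
        [string]$WorkPath   = 'C:\ADPhotos\work',      # assumed local working folder
        [string]$BackupPath = 'C:\ADPhotos\backup',    # assumed backup folder
        [int]$MaxBytes      = 100KB                    # thumbnailPhoto size ceiling
    )
    $failures = @()
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log      = Join-Path $WorkPath 'import.log'
    New-Item -ItemType Directory -Path $WorkPath, $BackupPath -Force | Out-Null

    # Only photos modified within the last $Days days are picked up, matching the scheduled-task interval
    $cutoff = (Get-Date).AddDays(-$Days)
    $files  = Get-ChildItem -Path $SourcePath -Filter *.jpg | Where-Object { $_.LastWriteTime -ge $cutoff }

    foreach ($f in $files) {
        $name = $f.BaseName
        # The file name is untrusted input from a shared folder: accept only plausible account-name characters
        # before it goes anywhere near an LDAP filter
        if ($name -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            $failures += "$($f.Name): file name is not a valid account name"; continue
        }
        $user = Get-ADUser -LDAPFilter "(sAMAccountName=$name)" -Properties thumbnailPhoto
        if (-not $user) { $failures += "$($f.Name): no matching user in Active Directory"; continue }

        # Copy to the working folder, and back up both the current AD photo (if any) and the incoming file
        $work = Join-Path $WorkPath $f.Name
        Copy-Item -Path $f.FullName -Destination $work -Force
        if ($user.thumbnailPhoto) {
            [System.IO.File]::WriteAllBytes((Join-Path $BackupPath "$name-$stamp-old.jpg"), [byte[]]$user.thumbnailPhoto)
        }
        Copy-Item -Path $f.FullName -Destination (Join-Path $BackupPath "$name-$stamp-new.jpg") -Force

        try {
            $bytes = Resize-PhotoBytes -Path $work
            if ($bytes.Length -gt $MaxBytes) { throw "resized photo is $($bytes.Length) bytes, over the $MaxBytes byte limit" }
            Set-ADUser -Identity $user -Replace @{ thumbnailPhoto = $bytes }
            Add-Content -Path $log -Value "$(Get-Date -Format s) OK $name ($($bytes.Length) bytes)"
        } catch {
            $failures += "$($f.Name): $($_.Exception.Message)"
            Add-Content -Path $log -Value "$(Get-Date -Format s) FAIL $name $($_.Exception.Message)"
        }
    }
    return $failures   # this list becomes the body of the friendly email to HR/Marketing
}
```

From a scheduled task you would call Set-ADPhotosExample -SourcePath '\\Server1\sharename' -Days 1, mail the returned list with Send-MailMessage, and, in a Lync shop, follow up with Update-CsAddressBook so the new photos reach clients quickly. The regex check before the LDAP query is the part worth keeping even if you rewrite the rest: a file name from a share written by non-IT staff should never be dropped into a directory query verbatim.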

 Cheers,
         (__)
         (oo)  ok
   /------\/  /
  / |    ||
 *  /\---/\
    ^^   ^^