Channel: Living the IT Life

Libraries in Windows 7

Although this Windows 7 feature is very handy for accessing your files easily, there are some downsides to it when deploying it in your organization.

  1. If you use the Library feature in Windows 7 on remote files/folders, it requires indexing on the file server, which is only supported on Windows Server 2008 (R2) or on Windows Server 2003 with Desktop Search 4.0. This is because the Library feature needs an indexed source folder in order to know where your files are located. Having your Windows 7 client do the indexing instead would require 24x7 access to these folders, and that's usually not the case. What you can do to make it work is to enable offline folder synchronization on the share you need to access. This creates an offline copy of the share on the Windows 7 client, so that the client can index the folder itself. Unfortunately this means periodic replication to the share on your NAS device. In my understanding I have never seen a third-party NAS device with CIFS sharing that can index your files/folders in a way Windows understands.

  2. The Library feature cannot be deployed via a GPO. This makes central management of Libraries in Windows 7 hard. The philosophy behind Libraries, I think, is that it's a user feature: if users know the advantages of properly set up libraries, they will need to create and manage them on their own.


Creating an SSL certificate for Outlook Web Access via the Shell

To use OWA, it is recommended to use a commercial SSL certificate with mobile support. The CSR created in the following steps can be used when requesting the certificate from any SSL supplier, for example www.sslcertificaat.nl. There a Comodo Mobile SSL Certificate is subsequently chosen.



  1. Generate a new Certificate Request (CSR) via the Exchange Management Shell with the following command line:


New-ExchangeCertificate -GenerateRequest -Path c:\webmail.req -SubjectName "c=NL, o=<klantnaam>, cn=<publicdomainname>" -DomainName <publicdomainname> -PrivateKeyExportable $true

Explanation of the variables:

Path = the path to which the request file is written
C = country of origin
O = name of the organisation as registered with the Chamber of Commerce (KvK; check www.kvk.nl for the registered trade name); <klantnaam> is the customer name
CN = the public fully qualified domain name on which OWA is offered
DomainName = the public fully qualified domain name on which OWA is offered


  2. Request a Comodo MobileSSL certificate for 3 years at www.sslcertificaat.nl;

  3. Install the extra certificates for the Trusted Root and Intermediate Root in the certificate store on the Exchange Server;

  4. Copy the SSL certificate delivered by e-mail to d:\install\ssl on the Exchange Server and import it in the Exchange Management Shell with the command line:


Import-ExchangeCertificate -Path <d:\install\ssl\filename.crt>

Note: If Exchange 2007 is installed on a Windows Server 2008 machine, the SSL certificate must be imported as administrator. You can do this by right-clicking the Exchange Console and choosing "Run as administrator".

  5. Make the certificate usable for OWA and possibly also SMTP:


Enable-ExchangeCertificate -Services "SMTP, IIS" -Thumbprint <thumbprint of the SSL certificate>

(The thumbprint can be retrieved with the command Get-ExchangeCertificate.)

  6. Export the SSL certificate for OWA with its private key on the Exchange Server.
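Steps 4 to 6 above as one script for the Exchange 2007 Management Shell, added here as an example and not part of the original post. The file paths, the public name and the PFX password prompt are assumptions; the checks between import and enable are the ones that catch the usual mistakes (wrong server, wrong name, missing chain).

```powershell
# Added example (not from the original post): import, verify, enable and back up
# the issued OWA certificate. Paths and the public name are assumed values.
$certFile   = "d:\install\ssl\webmail.crt"        # file delivered by the CA (assumed name)
$publicName = "webmail.example.com"               # CN / -DomainName used in the request (assumed)
$pfxFile    = "d:\install\ssl\webmail-backup.pfx" # backup location (assumed)

# Step 4: import the issued certificate. The cmdlet returns the imported
# certificate object, so its thumbprint is available without a second lookup.
$cert = Import-ExchangeCertificate -Path $certFile

# The certificate must have a private key (otherwise the CSR was generated on another
# machine), must be issued for the public name, and its chain must validate, which is
# what installing the root/intermediate certificates in step 3 provides.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import it on the server that generated the CSR."
}
if ($cert.CertificateDomains -notcontains $publicName) {
    throw "Certificate is not issued for $publicName but for: $($cert.CertificateDomains -join ', ')"
}
if ($cert.Status -ne "Valid") {
    throw "Certificate status is '$($cert.Status)'; install the CA's root/intermediate certificates first."
}

# Step 5: bind the certificate to IIS (OWA/ActiveSync/Autodiscover) and to SMTP (TLS).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "SMTP, IIS"

# Step 6: export certificate plus private key to a password-protected PFX for backup.
# The PFX is the server's identity: store the file and the password separately.
$pfxPassword = Read-Host "PFX export password" -AsSecureString
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxFile -Value $export.FileData -Encoding Byte

# Show what is now bound, so the result can be checked against the request.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
```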
Creating a wildcard webserver certificate with your internal CA

It is possible to create a wildcard web server certificate using your internal Enterprise CA based on Windows Server 2008 R2. To do this you need to have an Enterprise CA with the Web Server template deployed.

The question you'll probably ask yourself is "Why do I need this?". Well, the answer is simple. You probably don't want to use this certificate in a production environment, but you can use it for testing purposes without having to buy an expensive commercial wildcard certificate. Especially when the test results end up making you decide that a wildcard certificate is not the way to go.



This type of certificate is also very useful in a Microsoft Exchange Server 2010 environment, when you are publishing Outlook Web App and/or ActiveSync with an application firewall such as Microsoft Forefront Unified Access Gateway (discussed in a later article) or Microsoft Forefront Threat Management Gateway (TMG).

Since Microsoft Exchange Server 2010 needs a certificate with multiple subject names for technologies like AutoDiscover, Outlook Anywhere, Outlook Web App and co-existence scenarios between Exchange Server 2003 and Exchange 2010 (the legacy scenario), using a wildcard certificate eliminates the need to create multiple virtual directories (with IP addresses) and certificates with multiple subject names.

During this process we are going to create a custom certificate request and process the request on the internal CA web enrollment pages. This article will guide you through the process.

  • First you will need to log on to a Windows 7 or Windows Server 2008 R2 domain member machine;

  • Now open the certificates mmc snap-in using mmc.exe.


Note: When adding the snap-in it doesn't matter which account you select, because it's only used for the creation of the request. It's recommended to use the mmc snap-in on the machine where you are going to use the certificate, and to process the request under the local computer account. This will make it easier for you to import the certificate at a later stage.

  • Next expand Certificates > Personal, right click on Certificates and choose All Tasks > Advanced Operations > Create Custom Request;




  • In the Certificate Enrollment Wizard click Next on the Before you Begin page;

  • In the Select Certificate Enrollment Policy page, choose Custom Request > Proceed without enrollment policy and click Next;

  • In the Custom Request page the template (No template) CNG key is selected. Change this to (No template) Legacy key and click Next. (You can leave the Suppress default extensions checkbox empty and the Request format at PKCS #10);

  • In the Certificate Information page click on Details on the right side next to Custom Request to fold it down, and click on the Properties button;

  • In the General tab fill in a Friendly name for the certificate and a Description of the purpose of the certificate. This information is visible when you are viewing a certificate. You can fill in whatever you like, although it's recommended to use recognizable information such as *.contoso.com;

  • In the Subject tab you will need to fill in the following information under Subject name. The following table shows you the Type and Values you will need to fill in. (These values are examples.)

Type                | Value         | Description
--------------------|---------------|--------------------------------------------------------------
Common Name         | *.contoso.com | The name of the certificate. This field is used to identify the certificate. Adding the * before the domain name indicates a wildcard certificate for that domain. You cannot use this when you are using sub-domains; when you are using sub-domains you will need to create a wildcard certificate for that domain.
Organizational Unit | IT            | The name of the OU. In most cases this is the IT department.
Organization        | Contoso Corp. | The name of the organization the certificate is for. When you are going to request a commercial certificate the information needs to be the same as registered at the Chamber of Commerce, since most certification authorities cross-check this information.
Location            | Seattle       | The registered location of the organization. Check your Chamber of Commerce.
State               | WA            | The state of your organization.
Country             | US            | The country of your organization.


  • In the Extensions tab select:

    • Under Key usage select the options Digital Signature and Key encipherment. Deselect the option Make these key usages critical.

    • Under Extended Key Usage (application policies) select the option Document Signing;



  • In the Private Key tab select:

    • Under Key options select the Key size (depending on how secure you want the encryption; the default in Microsoft environments is a key size of 2048). Because you want to be able to export the certificate for backup purposes, select the option Make private key exportable. Leave the other options cleared.

    • Under Key type change the value to Exchange.



  • After you have filled in all information click OK;

  • Back in the Certificate Information page click Next;

  • Now fill in the path and filename where to save the certificate request file (it's recommended to save the file with the extension *.txt because you need to copy the information in the file with a text editor such as Notepad), leave the file format at Base64 and click Finish;

  • Now the request is created. Browse with Explorer to the file and open it with your default text editor;

  • Select all information in there and copy it;

  • Open a new browser session (preferably Internet Explorer) and browse to your Certification Authority web enrollment pages (example: https://server1.contoso.com/certsrv);

  • On the page click on the task Request a Certificate;

  • Click on the task advanced certificate request;

  • Click on the task Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file;

  • Paste the copied information in the Saved Request field;

  • Under Certificate Template select Web Server and click Submit;

  • In the next screen download the certificate. (If you are going to use the certificate on a domain machine you don't need to download the certificate chain, because the CA is already in the Trusted Root Certification Authorities store.)


The certificate is now ready to use.
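The same custom request built with certreq.exe instead of the MMC wizard, added here as an example that is not part of the original article, so the request can be scripted and repeated. The CA config string, the output paths and the subject values are assumptions. One deliberate difference from the wizard walkthrough: the Web Server template issues the Server Authentication EKU (1.3.6.1.5.5.7.3.1), which is what a TLS client checks, so that OID is requested here instead of Document Signing.

```powershell
# Added example (not from the original article): wildcard web server request via certreq.
$caConfig = "server1.contoso.com\Contoso Issuing CA"   # <CA host>\<CA name>, see certutil -dump (assumed)
$workDir  = "C:\certs"                                  # assumed working directory
$infFile  = Join-Path $workDir "wildcard.inf"
$reqFile  = Join-Path $workDir "wildcard.req"
$cerFile  = Join-Path $workDir "wildcard.cer"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Mirrors the wizard settings: legacy (CAPI) RSA key in the machine store, 2048 bit,
# exportable; KeySpec = 1 is the "Exchange" key type; KeyUsage 0xa0 is
# Digital Signature (0x80) + Key Encipherment (0x20), not marked critical.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=*.contoso.com, OU=IT, O=Contoso Corp., L=Seattle, S=WA, C=US"
FriendlyName = "*.contoso.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageOID]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path $infFile -Encoding ASCII

# Create the PKCS #10 request; the private key is generated in the local machine store.
certreq.exe -new $infFile $reqFile
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Submit to the enterprise CA: the scripted equivalent of pasting the request into certsrv.
certreq.exe -submit -config $caConfig -attrib "CertificateTemplate:WebServer" $reqFile $cerFile
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed (request pending or denied?), exit code $LASTEXITCODE" }

# Join the issued certificate to its pending request, which completes the key pair in the store.
certreq.exe -accept $cerFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Verify: wildcard subject, private key present, chain validates against the domain's trusted roots.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=[*].contoso.com*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate not found in the machine store." }
"{0}  private key: {1}  chain valid: {2}  expires: {3}" -f $cert.Subject, $cert.HasPrivateKey, $cert.Verify(), $cert.NotAfter
```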

Running 64-bit Powershell scripts via SCCM

It kind of started worrying me a bit when I was deploying SCCM 2007 R3 and wanted to run several PowerShell scripts that needed to install some Windows Features. It just didn't want to work. Finally, after several days, several reinstallations of my test VM, etc., etc., I got it working, and this is how to do it:



When I started my project, I thought (as probably every newbie with SCCM) that I just needed to create my scripts and then make a package and a program to run them in SCCM. It should work, you'd think. The problem is unfortunately that SCCM is not 64-bit. Therefore, if you advertise a program/script via the normal routine, it starts a 32-bit process. This creates problems when you want a script to install Windows Features, or anything else via PowerShell that requires the 64-bit version of PowerShell.

The solution to this is quite simple actually. You just need to create a task sequence, add a "Run Command Line" task and put the following command in:

powershell.exe <path to script>

Note: If the path to your script is on a central network repository you need to fill in the complete network path.

After adding the command, select "Disable 64-bit file system redirection". This option allows 64-bit applications to run as 64-bit applications instead of being redirected to the 32-bit version.

This is it actually.

Pretty frustrating to see that I needed to spend so many hours on this :S. This is also because the logging in SCCM is pretty poor. But that's my opinion ;)
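An alternative to the task-sequence option, added here as an example and not from the original post: a guard at the top of the script that detects that it was started as a 32-bit process on a 64-bit Windows and re-launches itself in the native 64-bit PowerShell through the \sysnative alias (available from Windows Vista/Server 2008 onward). The feature name and log path are assumptions; the script is written for PowerShell 2.0 as shipped with Windows Server 2008 R2.

```powershell
# Added example (not from the original post): self-relaunch into 64-bit PowerShell
# before installing a Windows Feature, for scripts started by a 32-bit SCCM client process.
$logFile = Join-Path $env:TEMP "install-features.log"   # assumed log location

function Write-Log($message) {
    # [IntPtr]::Size is 4 in a 32-bit process and 8 in a 64-bit one, so the log shows
    # which process the line came from; that is the first thing to check when this fails.
    $bits = [IntPtr]::Size * 8
    "{0:yyyy-MM-dd HH:mm:ss} [{1}-bit] {2}" -f (Get-Date), $bits, $message | Out-File -FilePath $logFile -Append
}

# PROCESSOR_ARCHITEW6432 is only defined inside WOW64 processes (32-bit on a 64-bit OS).
if ($env:PROCESSOR_ARCHITEW6432 -eq "AMD64") {
    # From a WOW64 process, \sysnative reaches the real System32 instead of SysWOW64.
    $native = Join-Path $env:windir "sysnative\WindowsPowerShell\v1.0\powershell.exe"
    if (Test-Path $native) {
        Write-Log "Running under WOW64; re-launching with $native"
        & $native -NoProfile -ExecutionPolicy Bypass -File $MyInvocation.MyCommand.Path
        exit $LASTEXITCODE
    }
    Write-Log "sysnative alias not available; ServerManager cmdlets will not load in 32-bit PowerShell"
    exit 1
}

# From here on we are in the 64-bit host; the ServerManager module loads and Add-WindowsFeature works.
Import-Module ServerManager
$featureName = "Web-Server"                   # assumed example feature
$result = Add-WindowsFeature $featureName
Write-Log ("Add-WindowsFeature {0}: Success={1} RestartNeeded={2}" -f $featureName, $result.Success, $result.RestartNeeded)

# Return a real exit code so the SCCM execution status reflects the outcome, not just "ran".
if ($result.Success) { exit 0 } else { exit 1 }
```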

Five things to reconsider when designing Exchange Server 2010

Five things you don’t do when designing a new Exchange Server 2010 environment.

When it comes to designing a new Exchange Server 2010 environment, a lot of techies think that this isn’t so hard. They just think “Let’s put in some servers, install some Exchange roles on them and the job is done”. Especially when installing these servers in a virtual environment like VMware or Hyper-V, these things happen. Techies often think: hey, it’s virtual, therefore my design boundaries are unlimited. Well: wrong, wrong, wrong thinking.



Therefore I have created a list with some things you don’t do when implementing Exchange Server 2010.

I could write a whole book about this subject, but some things just take experience and expertise to do the job properly.

  • Don’t think Exchange 2003 or Exchange 2007 style;


A lot of engineers or IT administrators think that if they have 1 Exchange 2003 server in their current environment, 1 Exchange 2010 server in their new environment will automatically do the trick. In some cases this can actually be true; in most cases however it isn’t. Because Exchange Server 2010 uses a 64-bit architecture, the load on the server(s) running Exchange will automatically be higher.


The other thing you see a lot is the quote “Hey, I have this set-up in Exchange Server 2007, let’s do the same thing in Exchange Server 2010”. Why is this wrong thinking? Well, first of all Exchange Server 2010 is not Exchange Server 2007. Where Exchange Server 2007 was considered a pretty unstable messaging system, especially when working with CCR clusters, Exchange Server 2010 is not. Microsoft made a lot of improvements, for example in database optimization by removing SIS (Single Instance Storage). Because of this, Microsoft realized an IOPS win of 85%. Another major improvement is the introduction of the DAG (Database Availability Group). Creating a DAG to fulfil your HA needs is pretty simple; designing the optimal DAG configuration however does take some consideration.




  • Don’t install all Exchange roles on as many servers as you can find;


When it comes to Exchange Server 2010, it is best practice to deploy multi-role servers in almost all circumstances. The great thing about Exchange Server 2010, also mentioned in the previous remark, is that because of the major improvement in IOPS load it is no longer necessary to install all roles separately. Another advantage of multi-role servers is that if for some reason you need an extra server, you can just install a new one which is exactly the same as your current Exchange servers. This makes your administration and documentation easier, and hey, we all want that, right?




  • Don’t think too easily about HA (High Availability);


Never think too easily about HA. Installing two CAS or HUB servers doesn’t automatically give you HA. You always need to consider a proper load-balancing solution. Best practice is a hardware load balancer or, when running virtual, a virtual hardware load balancer. Why? All clients use your CAS server(s) to contact their mailbox and Exchange organization information. Think about what happens when a client is switched to another IP by switching to wireless, when a client is connected via Outlook Anywhere and gets a new IP address from its provider, or when the request goes to one CAS server and the reply comes from another. You don’t want this. Another reason to think about load balancing is service-level failover. When a service on one Exchange CAS or HUB transport server is not available, a hardware load balancer is aware of this and will automatically redirect traffic to the remaining servers in the load-balancing pool. This is also nice if you want to put one server into maintenance for updates or something else.




  • Don’t forget security at the outside boundaries;


A lot of Exchange admins think: hey, Exchange Server 2010 is secure, why the need for a reverse proxy? Well, pretty simple. Your CAS servers, for example, are domain-joined servers which in all cases are located in your internal network. What happens when a potentially unwanted individual is able to use a backdoor on your system? Right: this individual is now on the internal network with access to your complete Active Directory and all the information in it. You don’t want this. Therefore always implement a proper reverse proxy solution like Forefront TMG or UAG to protect your internal network.




  • Design by need;


Before deciding on how many servers, how much storage, how much memory and how many CPUs are needed, always write down the following facts:






      • How many mailboxes do you have in your organization?

      • What is the total amount of mail data in your organization?

      • How many e-mails does an average user receive / send per day?

      • Do you have any quotas, or does your organization want any?

      • Is your organization using PST files as archives?

      • If yes, how much storage do all PST files take?

      • Is there any way to clean up all mailboxes before migration?

      • Are you still using a version of Outlook older than Outlook 2007?

      • Etcetera…




Having these facts written down gives you a better understanding of the circumstances you need to consider when creating your design.


In all cases, leave your thoughts and experience with previous Exchange Server versions as they are and try to look into the new technology features and design recommendations. If you are uncertain how to do it, just hire a consultant or architect specialized in Exchange Server solutions, like me ;).

Change the UPN of a federated user after user has been synced to Office365

Microsoft strongly recommends making sure all UPNs needed in Office 365 are set correctly before doing the initial DirSync.

However, in some cases you may want to change the UPN after the initial DirSync anyway, for example:

  • When your company's history lacks correct user registration (names are not correct);

  • When a user changes their last name when he/she gets married and wants to use that name when logging in.


In this case it is possible to change the UPN of the user in the federated domain. However, again, this is not recommended. Here is how you do it.



  1. Log on to the primary federation server;

  2. Open PowerShell;

  3. Import the MSOnline PowerShell module: "Import-Module MSOnline";

  4. Run the change-UPN cmdlet: "Set-MsolUserPrincipalName -UserPrincipalName [CurrentUPN] -NewUserPrincipalName [NewUPN]".


See also Microsoft Support article KB2523192 for more information on this subject.
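The four steps above as a small function, added here as an example that is not part of the original post, with the checks worth doing before renaming a signed-in identity: the user must exist, the new suffix must be a verified domain in the tenant, and if that domain is federated the on-premises UPN has to be changed to match or the user cannot log in. Connect-MsolService prompts for credentials; both UPNs are constructed examples.

```powershell
# Added example (not from the original post): guarded UPN change for an Office 365 user.
Import-Module MSOnline
Connect-MsolService

function Set-FederatedUpn {
    param(
        [Parameter(Mandatory=$true)] [string] $CurrentUpn,
        [Parameter(Mandatory=$true)] [string] $NewUpn
    )
    # Fail early if the current UPN does not resolve to a user in the tenant.
    $user = Get-MsolUser -UserPrincipalName $CurrentUpn -ErrorAction Stop

    # The new suffix must be a domain this tenant has verified.
    $newSuffix = $NewUpn.Split("@")[-1]
    $domain = Get-MsolDomain | Where-Object { $_.Name -eq $newSuffix }
    if (-not $domain) { throw "Domain $newSuffix is not registered in this tenant." }
    if ($domain.Status -ne "Verified") { throw "Domain $newSuffix is not verified (status: $($domain.Status))." }

    # For a federated domain the sign-in goes through ADFS with the on-premises UPN,
    # so DirSync/AD must carry the same new value; warn so this is not forgotten.
    if ($domain.Authentication -eq "Federated") {
        Write-Warning "$newSuffix is federated: change the on-premises userPrincipalName of $($user.DisplayName) to $NewUpn as well."
    }

    Set-MsolUserPrincipalName -UserPrincipalName $CurrentUpn -NewUserPrincipalName $NewUpn
    # Return the renamed object so the result can be checked (LastDirSyncTime shows it is a synced user).
    Get-MsolUser -UserPrincipalName $NewUpn | Select-Object DisplayName, UserPrincipalName, LastDirSyncTime
}

# Constructed example values.
Set-FederatedUpn -CurrentUpn "jane.smith@contoso.com" -NewUpn "jane.jones@contoso.com"
```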

DirSync: Preparing all UPN's required or not?

Everyone who has implemented a hybrid Office 365 Exchange Online configuration has probably read the deployment guide for Office 365.

In that guide you will read that you need to make some preparations to your Active Directory.

One of these preparations is making sure the UPN of all users is properly set to a routable domain name. For most organizations, however, this can be a real challenge. In the early days of Active Directory (somewhere in the early 21st century), Microsoft recommended creating a FQDN that was not the same as your public domain name (non-routable). However, things changed over the years, and last year Office 365 came out.

To set up DirSync for synchronization of your Active Directory objects, you are required to create a UPN for all users that is internet routable. That means that the UPN must be set to @publicdomainname.

In some organizations this is a challenge because the user part of the UPN has, over the years, been administered incorrectly, or is changed often due to marriages or divorces. And because the UPN will be used to log in to Exchange Online, you probably want this to be set correctly. What is unclear in the documentation, however, is what will happen if you don't set the correct UPN before configuring DirSync.

From my personal experience: in the first place, I would still recommend setting the UPN of all users before configuring DirSync. However, if you are in a situation that requires you to proceed because the customer is not ready yet, it is possible to configure DirSync first and set the UPN later.

Please be advised that if you do this, DirSync will create errors during the sync. These errors are written to the event log of the DirSync server. Besides that, DirSync tries to synchronise every 3 hours. After the sync, DirSync e-mails all administrators a summary report of the sync. In this report you will see the errors too.

If you set up DirSync without a proper UPN, DirSync will synchronize all AD objects and create an "@name.onmicrosoft.com" UPN.

If you don't want errors during the syncs, you can also choose to only configure the domain part of the UPN and change the user part later. This results in a successful sync without any noticeable errors.

I have created a script that prepares the UPN of all user objects with a proper domain.

<#
UPN Change Script (PS_CRI_ChangeUPN_v0.1.ps1)

Author: Cor (C.J.H.) Reinhard
Copyright: 2012, Unauthorized use from author prohibited

Version: 1.0 - Final
Create date: 31-01-2012
Last modification date: 31-01-2012

Notes: Make sure script execution is set to unrestricted by running "Set-ExecutionPolicy -ExecutionPolicy unrestricted -Force"
Make sure to run this script from within the Exchange Server 2010 Management Shell

Change history:
31-01-2012: First and final version, v1.0
#>

$odom = "<current domain FQDN of users>"
$ndom = "<public/new domain FQDN of users>"

# -ResultSize Unlimited: without it Get-User returns at most 1000 objects, so a larger
# directory would only be partly processed.
$usr = Get-User -ResultSize Unlimited

function Change-UPN {
    ForEach ($upn in $usr) {
        # Skip objects without a UPN, and compare the domain part case-insensitively
        # (-ne is case-insensitive in PowerShell, String.Contains() is not).
        if (-not $upn.UserPrincipalName) { continue }
        $parts = $upn.UserPrincipalName.Split("@")
        if ($parts.Count -ne 2 -or $parts[1] -ne $odom) { continue }

        Write-Host "Current user" $upn.Name "has UPN" $upn.UserPrincipalName

        # Replace only the domain part; the user part can be corrected later.
        $newupn = $parts[0] + "@" + $ndom
        Set-User $upn -UserPrincipalName $newupn

        Write-Host "UPN" $newupn "set for" $upn.Name -ForegroundColor Green
    }
}

Change-UPN

After your customer or organization has decided which UPN they will use, you can change the UPN by following my previous post "Change the UPN of a federated user after user has been synced to Office 365".

Good luck and enjoy!

Offloading mailboxes from Exchange Online to on-premise Exchange Server 2010

When a user mailbox is created in Exchange Online by the "Create Remote Mailbox" feature in Exchange Server 2010 and the mailbox of this user needs to be moved back to the on-premise Exchange 2010 environment, it will end up in the error "Exception has been thrown by the target of an invocation."

This was clearly a bug in Exchange Server 2010 SP2.



After some research it turns out this error occurs because during the initial mailbox creation the mailbox GUID of the Exchange Online mailbox is not set in the remote mailbox user properties. This ends up in a GUID mismatch (apparently the move mailbox action uses this property to match the IDs of the user) and the move mailbox action ends with the error "Exception has been thrown by the target of an invocation."

There is a workaround for this problem: create a remote PowerShell session, retrieve the mailbox properties of the user mailbox that needs to be moved, copy the GUID and paste it manually into the remote mailbox properties in the on-premise environment. See http://community.office365.com/en-us/w/exchange/566.aspx for more information on how to do this.

As you can imagine, this workaround is pretty time consuming and not very efficient if you need to do this for more than 50 users at the same time.

Since last week Exchange 2010 Service Pack 2 Update Rollup 3 (UR3) is out, and this issue is on the fix list. See http://support.microsoft.com/kb/2698960

I advise you all to install UR3 as soon as possible. You can download UR3 for Exchange Server 2010 SP2 at http://www.microsoft.com/en-us/download/details.aspx?id=29899.

If you have a multi-server Exchange environment, please be aware that you should install UR3 on all nodes in the same maintenance window to avoid rare problems.

For a complete list of all issues fixed in UR3 see http://www.microsoft.com/en-us/download/details.aspx?id=29899
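The workaround described above (copy the Exchange Online mailbox GUID into the on-premise remote mailbox) done in bulk for a list of users, for an environment that cannot install UR3 yet; an added example, not from the original post. Run it from the on-premise Exchange 2010 Management Shell. The connection URI is the Exchange Online remote PowerShell endpoint of that time; the user list file is a constructed example.

```powershell
# Added example (not from the original post): bulk ExchangeGuid repair on remote mailboxes.
$userFile = "C:\temp\users-to-move.txt"      # one primary SMTP address per line (constructed example)

# Remote session to Exchange Online; cmdlets are prefixed so that Get-CloudMailbox is the
# cloud side and Get-RemoteMailbox / Set-RemoteMailbox stay the on-premise cmdlets.
$cloudCred = Get-Credential
$cloudSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cloudCred `
    -Authentication Basic -AllowRedirection
Import-PSSession $cloudSession -Prefix Cloud -DisableNameChecking | Out-Null

$report = foreach ($smtp in (Get-Content $userFile | Where-Object { $_.Trim() })) {
    $cloud  = Get-CloudMailbox -Identity $smtp -ErrorAction SilentlyContinue
    $remote = Get-RemoteMailbox -Identity $smtp -ErrorAction SilentlyContinue

    if (-not $cloud) {
        $status = "no Exchange Online mailbox"
    } elseif (-not $remote) {
        $status = "no on-premise remote mailbox"
    } elseif ($remote.ExchangeGuid -eq $cloud.ExchangeGuid) {
        $status = "already in sync"
    } else {
        # This mismatch (usually an all-zero GUID on-premise) is what makes the move
        # request fail with "Exception has been thrown by the target of an invocation."
        Set-RemoteMailbox -Identity $smtp -ExchangeGuid $cloud.ExchangeGuid
        $status = "ExchangeGuid set"
    }

    New-Object PSObject -Property @{
        User       = $smtp
        OnPremGuid = $(if ($remote) { $remote.ExchangeGuid } else { $null })
        CloudGuid  = $(if ($cloud)  { $cloud.ExchangeGuid }  else { $null })
        Result     = $status
    }
}

# Review before starting the move requests; anything other than "already in sync" or
# "ExchangeGuid set" needs a look at the user object first.
$report | Format-Table User, Result, CloudGuid -AutoSize

Remove-PSSession $cloudSession
```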


Could not bind port 80 on TMG with Windows Server 2008 R2 SP1

During a new implementation of a reverse proxy solution for Exchange Server 2010 OWA, based on a Threat Management Gateway 2010 server, I encountered an issue where I couldn't bind port 80 for redirection to port 443. The server I tried to install and configure TMG on was a Windows Server 2008 R2 SP1 machine.

The following post will guide you through the issues I had and give you a solution to this problem.



During the installation of Service Pack 1 for Windows Server 2008 R2, the installation automatically installs the .NET Framework 3.5.1 feature. A side effect of installing this feature is that the "Web Server (IIS)" role is a dependency, so that role is automatically installed as well.

IIS shouldn't be installed at all on a TMG machine, however. Its presence results in port 80 being bound on the default network interface.

Before I figured it out, I received the following event in the event log:

Log Name:      Application
Source:        Microsoft Forefront TMG Web Proxy
Date:          12-7-2012 14:59:13
Event ID:      14148
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      ---
Description:
The Web Proxy filter failed to bind its socket to 0.0.0.0 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional.

To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.

After performing a netstat I could see that port 80 was already in use:

C:\Windows\system32>netstat -a | findstr "80"
TCP    0.0.0.0:80             WE-UTR01-TMG01:0       LISTENING
TCP    10.31.1.98:8080        WE-UTR01-TMG01:0       LISTENING
TCP    127.0.0.1:8008         WE-UTR01-TMG01:0       LISTENING
TCP    127.0.0.1:8080         WE-UTR01-TMG01:0       LISTENING
TCP    [::]:80                WE-UTR01-TMG01:0       LISTENING
 

After removing the Web Server (IIS) role and the .NET dependencies and running netstat again, I got the following output:

C:\Windows\system32>netstat -a | findstr "80"
TCP    10.31.1.98:8080        WE-UTR01-TMG01:0       LISTENING
TCP    127.0.0.1:8008         WE-UTR01-TMG01:0       LISTENING
TCP    127.0.0.1:8080         WE-UTR01-TMG01:0       LISTENING
 

So this looks OK. After configuring the Web Listener and publishing rules for Exchange 2010 OWA and ActiveSync, I ran the netstat command again and got the following output:

C:\Windows\system32>netstat -a | findstr "80"
TCP    10.31.1.98:80          WE-UTR01-TMG01:0       LISTENING
TCP    10.31.1.98:8080        WE-UTR01-TMG01:0       LISTENING
TCP    8.8.8.8:80      WE-UTR01-TMG01:0       LISTENING
TCP    8.8.8.8:80      194:20682              ESTABLISHED
TCP    127.0.0.1:8008         WE-UTR01-TMG01:0       LISTENING
TCP    127.0.0.1:8080         WE-UTR01-TMG01:0       LISTENING
TCP    127.0.0.1:8080         WE-UTR01-TMG01:10168   TIME_WAIT
 

As you can see, port 80 is now bound on both interfaces as it should be. After this I tested the redirection and it worked like a charm.

Good luck in solving this issue if you ever encounter it.
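A check to run before installing TMG, or as soon as event 14148 shows up, added here as an example that is not from the original post: it reports whether the Web Server (IIS) role is present and which process owns every listener on port 80. Written for Windows Server 2008 R2 (PowerShell 2.0), run as administrator. Note that IIS listens through HTTP.sys, so its port 80 listener shows up as the System process (PID 4); that is why the role check is done as well.

```powershell
# Added example (not from the original post): who owns port 80 on this host?
function Get-PortOwner {
    param(
        [int] $Port = 80,
        [string[]] $NetstatLines = (netstat -ano)   # can be replaced with captured output for offline analysis
    )
    # netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne "TCP" -or $f[3] -ne "LISTENING") { continue }
        # Anchored on ":80" at the end so 0.0.0.0:80 and [::]:80 match but :8080 does not.
        if ($f[1] -notmatch (":" + $Port + "$")) { continue }

        $procId = [int] $f[4]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        # Services hosted in svchost (or HTTP.sys users) are identified via WMI by process id.
        $svc = Get-WmiObject Win32_Service -Filter "ProcessId = $procId" | Select-Object -ExpandProperty Name

        New-Object PSObject -Property @{
            LocalAddress = $f[1]
            PID          = $procId
            Process      = $(if ($proc) { $proc.ProcessName } else { "?" })
            Services     = ($svc -join ",")
        }
    }
}

Import-Module ServerManager
$iis = Get-WindowsFeature Web-Server
if ($iis.Installed) {
    Write-Warning "Web Server (IIS) role is installed on this host; remove it before the TMG Web Proxy can bind port 80."
}

Get-PortOwner -Port 80 | Format-Table LocalAddress, PID, Process, Services -AutoSize
```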

Exchange Server 2013 – A first glimpse – part 1

On 11 July 2012 Microsoft released the long-expected preview version of Exchange Server 2013 (also known as Exchange 15). In this multi-part blog I will try to show you a glimpse of what's new in Exchange Server 2013.

  • In part 1 I will describe the new features and changes that this new version of Exchange is going to offer;

  • In part 2 I will guide you through the installation of Exchange Server 2013;

  • In part 3 we will have a deeper look into the management of Exchange Server 2013.




Earlier this year customers started asking questions about the new Exchange version. Back then my curiosity (and probably the whole community's) was starting to rise, but my mission stranded indefinitely because there was simply no answer to be found on what the new version of Exchange was going to offer. The only answer I could find was that everything there was to be told would be told at the Microsoft Exchange Conference later this year in Orlando (www.mecisback.com).

Last week Microsoft suddenly released a preview version of Exchange Server 2013. Almost immediately I downloaded it and started to configure it in my demo lab. I am trying to share my findings in these coming blogs.

To start: it seems that in this new version of Exchange, Microsoft's new strategy is to simplify Exchange management and integration with Office 365 (cloud). Besides that, Microsoft made some changes to the split roles that were introduced in Exchange Server 2007. This last change is interesting but not new, because in Exchange Server 2010 the best practice was already to create multi-role servers instead of breaking down your Exchange organization into as many servers as you could find.

Basically Exchange Server 2013 provides two main roles: the Client Access server role and the Mailbox server role. In the RTM version of Exchange Server 2013 the Edge Transport role will probably be released, but in this preview version it's not there. You could, if you want, install the Exchange Server 2010 Edge Transport server and create an edge subscription to it. This is supported for the moment.

  • Client Access server role This role proxies connectivity for all clients, such as Microsoft Office Outlook, Outlook Web App, mobile devices, POP, and SMTP and also accepts mail from and delivers mail to other mail hosts on the Internet. Client access servers can be organized into Client Access server arrays.

  • Mailbox server role This role stores mailbox data, performs processing and rendering for client connections proxied by the Client Access server, and handles Unified Messaging requests. Mailbox servers can be organized into back-end clusters that use database availability groups (DAGs).


So what's new?


Client Access servers accept connections from clients and proxy those requests to the back-end Mailbox server that houses the active mailbox database copy. Multiple Client Access servers can be grouped together into a load-balanced array. The Client Access server performs authentication, redirection, and proxy services; it doesn't perform any data rendering. Connections to the Client Access server are stateless which means that there is no need to maintain affinity between a client and an individual Client Access server for subsequent connections because all data processing and transformation occurs on the Mailbox server. Because of this change in architecture, Exchange 2013 Preview requires layer 4 load balancing. Layer 4 load balancing is protocol-unaware and balances traffic based on IP address and TCP/UDP port.

Layer 4 load balancing integrated in Exchange? Cool, but what does it mean? Is a separate hardware load balancer no longer needed? I really don't have a clue yet. I will come back to this at a later stage.

A Client Access array includes two different components: the Client Access service and the Front End Transport service.

The Client Access service performs the following functions:

  • Provides a unified namespace, authentication, and network security.

  • Handles all client requests for Exchange.

  • Routes requests to the correct Mailbox server.

  • Proxies or redirects client requests for legacy servers, such as Exchange 2007 and Exchange 2010 Client Access.

  • Enables the use of layer 4 (TCP affinity) routing.


The Front End Transport service performs the following functions:

  • Protocol level filtering Performs connection, recipient, sender, and protocol filtering

  • Network protection Centralized, load-balanced egress and ingress point for the organization.

  • Mailbox locator Avoids unnecessary hops by determining the best Mailbox server to deliver the message to.

  • Load-balances client and application SMTP requests.


Mailbox servers house the mailbox data for the organization and perform data rendering and other operations. Mailbox servers can be grouped into back-end clusters which consist of database availability groups (DAG). Mailbox servers perform the following functions:

  • Host mailbox databases.

  • Provide email storage.

  • Host public folder databases.

  • Calculate email address policies.

  • Conduct multi-mailbox searches.

  • Provide high availability and site resiliency.

  • Provide messaging records management and retention policies.

  • Handle connectivity because clients don't connect directly to the Mailbox servers.

  • Provide all core Exchange functionality for a given mailbox where that mailbox's database is currently activated.

  • Fails over mailbox access when a database fails over.


The following briefly describes some new and some improved features in the Mailbox role for Exchange 2013 Preview:

Evolution of Exchange 2010 DAG:

  • Transaction log code has been refactored for fast failover with deep checkpoint on passive database copies.

  • To support enhanced site resiliency, servers can be in different locations.

  • Exchange 2013 Preview now hosts some Client Access components, the Transport components, and the Unified Messaging components.

  • The Exchange 2013 Preview Store has been re-written in managed code to improve performance, reduce IO further, and improve reliability.

  • Each Exchange 2013 Preview database now runs under its own process.

  • Smart Search has replaced the Exchange 2010 multi-mailbox search infrastructure.


Source: Microsoft Technet – Exchange 2013 Server Roles

Supported co-existence scenarios


A first impression is that Microsoft doesn't take customers who are still running Exchange Server 2003 and older seriously anymore. There is no way you can transition from Exchange Server 2003 to Exchange Server 2013 without transitioning to Exchange Server 2007 or Exchange Server 2010 first. In my opinion this is a big fail! A lot of companies are still running Exchange Server 2003 and older. Some of these companies are actually waiting till Exchange Server 2013 arrives because they don't want to upgrade to Exchange Server 2010 when a new version is only a couple of months away. Now they still need to upgrade to Exchange Server 2010 first before going to Exchange Server 2013. This means a lot of extra costs and implementation work, which may scare companies off.

The following table shows the supported co-existence paths that are supported:

Exchange version / Exchange organization coexistence:

  • Exchange Server 2003 and earlier versions: Not supported.
  • Exchange 2007: Not supported with Exchange 2013 Preview. Coexistence with Exchange 2007 will be supported in the release to manufacturing (RTM) version of Exchange 2013.
  • Exchange 2010: Not supported with Exchange 2013 Preview. Coexistence with Exchange 2010 will be supported with Exchange 2013 RTM.
  • Mixed Exchange 2010 and Exchange 2007 organization: Not supported with Exchange 2013 Preview. Coexistence with Exchange 2007 and Exchange 2010 will be supported with Exchange 2013 RTM.



Active Directory support


To install Exchange Server 2013 Preview your Active Directory forest functional level must be Windows Server 2003 or higher. In addition, the following roles must run one of the corresponding operating systems:

Schema Master:
  • Windows Server 2012
  • Windows Server 2008 R2 Standard or Enterprise
  • Windows Server 2008 Standard or Enterprise (32-bit or 64-bit)
  • Windows Server 2003 Standard Edition with Service Pack 2 (SP2) or later (32-bit or 64-bit)
  • Windows Server 2003 Enterprise Edition with SP2 or later (32-bit or 64-bit)

Global catalog server:
  • Windows Server 2012
  • Windows Server 2008 R2 Standard or Enterprise
  • Windows Server 2008 R2 Datacenter RTM or later
  • Windows Server 2008 Standard or Enterprise (32-bit or 64-bit)
  • Windows Server 2008 Datacenter RTM or later

Domain controller:
  • Windows Server 2012
  • Windows Server 2008 R2 Standard or Enterprise SP1 or later
  • Windows Server 2008 R2 Datacenter RTM or later
  • Windows Server 2008 Standard or Enterprise SP1 or later (32-bit or 64-bit)
  • Windows Server 2008 Datacenter RTM or later


OS Support


The following operating systems are supported to install Exchange Server 2013 preview on:

Component / Requirements:

Mailbox and Client Access server roles: one of the following
  • Windows Server 2012
  • Windows Server 2008 R2 Standard with SP1
  • Windows Server 2008 R2 Enterprise with SP1
  • Windows Server 2008 R2 Datacenter RTM or later

Management tools: one of the following
  • Windows Server 2012
  • Windows Server 2008 R2 Standard with SP1
  • Windows Server 2008 R2 Enterprise with SP1
  • Windows Server 2008 R2 Datacenter RTM or later
  • 64-bit edition of Windows 8 Release Preview
  • 64-bit edition of Windows 7 with SP1


Supported clients


Exchange 2013 Preview supports the following minimum versions of Microsoft Office Outlook and Microsoft Entourage for Mac:

  • Outlook 2013 Preview

  • Outlook 2010 SP1 with April 2012 Cumulative Update

  • Outlook 2007 SP3 with July 2012 Cumulative Update

  • Entourage 2008 for Mac, Web Services Edition

  • Outlook for Mac 2011


Outlook clients earlier than Outlook 2007 are not supported. Email clients on Mac operating systems that require DAV, such as Entourage 2008 for Mac RTM and Entourage 2004, are not supported.

Outlook Web App supports several browsers on a variety of operating systems and devices. For detailed information, see Supported Browsers for Outlook Web App.

Well that's all for now. I will be publishing part 2 of this blog series soon.

Unable to on-board and off-board mailboxes in an Exchange Hybrid Configuration

This blog post describes the situation where you are unable to move an Exchange Online (Office 365) mailbox to an on-premise Exchange 2010 server in a hybrid configuration.

If an Exchange Online mailbox is created via the Exchange 2010 Management Console, the ExchangeGUID of the MS Online Mailbox is not properly set in the remote-mailbox configuration of the Active Directory user object. In most cases this is no problem at all, but if you want to move an MS Online mailbox from the cloud to your on-premises Exchange 2010 server the process fails with the error "Exception has been thrown by the target of an invocation.".



This all took me a while to figure out. I had a customer that had created about 5500 Active Directory users. During this stage the existing users needed to have an Exchange Online mailbox without removing them first, so we used the "create-remotemailbox" cmdlet to create all mailboxes in Exchange Online. In this case some users who had an Exchange Online Kiosk subscription changed positions and the client wanted to off-board these mailboxes to on-premise (this was the business case). During these actions the process failed because the remote move request process apparently compares the ExchangeGUID value on both sides. If they do not match, the process fails with this pretty unhelpful error.

If this happens you will need to copy the ExchangeGUID of the mailbox in Exchange Online and replace the ExchangeGUID value of the remote-mailbox setting on the Active Directory user.

Below you can find a script that I have created to do this for all your users at once.

Just some prerequisites before running this script:

  • You can only run this script using elevated permissions or with User Account Control turned off;

  • You need the Exchange cmdlets, therefore you either run the script from within the Exchange Management Shell or you'll need to import the cmdlets for Exchange in your current powershell session.

First we are going to create a new session called "Remote" in our current powershell session to run the Microsoft Exchange Online cmdlets in. If you don't do this it will not work because the Exchange Online cmdlets are the same as the Exchange On-Premise cmdlets and they will interfere with each other if you run everything in the same session.
New-PSSession -Name remote #Creates a new local pssession to avoid cmdlet conflicts

After we have created the new session, the script needs to perform some actions in this session to create an output CSV file that we can use later on. This section of the script gets the userprincipalname and the ExchangeGUID from all Exchange Online mailboxes and saves them to a CSV file in the path "D:\temp".

Note: There are several ways to do this. I have chosen to use the "enter-pssession" and "exit-pssession" cmdlets.
Enter-PSSession -Name remote #Enters the new pssession to process commands
$cred = Get-Credential ""
#creating a new remote powershell session to Microsoft Online
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Receiving the ExchangeGUID of all mailboxes in Microsoft Online and exporting it to a CSV file
$temp = Get-Mailbox -ResultSize unlimited | select userprincipalname,exchangeguid
$temp | export-csv -Path d:\temp\export-o365-boxes.csv -NoTypeInformation
Exit-PSSession

In the following section we are going to use the created CSV file to check if the ExchangeGUID of the Exchange Online Mailbox matches the ExchangeGUID of the remote-mailbox attributes of the Active Directory user.
Start-Transcript -Path D:\temp\transcript.txt #writes all output into a transcript file
$csv = Import-Csv -Path d:\temp\export-o365-boxes.csv #imports the created CSV file
foreach ($item in $csv) { # loop to check if the ExchangeGUID matches the MS Online mailbox GUID; if not, this script sets the ExchangeGUID value
$mbtemp = get-remotemailbox $item.userprincipalname
Write-Host $item.ExchangeGuid "is cached from csv file" -ForegroundColor Green
Write-Host $mbtemp.ExchangeGuid "is cached from get-remotemailbox" -ForegroundColor Magenta
if ($mbtemp.exchangeguid -ne $item.exchangeguid) {
Write-Host "No match. Writing GUID" $item.exchangeguid "into user" $mbtemp.userprincipalname -ForegroundColor Red
set-remotemailbox $mbtemp.userprincipalname -ExchangeGuid $item.exchangeguid
}
}
Stop-Transcript

The whole script you can download here:

<#
MS Online sets local Exchange 2010 remotemailbox ExchangeGUID

Author: Cor (C.J.H.) Reinhard
Copyright: 2012, Unauthorized use from author prohibited

Version: 1.0
Create date: 14-08-2012
Last modification date: 14-08-2012

Notes: Make sure script execution is set to unrestricted by running "Set-ExecutionPolicy -ExecutionPolicy unrestricted -Force"
Make sure to run this script from within the Exchange Server 2010 Management Shell

Change history:
13-08-2012: First version, v0.1
14-08-2012: Added pssessions, v1.0

Nice to have:
#>

New-PSSession -Name remote #Creates a new local pssession to avoid cmdlet conflicts

Enter-PSSession -Name remote #Enters the new pssession to process commands
$cred = Get-Credential ""
#creating a new remote powershell session to Microsoft Online
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Receiving the ExchangeGUID of all mailboxes in Microsoft Online and exporting it to a CSV file
$temp = Get-Mailbox -ResultSize unlimited | select userprincipalname,exchangeguid
$temp | export-csv -Path d:\temp\export-o365-boxes.csv -NoTypeInformation
Exit-PSSession

Start-Transcript -Path D:\temp\transcript.txt #writes all output into a transcript file
$csv = Import-Csv -Path d:\temp\export-o365-boxes.csv #imports the created CSV file
foreach ($item in $csv) { # loop to check if the ExchangeGUID matches the MS Online mailbox GUID; if not, this script sets the ExchangeGUID value
$mbtemp = get-remotemailbox $item.userprincipalname
Write-Host $item.ExchangeGuid "is cached from csv file" -ForegroundColor Green
Write-Host $mbtemp.ExchangeGuid "is cached from get-remotemailbox" -ForegroundColor Magenta
if ($mbtemp.exchangeguid -ne $item.exchangeguid) {
Write-Host "No match. Writing GUID" $item.exchangeguid "into user" $mbtemp.userprincipalname -ForegroundColor Red
set-remotemailbox $mbtemp.userprincipalname -ExchangeGuid $item.exchangeguid
}
}
Stop-Transcript
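As an added example (not the author's script), here is a variant of the same GUID comparison that skips CSV rows without a valid GUID or without a matching on-premises remote mailbox, and can report mismatches with -ReportOnly before writing anything. The CSV path and the -ReportOnly switch are assumptions of this example; it expects the Exchange 2010 cmdlets to be loaded in the current session.

```powershell
# Added example, not the author's script: report and (optionally) repair ExchangeGuid
# mismatches between the Exchange Online export and the on-premises remote mailbox.
# Assumes the CSV created earlier (UserPrincipalName, ExchangeGuid columns) at the
# path below and that the Exchange 2010 cmdlets are loaded in the current session.
param(
    [string]$CsvPath = 'D:\temp\export-o365-boxes.csv',
    [switch]$ReportOnly   # list mismatches without calling Set-RemoteMailbox
)

$results = @()
foreach ($item in Import-Csv -Path $CsvPath) {
    $upn = $item.UserPrincipalName

    # -as [guid] yields $null when the CSV value is not a GUID (for example an empty field)
    $cloudGuid = $item.ExchangeGuid -as [guid]
    if (-not $cloudGuid -or $cloudGuid -eq [guid]::Empty) {
        $results += New-Object PSObject -Property @{ User = $upn; Action = 'Skipped'; Reason = 'No valid ExchangeGuid in CSV' }
        continue
    }

    # A missing remote mailbox would otherwise compare $null against the GUID and
    # end in a Set-RemoteMailbox call with an empty identity.
    $remote = Get-RemoteMailbox -Identity $upn -ErrorAction SilentlyContinue
    if (-not $remote) {
        $results += New-Object PSObject -Property @{ User = $upn; Action = 'Skipped'; Reason = 'No remote mailbox found on-premises' }
        continue
    }

    if ($remote.ExchangeGuid -eq $cloudGuid) {
        $results += New-Object PSObject -Property @{ User = $upn; Action = 'Unchanged'; Reason = 'GUIDs already match' }
        continue
    }

    # This mismatch is what makes the off-boarding move request fail.
    $reason = "on-premises $($remote.ExchangeGuid) -> cloud $cloudGuid"
    if ($ReportOnly) {
        $results += New-Object PSObject -Property @{ User = $upn; Action = 'WouldUpdate'; Reason = $reason }
    } else {
        Set-RemoteMailbox -Identity $upn -ExchangeGuid $cloudGuid
        $results += New-Object PSObject -Property @{ User = $upn; Action = 'Updated'; Reason = $reason }
    }
}

# Summary of what was skipped, left alone, or written
$results | Format-Table User, Action, Reason -AutoSize
```

Run it once with -ReportOnly to review the list of mismatches before letting it write to the Active Directory objects.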

Goodbye MCM! Hello MCSM!

As most of you know, the Microsoft Certified Master (MCM) program is coming to an end. The last MCM rotation for Exchange Server is held on November 15. But what happens to the program and what do you need to do to get certified? This post gives you an overall view of what is going to change and what you'll need to do to be in the program.



First of all, when I heard of this change at MEC 2012 I was not very happy. I already had approval from my employer to join the MCM program at the end of 2012, but due to other obligations I couldn't sign up. The next best thing for me was to wait for the MCM for Exchange Server 2013 somewhere in 2013. But…. Microsoft made the decision to change the MCM program to MCSM (Microsoft Certified Solutions Master) to fit the new certification paths. Now I wanted to know what the requirements of the new program were, because I already had all the requirements needed to join the MCM program, so I did some research.


So what are the changes in the program?


How do I get certified?


At the moment? You can't. The MCSA certification is already there so you can certify on this, but there is no real preparation material available, so you have to prepare yourself using the Microsoft Technet site. You also need to take a close look at which topics are covered. If you hold one of the following certifications you can take the upgrade exam 70-417.

  • MCSA: Windows Server 2008

  • MCITP: Virtualization Administrator

  • MCITP: Enterprise Messaging Administrator

  • MCITP: Lync Server Administrator

  • MCITP: Sharepoint Administrator

  • MCITP: Enterprise Desktop Administrator


If you don't have one of these certifications you need to do the whole certification path. That means taking the exams 70-410, 70-411 and 70-412.

For the MCSE Messaging certification it is not possible to certify yet if you're not participating in the beta program. The required exams 70-341 and 70-342 will probably be available at the end of January 2013. You can of course prepare yourself by reading Microsoft Technet and the iammec websites and creating a demo lab, but although Exchange Server 2013 is RTM (since last week) it is still not available till November 2012 (see my friend Dave Stork's blog). So you'll have to stick with the preview release which is subject to change.

And how do I get proven deployment experience?


Now that Exchange Server 2013 is RTM you would say it's easy. Just sell it! But you can only sell and implement Exchange Server 2013 when you're implementing it in a greenfield (new) environment. For Exchange Server 2013 to co-exist in an existing Exchange Server 2007 or 2010 organization you'll need either the Rollup Update for Exchange Server 2007 or Service Pack 3 for Exchange Server 2010. Neither update has been released yet. There is no real date given for when these updates will appear, but it will be somewhere in the first half of 2013.

My conclusion


Looking at all the options and variables you'll simply need to get certified before you can participate in the MCSM Messaging program. I think changing the program to have you update your skills every 3 years is a good thing. In 3 years a lot of things change (even in service packs) and in real life you simply do not use all the features that Exchange Server 2013 provides. Retaking the exams will keep your skill level sharp, which I think is needed for an MCM or MCSM.

In my humble opinion you can't get any good experience with Exchange Server 2013 until you have deployed it in a co-existence scenario. Therefore I think it's a big disappointment again from Microsoft to stop the current program and have no short term solution available.

At the end this will set ME back with at least a year!

Why Office 365 is no option in a European Tender

Maybe you recognize this scenario. A local government company is formed by merging three other local government companies to be more (economically) effective. These three local companies however all run a separate IT infrastructure. The next logical step is of course to integrate these separate IT infrastructures into one new IT infrastructure. The most common decision is to create a new "greenfield" IT infrastructure where the IT services of all three companies will be merged into one new platform.



Once the project is initiated, the new company often needs external expertise on how to create it. In Europe this plan needs to be procured via a "European Tender". This procedure is often complex and sometimes misunderstood. But the tender is mandatory, so it is not negotiable. Basically, in a "European Tender" suppliers have the choice to sign up. Once this phase is done and all suppliers are known, the suppliers receive documentation about the requirements and wish lists and are asked to make a quotation. This quotation is divided into chunks (like investment plans, overall plans, project plans and the solution itself) for which the supplier receives points. The supplier with the most points wins and can start the project.

So far so good, but where does it go wrong?


Well, a big portion of the points is scored on the initial investment of the complete project. This means the amount of money that is needed to implement and finalize the project within budget and time. The tender often doesn't look at the Total Cost of Ownership (TCO) over the complete duration of the project.

To be more precise: a project always consists of multiple phases, which are:

  1. Initiating a project
  2. Planning and directing a project
  3. Managing product delivery (implementation)
  4. Managing project boundaries (monitoring)
  5. Closing a project

A project manager or initiator, however, often thinks his/her project has ended when the actual implementation or execution phase is done. Now this is where it goes wrong. Every project has a life cycle. The life cycle of a project runs from the initiation phase until the completion phase. The completion phase is however, despite what most people think, not the end of the implementation but the end of the whole economic life cycle. As an example:

On September, 1st 2012 a company states that, if it wants to compete and still be cost effective, it needs to have a new IT infrastructure. Now the project is initiated. The company states that the economic life cycle of the new infrastructure needs to be five (5) years. However the implementation of the new infrastructure needs to be finished on March, 1st 2013. Now a project manager is assigned to successfully implement the solution within time and means, and does it before March, 1st 2013. Now the project is released and considered successful.


This is wrong thinking however. The implementation of the new solution is finished and was successful. Yeah! However, the project (economic) life cycle is five years. This means that if you want to see whether the project was a success you need to calculate the TCO and the ROI (Return on Investment) over the complete five years. It could be that over these five years the project turned out to be not so effective. In that case the project was not successful.

Ok and what does this have to do with the subject?


Well, everything actually! Because the economic calculation of a (public) cloud service like Office 365 is on a monthly and per-user basis, the calculation of the initial investment needs to be done over the complete life cycle. In the case of the example this is five years. An on-premise solution, on the other hand, is only calculated on the investment needed to deliver the new infrastructure and not on the complete life cycle.

Basically, in an on-premise scenario the costs of hiring employees, server maintenance, technical life cycle, cooling, etc. are not considered as cost items in the project. Therefore a traditional (on-premise) solution is by definition cheaper if you only count the initial costs. If you however calculate the TCO and ROI like you should, a cloud based solution is often not more expensive and in most cases even cheaper.

And since most points in "European Tenders" are given based on the initial costs, a cloud solution is "often" not an option.

Conclusion


Considering all the facts and theories, the title should have been "Why Office 365 is often no option in a European Tender", for two reasons:

  1. The word "project" is often misunderstood and misinterpreted. If the project is handled as a project, then the points for investments should go to the most economical solution over the complete life cycle.

  2. The tender rules are often misinterpreted by all people involved in a project. There is nothing mentioned in the regulations about initial investments. If you want to give both solutions an equal chance you should calculate the TCO and ROI of both solutions as equals, so over the complete life cycle.


I hope my post brings people a better understanding in how you can have different perspectives about calculating the success of a project/solution.

IMHO: Coolest changes in Exchange Server 2010 since going RTM

Moments before being replaced by its successor Exchange Server 2013, I want to share my thoughts about the IMHO coolest changes in Exchange Server 2010 since its release on October 8th, 2009.

Of course lots of improvements were made to make Exchange Server 2010 an even better product than it already was; I will not deny this. In a blog however, I think, you need to describe the most noticeable and biggest improvements. Therefore my top ...

1. Office Outlook 2003 support (SP2)
Although Office Outlook 2003 was supported since the RTM of Exchange Server 2010, it took some struggles to get it to work with Exchange Server 2010. This was all because of the RPC/TCP connections that Outlook 2003 relies on. For some reason Exchange Server 2010 couldn't handle these connections properly, which resulted in view update problems when using an Outlook 2003 client. Microsoft tried to fix it in several Update Rollups and even in Service Pack 1, but the problems stayed. Since Service Pack 2, however, we (my colleagues at PQR and I) haven't found any big problems concerning this issue anymore. There are still some minor issues with the calendar and icons in the address book, but no real big problems.

Therefore I think this is THE biggest improvement since going RTM. It allowed us to keep advising customers to go to Exchange Server 2010 and upgrade the Office Outlook client at a later stage.

2. Hybrid Configuration Wizard (SP2)
I have always been a great fan of Public SAAS services. Especially Microsoft Office 365. In my humble opinion going hybrid should always be a consideration when talking to customers and creating a business case for a new Messaging Environment and even more.

Why, you ask? In some cases it could enable customers to split the functionality of e-mail to fit the needs of different types of users. I did some projects for big healthcare companies who wanted to provide the "caring" people with a corporate e-mail address but did not want to waste expensive internal IT resources. In these cases going hybrid was the perfect way to go: providing internal users an on-premises mailbox and providing the less e-mail reliant "caring" users an Office 365 Kiosk mailbox which is federated with the on-premises Exchange organization.

Configuring a full hybrid solution however was, until Service Pack 2, a pretty time consuming and intensive thing to do. You manually needed to configure about 75 steps. Since Service Pack 2 you still need some configuration (no it's not easy), but the introduction of the Hybrid Configuration Wizard definitely made it easier.

Therefore it's on number 2 in my list.

3. Introduction of the "New-MailboxRepairRequest" cmdlet (SP1)
Before it was always a struggle in dealing with database corruption. You either needed to:
1. Take the corrupt DB offline and manually repair, defrag and check it which was very time consuming if you had large DB's, or;
2. Create a new DB and move all mailboxes to the new DB which would cost you temporary storage utilization, or;
3. In a DAG solution create a new DB and perform a reseed action which was very time consuming, or;
4. Restoring the DB from the latest proper backup.

Therefore this new feature introduced in Service Pack 1 deserves a good spot on my list.

4. The ability to soft-delete mailboxes after move completion (SP1)
Can you remember this great functionality in Exchange Server 2007, where you could move a mailbox and set the move-mailbox cmdlet to hold on to the source mailbox in case something went wrong during the mailbox move? Well, I used it quite often and was pretty stunned that this option was not available anymore in Exchange Server 2010.

Luckily Microsoft also noted this and restored a similar function in Service Pack 1. It's not the same feature, but you are able to restore a soft-deleted mailbox, by using the MailboxRestoreRequest cmdlets, in case a move request went wrong.

5. The ability to place archive mailboxes on a different DB (SP1)
Although I was never a big fan of how Microsoft looks at archiving, the biggest new thing and also the biggest shortcoming in the RTM of Exchange Server 2010 was the location of the archive mailbox in the same DB as the production mailbox. In my opinion, and many with me, it didn't make sense at all. Since Service Pack 1 you can place the archives of archive-enabled users on a different database. This makes more sense.

I still think that "Microsoft" archiving is no real archiving. Compared to Enterprise Archiving products like Symantec Enterprise Vault or Commvault Archiving, you are limited to retention policies based on time and it only moves the item to another location. It is also quite expensive, considering an Enterprise CAL and Office Professional Plus are required. Enterprise Archiving products are, besides being cheaper, far more sophisticated than Exchange Archiving. You can for example create different archiving policies based on attachment sizes or other criteria. Enterprise Archiving products also have a better understanding of how to use storage more efficiently by using technologies like single instance storage, compression and de-duplication, which all can save you a lot of storage in the end.

Still, if you want to go for Exchange Archiving, this feature deserves a spot in my list.

6. Cross-Site Silent Redirection for OWA(SP2)
One of the cool new things introduced with Service Pack 2 is Cross-Site Silent Redirection. With this option you can redirect CAS requests to a better servicing CAS server in another AD Site. You can also create an SSO experience with this feature.

7. Mailbox Auto-Mapping (SP2)
Some love it, others hate it. Personally I love it. If a user has full-control permissions on a mailbox, the mailbox is automatically added to the user's Outlook profile when logging into Outlook, by using the autodiscover service combined with the Auto-Mapping feature. In my experience this saved a lot of IT admins and Service Desks a lot of incidents helping users add all the mailboxes again when a profile became corrupt or similar.

Well, these were my 2 cents for now ;)

Microsoft Support Lifecycle. How does it work again?

How does the product lifecycle support for Microsoft products work again? I have been asked this question regularly lately. For that reason, here is a quick refresh.

Microsoft's support lifecycle policy for its products is actually very simple:
  • 10 years of support (5 years mainstream support and 5 years extended support) at the supported service pack level for business and developer products and desktop operating systems.
  • 5 years of mainstream support at the supported service pack level for consumer products, multimedia products and hardware.
  • 3 years of mainstream support for products with an annual release (for example Money, Encarta, Picture It!, Streets & Trips).

So what does this actually mean? As an example:
Windows Server 2003 was launched on 28-5-2003. For mainstream support this means that it expires on 13-7-2010. However, the last service pack for this OS was released on 10-4-2007, which means that extended support expires on 14-7-2015.

So what is the difference between mainstream and extended support? The table below shows the differences (phases) between mainstream and extended support:
How can I find out when a product was released and when its support expires?
For this Microsoft has developed the "Lifecycle Support Database". It can be accessed via http://support.microsoft.com/lifecycle/search/

Interesting fact
Did you know that extended support for Exchange Server 2003 and Windows XP expires on 8 April 2014? So you still have a year to get support again by upgrading.

Thinking Out of the Box: Exchange 2013 and backup

What else would you want to do on a sunny Wednesday afternoon than write an article about Exchange Server 2013 and backup ;). No really, it was a pretty long time ago that I posted a useful article about Exchange, so I thought, why not write something about backup.

In recent weeks I received a lot of questions from colleagues and customers about backup and disaster recovery in the new Exchange Server 2013. These questions really seemed to focus on the fact that organizations still have a pretty old understanding of backup and recovery. All customers still want to have item level backup while their data usage is growing.

So I thought, this is a good opportunity to write an article about backup and disaster recovery (DR) with Exchange Server 2013 (Exchange).

Introduction

First of all you can divide backup primarily into two main concerns:

  1. You'll probably need backup to perform a point in time restore based on a single item or complete mailbox.
  2. In any enterprise production environment you'll need a solution that allows you to recover your data in case of an emergency.

In the old days the solution to the first concern in Exchange was to buy and implement a backup solution that provided you single item backup and recovery. This feature enabled IT organizations within a company to restore a single item or multiple items back into a user's mailbox in case the user accidentally deleted the item.

The demand for this solution was high, so everybody implemented it and it performed well within the requirements. However, a few years ago mail data demand began to grow and backup time windows began to shrink because of hypes like "The new way to work" and/or "Work/Life integration". These hypes created more flexible work times and therefore a shorter backup window. Also, users kept their e-mail in their mailbox until the end of time.

These developments began to create some challenges for IT organizations to handle backup of mail data within the boundaries of time provided.

As the years went by Microsoft optimized its database structure and implemented new features in Exchange to cope with these problems. This resulted in even bigger mailbox databases, but the mindset of organizations concerning the backup of mail data did not change. Even today customers want to have single item backup in their Exchange environment. And when you ask the question "how many times did you use this functionality in the past year?", they can't give you a real answer.

The second concern is how you need to cope with outages and emergencies and get your data back (Disaster Recovery or Emergency Recovery). To describe this concern I'll give you a short explanation about DR.

DR can best be divided into two objectives:

  1. RPO (Recovery Point Objective) and
  2. RTO (Recovery Time Objective).
 
RPO
RPO is the maximum tolerable period in which data might be lost from an IT service due to a major incident. In other words: how much data (measured in time) is an acceptable loss in case of an emergency.

RTO
RTO is the duration of time within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. In other words: within how much time do the service(s) need to be restored in case of an emergency.

So how does this all relate to Exchange Server 2013? I will try to explain this in the following paragraphs.

Backing up Exchange Server 2013

Third party backup solutions

At the moment of writing this article, third party backup support for Exchange Server 2013 is marginal. The following table gives you a better understanding of the most common ("enterprise ready") backup solutions and their support of Exchange Server 2013.

Note: According to Microsoft, all backup solutions need to make use of the Volume Shadow Copy Service (VSS) in order to create a successful and consistent backup. For more information about these requirements click here.

 #   Solution                     Supported?                                                          Level
 1.  Symantec NetBackup           Support from version 7.5.0.6.                                       Database
 2.  Symantec BackupExec          Support from version 2012 Service Pack 2                            N/A
 3.  NetApp SnapManager           Supported in version 7 and higher                                   Database
 4.  CommVault                    Supported in version 9 and higher                                   Database
 5.  VEEAM                        No support. Support is going to be in version 7. Release date unknown   N/A
 6.  HP Dataprotector             Support from version 8.                                             Database
 7.  EMC Avamar/Networker         No support                                                          N/A
 8.  IBM Tivoli Storage Manager   No support                                                          N/A

As you can see there isn't much support from third party products for Exchange Server 2013 yet. Why suppliers of backup software don't have a solution yet is unclear. But the question is: is this a potential problem when you want your organization to move forward in implementing Exchange Server 2013? Personally I think not. Better said, I personally don't think you'll need a third party backup solution at all! And why is that, you say?

Well, the explanation is pretty simple. In Exchange (provided you design it properly) all features to eliminate both backup concerns are built in. In the next paragraphs I will go deeper into it, so keep on reading ;).
 
Exchange Item Restore
When you ask your customers or the management of your organization if it is really necessary to get single items back from backup in case of a user error, they will probably say yes. But if you ask them up to what point in time, most of the time they don't have a direct answer. If you then ask them if they are comfortable with a restore period of, let's say, 1 month for recoverable items, they will probably say that it is OK. You have to keep in mind that restoring single items has limitations. Single item restore from backup (not possible yet in combination with Exchange Server 2013) brings long backup times and probably performance loss.

Exchange however has the ability to keep deleted items for a specific period of time. This is called retention policies. By default all deleted items (meaning items that are removed from the user's "Deleted Items" folder) are kept for 14 days. This means that users are able to restore them themselves within 14 days from within Outlook.

So to fulfil the need to restore single items you can simply use or extend the retention period for recoverable items. This is configured on the database. You'll however have to keep in mind that you need to include this in your mailbox storage requirements design.

The advantages of this approach are numerous:

  • It saves you a lot of time backing up single items with any software;
  • It saves you storage in case of snapshot backups on storage level;
  • It saves you storage on your backup tapes;
  • It saves your IT Helpdesk the burden of answering calls about restores of single items;
  • And last but probably most important, users don't have to call the IT department anymore. They can do it themselves! And that means one step forward in pissing off users ;).
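The retention change described above, as an added example that is not part of the original post: it extends deleted item retention on every mailbox database to 30 days, verifies the result, and measures how much Recoverable Items space the mailboxes in one database already use, which is the number you need for the storage design mentioned above. It assumes the Exchange 2013 Management Shell; the 30-day value and the database name 'ExampleDB' are placeholders.

```powershell
# Added example, not from the original post. Assumes the Exchange 2013 Management Shell;
# the 30-day window and the database name 'ExampleDB' are placeholders.

$RetentionWindow = [TimeSpan]::FromDays(30)

# Show the current retention before changing anything
Get-MailboxDatabase | Select-Object Name, DeletedItemRetention, RetainDeletedItemsUntilBackup

# Extend the window on every database. RetainDeletedItemsUntilBackup is set to $false
# because in a design without backup software there is no backup for it to wait for.
Get-MailboxDatabase |
    Set-MailboxDatabase -DeletedItemRetention $RetentionWindow -RetainDeletedItemsUntilBackup $false

# Verify: any database still below the intended window is listed here (expect none)
Get-MailboxDatabase |
    Where-Object { [TimeSpan]$_.DeletedItemRetention -lt $RetentionWindow } |
    Select-Object Name, DeletedItemRetention

# Sizing input for the storage design: Recoverable Items size per mailbox in one
# database, largest first. A longer window grows these folders, not the visible mailbox.
Get-Mailbox -Database 'ExampleDB' -ResultSize Unlimited |
    ForEach-Object {
        $stats = Get-MailboxFolderStatistics -Identity $_.Identity -FolderScope RecoverableItems |
                 Where-Object { $_.FolderPath -eq '/Recoverable Items' }
        [PSCustomObject]@{
            Mailbox              = $_.Alias
            RecoverableItemsSize = $stats.FolderAndSubfolderSize
        }
    } |
    Sort-Object { $_.RecoverableItemsSize.ToBytes() } -Descending |
    Select-Object -First 10
```

Run the verification step again after a few days: a database that was added later, or a restored database, silently comes back with the 14-day default.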

Exchange HA and Site Resiliency
Great! And what about Disaster Recovery, I hear you say? Well, Exchange has a built-in solution for that too. It will require you to think carefully about your design, so I will only describe the features and technologies needed to achieve the goal.

Since Exchange Server 2010 there is a new thing called Database Availability Groups, or DAGs. DAGs are the successor of the pain-in-the-ass Cluster Continuous Replication (CCR) which was available in Exchange Server 2007. In Exchange Server 2013 the use of DAGs is continued and improved. With a DAG you can create highly available passive copies of your mailbox databases over up to 16 Exchange Mailbox Servers. The advantage of a DAG is that (although Microsoft Cluster Services is still used in the background) the configuration is relatively simple. You will however need extra storage for every copy of the database. It is also possible to spread your DAGs over separate data centers to ensure services continue to be available and data loss is kept to a minimum. This tackles your direct HA requirement.

But what if, for whatever reason, your active database gets corrupted? Are the passive copies then also affected? Uhhh, yes they probably are. The reason for this is that each copy of an active database in a DAG is seeded (kept up-to-date) by using transaction log shipping. If corruption is inserted into a database, the log will simply be replayed into the copies too.

But don't worry, there is a solution for this and it's called "lagged copies". In every DAG you can create, next to the regular HA copies, a lagged copy. A lagged copy simply means that you tell Exchange to insert a lag (delay in time) before it commits changes to that copy of the database. Therefore, if data gets corrupted in a database, the lag ensures the corruption is not immediately in the lagged copy.

Lagged copies have been around since Exchange Server 2007, and therefore also exist in Exchange Server 2010. However, lagged copies were a bit hard to handle in Exchange Server 2010. Also, if the organization needed a 0 day RPO it was simply not possible, because the logs were gone if all "normal" copies of the databases were lost and therefore the mail queue was empty.

In Exchange Server 2013 this issue is solved by a feature called Safety Net. Safety Net is the successor of the Transport Dumpster and is a layer that is not part of the databases or the DAG. What Safety Net does is, when a transaction occurs (incoming or outgoing mail for example), hold the message until it is delivered to all copies (including the lagged copy) of the databases in a DAG.
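The lagged copy and Safety Net combination described above, as an added example that is not part of the original post: it adds a 7-day lagged copy to a DAG database, makes sure the Safety Net hold time is at least as long as the replay lag (Microsoft's documented requirement for lagged copies to be brought current from Safety Net), and reports the copy status. It assumes the Exchange 2013 Management Shell; 'DB01', 'MBX03', the 7-day lag and activation preference 4 are placeholders.

```powershell
# Added example, not from the original post. Assumes the Exchange 2013 Management Shell;
# 'DB01', 'MBX03', the 7-day lag and activation preference 4 are placeholders.

$Database  = 'DB01'
$LagServer = 'MBX03'
$ReplayLag = [TimeSpan]::FromDays(7)

# Add the copy with log replay delayed by $ReplayLag. Activation preference is the
# last tie-breaker Active Manager uses when picking a copy to activate, so the
# lagged copy gets the highest number: it should only be activated deliberately,
# once the point of corruption is known.
Add-MailboxDatabaseCopy -Identity $Database -MailboxServer $LagServer `
    -ReplayLagTime $ReplayLag -ActivationPreference 4

# Safety Net resubmits messages to a lagged copy after it is activated, so its hold
# time must be at least as long as the longest replay lag in the organization.
$Transport = Get-TransportConfig
if ([TimeSpan]$Transport.SafetyNetHoldTime -lt $ReplayLag) {
    Set-TransportConfig -SafetyNetHoldTime $ReplayLag
}

# Report every copy of the database. The lagged copy is allowed a long replay queue;
# the HA copies should sit close to zero.
Get-MailboxDatabaseCopyStatus -Identity "$Database\*" |
    Select-Object Name, Status, ActivationPreference, ReplayQueueLength, LastInspectedLogTime |
    Format-Table -AutoSize
```

The Safety Net check is the part most often forgotten: a lagged copy with a replay lag longer than the hold time can be activated, but the messages that arrived during the lag are no longer available to be replayed into it.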




All this basically means that without any backup software you can tackle item level restore and reach a 0 day RTO and RPO together. Of course your design needs to be right and you'll need enough data centers and servers to do the job for you.

Accreditations
A special thanks to Martijn Moret (Data Management Consultant at PQR, @MMMoret) for providing me with a table of all backup providers and their support of Exchange Server 2013.

Updates

09-07-2013: Updated support matrix for Symantec NetBackup and HP Dataprotector
09-08-2013: Updated support matrix for Symantec BackupExec

My best new features in Powershell v3 and v4

PowerShell is used more and more. My love for this command line and scripting environment goes back to 2007 when Exchange Server 2007 was released. I was always a pro-automation guy. IMO you can't be a good professional if you don't know how to script.

Now with the new version 3 of PowerShell, the Microsoft team introduced a lot of new features. Here is a list of some of my quick favorites.

Show-Command

Do you ever get lost in all the available cmdlets? Well I do. In PowerShell v3 a new cmdlet is introduced called "Show-Command". When you run Show-Command a graphical window appears where you can search for cmdlets, build the syntax of a call and read the help of the cmdlet. Very cool and it makes your life as a scripter much easier.

Out-Gridview

With Out-GridView you can send a table or list to a graphical window called the GridView. Within GridView you can then filter your output to narrow your results.

Example syntax: Get-Process | Out-GridView

Easy insert

I always had problems inserting a cmdlet parameter after creating a one-liner. You couldn't do it. In PowerShell v3 you now can. Just go to the place where you want to insert your parameter, type - and the parameter name, et voilà.

Module Auto-Loading

You can now just type a cmdlet of a module that is not loaded into the runtime. This is very handy if you forget to import the module.

As you can see below only two modules have been loaded:

Next I type (for example) the cmdlet Add-VpnConnection and auto-complete it by hitting the TAB key.

Now when I type get-module again, you can see that the module in which the Add-VpnConnection cmdlet resides is automatically added.
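The auto-loading behaviour shown above, as an added example that is not part of the original post: the function records which modules are loaded, resolves a cmdlet with Get-Command (which triggers the same auto-import as tab completion), and reports the module that appeared. It assumes PowerShell v3 or later and that the module holding Add-VpnConnection (VpnClient on Windows 8 / Server 2012) is installed.

```powershell
# Added example, not from the original post. Assumes PowerShell v3+ and that the
# VpnClient module (which contains Add-VpnConnection) is installed on the machine.

function Test-ModuleAutoload {
    param(
        [Parameter(Mandatory)][string]$CmdletName
    )

    $before = Get-Module | Select-Object -ExpandProperty Name

    # Get-Command performs command discovery and, like tab completion or simply
    # running the cmdlet, imports the owning module automatically.
    $cmd = Get-Command -Name $CmdletName -ErrorAction Stop

    $after  = Get-Module | Select-Object -ExpandProperty Name
    $loaded = $after | Where-Object { $before -notcontains $_ }

    [PSCustomObject]@{
        Cmdlet       = $cmd.Name
        Module       = $cmd.ModuleName
        NewlyLoaded  = ($loaded -join ', ')
        # 'All' (default) auto-loads; 'ModuleQualified' and 'None' restrict it
        AutoloadPref = $PSModuleAutoloadingPreference
    }
}

Test-ModuleAutoload -CmdletName 'Add-VpnConnection'
```

Setting $PSModuleAutoloadingPreference to 'None' in a profile is a quick way to see which of your scripts silently depended on auto-loading.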




 
 
 



Checking if Office 365 wave 15 upgrade went OK

Last month a big customer of mine had a postponed wave 15 upgrade. After the upgrade we wanted to check via the portal if everything was upgraded to version 15. Unfortunately this is not possible. However, you can check it via PowerShell.

First of all you'll need to check if your Office 365 organization (tenant) is upgraded properly. You can do this by connecting to MSOL via the MSOL PowerShell module.

Check your tenant status

2.      Open Windows PowerShell (I prefer to do it from a normal PowerShell session, but you can also use the Windows Azure Active Directory Module for Windows PowerShell directly)

3.      Execute the following commands:

Import-Module MSOnline #for powershell v3 and v4 this step is not needed 

$cred = Get-Credential <global admin account Office 365>
Connect-MsolService -Credential $cred
(Get-MsolCompanyInformation).CompanyTags

You now should see that your tenant is version 15:

Check your Exchange Online Organization status

The next step is to verify if Exchange Online is upgraded to wave 15. For this you need to create a PSSession to Exchange Online.
1.      From within the earlier created PowerShell session, connect to Exchange Online with the following commands:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $session

2.      Next get the organization version with the following cmdlet:

Get-OrganizationConfig | fl Name, AdminDisplayVersion, IsUpgradingOrganization

3.      You now should see the following information if your tenant is upgraded:

Note: If the AdminDisplayVersion says 15.0.* then your organization is upgraded.

Verifying mailbox version

The last step is verifying that all the mailboxes are upgraded properly to wave 15.

1.      Execute the following one-liner in the PowerShell session you created in the previous step:

Get-Mailbox -ResultSize unlimited | where {$_.MailboxRelease -ne "E15"}

Note: This command retrieves all mailboxes that do not have the E15 mailbox version.

2.      If you do not get anything back you're all done :)
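The three checks above combined into one function, as an added example that is not part of the original post: it returns a single summary object (tenant tags, Exchange organization version, mailbox counts per release and the stragglers not yet on E15), which is easier to keep as evidence than screenshots. It assumes the MSOnline module is installed and that the credential passed in is a global admin of the tenant, as in the steps above.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is installed
# and that -Credential is an Office 365 global admin account.

function Get-TenantUpgradeReport {
    param([Parameter(Mandatory)][pscredential]$Credential)

    # Tenant level: same check as step 1 above
    Connect-MsolService -Credential $Credential
    $tenantTags = (Get-MsolCompanyInformation).CompanyTags

    # Exchange Online level: same remote session as the manual steps
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell `
        -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $session -DisableNameChecking | Out-Null
    try {
        $org = Get-OrganizationConfig

        # Fetch once, then both group per release and isolate the non-E15 ones;
        # counting per release makes a partially upgraded tenant obvious at a glance
        $all       = Get-Mailbox -ResultSize Unlimited
        $byRelease = $all | Group-Object MailboxRelease
        $pending   = @($all | Where-Object { $_.MailboxRelease -ne 'E15' })
    }
    finally {
        Remove-PSSession $session
    }

    [PSCustomObject]@{
        CompanyTags             = ($tenantTags -join ';')
        AdminDisplayVersion     = $org.AdminDisplayVersion
        IsUpgradingOrganization = $org.IsUpgradingOrganization
        MailboxesPerRelease     = (($byRelease | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ';')
        NotOnE15                = $pending.Count
        NotOnE15Upns            = ($pending.UserPrincipalName -join ';')
    }
}

Get-TenantUpgradeReport -Credential (Get-Credential)
```

The session is removed in the finally block so a failed Get-Mailbox does not leave an open remote PowerShell session against the tenant.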

 

Free TechSmith Software for Technology Leaders

If you are a Microsoft Certified Trainer (MCT) or Most Valuable Professional (MVP) you can get Camtasia Studio and Snagit for free! That's what someone (another MCT) told me earlier this week. It seems that the deal is still active after many years (since 2009). I didn't know that myself actually, so this blog post is a reminder. Just go to the MCT Request Form or MVP Request Form to request an activation key. Very cool if you ask me!
 
Downloads can be done here:
-Snagit PC or MAC
Record onscreen activity at your desk or in front of an audience and create eye-catching HD-quality training, presentation, and demo videos. Enhance them with editing effects like callouts, transitions and more. Then share for viewers to watch on-demand…anytime, anywhere.

-Camtasia Studio PC or MAC
Quickly create professional quality videos that you can share with anyone, on nearly any device, without formal training. Use Camtasia to give presentations, train audiences, share knowledge, and more.


@TechSmit Software Thanks for the software and free licenses!
@Henk Hoogendoorn Thanks for pointing it out to me

Auto add specific Office 365 licenses to all users

Ever needed to add only Exchange Online licenses to thousands of users in Office 365? Well, I did. Since I didn't want to click, I created a PowerShell script for it.

I created this particular script for an academic institution. Therefore the plan and the service options are specific to an educational organization.

This script licenses users based on the attribute "Office". If this attribute is empty the user is an employee; if the attribute is not empty the user is a student. The script saves the output to a log file and also shows it on the display (including a progress bar :)).

If you want to know which plans are available in your tenant, type the commands below in a PowerShell session:
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)
Get-MsolSubscription

Once you have the subscriptions you can narrow it down to only the services available in a subscription with the command below:
Get-MsolSubscription -SubscriptionId  | select-object -ExpandProperty servicestatus

Here is the script. Have fun with it!
 
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

# One log file per computer and run
$GlobalLog = "D:\Scripts\Logs\$(gc env:computername)_$(get-date -format hhmm_ddMMyyyy).log"
$Date      = Get-Date -Format "hh:mm:ss - dd MMMM yyyy"
$Users     = Get-MsolUser -All
$Location  = "NL"

# Service plans that stay disabled inside the assigned SKU (only Exchange Online is wanted)
$LicOptions = 'SHAREPOINTWAC_EDU','MCOSTANDARD','SHAREPOINTSTANDARD_EDU'

#Faculty members
$Faculty = "<TenantID>:STANDARDWOFFPACK_FACULTY"
$PlanFc  = New-MsolLicenseOptions -AccountSkuId $Faculty -DisabledPlans $LicOptions

#Students
$Student = "<TenantID>:STANDARDWOFFPACK_STUDENT"
$PlanSt  = New-MsolLicenseOptions -AccountSkuId $Student -DisabledPlans $LicOptions

function LogLine {
    Param(
        [string]$LogInput
    )
    Add-Content $GlobalLog -Value $LogInput
}

function LogHeader {
    LogLine "--------------------------------------------------------------------------------"
    LogLine "Adding user licenses:"
    LogLine "Time: $Date"
    LogLine "--------------------------------------------------------------------------------"
}

function LicAdd {
    $Users | ForEach-Object -Begin { Clear-Host; $i = 0; $Stu = 0; $Fac = 0 } -Process {
        # Only touch users without a license yet (IsLicensed is a boolean)
        if (-not $_.IsLicensed) {
            # UsageLocation must be set before a license can be assigned
            Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $Location
            $User = $_.UserPrincipalName
            # Office filled in = student; empty (null or blank) = faculty employee
            if (-not [string]::IsNullOrWhiteSpace($_.Office)) {
                Set-MsolUserLicense -UserPrincipalName $User -AddLicenses $Student -LicenseOptions $PlanSt
                LogLine "Added student license for user $User"
                Write-Host "Added student license for user" $User -ForegroundColor 'Gray'
                #Start-Sleep -Milliseconds 30
                $Stu++
            }
            else {
                Set-MsolUserLicense -UserPrincipalName $User -AddLicenses $Faculty -LicenseOptions $PlanFc
                LogLine "Added faculty license for user $User"
                Write-Host "Added faculty license for user" $User -ForegroundColor 'Green'
                #Start-Sleep -Milliseconds 30
                $Fac++
            }
        }
        Write-Progress -Activity "Adding licenses" -Status "Progress:" -PercentComplete ($i / $Users.Count * 100)
        $i = $i + 1
    } -End {}
    LogLine "--------------------------------------------------------------------------------"
    LogLine "Number licenses added for students: $Stu"
    LogLine "Number licenses added for faculty employees: $Fac"
    LogLine "--------------------------------------------------------------------------------"
    LogLine ""
}

LogLine
LogHeader
LicAdd
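An audit to run after the licensing script, as an added example that is not part of the original post: it reports users that are still unlicensed, licensed users without a UsageLocation, and, per SKU, how many users hold it and how many have a set of disabled service plans that differs from the intended list (someone licensed by hand through the portal, for instance). It assumes the MSOnline module and the same <TenantID> placeholder SKUs and $LicOptions as the script above.

```powershell
# Added example, not from the original post. Assumes the MSOnline module; the SKU ids
# use the same <TenantID> placeholder as the script above.

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

$Faculty    = "<TenantID>:STANDARDWOFFPACK_FACULTY"
$Student    = "<TenantID>:STANDARDWOFFPACK_STUDENT"
$LicOptions = 'SHAREPOINTWAC_EDU','MCOSTANDARD','SHAREPOINTSTANDARD_EDU'

$Users = Get-MsolUser -All

# 1. Still unlicensed: users the script skipped or whose assignment failed
$Unlicensed = @($Users | Where-Object { -not $_.IsLicensed })

# 2. Licensed without UsageLocation should not occur; it means a license was
#    assigned by another path and is worth a look
$NoLocation = @($Users | Where-Object { $_.IsLicensed -and -not $_.UsageLocation })

# 3. Per SKU: holders, and holders whose disabled plans differ from $LicOptions
$SkuReport = foreach ($sku in $Faculty, $Student) {
    $holders = @($Users | Where-Object { $_.Licenses.AccountSkuId -contains $sku })
    $mismatch = @($holders | Where-Object {
        $lic = $_.Licenses | Where-Object AccountSkuId -eq $sku
        $disabled = @($lic.ServiceStatus |
                      Where-Object ProvisioningStatus -eq 'Disabled' |
                      ForEach-Object { $_.ServicePlan.ServiceName })
        # Plans that should be disabled but are not, or are disabled but should not be
        $missing = @($LicOptions | Where-Object { $disabled -notcontains $_ })
        $extra   = @($disabled   | Where-Object { $LicOptions -notcontains $_ })
        ($missing.Count + $extra.Count) -gt 0
    })
    [PSCustomObject]@{
        AccountSkuId      = $sku
        Assigned          = $holders.Count
        PlanSetMismatches = $mismatch.Count
        MismatchedUsers   = ($mismatch.UserPrincipalName -join ';')
    }
}

$SkuReport | Format-Table -AutoSize
"Unlicensed users: $($Unlicensed.Count)"
"Licensed users without UsageLocation: $($NoLocation.Count)"
$NoLocation | Select-Object UserPrincipalName
```

The plan-set comparison is done per user rather than by counting, because a user can hold the right SKU while having a different set of plans enabled than the script intended.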

To IE or not to IE?

This morning De Telegraaf published an article saying you should no longer use Internet Explorer (IE) because of a zero-day bug. Now there are people asking "What do we do now, remove all IE browsers?" and "Microsoft is being nicely embarrassed, isn't it?".

My answer: No, of course not, that is not possible at all!

First, this bug is not new and neither is the news. This has been known for a while!

Second, what De Telegraaf forgets to mention is the following:
"Microsoft suggests a few other workarounds, such as switching on IE's Enhanced Protected Mode or setting security levels to "High" to stop ActiveX controls and Active Scripting working.

The upside, if there is any, is that Windows Server's default settings make it hard to create the kind of honeypot website that could exploit this flaw."

As usual the media is once again responsible for presenting a wrong context by deliberately leaving out information.

Besides, you can of course always ask yourself "Do other browsers never have any problems?" and "Does this bug mean every IE browser is automatically attacked?". The answer to this is, of course, no!

With this I am of course not condoning a bug that should not have been there, but I am trying to set the context straight.

Do you have other opinions? Please share them!

Is Office 365 really going to save me money?

Saving money is something every organization wants, right? It certainly would be if it were my organization. But is moving to Office 365 really cheaper in the long run, like Microsoft says it is? And is saving money the only thing you need to consider when moving to a public cloud platform like Office 365?
That is the question most of my customers have, and it is, unfortunately, not so easy to answer or predict. Although in theory most of my customers can save an average of 66% compared to their current solution, actually saving these amounts is usually not very feasible.

In this post I try to explain the different variables and catches there are concerning this question.

What is Office 365?

For those who lived under a rock the last few years and don't know what Office 365 is, I give a short description of Office 365 in this paragraph.

Office 365 is not the new version of Office on your PC or Mac. Office 365 is also not something to chew on or eat. Office 365 is a public cloud platform delivered by Microsoft that can deliver several productivity services and applications to your organization.

Productivity Services

Productivity Services are services that you can rent within the Office 365 platform. The main services you can use from within Office 365 are:
  • Mail (Exchange Online)
  • Communication (Lync Online)
  • Collaboration (SharePoint Online)
  • Social (Yammer)
  • Document editing (Office Online)

Note: These services are the main services the platform provide at the moment. New services can be added in the future.

Productivity Applications

Productivity Applications are all applications you can use to access the information located in the Productivity Services. The main applications you can use within the platform are:
  • Office 365 Pro Plus. This is a desktop version of Office like Office 2013, only with a subscription service to activate or de-activate it based on the user's permission or license. With a typical Office 365 Pro Plus license you can install Office 365 Pro Plus on five different devices, on both PC and Mac.
  • Project Online with Project Pro for Office 365. Project Online is a flexible online solution for project portfolio management (PPM) and everyday work. Delivered through Office 365 and designed for people who need full project management capabilities on the desktop as well as the ability to work online from virtually anywhere on almost any device.
  • Visio for Office 365. Visio for Office 365 requires a separate subscription. With a Visio for Office 365 subscription you can give users who need Visio the possibility to install Visio on their client, in the same way users install Office 365 Pro Plus.
  • Mobile Apps. Microsoft provides several mobile apps (like OneNote for Business, Yammer, OWA and Office 365) for all main mobile platforms: Android, iOS, Blackberry and Windows Phone*

*  On Windows Phone 7, 8 and 8.1 all mobile Apps are integrated seamlessly into the platform. There is no need to install separate apps.

For a complete overview of all plans, subscription options, available services and applications you can use this page or consider hiring an expert via one of the many certified partners or just ask me ;-).

Baseline

First of all, to keep the record straight, we need some sort of baseline. In most calculations I perform for a customer, I use the following six categories to split the costs:

  • Hardware
  • Microsoft Software and Services
  • Third-Party Software and Services
  • Operations
  • Deployment and Migration
  • Disaster Recovery

Hardware

This category is about the costs of hardware you need to maintain or purchase during the lifetime of the solution (in The Netherlands this is normally the financial depreciation which is usually 5 years).

What I usually see is that hardware costs drop when moving to Office 365, but are (in most cases) not the big cost saver.

Microsoft Software and Services

This category is about the costs of Microsoft licenses you need to pay to have a licensed solution over the lifetime of the solution. Included in this category are:
  • Licensing costs for the messaging solution (Exchange)
  • Licensing costs for the communication solution (Lync)
  • Licensing costs for the collaboration solution (SharePoint)
  • Licensing costs for the clients (Office)

In Office 365 you use a pay-per-use model. Because of the large scale of the Office 365 platform and the flexibility of a pay-per-use model, buying, renting and maintaining expensive licenses is not needed anymore. Therefore Office 365 is most of the time cheaper in licensing costs.

Third-Party Software and services

This category is about the costs needed to maintain or purchase third-party solutions like backup, antivirus and anti-spam, or products from different vendors for your communications solution (if you are already using them).

Because the data of the services you subscribe to is no longer in your own datacenter, you don't need to worry about the purchase and support of AV, anti-spam and backup solutions anymore. Therefore it can save you a lot of money if you decide to move to Office 365. It also simplifies your contract management, but it's hard to tell the real financial impact of this.

Also, if you implement it right and include the optimization of meetings and leverage your mobile workforce with proper processes for working at home and not having to travel a lot, this can save your organization a lot of money. If you successfully implement Lync, users who need to travel a lot can save time otherwise spent in traffic jams, on flights, etc. This is one of the biggest cost savers. But you have to be able to implement it right.

Operations

This category is about the personnel and consultancy costs you are going to have maintaining the solution.

Operations can be a real cost saver, but most of the time the actual saving is not achieved. This is mainly because the admins are not given new tasks and responsibilities, or have rusted away in their very comfortable chair. It is therefore hard to put an actual number on this topic.

My advice to all customers is to really think about the opportunities moving to the public cloud can create for IT employees and to assign the proper actions to it. This doesn't per se mean that you need to get rid of your IT employees, but encourage yourself and your personnel to create new roles and possibilities, and also draw conclusions if these new responsibilities and opportunities are not achieved.

Deployment and Migration

This category is about the costs you are going to have deploying and migrating the current solution to Office 365 or a new on-premises solution.

Typically, migration to Office 365 will cost your organization somewhat more than upgrading the current solution. Migration to Office 365, and especially the initiation and preparation phase, will consume a lot of time. Also, most organizations are not capable of seeing the big picture of Office 365 and/or do not have the expertise and experience in-house. The use of an external expert is, in almost all cases, advisable. Hiring such an expert costs you money.

However, the costs of hiring an expert to implement and migrate to Office 365 are a fraction of the savings your organization can make.

Disaster Recovery

This category is about the costs involved maintaining a disaster recovery solution.

When using Office 365 you don't need to worry about disaster recovery anymore. It's clear that the costs of a disaster recovery solution for the services in Office 365 will almost completely disappear.

Advantages of Office 365

Moving to Office 365 really has several advantages for your organization compared to an on-premises solution or solutions, like:

Scalable

Office 365 is a very scalable platform. Whether you only want to use Messaging (Exchange Online) or leverage the complete platform, you can choose whatever you like for every user or persona in your organization.

For instance, if you are a company that is subject to heavy increases or decreases in personnel (like project-based organizations) you can easily add or remove licenses based on your current needs. In an on-premises environment you are less flexible because you need to scale the solution based on the needs at that point in time.

Another advantage concerning scalability is that you can divide users or user groups into personas. So if you are an organization that has users who only need an Exchange Online mailbox and users who also need other services like SharePoint sites, OneDrive and/or conferencing, you can easily purchase and enable multiple plans or SKUs for each type of persona.

High Availability

Using Office 365 automatically adds high availability (HA) to your solution(s). You don't need to worry about the design and maintenance of multiple datacenters, or whether your HA solution is working. Office 365 has several datacenters across the world and, by default, every service has a primary and a failover location in your continental region.

The only exception is when you are going to use Single Sign On (SSO) based on Active Directory Federation Services, which is covered later on in this post.

Accessibility

By using Office 365 you or your employees can literally access their data from anywhere in the world, as long as they have a usable internet connection. It doesn't matter if the user is in one of your offices or in an internet cafe somewhere in the middle of Peru, the user can always access his or her data.

Whereas in an on-premises solution you'll have several dependencies, like:
  • Is or are your datacenter(s) available in the region where the user is?
  • What is the user experience if the user is at a location with limited internet connectivity?
  • Are the Service Level Agreements met? For most subscriptions Microsoft guarantees 99,9% (in 2013 it was 99,6%) availability.

Complexity

Moving to Office 365 reduces the complexity of your own environment. Although it does not always save you servers (for example, if you were only using one or two Exchange servers and you want SSO and DirSync in a highly available setup, you need at least 2 proxy servers, 2 AD FS servers, some load balancers and one DirSync server), it can save you complexity regarding the availability requirements of Exchange, Lync and SharePoint. It also reduces the complexity of storage for these products. You simply don't have to worry about this anymore.

Disadvantages of Office 365

Like every choice in this modern world there are disadvantages or considerations to make when your organization is considering a move to Office 365.

Considerations for not moving to Office 365 can be, but are not limited to:

Highly Configurable - Not Customizable

All services provided in the Office 365 platform are highly configurable but not customizable. This means that if you want to, for example, change the login screen or create a custom theme in Exchange OWA, you are not able to. You can however change most theming in SharePoint, as long as there is no server-side code in the theme or app.

Data Location and Transfers

In Office 365 Microsoft decides where your data is stored. You are not able to influence this. Most of the time Microsoft stores your data in the continental region where your organization has its home ground. For example, if your organization has its headquarters or only office in The Netherlands, Microsoft stores your data in the European datacenters.

This is done for several reasons. One reason is to minimize the latency when accessing your data. The other reason is to comply with the country's or region's governance policies (covered later on).

No Customer Right to Audit

Customers or tenants of the Office 365 platform are not able to physically audit the data and/or services located in one of Microsoft's datacenters. However, Microsoft provides all audit data twice a year on the Microsoft Office 365 Trust Center site. But if you need to comply with certain audit requirements that require you to have access to the datacenter, you are out of luck.

In my experience, however, most organizations or vertical markets don't have, or are not aware of, any specific regulations regarding this topic.

Comfortable with the Office 365 Roadmap

When your organization moves to Office 365, you need to feel comfortable with the Office 365 roadmap. This means that if Microsoft decides to upgrade its platform to a newer version, deprecate features / services or implement new features / services, your organization needs to comply and go with the flow.

Most of the time this actually creates possibilities for your organization, like leveraging new abilities for your workforce. But sometimes this roadmap is a bit fuzzy and unclear. For that Microsoft provides a public roadmap, which helps in most cases but not always. Also, if you have or work in a very conservative organization which, for example, doesn't have a flexible upgrade process or uses applications and/or add-ins in Office that cannot comply, moving to Office 365 can be quite a challenge or, in the worst case, a real deal breaker.

Less complexity or more

Although moving to Office 365 removes specific product complexity for Exchange, Lync and SharePoint in an on-premises environment, it can also introduce new complexity. For example, if your organization wants to use Single Sign On (SSO) you will need to have Active Directory Federation Services (AD FS).

If your organization also wants AD FS to be available anytime and anywhere (which in my opinion is a must in any case, because not having this can create severe complications regarding the availability of the platform), you will need to have multiple AD FS servers in a farm or multiple AD FS farms.

By introducing AD FS you open up a lot of opportunities relating to SSO on many web services from within your organization or at partner organizations. However, introducing AD FS also introduces the need for specific and specialist knowledge and local* dependencies. Therefore AD FS can add unneeded and unallocated complexity.

So if you or your organization decides to add AD FS as a needed part of the solution, you need to really consider the above.

*  Local relates to servers or virtual servers in your own datacenter. You can also use virtual servers in Microsoft Azure. This post does not cover Azure.

Governance

As mentioned earlier, governance can be a challenge. Although Microsoft claims that its platform complies with most of the world's accepted regulations, we all know the recent fuss created concerning the Patriot Act and PRISM.

Personally I am having trouble forming an opinion about this topic. I always think how data is no secret for anyone in any case. If you have users who are not provided the right tools, they will send data to their own mail account (like Google) or put it on Dropbox. This can be much harder to control and can even be a bigger threat than putting it on Office 365.

One thing I know for sure: Microsoft is doing everything it can to provide its customers with a high-integrity, enterprise-grade solution, but I guess you never know for sure.

For (potential) movers who are concerned about the number of data requests in their region, Microsoft provides a periodic Law Enforcement Requests Report, which you can find here.

At the very least, all governance-related (potential) issues need to be addressed as soon as possible in the project. What I normally do is provide my customers with a "Cloud Briefing". For this session I ask the customer to invite all potential stakeholders for this project within the organisation. During this session we hold an open discussion of all potential concerns and issues related to a move to the public cloud.

Having a session like this not only addresses governance concerns but also provides a better view of Office 365 and gives an opportunity to make decisions on naming conventions, the services to be used, and so on.

Conclusion

So back to the question "Is Office 365 really going to save me money?".

As you have read in my post, this is an easy question that is not so easy to answer. It all depends.

Although I am an early adopter, real expert, evangelist, public speaker and big promoter of Office 365 from the early days (when it was still named BPOS), I am also critical. I did a lot of advisory work on Office 365 and moved a lot of customers to it. During all these projects the topics above really came into play and in some projects, unfortunately, not always at the beginning of the project.

I am also realistic about the fact that Office 365, or any other public cloud platform, has its limitations. These limitations don't always have to be a decision breaker, but you always need to have a clear mind and address potential decision breakers.

Moving to Office 365 can save your organization a lot of headaches in the IT department and money in the long run, but proper preparation and adjusting business policy and processes are needed to make it a success. In my experience a lot of organizations are making their decisions based on the investment costs of a project or new technology. Better said, CAPEX.

In my opinion, a big decision like this can really leverage and optimize all corners of your organization. Therefore you should look at every aspect of moving to Office 365 over a longer period of time than only during the project. Better said, OPEX. Only then will you save money and time.

I hope I have provided you all with easily readable information concerning this topic and given you enough food for thought. If you have any questions related to this topic, or your organization wants to hire my company to discuss Office 365 or on-prem environments, you can contact me via info@unifyit.nl.

Strange behavior AD FS Windows Server 2012 R2 after changing the service communications certificate

Yesterday I ran into a problem in my demo environment after I changed the AD FS service communications certificate. My old certificate wasn’t prepared for DRS (Device Registration Service) and since I wanted to test some things with DRS in combination with Office 365 I needed to replace the certificate with a new one which included the enterpriseregistration.domain.com UPN suffix.
However, after I requested a new SSL certificate and changed the service communications certificate in the AD FS management console and restarted the AD FS service I ran into the following problems:
1. My Web Application Proxy (WAP) had problems creating a trust relationship with my AD FS server:
Log Name:                AD FS/Admin
Source:                      AD FS
Date:                          20-10-2014 16:56:16
Event ID:                   422
Task Category:         None
Level:                         Error
Keywords:                 AD FS
User:                          NETWORK SERVICE
Computer:                OP-WAP01
Description:              Unable to retrieve proxy configuration data from the Federation Service.

2. I started receiving event ID error 15021 on my AD FS server:
Log Name:                System
Source:                      HttpEvent
Date:                          20-10-2014 16:57:03
Event ID:                   15021
Task Category:         None
Level:                         Error
Keywords:                 Classic
User:                          N/A
Computer:                OP-DC01.demo.unifyit.nl
Description:             An error occurred while using SSL configuration for endpoint localhost:443. The error status code is contained within the returned data.

3. I wasn’t able to log in to Office 365 anymore using a federated identity from an internal client:


4. The Device Registration Service (DRS) on my AD FS server didn’t want to start anymore:
Log Name:                DRS/Admin
Source:                      Device Registration Service
Date:                          20-10-2014 16:57:03
Event ID:                   124
Task Category:         None
Level:                         Error
Keywords:                 Service
User:                          DEMO\svc_adfs$
Computer:                 OP-DC01.demo.unifyit.nl
Description:              Could not determine the SSL port over which the AD FS service is listening on.
User Action:              Make sure that the AD FS service is running and that AD FS is configured correctly.

Since the AD FS service itself didn’t report any problems I first tried to remove the AD FS trust between the Web Application Proxy (WAP) server and the AD FS server. However, after I removed the trust and tried to recreate it using the “install-webapplicationproxy” cmdlet on the WAP server, I received the following error:


Because it took me some time to figure it out, I wanted to share my solution with you.

Apparently there is some strange behavior in Windows Server 2012 R2 when you change the AD FS service communications certificate. After you change it, for some reason Windows Server doesn’t change the SSL certificates on the socket layer of the system. In my case the Certificate Hash or Thumbprint didn’t match between AD FS and the socket layer anymore:


As you can see, after typing in “cd cert:\LocalMachine\My” and then a “ls” or “dir”, my new certificate thumbprint/hash was 2A4BF86B8387BA006C7AC63183557F4D009FE7C4.

However, when I looked into the socket layer with the command “netsh http show sslcert”, it returned the following information:


Clearly the socket layer still believed it needed to use my old certificate, which was already gone by now.

Since AD FS in this version of Windows Server is not running on IIS anymore, you can’t change the default certificate on the IIS website. You need to remove all SSL Certificate bindings and add new bindings with the new SSL certificate.

So before we do this, you need to save the output of the “netsh http show sslcert” command to a Notepad file. This is important because you need the appid, hostnameport, certstorename and sslctlstorename to recreate the SSL certificate bindings.

Note: It is not necessary but before I do anything related to an application with a service install, I always stop the related service and make sure I have a current backup of the server in place.  

After we have saved the needed information, we can remove the current SSL certificate bindings by using the “netsh http delete sslcert” command. In this command you need to specify the hostnameport for the binding you want to remove. Since there are 3 bindings, we need to remove all of them. Also, you need to run your command prompt or PowerShell prompt with elevated permissions. This is how the commands look in my environment:

Now the old bindings are removed and you are ready to add the bindings again with the SSL certificate that relates to the AD FS service communications certificate. You can verify whether the removal of the SSL bindings was successful by running the “netsh http show sslcert” command again:


So, for the creation of the new SSL binding for AD FS you need the following information ready (you can take this out of the earlier created Notepad file):

hostnameport: Unicode hostname and port for the binding.
certhash: The SHA hash or thumbprint of the certificate. This hash is 20 bytes long and specified as a hex string.
appid: GUID to identify the owning application.
certstorename: Store name for the certificate. Required for hostname-based configurations. Defaults to MY for IP-based configurations. The certificate must be stored in the local machine context.
sslctlstorename: Store name under LOCAL_MACHINE where the SslCtlIdentifier is stored.

For some reason netsh doesn’t allow you to use the same syntax as for showing and deleting the bindings. If you do this anyway, it returns the error “parameter is incorrect”. So, we need to create a session by entering the following commands:
netsh
http

This gets you into the http context of netsh. After this you can recreate the bindings with the command “add sslcert”. In my case these were the following command lines:

add sslcert hostnameport=sts.demo.unifyit.nl:443 certhash=2A4BF86B8387BA006C7AC63183557F4D009FE7C4 appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY sslctlstorename=AdfsTrustedDevices

add sslcert hostnameport=localhost:443 certhash=2A4BF86B8387BA006C7AC63183557F4D009FE7C4 appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY sslctlstorename=AdfsTrustedDevices

add sslcert hostnameport=sts.demo.unifyit.nl:49443 certhash=2A4BF86B8387BA006C7AC63183557F4D009FE7C4 appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY

After running these commands, you should get the following output:


Now, we want to verify if the bindings are restored in a proper manner. You can do this by entering “show sslcert” from within the netsh shell. This should give you the following output:


As you can see now, the bindings are successfully created and the Certificate Hash matches the SSL certificate installed on the AD FS server.

After this I started the AD FS and DRS services on the AD FS server again, recreated the proxy trust between the WAP and AD FS server, and all problems disappeared.


I don’t know if this behavior is just the default in Windows Server 2012 R2 or if it is a bug, but it’s important to always check whether the new SSL certificate for the AD FS service communications matches the SSL certificate binding on the socket layer of the AD FS server.
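To make that check repeatable, here is an added PowerShell example (my addition, not code from the original post). It assumes the ADFS module’s Get-AdfsCertificate is available on the server, that the netsh field labels are the ones shown in this post (“Hostname:port”, “Certificate Hash”, “Application ID”), and it defaults the application ID to the one from the netsh output above.

```powershell
# Added example, not part of the original post: verify that the HTTP.sys
# SSL bindings used by AD FS carry the same thumbprint as the AD FS
# service communications certificate. Run from an elevated PowerShell
# prompt on the AD FS server (Windows Server 2012 R2, ADFS module loaded).

function Get-HttpSslBinding {
    # Turn the text output of "netsh http show sslcert" into objects.
    # Assumption: the field labels below match your netsh output
    # ("Hostname:port" / "IP:port", "Certificate Hash", "Application ID").
    $raw = (netsh http show sslcert) -join "`n"
    foreach ($block in ($raw -split '\n\s*\n')) {
        $props = @{}
        foreach ($line in ($block -split '\n')) {
            # Label and value are separated by padding and a lone colon; the
            # \s+ before the colon keeps "Hostname:port" together as a label.
            if ($line -match '^\s*(.+?)\s+:\s*(.*?)\s*$') {
                $props[$Matches[1]] = $Matches[2]
            }
        }
        if ($props.Count -eq 0) { continue }
        $endpointKey = $props.Keys | Where-Object { $_ -like '*:port' } | Select-Object -First 1
        [pscustomobject]@{
            Endpoint = if ($endpointKey) { $props[$endpointKey] } else { $null }
            CertHash = $props['Certificate Hash']
            AppId    = $props['Application ID']
            Store    = $props['Certificate Store Name']
        }
    }
}

function Test-AdfsSslBinding {
    param(
        # Expected thumbprint: the primary service communications certificate
        # as AD FS knows it (Get-AdfsCertificate returns it in uppercase).
        [string]$Thumbprint = (Get-AdfsCertificate -CertificateType Service-Communications |
            Where-Object IsPrimary | Select-Object -ExpandProperty Thumbprint),
        # AD FS application ID as shown in the netsh output earlier in this post.
        [string]$AppId = '{5d89a20c-beab-4389-9447-324788eb944a}'
    )
    # The thumbprint must also exist in the machine store, otherwise the
    # re-bind with "add sslcert" fails even when the hash value is right.
    $inStore  = Test-Path -Path "Cert:\LocalMachine\My\$Thumbprint"
    $bindings = Get-HttpSslBinding | Where-Object { $_.AppId -eq $AppId }
    if (-not $bindings) {
        Write-Warning "No HTTP.sys SSL bindings found for application ID $AppId"
    }
    foreach ($b in $bindings) {
        [pscustomobject]@{
            Endpoint     = $b.Endpoint
            BoundHash    = $b.CertHash
            ExpectedHash = $Thumbprint
            # -eq is case-insensitive, so netsh's lowercase hash compares fine.
            HashMatches  = ($b.CertHash -eq $Thumbprint)
            CertInStore  = $inStore
        }
    }
}

# Any row with HashMatches = False is a binding that still points at the old
# certificate: delete it and add it again with the new hash as described above.
Test-AdfsSslBinding | Format-Table -AutoSize
```

Running this before and after the netsh delete/add cycle shows exactly which of the three bindings still carries the old hash. The ADFS module on Windows Server 2012 R2 also ships Set-AdfsSslCertificate -Thumbprint, which rewrites these bindings in one go; the script above only reports and changes nothing.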

I hope this guide is useful for you when you encounter similar problems.

Good luck!

What you say? Windows Nano Server? Looking great, but…

As we all know by now, Microsoft yesterday announced Windows Nano Server, an edition to be released in the next version of Windows Server. Here are some of my thoughts about it :).
In my years as an IT consultant, architect, trainer and scripting fanatic I love to see developments in the IT landscape.

As an early adopter of PowerShell back in 2006, when it was sort of launched with Exchange Server 2007, I really love to see what you can do with it. I wrote and still write a lot of advanced scripts to make our lives easier in the admin and migration process. I am also involved in the design and architecture of new Windows-based infrastructure and in trying to get customers or IT admins to adopt the new and rich possibilities the Windows Server and Windows client OS bring.


For some years now I’m trying to convince a lot of my customers to move on to using PowerShell and Windows Server Core edition (no, personally not 2008 (I think this version was not really good), but since 2012), but still a lot of IT pros and IT admins don’t know how to use PowerShell and what you can do with it. To be more clear, I still see IT admins, for example, trying to change the same setting for 4000+ users within Active Directory by hand. Not very efficient I think, and also very error-prone. Therefore the adoption of Windows Server Core edition is not happening as quickly as I would have wanted to see.

And this is where I have mixed feelings about Windows Server Nano. Personally I think it’s great to see you don’t have any overhead anymore in the form of a GUI, local logon, WOW64 support and many other things. I love to work with remote PowerShell. I think connecting to a server with RDP and then doing your stuff on it is slow, and you are limited to a maximum number of sessions. Also, all these components require updating and installing a lot of hotfixes and patches and so on.
Removing all this overhead leaves you with a much more hardened server and a lower footprint (less hard disk space, memory, etc.). It also saves you the installation of a lot of updates that you don’t need and that would leave you with a lot of potential security risks if you don’t install them.

However, as I wrote earlier, in my experience the adoption of these new developments by the current generation of IT pros (yes, unfortunately I know a lot of IT consultants and engineers that still don’t know how to use PowerShell) and IT admins is a thing to worry about while getting Windows Nano and Core edition servers adopted.

I do hope it will be a success, and personally I will adopt it and recommend it in my advice and designs to customers, but there needs to be a real change in the IT landscape and in the mindset of IT-related people. I think…

Do you guys have any thoughts on this?

Let me know… I’d like to have interesting discussions about it :)


Reference:
http://blogs.technet.com/b/windowsserver/archive/2015/04/08/microsoft-announces-nano-server-for-modern-apps-and-cloud.aspx

Take upgrading to #Windows10 for phones under advisement. @Microsoft @Windows

Hi! First of all, I dedicate this post to making Windows 10 for phones better and to providing feedback for Microsoft to implement in later versions. This post is not meant to bash the platform. I have been a Windows Phone user for 2 years now and I love the platform. I honestly think WP is underrated by most smartphone users. So why this post… Well, maybe you own a Windows Phone with WP8 or WP8.1 and you are thinking about upgrading it to the Windows 10 for phones pre-release using the Insider program.


First of all, it’s a good thing you want to try it out and help to make Windows 10 better. I did the upgrade on my backup phone, and with this post I will try to convince you to do the same. At least not on your primary phone. Since this is a beta release, a lot of functions still don’t work, or don’t work as you are used to. Microsoft also states this when enrolling in the Insider program.
The version I currently have installed is 10.0.12534.59.
Here are my first experiences using the new Windows 10 for phones pre-release. I will try to update this post when I work more with it or install newer builds along the way. For now I hope it helps you to decide whether to pursue the upgrade or not.

Now using Outlook app for mail

I like the Outlook app in general. Mainly because it’s not using ActiveSync technology but the Exchange (Online) web API, EWS, and therefore you can apply RMS to your messages and you also get the same experience as in OWA or Outlook. The Outlook app is also more efficient in connecting to your Exchange environment. In the past I have seen phones overloading the Exchange CAS servers because there was a bug in the phone software (mostly iOS). Because of this app that belongs to the past. But what I don’t like is that the app doesn’t notify me when I receive a new message. Maybe this will change in later versions, but in this version it doesn’t.

Battery drains like hell

One thing I noticed is that the battery usage is crazy bad. Also, the phone seems to generate a lot of heat, which I think results in bad battery usage. To put things in perspective: I charged my phone all night, removed it from the charger 4 hours ago and I have 15% left.

Calendars are now handled in the Outlook App

The experience is OK in terms of managing your calendars, but since it’s now an incorporated feature inside the app I don’t receive my next appointments on my standby screen anymore. You are also not able to change to the monthly view. I used this a lot to quickly see if I have gaps in my calendar when making new appointments. Maybe this comes in a later version, but for me this is a deal breaker in the pre-release.

Keyboard layout is changed (confusing)

Microsoft says there are many improvements in the keyboard layout. But I don’t like them very much. I am a bilingual user, so I often change my keyboard and language settings from Dutch to English and vice versa. In this version you need to make a lot of effort to change it because there is no direct button. Also, they have added a comma button on the left side of the space bar. I was used to having the emoticon icon there, so now I hit the comma instead almost every time. Very annoying. And last but not least, I think Microsoft changed the size of the keys in the keyboard to accommodate the new buttons. If you have a large screen this will be okay, but I am using a Lumia 925 which has a 4.5″ screen and therefore I make more mistakes typing.

SIM PIN code screen is a bit buggy

When you start the phone and you have the PIN code for your SIM card set, you don’t see what you type. It’s OK if you don’t look, but if you do it can be a bit confusing to determine whether you typed something or not.

Installed apps keep on loading

I have a lot of apps that don’t load properly anymore, even the built-in apps like the camera. I personally don’t use a lot of different apps except for the camera, WhatsApp, Lync, calendar, phone, mail and an app to register my car trips, etc., but most of the time they keep hanging in the “Loading…” screen.

Terribly slow on current phones

So as said before, I installed this version of Windows 10 for phones on a Lumia 925. It’s a nice enterprise-grade phone which has a 4.5″ screen, a dual-core 1.5 GHz Qualcomm® Snapdragon™ S4 processor and 1 GB RAM. But Windows is crazy slow on this phone. Maybe this will improve, or maybe it will only provide an optimized experience for the new and announced Windows 10 phones.

Cortana is still only available in English

I love Cortana. In fact I have changed my phone region to use it. But changing the region of the phone to English UK or US comes with some drawbacks. For example, I cannot install apps that are posted in the app store of my region (Netherlands). I also find using Cortana to read incoming messages and to have Cortana dial my contacts a bit hard. Because most of my contacts have Dutch names, Cortana doesn’t understand them very well. As said, I love Cortana, but I really hope Microsoft will release it to more regions (like mine).