June 2012 Version of Windows Intune Goes Live Today

The new version of Windows Intune is going live today.  Intune is the cloud based user device management solution that bundles:

  • Windows 7 Enterprise: featuring DirectAccess (VPN without VPN client), BranchCache (WAN optimisation), BitLocker (disk encryption), and BitLocker-To-Go (USB device encryption).
  • Endpoint Protection: The only way to manage Endpoint Protection without using System Center 2012 Configuration Manager.

I say “user device management” because Intune now supports:

  • The expected PCs, slates, and laptops running XP SP3 or later
  • Windows Phone 7
  • iPhone
  • iPad
  • Android

And as reported at MMS, this includes side-loading apps onto Android and IOS.

A unified experience across all devices through:

  • Automatic discovery of mobile devices that access Exchange Server
  • User-centric views for device inventory
  • A single console (the Windows Intune administrator console) to manage computers and mobile devices

The ability to help secure corporate data on mobile devices through:

  • Targeting Exchange ActiveSync polices to user groups. Policies include settings that let you set requirements for password length and encryption (if it is supported by the mobile device).
  • Setting device access rules by device family or model
  • Retiring and/or wiping lost, stolen, or otherwise compromised mobile devices.

The ability to make licensed internal line-of-business applications available for your users through:

  • Hosting and targeting licensed internal line-of-business applications to user groups
  • Self-service capabilities for your users, which enable them to download internal line-of-business applications to their mobile devices
  • Prerequisites for supporting mobile devices with Windows Intune are as follows:

An on-premises component to orchestrate communication between Exchange Server 2010

Service Pack 1 and later, and Windows Intune

A computer that has access to the Exchange environment. The computer must meet the

following requirements:

  • The computer must run Windows Server 2008 Service Pack 2 (64-bit) or Windows Server 2008 R2.
  • .NET Framework 4.0 and PowerShell 2.0 must be installed on the computer.
  • The computer must be joined to the Exchange Server domain.
  • The computer must have Internet access.

There is a new company portal:

image

Windows Intune now uses the same Azure-based AD services as Office 365.  This includes the ability, by the looks of it, to synchronise with your on-premise AD.  Now your internal users can appear in Intune. 

You can read this getting started guide to … well … get started.

Technorati Tags: ,

What Do The New Windows Azure Services Mean to Us … and Hyper-V?

Azure, as it was previously, was a Platform-as-a-Service (PaaS), where developers could upload applications, run databases, and store data.  All that continues.  But there was no way to run virtual machines or websites like in traditional website or virtual private server (VPS) hosting.  PaaS on Azure looked very cool to developers with a lot of interesting back end services.  But the problem with PaaS is vendor lock-in.  You cannot take the application and move it to another hosting company like you can with a VM or a website; the code is written for Azure and its services.

Then a few years ago at the PDC conference, it was announced that virtual machine hosting was coming to Azure.  Surely this would give customers an atomic unit, a VM like we know in Hyper-V, that could be moved around?  Sort of.  The problem was that this proposed service would be stateless.  Reboot the VM and reset it back to its original state; data was stored on the other Azure services.  That’s not how we work with infrastructure so how could it be useful to us?

Then Mary Jo Foley reported many months ago that true stateful Infrastructure-as-a-Service (IaaS) was coming to Azure.  And yesterday, the details were announced by Microsoft.  They also released a document that gives a bit more detail on the new services:

Windows Azure Virtual Machines

You can take your normal Windows or Linux virtual machine workloads (Hyper-V compatible I guess), and run them in the public cloud (Azure).  These are persistent virtual machines, just like traditional VPS hosting.  The supported OSs at this point are:

  • Windows Server 2008 R2
  • Windows Server 2008 R2 with SQL Server 2012 Eval
  • Windows Server 2012 RC
  • Linux
  • OpenSUSE 12.1
  • CentOS-6.2
  • Ubuntu 12.04
  • SUSE Linux Enterprise Server 11 SP2

That looks pretty similar to the supported OSs for Hyper-V, with the addition of OpenSUSE 12.1.  I wonder if that’s in Hyper-V’s future?

Windows Azure Virtual Network

Question: Can I create a Hybrid cloud where I run services on my private cloud (in my data centre) and in a public cloud (Azure), where my public cloud service is not open to the entire Internet audience. 

Answer: Yes.  You can set up a site-site VPN using Windows Azure Virtual Network.  To be honest, some of the clues to this have been around for quite a while.  Take a look at some of the MSFT slides for Windows Server 2012, especially around VPN.

This is interesting:

With Virtual Network, IT administrators can extend on-premises networks into the cloud with control over network topology, including configuration of IP addresses, routing tables and security policies.

Does that sound familiar?  Do you think that there’s a bigger vision here, with MSFT providing a unified solution for public and private cloud, including Windows Server 2012 and Windows Azure Services?  You should.

Windows Azure Web Sites

Some people just want space to host a website.  Something nice and simple.  That’s exactly how I run this blog; I have a simple account that allows me X websites, space, and traffic.  I then upload/install a web app in the space and away I go, talking shite for years on end Smile

And when it comes to host, that’s the majority of what people want.  It’s enough of an online presence for the majority businesses, more flexible than the alternative that MSFT offered: SharePoint in Office 365.  Welcome Windows Azuer Web Sites:

…easily build and deploy websites with support for multiple frameworks and popular open source applications, including ASP.NET, PHP and Node.js. With just a few clicks, developers can take advantage of Windows Azure’s global scale without having to worry about operations, servers or infrastructure.

They go on:

It is easy to deploy existing sites, if they run on Internet Information Services (IIS) 7, or to build new sites, with a free offer of 10 websites upon signup, with the ability to scale up as needed with reserved instances.

Did I just read the word “free”?  Really?  What’s the catch?  Surely there is a catch?

This isn’t just for .NET and SQL Server either:

  • Multiple frameworks including ASP.NET, PHP and Node.js
  • Popular open source software apps including WordPress, Joomla!, Drupal, Umbraco and DotNetNuke
  • Windows Azure SQL Database and MySQL databases
  • Multiple types of developer tools and protocols including Visual Studio, Git, FTP, Visual Studio Team Foundation Services and Microsoft WebMatrix

Windows Azure Management Portal

The most difficult piece of hosting is not the web servers and it’s not the virtualisation layer.  The most difficult piece is the portal, or as it’s traditionally known in the hosting business, the control panel. 

… the new Windows Azure Management Portal provides an integrated management experience across Windows Azure workloads in a single, modern user experience and is accessible from various platforms and devices.

The Windows Azure Preview Portal supports the following services:

  • Cloud Services
  • Virtual Machines (Preview)
  • Web Sites (Preview)
  • Virtual Network (Preview)
  • SQL Database (formerly known as SQL Azure)
  • Storage

There are other Azure improvements in this announcement, so check out the aforementioned document to get the details.

Online Presentation

Microsoft is running an online presentation later today to launch these new services.  It is on at 9PM Irish/UK time (10PM CET), and unfortunate time of day to choose for such an event.  A 9am PST event would have been better, then being 5pm UK/Irish time and 6PM CET.

What Does All This Mean?

Nothing has been announced but we could speculate Smile  At Build it was made clear that lots of lessons were learned from Azure to make Hyper-V better.  Network Virtualisation was pitched as a way to move VMs from the private cloud to a public cloud (exactly what Azure is) with minimal disruption.  So maybe you could move Hyper-V VMs right up there!  Could that be partly why we have Shared Nothing Live Migration?  That’s a bit of a stretch, because Live Migration does require bandwidth.

One of the sales pitches with Hyper-V Replica is virtual DR in the cloud.  Hmm, what if you could replicate VMs to Azure?  But don’t forget that there’s more to virtual DR than starting up your VMs.  Remember that user’s need a way to access the services, assuming that their PCs are burned down or under a flood too (see VDI or virtual RDS).

I think over the next 2 years we could see some very interesting ways for us to expand our infrastructure footprint into Azure, and in ways we might not be expecting … yet another reason to be considering Windows Server 2012 instead of the alternative.

What About Other Hosting Companies?

There are a few reasons that I chose to get out of the hosting business back in 2010.  One of the big ones was that I saw the writing on the wall.  The likes of HP, Dell, Amazon, and Microsoft are too big to compete with on a large scale.  Yes, there are lots of customers who will want the bespoke services that a boutique and local hosting company can offer, but there aren’t that many of them.  And the year 2012 reminds me of the year 2001: everyone with a modem is launching a cloud (hosting) company.  Not many of them will be around in 2014, and very few of those extinctions will be because of acquisition (the good way to go out of business).

Hosting companies that are Microsoft partners might feel like their partner relationship is strained this morning.  MSFT can be cheaper and out market you just by their pure scale.  Service innovation will be the key.  Do it better.  Give a more human service where there’s an account manager and the helpdesk is more responsive.  Offer engineering and customisation services (consulting).  Don’t sell space … because this is a commodity market and the big guy always wins.  At least, that’s what I think.

Talking Microsoft Cloud Opportunities for a Small/Medium Business

I seem to be having the same design conversation every couple of weeks so I’ve decided to blog a little on it. 

Let’s take a company, Honest Joe’s Ovens or HJO, making specialty products, based in central Ireland.  HJO has 150 employees.  100 of those staff work in the office/factory.  Another 50 are sales/services people who work on the road.  These are specialty ovens that HJO makes, so they sell all around Ireland, the UK, continental Europe, Japan, Brazil, and the USA.  Collaboration and communications are critical.  Sales and services people need the latest information on marketing pushes, features, and product servicing.  Email by itself is just not cutting it and security is an issue because sales can carry sensitive customer information (the ovens are “specialty” Winking smile). 

Question: How do you solve this problem?

Answer: There is no one correct answer for every company.  You have to ask questions, understand the challenges, learn how they want to work, and figure out their strategy for the future.  Only then can you figure things out.

When Windows 7/Server 2008 R2 were launched, we might have suggested something like:

  • Windows 7 Enterprise on every PC and laptop.  Sales folks have Direct Access to get into the office easily, and BitLocker (To Go) for securing data.
  • Centralised Exchange with OST files would enable remote staff to send email back/forth securely via Direct Access.
  • Centralised SharePoint (also via Direct Access) would enable staff to collaborate and gain access to the latest information.
  • Centralised Lync to allow staff to have online meetings

Think about this one for a moment.  Benefits: roaming staff always have access to their local desktop and apps even if they don’t have Internet access … mobile Internet access is not pervasive, despite what telecoms sales/marketing might have you believe.  There’s a lot of stuff here … SharePoint, Exchange, Lync, SQL Server, Direct Access, IPv6, certificates, firewalls, load balancers, DMZs, edge servers, and on, and on, and on.  Consultants can deploy this and probably will enjoy the challenge.  But think about HJO.  Will their 1 or 2, probably low paid, admins be able to keep it running?  To do all this stuff reliably and securely, this 150 employee company has deployed quite a bit of infrastructure.

You could pitch the Remote Desktop Services/Citrix Gateway approach to share apps or desktops over the Internet.  Yeah, more stuff to manage and secure in the SME with limited experience admins.  To me, that seems like not a good way to go.

And those laptops on the road … what about them?  How do you support them?  How to you get new business apps onto a laptop in Japan that probably is not on the company network more than once a year … if ever?  How do you secure it with patches in a reliable manner?  Company procedures that tell users to do stuff do not work.  It’s been a while since I brought up the first 2 IT admin commandments:

  1. Users are stupid
  2. Users lie

So here’s what I’m considering as an option in the conversation:

  • Office 365: Dump Exchange.  Dump SharePoint.  Dump Lync.  Don’t be an accidental SQL DBA.  Don’t get messed up with firewalls, DMZs and load balancers.  Let Office 365 be the “server farm” in the cloud.  Heck, get the SKU with Office, and let users work together as one.  I know, Internet access is still a requirement, but unfortunately that’s always the case.  At least it doesn’t have to be 3G to sync your OST mailbox.
  • Windows Intune: Deploy the office desktops and roaming laptops with Windows 7 Enterprise.  Now you have BitLocker and BitLocker to Go for security.  Good news, if you have active Software Assurance on Windows desktop licensing then you get a discount on Intune.  With Intune, your admins can support (remote access), secure (patching and AV), and configure (policy settings and software distribution) local and roaming laptops.

Benefits?  An experienced consultant can deploy this environment with little if any infrastructural cost to HJO.  And let’s face it, with the market the way it is now, they make very little on h/w costs.  The consulting gig is more important.  The customer gets a better value solution that they can manage themselves.  Maybe HJO outsources some of their management to the consulting company because HJO’s admins are busy enough with the 100 desktops in the office, and the consultant adds to their managed services business, as well as value to the customer.  And this is scalable.  In my last two conversations, the topic of growing sales staffs came up.  Not a problem …change the subscription, get the user to buy a laptop, courier them a USB stick with a per-configured MDT build of Windows 7 Enterprise with Office Pro Plus, the Intune agent, etc, and that user is up and running in no time (lots of possible variations on this induction process).

Now you have roaming workers quickly accessing the same repository of information on the net as office workers, able to chat with each other easily, and the admins aren’t being asked to do more than they are able to.  HJO has a good business solution.

As for the internal office infrastructure … lots of possibilities: stay on PCs, go with RDS, go with VDI, you name it.  I’m still a PC guy, with RDS/XenApp second, pooled VDI a distant third, and assigned VDI waaay down in 4th place.  No one solution is perfect, just don’t buy the marketing crappola about reduced costs/management of VDI. 

Windows Intune Client Fails With 0x80cf402c or 0x8024402c

I’ve started working on Microsoft Windows Intune as part of my role with work.  I’m building up a demo lab and I need it to be able to perform somewhat decently when I’m using hotel wifi.  My big concern is pushing out software.  I’m using a small software package, but hotel wifi can crawl. 

My setup is simple enough. I’m using my “beast” laptop and it is ins with Windows 8 Developer Preview (client) with Hyper-V enabled.  I started out just with a simple Win 7 VM sitting on an external switch with Internet access.  Everything worked fine – reporting, software deployment, AV, etc.

For Internet performance boost (hopefully), I installed a VM with FreeProxy.  It was dual homed on the external switch and on an internal switch.  I moved the Win 7 VM to the internal switch and I configured the IE proxy.  Browsing worked OK.  I tested some Intune software deployment.  That works by using Windows Update, which points at Intune.  That when I got a 0x8024402c fail.  That WU error is related to proxy settings.  Huh?  I’d configured that.  I found a fix, but more later.

I wanted to scale out my lab for a more realistic demo.  I deployed out more Wni7 VMs from my generalised image.  They were popped behind my proxy on the internal switch.  I tried to install the Intune client but I got this error:

The software cannot be installed: 0x80cf402c

I’d already fixed the Windows Update issue so I guessed (correctly) what the fix was.  WU is not checking the IE proxy settings.  The fix was to run an elevated command prompt and run:

netsh winhttp set proxy <proxy name or IP>:<port>

For example:

netsh winhttp set proxy 10.1.10.1:8080

When I tested Intune client operations after that, everything worked fine.  It’s a pain, but you can avoid this if you configure Web Proxy Auto Detect (WPAD).  Windows Update can use this as an alternative way to configure WinHTTP.

Technorati Tags: ,

System Center 2012 Licensing

Now you have pre-ordered your Microsoft Private Cloud book *cough*, you’ll want to figure out the licensing for System Center 2012.  Those details were announced tonight in the “transforming IT” webcast.

The good news: licensing for System Center is getting easier:

image

A big change is that you cannot buy individual SML products by themselves.  You must buy SML suites.  To be honest, people who run virtualisation have been typically buying a System Center Management Suite because it was cheaper than buying individual “2007” management licenses (MLs), so this isn’t a big deal (or a little on either).

You will now license it using one of two System Center 2012 suite editions, Datacenter and Standard.  They are referred to as Server Management Licenses or SMLs.  Datacenter gives you unlimited management rights for licensed hosts.  That’s perfect for virtualisation and private clouds.  The Standard edition is aimed at very small virtualisation deployments or physical servers. 

image

It is per-processor licensing based on physical (host) processors.  You can over-license a host, e.g. assign multiple Standard SMLs to a host.  You can see some examples here:

image

All System Center licensing with SA can upgrade to System Center 2012 SMLs.  Note that the System Center Management Suites include SA. 

image

Remember that you can also manage clients with System Center.  There is new licensing for these as well:

image

Microsoft has published a datasheet on System Center 2012 licensing.  There is also a System Center 2012 licensing FAQ.  Please contact your reseller, distributor, or LAR if you have any questions on this licensing.

Private Cloud & Company Politics

I was chatting with a friend earlier today about a big project he’s about to do.  It’ll bring a lot of change and some egos would be at risk of being bruised.  It reminded me of a job I once did when I worked for a new bank that was being formed from lots of branch offices of the former parent.  There were lots of little NT4 domains, and we “pixie Irish” were consolidating it into a single W2003 domain and upgrading all the NT4/Office95 PCs to XP.  How did that go?  To start with, this clip from The IT Crowd kinda reminds me of a Monday morning in Munich, after 10 days of work build that office IT from scratch:

 

Then there was the company politics.  The IT staff of half the branch offices fought.  1 guy in Paris stormed home one morning and had to be called back in by his boss.  A guy in Munich spent the next 2 years conspiring and scheming to get his way.  The London crew weren’t happy with being run by Dublin at all.  Managing our IT was easy compared to the company politics.

And this got me to thinking … deploying a private cloud is surely going to cause the same sort of kerfuffle?  Centralisation, the “emasculation” of big-ego IT staff, a shift in power and control, they’re the sorts of things that cause powder keg & flame situations.

A couple of ideas:

Visible & Enforced Management Buy-In

People will act up and fight you if they think they can.  If they think this is some sort of personal project then they’ll bitch and moan to their bosses to try get your deployment/migration stopped.  I’ve been there when a director said “I want XYZ” to us but wouldn’t share that vision with the company.  And 2 years of in-fighting was the result, long after the project was completed.

If there’s a big project that’s going to shake things up, then the business owner of it (the CEO, CIO, etc) has to communicate that vision to the company, clearly illustrating what it is, and that their will not be an opportunity for fighting it.

Get Buy-In From Your Colleagues

As a consultant I once worked a site where a deployment was rejected by the IT staff.  I was asked to come in and run workshops with them.  With that I could learn each problem, and resolve it, whether it was lack of understanding of the tech or some business/operations problem that the tech could solve.  After a series of documents and workshops, the staff felt like they’d learned the tech and that they’d contributed to the solution.

I’ve a funny feeling that over the coming years we’re going to hear some stories like those of failed over cost overrun SAP deployments.  Deploying private cloud will be complex, not just because of a change of tech but also because of the change to business operations and the company politics that might happen.

Technorati Tags: ,

Cloud and Increased Uptime – Is it a Myth?

Some of the hype about (public) cloud services is that they’ll give you increased levels of uptime.  I propose that this is a myth.  There’s been lots of headlines about downtime (some being quite brief) for the likes of GMail and BPOS.  Last night, storms in Dublin cause electrical issues for the Amazon and Microsoft cloud data centres which led to service outages.  Microsoft claims that the Amsterdam data centre will kick in for the Dublin one during an outage but it appears that this did not happen last night.  It’s funny because not only are these data centres unbelievably complex, and therefore susceptible to failure, but they can be incredibly simple too, which also can lead to failure.

These data centres may have incredible built-in levels of fault tolerance, but somewhere there is always a single point of failure.  I’ve personally seen them hurt two operators in the past 4 years.  One was a single point of fault in an electrical supply, right where incoming power met the UPS/generator (I’m no electrician).  That one caused an incident that was referred to as “black Friday” when 1/3 of the Irish internet went offline for less than an hour but the exponential traffic backlog caused an issue for a weekend.  The other was a central router in a tier IV data centre that decided to crap itself.  That one lasted just 10 minutes, but this was supposed to be a “zero single-point-of-failure” tier IV data centre that charged it customers like it was a tier IV data centre.  Somewhere deep down, despite all the clustering, despite the redundant diesel generators, despite the international replication, despite the automation, there is usually one or more single points of failure, such as being vulnerable to a lightning strike.  We understand that even Google, Microsoft, and Amazon have data centre failures from time to time, now let’s continue dealing with the uptime comparison myth.

How often does your internal Exchange service fail?  How often is your internal SharePoint/file services offline?  We’re a typical small business with a single Exchange server.  It was off briefly last week when a switch died.  We were on it straight away and replaced it.  Maybe 10 minutes of downtime.  Note: I am not involved in day-day internal IT all that much.  I would be very happy in saying that in the last 4 months, something like BPOS has had more downtime than our internal Exchange server.  Our file server hasn’t had any downtime since I’ve been here.

Go have a look at the downtime history of those public cloud services.  Then go look at how often your on-premises services have downtime.  I bet your IT folks are doing a better job than you think.

I hate it when I hear people saying that the (public) cloud will increase uptimes of your IT services.  To me, it’s a BS myth.  There are other reasons to consider the cloud, but I am not willing to agree that uptime is one of them. 

Technorati Tags:

Carbonite on my Windows Home Server

When I set up my Windows Home Server I configure the normal Windows Server Backup task to backup the server folders to a USB disk.  That’s nice for normal backup/recovery.  But that doesn’t protect my data (documents, books, whitepapers, and thousands of photos) against fire and theft.  Sure, I could probably swap disks and store them offsite.  But I know how poor my discipline with doing that in the past was.  I need something automated for off-site backup.

So I decided to try Carbonite.  It’s one of the few online personal backup solutions that will work on WHS.  There’s a 15 day free trial so I signed up for that, and I added the offer code from the TWiT Security Now podcast – that gives you an extra 2 months free in addition to your 12 month subscription (unlimited storage for less than $60/year!!!!).

The install was easy.  The configuration wizard walks you through the few steps.  You’re warned that files like video will not be backed up.  I’m OK with that – I have no personal/holiday videos because I’m a still photo man.  Targeting a folder is easy – use Windows Explorer, right-click, and select the add to backup option.  I had two schedule choices: constantly backup changes or schedule.  I went for the first option.

OK, the flaw: I have 20GB per month limit and I’m on ADSL.  It’s going to take a very long time to get all of my photo collection backing up to the cloud.  I’ve been incrementally adding folders, starting with My Documents, and then I added some of my older photo folders to test.  All worked well.  I’ll continue testing, and then decided next week if I’ll pay for the service.

Technorati Tags: ,,

Progress of Third Party Azure

It’s quite a while since Bob Muglia & co announced that some Microsoft partners would be running a third party implementation of Azure in the form of the Azure Appliance.  Who cares?  Well, some want more than what Microsoft can offer – and some have a problem with the USA Patriot Act that affects all USA businesses no matter where their operations or subsidiaries are located/registered.

HP are said to be going VMware for their cloud but have also said they are deploying Azure Appliance.  HP can offer more than what Microsoft offers, no doubt, especially in the storage space.  They probably can do more in the 3rd party or open source space, even though MSFT has embraced things like PHP on Azure.  But HP is American so thumbs down for data protection.

Ebay is puzzling.  Are they going to auction CPU cycles?  I really don’t get it, other than they can run their own site on their own Azure appliances.  File under irrelevant.

Dell is going in another direction, possibly OpenStack.  IBM – Lotus Live (Lotus Dead is more like it).  IBM is doing a lot of consulting and making a lot of money from government and corporates in the cloud space.  Probably a lot of Z series hardware and VMware licensing being sold, with a lot of consultants on site sucking up budget.

Fujitsu is the one that interests me the most.  Fujitsu are Japanese (obviously) and can therefore operate independently of the USA Patriot Act.  A Fujitsu datacentre in the EU can comply completely with EU laws.  They’re allegedly unveiling their Azure Appliance public cloud in August, thus offering a 0% Patriot Act Azure public cloud the world.  If I’m Microsoft, I’m pushing that sucker big-time because it offers the power of their PaaS in a venue that resolves the legal issues with their own datacentre offering.

Technorati Tags: ,