Office 365 and Remote Desktop Services

This post is out of date. Please talk to your reseller or your distributor.

Great news for customers of Office 365.  When you get your free bundled Office 2013, you’ll be entitled to use it on Remote Desktop Services (aka Terminal Services).  In other words, if your company is into server-based computing, you’re going to save money.

You can find out the specifics in the Microsoft Product Usage Rights (PUR) document.  Under Office 365 ProPlus:

  1. Each user to whom you assign a User SL may activate the software for local or remote use on up to five concurrent OSEs.
  2. The Licensed User may also use the software activated by another user under a different User SL.
  3. Each user may also use one of the five activations on a network server with the Remote Desktop Services (RDS) role enabled.
  4. You may allow other users to remotely access the software solely to provide support services.

This appears to apply to:

  • Office 365 ProPlus User SL, or
  • Office 365 Enterprise E3-A4 User SL, or
  • Office Professional Plus A User SL, or
  • Office 365 Academic A3-A4 User SL, or
  • Core CAL Suite* with Office 365 Academic A3 (A4) User SL Add-on, or
  • Enterprise CAL Suite* with Office 365 Academic A3 (A4) User SL Add-on, or
  • Core CAL Suite* with Office Pro Plus* and Office 365 Academic A3 (A4) User SL Add-on, or
  • Enterprise CAL Suite* with Office Pro Plus* and Office 365 Academic A3 (A4) User SL Add-on, or
  • Office Pro Plus* with Office 365 Academic A3 (A4) User SL Add-on, or
  • Office Professional Plus G User SL, or
  • Office 365 Government G3 User SL, or
  • Office 365 Government G4 User SL, or
  • Office 365 Midsize Business User SL

*  Denotes “with current Software Assurance”

An important note, possibly related to online activation renewal:

Each user to whom you assign a User SL must connect each device upon which they have installed the software to the Internet at least once every 30 days. If a user does not comply with this requirement, the functionality of the software may be affected.

Hyper-V and System Center Training for VMware Professionals

This post is dedicated to the person from VMware Australia (name withheld) who keeps attempting to post spam on my blog.  Sorry dude, we’re not buying any.  But I thought you’d like to learn some facts about the Microsoft stack so you can understand why so many of your Australian customers are switching to Hyper-V and System Center.  Maybe there’s some time left for you to drop the FUD feedbag and reskill.

Virtualization for VMware Professionals Jump Start

Tomorrow at 08:00 until 17:00 PST (-8 hours GMT) Symon Perriman and Matt McSpirit (both VMware VCPs) are running the second of a three course series that is tailored for VMware professionals looking to get up-to-speed on how Windows Server 2012 Hyper-V and System Center 2012 SP1 compare with VMware vSphere 5.1 and VMware’s Private Cloud, respectively.

You can register here.

Scale-Out File Server Role Fails To Start With Event IDs 1205, 1069, and 1194

You have created a Windows Server 2012 Scale-Out File Server.  The cluster, including the network and storage, passes the cluster validation test.  Everything looks and is good.  You create a File Server role for application data (SOFS) but it fails to start:


When you look in Cluster Events the errors include:

  • 1205
  • 1069
  • 1194

Event ID 1194 has the clue to the problem and solution:

Cluster network name resource ‘Demo-SOFS1’ failed to create its associated computer object in domain ‘demo.internal’ during: Resource online.

The text for the associated error code is: A constraint violation occurred.

Please work with your domain administrator to ensure that:
– The cluster identity ‘DEMO-FSC1$’ has Create Computer Objects permissions. By default all computer objects are created in the same container as the cluster identity ‘DEMO-FSC1$’.
– The quota for computer objects has not been reached.
– If there is an existing computer object, verify the Cluster Identity ‘DEMO-FSC1$’ has ‘Full Control’ permission to that computer object using the Active Directory Users and Computers tool.

Basically, the cluster (in my case Demo-FSC1) needs permissions to create a computer object (for the SOFS) in the same Active Directory OU that the cluster object (Demo-FSC1) is stored in.

The fix is in:

1) Open Active Directory Users And Computers.

2) Enable Advanced view if not enabled.

3) Edit the properties of the OU containing the cluster computer object

4) Open the Security tab and click Advanced

5) Click Add (opens Permission Entry dialog), click Select A Principal, Click Object Types and select Computers.  Enter the name of the cluster computer object.

6) Back in the Permission Entry dialog, scroll down, and select Create Computer Objects.

7) OK everything, (you might need to wait for your DCs to replicate if you have site links to deal with) return to Failover Cluster Manager, right-click on the SOFS role, and click Start Role.  It should now start up.
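The same permission grant done from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed, that the cluster computer object is the DEMO-FSC1 from the event text, and that it lives in an OU whose distinguished name you substitute for the placeholder below.

```powershell
# Added example: grant the cluster name object (CNO) "Create Computer Objects"
# on the OU that holds it, so the SOFS network name resource can create its
# own computer object (the fix described in event 1194).
Import-Module ActiveDirectory

$clusterName = 'DEMO-FSC1'                          # CNO named in the event text
$ouDn        = 'OU=Clusters,DC=demo,DC=internal'    # ASSUMED: OU containing the CNO

# Schema GUID of the "computer" object class. This is the well-known value from
# the AD schema, not something specific to this lab.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$cno = Get-ADComputer -Identity $clusterName
$sid = [System.Security.Principal.SecurityIdentifier]$cno.SID
$nt  = $sid.Translate([System.Security.Principal.NTAccount])

$acl = Get-Acl -Path "AD:\$ouDn"

# Only add the ACE if an equivalent one is not already present, so the script
# can be re-run safely (e.g. after waiting for replication).
$exists = $acl.Access | Where-Object {
    $_.IdentityReference -eq $nt -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $computerClassGuid -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0)
}

if (-not $exists) {
    # CreateChild limited to the computer class = "Create Computer Objects" in
    # the ADUC Advanced Security dialog. Inheritance None: it applies to this
    # OU only, matching what the GUI steps above grant.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
    Write-Host "Granted Create Computer Objects on $ouDn to $clusterName`$"
} else {
    Write-Host "$clusterName`$ already has Create Computer Objects on $ouDn"
}

# After starting the role, run this on a cluster node to confirm no new 1194
# events are being logged by the cluster service.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-FailoverClustering'
    Id           = 1194
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
```

Granting the CNO only CreateChild for the computer class on its own OU keeps it at the minimum the cluster needs, rather than giving it broader rights on the domain.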

These are screenshots that I took when rebuilding the lab at work.  I can’t remember seeing someone document the fix before so I thought I’d re-create the scenario and grab some screens.

Deploying Application Virtual Machines Just Got A Whole Lot Quicker

Several years ago, I first heard Mark Minasi talk about accidental DBAs.  The term refers to server administrators/engineers who find that the vast majority of their Windows Servers either have or use a SQL Server installation.  We were mostly still in a physical world back then, with virtualisation just in its infancy in the industry (as a whole).  Things have moved on since then.  Anyone deploying servers now should be looking at the virtual option first (be it some open cloud, Xen, VMware, or Hyper-V).  Virtualisation seems to encourage server sprawl and that means lots more servers.

My last experience as a hands-on “own it” engineer was in hosting.  Here’s how a deployment looked:

  1. Time to deploy a VM: about 30 seconds in a wizard, and do something else while the files copied
  2. Customize the OS: about 1-10 minutes
  3. Install SQL Server: 30-45 minutes (longer if SQL 2008 R2 Reporting was required)
  4. Install the SQL Server service pack (if not already slipstreamed): 30-45 minutes
  5. Install the SQL Server service pack cumulative update (if not already slipstreamed): 30-45 minutes

In my experience, I could lose the guts of a day installing SQL Server if I didn’t have a slipstreamed package, while the VM deployment itself took very little time.

“Why, in a cloud, shouldn’t the user install SQL Server?”

LMAO!  Clouds are like hosting, and I left the hosting business because 80% of the customers made me want to scream at them.  They were clueless: e.g. the guy who opened a helpdesk call to get a DR replication application written for his new SaaS business (selling DR).

Not that all of them were like that.  I learned from a few and some were doing very interesting and innovative things.

When it comes to things like SQL Server, the infrastructure people (or system) must do the installation.  But we want to minimize that time.  SQL Server 2012 SP1 CU2 has expanded support for Sysprep.  This means that you can optimise the deployment of virtual machines with SQL Server (including service pack and related cumulative update).  For more information you can see:

Reminder: Re-Download Configuration Manager & Endpoint Protection 2012 SP1

You may have noticed some issues being reported with System Center 2012 SP1 Configuration Manager deployments.  It turns out that there were also some issues with the Linux/iOS Endpoint Protection agents.  As a result, you might need to re-download your media.  Check out this blog post to get more information.

KB2804526 – Fixes A Number Of Third Party Storage Issues with WS2012 Clusters

Microsoft has released a number of fixes for the following problem: when a third-party storage resource is configured in a Windows Server 2012-based failover cluster, certain features do not work.

KB2795997 UI is displayed incorrectly when you right-click a third-party disk resource in the Available Storage area in Windows Server 2012

Assume that you configure a third-party disk resource in a Windows Server 2012-based failover cluster. In this situation, the following issues occur:

  • When you right-click the resource in the Available Storage area, an empty dialog box appears.
  • When you left-click and then right-click the resource in the Available Storage area, the options in the right-hand pane are not displayed. For example, the Bring Online, Bring Offline, and Properties options are not displayed.

This issue occurs because the failover cluster filters out the third-party storage resources, and the third-party storage resources are categorized as Other Resources.

To resolve these issues, install the hotfix together with the hotfixes that are described in Microsoft Knowledge Base (KB) articles 2795993 and 2796000.

KB2796000 You cannot create a cluster file share on a third-party disk resource in Windows Server 2012

Consider the following scenario:

  • You create a Windows Server 2012-based failover cluster by using third-party disk resources.
  • You configure a File Server service resource in the Failover Cluster Management snap-in.
  • You try to add a cluster file share in the File Server service resource.

In this scenario, the following issues occur:

  • You cannot create the cluster file share by using the Add File Share shortcut menu.
    Note: If the Add File Share shortcut menu does not start, install the hotfix that is described in Microsoft Knowledge Base (KB) article 2795993 to resolve this issue.
  • When you try to create the cluster file share by using File Explorer, a Server Message Block (SMB) share is created instead of a cluster file share on the volume. For example, assume that you try to create a cluster file share that is named "ContosoShare" by using File Explorer on a drive named "ThirdPartyDisk" by using the following configuration:
    Cluster Name: ContosoCluster
    Cluster File server resource: \\ContosoFileShare
    Third-party storage resource that \\ContosoFileShare depends on: ThirdPartyDisk
    Server/Node Name: ContosoClusterNode1
    Share Name: ContosoShare
    In this situation, the file share is accessed through the "\\ContosoClusterNode1\ContosoShare" path instead of the "\\ContosoFileShare\ContosoShare" path.
  • You cannot create the cluster file share by using the NetShare API or a Windows PowerShell command. Additionally, you receive an error message that resembles the following:

    System error 87 – The parameter is incorrect

This issue occurs because the Windows Server 2012-based failover cluster does not correctly determine the third-party disk to be a cluster disk.

To resolve these issues, install the hotfix together with the hotfixes that are described in Microsoft Knowledge Base (KB) articles 2795997 and 2795993.

KB2795993 New Share Wizard does not start when you try to create a cluster file share on a third-party disk resource in Windows 8 or Windows Server 2012

Consider the following scenario:

  • You create a Windows Server 2012-based failover cluster by using third-party disk resources.
  • You configure a File Server service resource in the Failover Cluster Management snap-in.
  • You try to add a cluster file share to the File Server service resource by using the Add File Share shortcut menu or the Actions pane.

In this scenario, the following issues occur:

  • The New Share Wizard does not start from either the shortcut menu or the Actions pane.
  • You cannot create the cluster file share by using a Windows PowerShell command, the NetShare API, or File Explorer. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

    2796000 You cannot create a cluster file share on a third-party disk resource in Windows Server 2012

This issue occurs because the Failover Cluster Management snap-in in Windows Server 2012 assumes an incorrect order of the resources in the File Server role.

To resolve these issues, install the hotfix on a Windows Server 2012-based cluster node or on a Windows 8-based computer that has the Remote Server Administration Tools for Windows 8 installed. Additionally, install the hotfixes that are described in KB 2795997 and KB 2796000 to resolve all the related issues.

Managing Apple iOS Devices From Windows Intune

This was the most exciting thing I saw at MMS 2012.  I knew what System Center was capable of, but I wasn’t expecting to see iPhones and iPads (as well as Android, etc) being managed by Microsoft from the cloud, using the same solution for managing PCs.

This week I’ve been setting up a demo environment in Windows Intune “Wave D” (thanks to my colleagues at work for the help in setting up the “partner”).  It’s one thing to manage PCs, but you really score points with customers when you can show a Microsoft product managing the rivals.  I use Ubuntu as my guest OS when showing off Hyper-V.  I want to show off an iPad Mini being managed by Windows Intune.

The process is “documented” on TechNet, with links from the Windows Intune console.  I use “documented” very loosely.  The information is incomplete in my opinion.  So here are my notes:

A step I missed in this documentation is choosing your mobile device management solution.  I chose the Windows Intune option, instead of using System Center with Windows Intune, which was under Tasks in Administration > Mobile Device Management.

The Push Notification Certificate

The first requirement for managing iOS devices is that you have an Apple ID for your company.  There is no cost to this.  This contrasts with the €75/year cost of signing up for a Windows Phone developer account for managing Windows Phone 8.

Now open the Windows Intune admin console and browse to Administration > Mobile Device Management > iOS > Upload an APNs Certificate.  Confusion point: there is more to this than a simple upload.  Here’s how.  Click Download The APNs Certificate Request.  This downloads a .CSR file certificate request.

Now you browse to the Apple Push Certificates Portal.  Here is where you upload the .CSR file that you just downloaded from Windows Intune.  If like me, you’re using IE, you will likely be prompted about a .JSON file.  Ignore that.  Refresh the page (I muddled about here trying to figure out the JSON thing) and you should end up with something like the below:

Click Download to get a file called MDM_ Microsoft Corporation_Certificate.PEM; this is the certificate that you will be uploading to Windows Intune.  It will uniquely identify your organisation to managed iOS devices (or something like that). 

Return to Windows Intune where you downloaded the .CSR file, and click Upload The APNs Certificate. Browse in the dialog and select the .PEM file you just got from Apple.  You also need to supply the Apple ID name that was used in the Apple Push Certificates Portal to create the PEM file.

That all sounds messy.  I agree.  But you only have to do it once in your portal … every year.  Check the previous Apple screenshot and look at the expiry date for the APN certificate.  It only lasts for 1 year.  Set a recurring reminder in your (and your colleagues) calendar to repeat this process in advance of the expiration (you don’t want to be digging up email addresses and passwords).  And document what accounts/passwords are being used.  Please use a strong passphrase for your Apple ID.

Create User Accounts

You create user accounts in the Windows Intune Accounts site.  You can set up AD synchronisation instead of manually creating your users.  A warning: management of the devices will not work unless you add the users to the Windows Intune user group in the Accounts site.  Open the user, click Group, and check the Windows Intune box:

Enroll the Device

This is a crude mechanism.  You need to supply the iOS device user (probably via email) with the following information:

At this point there’s a whole bunch of crap that happens from the Apple side.  You have to OK lots of things to enable the device to volunteer to be managed: Install, Install, Install Now, Install, and then Done.  A Company Portal “app” (it’s actually a web shortcut that opens the mobile site in Safari) is installed on the iOS device.  Now the user can open the Company Portal, log in using their Intune account, and install company supplied apps.  Here’s a screenshot of a user browsing a serious business app on an iPad Mini in the Windows Intune catalog.

You can add apps from the Apple App Store (just links which open the App Store and allow the user to install apps as always) or you can develop in-house apps and side-load them directly from Windows Intune, bypassing the app store completely.  Good news: you use the exact same tool for managing apps on all types of devices, including PCs.  And it’s pretty simple to use too.

The Management Profile

Part of the configuration on the device is setting up the Management Profile.  You can find this under Settings > General > Profile – Management Profile.

You can expand More Details to see more information (might be useful for troubleshooting certificates).  You can remove management of the device by Intune (“returning” the device to the user) by clicking Remove.  It takes a few seconds to remove the profile.  Management Profile should disappear from Profile after this and Windows Intune is now nothing to do with the machine again.

Device Not Appearing In the Console

The “documentation” says:

To enable iOS devices to receive notifications using a wireless connection, make sure that port 5223 is open.

There is no mention of whether this is an inbound or outbound port requirement, or whether it is TCP (probably) and/or UDP.  You could also read it as a firewall requirement on the actual iOS device itself (which it isn’t).  I had the devices on the lab at work and, while I could pull down apps from and browse the Company Portal, the devices refused to appear in the console.

Want to check if it’s working OK?  Log into the Company Portal on the device in question, and browse to Support.  If the name of the device appears there then comms seem to be OK and the device is registered … at least in my experience – I have no idea if that’s a valid indicator but it works for me … so far.

On the Wi-Fi in the company lab, the devices refused to register.  I put them onto 3G and they registered pretty quickly, and you can see lots of information for each device.

Reinstalling The Management Profile

I decided to remove the management profile and try to re-add the iOS device to Windows Intune.  I could not get the device to re-register to Windows Intune using the above process.  I believe the correct procedure is to log into the Company Portal, hit Support, click Change, and click Add Another Device.  This has worked for me a couple of times.

Policy

You can create Mobile Device Security Policy objects in the admin console.  There are some generic and some iOS specific settings:

Summary

The certificate stuff is a bit fiddly but you’ll only have to do that once per company, per year.  I can’t be sure, but I guess that is an Apple restriction on the validity of the APN certificate.  After that, it’s a pretty simple process.

Enrolment of these consumer style devices will always (with any product) be user driven.  You can’t push management onto a consumer (or BYOD) device.  If necessary, you could do the sneaker-net thing.  I can envision helpdesks doing a lot of that for BYOD management.

Some of the Apple folks in the office were very impressed with this solution.  Centralised management of mobile (particularly iOS) is a hot topic right now.  Windows Intune does a nice job.  Does it have all the bells and whistles of a Zenprise?  No, but Intune has a nice price at around €4.89/user/month (with 5 devices/user).  Throw in Software Assurance (€8.98/user/month) and those Windows PCs can be upgraded to the rights of SA, including Windows 8 Enterprise.

Thumbs up!

Put A Running Domain Controller In Your Hyper-V Replica DR Site?

I was working on a customer design recently for Hyper-V Replica. The customer was going to have their own dedicated DR site, using Hyper-V Replica for DR replication.  It looks something like this:

All production VMs would run in the primary site on a WS2012 Hyper-V cluster.  Hyper-V Replica would replicate VMs to the DR site, and remain in the cold offline state until the business continuity plan (BCP) was invoked in response to a disaster.  Test failovers could be conducted (this uses copies of the replica VMs).  All good so far!

The DCs in the primary site would run WS2012.  Using VMGeneration-ID and cluster bootstrapping, those DCs can be virtualised.  This bootstrapping works for both the primary and secondary site clusters.  Excellent!  Less hardware is required.  That VMGeneration-ID feature also means we can consider replicating virtual WS2012 DCs using Hyper-V Replica to the secondary site.

What happens if we have a disaster and for some reason the primary site virtual DCs refuse to come online after being failed over to the DR site?  I know, it’s a longshot.  But so is the disaster that could shut down the primary site.  If this happens then there goes your business because all of your on-premises services are tied to that domain.

When it comes to AD, I am very cautious.  I like having it available and online.  And AD replication is pretty solid.

Options?

Run a virtual DC in the public cloud?  Sure, you could.  There’s a cost to that.  But, if there is a disaster, and like with 9/11, the Internet becomes swamped, good luck authenticating and authorizing against a DC across a VPN link.  If that happens, your BCP fails.

What about running a DC in the DR site?  Yes, a virtual DC could be installed in the secondary site and left to replicate via normal means via a VPN across the DR link.  That will do the trick … if you’re ultra-cautious like myself.

The problem I’m countering with this design option is a very low risk.  I’m being very conservative and keeping my options open, e.g. if I ran a mid/large environment again, I’d run virtual DCs and back them up as VMs (VMGeneration-ID), use an agent in a single DC to get a system state backup, and use Windows Server Backup to also get a system state backup.  In my mind, you can’t have enough options for restoring an AD.  It’s like triple-insuring yourself, but at least I would have contingency plans when Murphy comes calling and the brown stuff hits the fan.

KB2803748 – Fixes KB2750149 On Windows Server 2012 Clusters

You were recently warned not to install KB2750149 (a Windows Update fix for .NET 4.5) on WS2012 Failover Cluster members.  This was because it would cause the Failover Cluster Manager to crash – actual service operation was unaffected.

Microsoft has released (via Windows Update) KB2803748 to repair this issue.

Q&A On The Microsoft Server & Cloud Blog

I did a questions & answers email interview for the Microsoft Server & Cloud blog recently and the results of it were posted online overnight.  The subject: the Cloud OS (Windows Server 2012 and System Center 2012 SP1).