Friday 31 January 2014

Protecting Your Yahoo Account

So, apparently Yahoo has suffered yet another breach. A quick search of the news sites (Bing Search) would bring up more info.

Sign in to Yahoo and change the account password as soon as possible.

Then, enable Second Sign-In Verification:


We suggest using SMS as the primary method for protecting the account as opposed to the security questions.

Under Account Info, add the mobile number, and once it is confirmed make the setting that uses SMS for verification.

This at least will provide a layer of protection unless the verification system itself also gets compromised. But, if that's the case Yahoo would probably have bigger problems on their hands! :S

While you're at it please enable 2FA (2 Factor Authentication) on all Microsoft IDs and download the Authentication App to your mobile device and _use_ it!

Now that online service providers are starting to allow us to protect ourselves with additional security steps the onus is on us to use those features!

Philip Elder
Microsoft Cluster MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book

Chef de partie in the SMBKitchen
Find out more at
Third Tier: Enterprise Solutions for Small Business

Monday 27 January 2014

From the Desk of Philip - Happy Monday

We are running at 115% right now. Things are crazy.

This can be good, but it can also get quite stressful.

So, taking a few moments to drop off and dream ...


I've had that book since I was a young teen. Small Block Marine was probably some of the better builds I've been a part of in the past (easily 1hp/CID).

Today's wistful thinking is along the lines of LS6 at 6.2L, cold-air intake, 8-10lbs of Magnuson Roots based boost, headers, high flow cats and Y pipe with a 4" straight pipe, and then a pair of high flow mufflers on a banana. The final bit would be in the tune (Side-Note: Gotta get rid of the nanny pause whenever I hit that accelerator! What were manufacturers thinking?).

The Dyno slips I saw for this setup showed 490bhp/ at the wheels (the one that really counts). Torque was relatively flat from about 2,800RPM to a little over 5K.

As a car guy it brings a bit of pain to say this but this would be the setup for a Sierra 1500 series pick-up.

We all know that one needs to be practical when it comes to life in the country!

We hope your Monday is going as good as ours is!

Keep dreaming the dream. :)

EDIT: Point of order: I was stuck on the Z06 LS6 crate motor ... Engine code for the 6.2L is L9H in the Sierra Pick-ups. My apologies for the misleading bits. :)


Thursday 23 January 2014

A Server 2012 R2 Hyper-V Cluster Is Born

We are just in the process of finishing up a newly configured domain with one physical DC and a four-node Hyper-V cluster built on Windows Server 2012 R2 Core.

We build out a custom MMC on an RSAT-enabled Windows 8.1 x64 Enterprise VM with the snap-ins (Failover Cluster Manager, the Windows Firewall snap-in for each node, and so on) that allow us to fully manage that cluster. A copy of the MMC will reside on the physical DC for management from that point if required.

An Intel RMM (Remote Management Module) that is Internet facing is configured on the physical DC. This gives us console access to the DC, which is especially important for managing the cluster for anything from updating through to full power-down situations.

Failover Cluster Manager has the best logging facilities, bar none. Sorry, but VMM (Virtual Machine Manager) does not have anything near what FCM has, especially when it comes to live logging of the cluster and the nodes. All one needs to do is build a custom query that includes all Cluster and Hyper-V event streams. We can also build custom queries that are focused on the cluster, storage, and Hyper-V streams.
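The same "all Cluster and Hyper-V event streams" view, as an added example rather than the post's own query: rebuilt with Get-WinEvent so it can be run from the RSAT management VM against every node at once. The cluster name HVCluster, the 24-hour window and WinRM reachability to the nodes are assumptions.

```powershell
# Added example, not the post's own FCM query. Pulls Critical/Error/Warning events from the
# cluster and Hyper-V channels on every node and shows them newest-first, FCM style.
# Assumes the FailoverClusters RSAT module on this VM and event-log read rights on the nodes.
Import-Module FailoverClusters

$Cluster = 'HVCluster'                  # placeholder cluster name
$Since   = (Get-Date).AddHours(-24)     # look-back window; adjust as needed

# Channels that FCM's cluster/Hyper-V query draws from (Admin/Operational logs are on by default)
$Channels = @(
    'Microsoft-Windows-FailoverClustering/Operational',
    'Microsoft-Windows-Hyper-V-VMMS-Admin',
    'Microsoft-Windows-Hyper-V-Worker-Admin',
    'Microsoft-Windows-Hyper-V-Hypervisor-Admin',
    'Microsoft-Windows-Hyper-V-Config-Admin'
)

$Events = foreach ($node in (Get-ClusterNode -Cluster $Cluster).Name) {
    # Level 1-3 = Critical, Error, Warning. A node with no matching events raises an
    # error rather than returning an empty set, so that case is silenced deliberately.
    Get-WinEvent -ComputerName $node -ErrorAction SilentlyContinue -MaxEvents 500 -FilterHashtable @{
        LogName   = $Channels
        Level     = 1, 2, 3
        StartTime = $Since
    } | Select-Object TimeCreated, MachineName, LogName, Id, LevelDisplayName, Message
}

# Newest first, like the FCM custom view
$Events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap

# Quick triage: which event IDs are firing, and on which nodes
$Events | Group-Object Id, MachineName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```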

While we have added the Windows Firewall snap-in for each node, to date we have not had a need to tweak anything at the node level, since we set the basic port exemptions at the Group Policy level and also permit local exceptions. This allows the Cluster Service setup routine to configure the firewall as appropriate.

Note that it is a good idea to set up the Cluster Service _after_ the nodes have been joined to the domain, teams have been created if they are being used, and the Network Awareness service has been set to Automatic (Delayed Start) if Windows native teaming is being used. This allows the port exemptions to be placed in the correct firewall profile.

This particular cluster will end up hosting a number of different workloads including DCs, File services, Exchange, SQL, SharePoint, and a few LoB specific ones.


Tuesday 21 January 2014

Somedays . . . IE11 Just Plain Stinks :(

There are times where IE 11's behaviours both in Windows 8 RTM and Windows 8.1 make no sense at all.

Bitly.com is a site we use _a lot_ to manage our links throughout our communications.

The site did not render properly in IE 11 on Windows 8 RTM today.

Now top that off with the Compatibility option having completely disappeared from any menu option and we have one frustrated user.

Oh, wait, no: the option has only disappeared from under the Gear. Hit ALT on the keyboard to bring up the menu bar and there it is.

No joy.

Okay, one last step before throwing the browser right out the window: add the site to the Trusted Sites list.

Voila, the site works.

Jiminy Cricket, this process was frustrating enough for us; imagine what it must be like for users who may not know about Trusted Sites and Compatibility Mode.

What a complete waste of time and productivity for business users who need to jump through these hoops just to go about their daily business.

Yes, Firefox and Chrome (we won't run with a Google product. Period.) are "options", but the business world runs on Microsoft products. One would hope that things could be done in such a way that users do not lose their productivity to this kind of thing. :(


Friday 17 January 2014

One Post SBS Configuration

We are doing the following and are quite successful with the setup:

  • 2x Windows Server STD
  • Windows CALs
  • Exchange STD
  • Exchange CALs
  • RDS CALs

With that we set up one host with Hyper-V (2012 R2 preferred).

  • VM 1: DC
  • VM 2: Exchange 2013 CU3
  • VM 3: RDS
  • VM 4: LoB, WSUS

We just finished migrating our last SBS 2003 out to this setup (though with two servers and a few extra licenses).

For larger firms we can set up two identical servers and have licensing in place to allow for the following:

  • Server 1 & 2: DC VM with DHCP Failover enabled (new 2012 R2 feature)
  • Server 1: LoB VM with Replica to Server 2
  • Server 1: Exchange
  • Server 1: RDS VM with Replica to Server 2

Because Exchange and SQL have their own built-in redundancy features we have the option to configure in-guest clustering to build out the required redundancy for them.

Or, we can go with two servers with dual SAS HBAs and a dual controller SAS direct attached storage (MD3220, VTrak E610sD, DS3524) and set up an actual Hyper-V Failover Cluster. This option works very well for the very downtime conscious client.


Monday 13 January 2014

RDWeb in Windows Server 2012 R2

If you have not seen RDWeb in Windows Server 2012 R2 yet, then a look at the feature along with the full Remote Desktop Services suite of abilities in Windows Server 2012 R2 is a must.


Our "Collaborate Anywhere" solution (sound familiar eh? ;) ) is based upon RDWeb and the AuthAnvil Secure Access Portal that we are investing heavily in.

We believe that Cloud has its place; however, on-premises still provides our clients the _same_ feature set and location flexibility that Cloud vendors extol as Cloud-only, with the added benefit of data ownership and security.


Saturday 11 January 2014

Set Exchange 2010 and 2013 Internal and External Virtual Directory URLs in PowerShell

Here are the elevated PowerShell commands to run to set the virtual directory URLs:

The elevated PowerShell commands to verify the settings:

  • Get-ActiveSyncVirtualDirectory | fl internalurl,externalurl
  • Get-AutoDiscoverVirtualDirectory | fl internalurl,externalurl
  • Get-ECPVirtualDirectory | fl internalurl,externalurl
  • Get-OabVirtualDirectory | fl internalurl,externalurl
  • Get-WebServicesVirtualDirectory | fl internalurl,externalurl

Please note that we run a split DNS setup to have the external URL map to an internal IP address while folks are in the office (as per SBS STD).
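An added example of the Set side, not the post's own command set: it pushes one split-DNS name to the virtual directories checked above (plus OWA) and points the Autodiscover SCP at the same name, then re-runs the checks. The name mail.example.com, and running in the Exchange Management Shell on the server itself, are assumptions.

```powershell
# Added example, not the post's own commands. Assumes the Exchange Management Shell (2010 or
# 2013) on the CAS/Mailbox server and a placeholder published name. With split DNS the same
# name is used inside and out; it must also be a subject/SAN name on the bound certificate.
$Fqdn   = 'mail.example.com'          # placeholder; the name resolving to the internal IP in the office
$Server = $env:COMPUTERNAME

# Path of each virtual directory, keyed by the noun shared by its Get-/Set- cmdlets
$Paths = @{
    'ActiveSyncVirtualDirectory'  = 'Microsoft-Server-ActiveSync'
    'OabVirtualDirectory'         = 'OAB'
    'WebServicesVirtualDirectory' = 'EWS/Exchange.asmx'
    'EcpVirtualDirectory'         = 'ecp'
    'OwaVirtualDirectory'         = 'owa'
}

foreach ($noun in $Paths.Keys) {
    $url = "https://$Fqdn/$($Paths[$noun])"
    # Get-<noun> -Server picks only this server's directory; Set-<noun> takes the identity from the pipe
    & "Get-$noun" -Server $Server | & "Set-$noun" -InternalUrl $url -ExternalUrl $url
}

# Autodiscover: domain-joined Outlook reads the SCP URI on the Client Access server rather than
# the Autodiscover virtual directory's own URLs, so that is the value to point at the split-DNS name
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$Fqdn/Autodiscover/Autodiscover.xml"

# Verify, matching the Get-* checks in the post
foreach ($noun in $Paths.Keys) {
    & "Get-$noun" -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
}
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
```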

UPDATE 2014-02-14: Dave Shackelford was kind enough to point out the errors in my copy & paste methodology. The proper syntax for each Set command has now been put in place. :)


Friday 10 January 2014

Hyper-V: Set Up A Permanent Host OS Flash Drive

All of our Hyper-V hosts, whether standalone or clustered 1U/2U nodes, have a permanent flash drive plugged into the server.

They also have an Intel RMM, Dell iDRAC Enterprise, or HP iLO Advanced set up for full remote KVM-over-IP access.

We can then flatten and restore that host to production-worthy status in about 30-45 minutes. PowerShell has a lot to do with making this possible as far as post-OS configuration goes.

Here's how we do it:

  1. DiskPart
    1. List Disk
    2. Select Disk x (flash)
    3. Clean
    4. Create Partition Primary
    5. Select Partition 1
    6. Format FS=NTFS Quick Label="HV_Node-01"
    7. Active
    8. Assign
  2. Have the host OS ISO mounted and copy its ENTIRE contents to the root of the flash drive.
  3. We then create the following folders in the root of the flash drive:
    1. _Drivers
    2. _Utilities
    3. _Software

What goes into those folders:

  • _Drivers = obvious
  • _Utilities = things like HVRemote, the bind tools, etc.
  • _Software = server management software
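The same build, as an added example rather than the post's own script: the DiskPart steps done with the Storage cmdlets in Windows Server 2012 R2 / Windows 8.1, plus the ISO copy and the folder layout, with a guard that refuses to wipe anything that is not a USB disk. The label default, the ISO path and passing the disk number from Get-Disk are assumptions.

```powershell
# Added example, not the post's own script. Run elevated on a 2012 R2 / 8.1 box with the
# flash drive attached; the disk number comes from Get-Disk, as "Select Disk x" does in DiskPart.
param(
    [Parameter(Mandatory)] [int] $DiskNumber,            # the flash drive as listed by Get-Disk
    [string] $Label   = 'HV_Node-01',                    # same label as the DiskPart step
    [string] $IsoPath = 'C:\ISO\SERVER-2012R2.iso'       # placeholder path to the host OS ISO
)

# 1. Guard: only a USB disk, and never the disk the running OS boots from, gets wiped.
$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne 'USB' -or $disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber is BusType '$($disk.BusType)', Boot=$($disk.IsBoot), System=$($disk.IsSystem). Refusing to wipe it."
}

# 2. Clean / create partition primary / active / format NTFS quick / assign, as in DiskPart.
Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
$part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -IsActive -AssignDriveLetter
$part | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null
$letter = (Get-Partition -DiskNumber $DiskNumber -PartitionNumber $part.PartitionNumber).DriveLetter
$root   = "${letter}:\"

# 3. Mount the ISO and copy its ENTIRE contents to the root of the flash drive.
$isoLetter = (Mount-DiskImage -ImagePath $IsoPath -PassThru | Get-Volume).DriveLetter
Copy-Item -Path "${isoLetter}:\*" -Destination $root -Recurse -Force
Dismount-DiskImage -ImagePath $IsoPath

# 4. The working folders that live beside the installer files.
foreach ($name in '_Drivers', '_Utilities', '_Software') {
    New-Item -ItemType Directory -Path (Join-Path $root $name) -Force | Out-Null
}

# 5. Confirm: one active MBR partition, NTFS with the label, and the three folders.
Get-Partition -DiskNumber $DiskNumber | Select-Object PartitionNumber, IsActive, DriveLetter, Size
Get-Volume -DriveLetter $letter | Select-Object FileSystemLabel, FileSystem, SizeRemaining
Get-ChildItem $root -Directory | Where-Object Name -like '_*' | Select-Object Name
```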

We _never_ back up the host. Period.

Once the host OS has been set up please make sure that having that USB flash drive permanently plugged in does not interfere with the host's boot process by verifying the boot order and USB boot settings in the BIOS.


Thursday 9 January 2014

Windows Server 2012 R2 and Two Smaller Servers Over One Big One

Having some thoughts on designing clients' IT solutions to provide a relatively simple setup that allows the business to continue on in the event of a hardware failure.

Windows Server 2012 R2 gives us a few more options to facilitate business continuity.

Two smaller servers running their workloads allow for a number of different scenarios for recoverability:

  • Hyper-V Replica
    • For obvious reasons
  • DHCP Failover (built-in, run the wizard after installing the DHCP Role on two systems)
    • Very easy to do and gives clients full DHCP if one box goes down (no need to flip a switch somewhere else to enable DHCP)
    • Shares all Scope Options and Reservations between the two

Some of the benefits of this setup are:

  • AD is covered in the event of a full-stop
    • Hiccups can be taken care of by Burflags and/or AD Recycle Bin
    • AD continues despite one server going full-stop
  • File services and LoBs come back online when replica failover kicks in
  • A good backup regimen with restore tests allows flexibility (ShadowProtect)

Our preference has grown into having two key resources duplicated:

  • AD/DNS/DHCP across two separate VMs (2x servers)
  • Hyper-V Replica for VMs hosting files and key LoBs

That folks is a poor man’s/woman’s "Cluster" setup.

Yes, there is a bit of extra cost involved for the licensing side of things. And, there may be a price difference on the hardware side of things.

But, when we look at the lifetime of the solution and take that extra cost we can then draw up a dollar amount per user per month using a 36 or 48 month amortization table (or even 60 month if five year warranty) and justify it as the cost of insurance relative to business stoppage costs. This works for us pretty much every time! :)
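An added example, not the post's own script, covering the two duplicated resources above and the "Replica to Server 2" layout in the One Post SBS Configuration post: DHCP Failover between the two DC VMs and Hyper-V Replica from host 1 to host 2. The host, VM and scope names, the replica path and the trust group are placeholders.

```powershell
# Added example, not the post's own commands. Windows Server 2012 R2 DHCP and Hyper-V cmdlets;
# run from a management box with the DHCP and Hyper-V modules and admin rights on all four names.
$Dhcp1, $Dhcp2 = 'DC01', 'DC02'            # the two DC/DHCP VMs (one per host)
$Host1, $Host2 = 'HV01', 'HV02'            # the two physical Hyper-V hosts
$ScopeId       = '192.168.10.0'            # constructed sample scope
$ReplicaVMs    = 'FS01', 'LOB01'           # file server and LoB VMs that run on HV01

# --- DHCP Failover in load-balance mode: both servers answer, scope options and reservations
# replicate between them. The shared secret authenticates the partner channel; use a long random
# value and keep it out of scripts.
$Secret = Read-Host 'DHCP failover shared secret'
Add-DhcpServerv4Failover -ComputerName $Dhcp1 -PartnerServer $Dhcp2 -Name "$Dhcp1-$Dhcp2" `
    -ScopeId $ScopeId -LoadBalancePercent 50 -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 01:00:00 -SharedSecret $Secret -Force
Get-DhcpServerv4Failover -ComputerName $Dhcp1 | Format-List Name, PartnerServer, Mode, State
# After any later scope edit, push it to the partner explicitly
Invoke-DhcpServerv4FailoverReplication -ComputerName $Dhcp1 -Force

# --- Hyper-V Replica: HV02 accepts replicas only from HV01, Kerberos on port 80. Kerberos/HTTP is
# fine on a trusted LAN; across sites use -AllowedAuthenticationType Certificate so the stream is HTTPS.
Set-VMReplicationServer -ComputerName $Host2 -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos -KerberosAuthenticationPort 80 `
    -ReplicationAllowedFromAnyServer $false
New-VMReplicationAuthorizationEntry -ComputerName $Host2 -AllowedPrimaryServer "$Host1.corp.example" `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Office'
Enable-NetFirewallRule -CimSession $Host2 -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

Enable-VMReplication -ComputerName $Host1 -VMName $ReplicaVMs -ReplicaServerName $Host2 `
    -ReplicaServerPort 80 -AuthenticationType Kerberos -ReplicationFrequencySec 300 -RecoveryHistory 4
Start-VMInitialReplication -ComputerName $Host1 -VMName $ReplicaVMs

# Health check: State should reach Replicating and Health Normal once the initial copy completes
Get-VMReplication -ComputerName $Host1 |
    Format-Table VMName, State, Health, Mode, PrimaryServer, ReplicaServer -AutoSize
```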


Tuesday 7 January 2014

Some Hyper-V PowerShell Commands for You

Here is the command set to create a vSwitch that does _not_ share the connection with the host OS:


  • New-VMSwitch -Name vSwitch -NetAdapterName vSwitch -AllowManagementOS 0

Note the zero to indicate no sharing with the host OS.

The -NetAdapterName value is the name of the team we created for the VMs.

Installing features and forcing the local source files is an important thing to do; otherwise one may wait a long time while the node or nodes, or a standalone host, try to pull from Microsoft's download servers only to fail much later in the game.

In this case we are installing the RSAT-Clustering feature (our original snip was missing -IncludeAllSubFeature, as we later discovered; the command below includes it):

  • Install-WindowsFeature RSAT-Clustering -Source wim:d:\sources\install.wim:2 -IncludeAllSubFeature -Restart

Even with the installer pulling the needed files from the locally attached storage (flash drive) this one takes a while. We know we are successful when the node reboots.

Note that we are indicating INDEX 2 for the installer to pull from. That index is for the GUI version of the OS. If we try to pull the source files from the CORE image at INDEX 1, we will eventually end up with a failed result. And, given how long this process takes, it is rather painful to discover just what the installer was looking for in the first place. :(
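Both commands above worked through as an added example, not the post's own snips: the VM-only team and switch with the host kept off it, a check that the host really has no vNIC on that switch, and the install.wim index read by image name so the Core-versus-GUI mismatch is caught before a long failed install. The NIC names, wim path and edition string are placeholders.

```powershell
# Added example, not the post's own snips. Run elevated on the node (2012 R2).
Import-Module NetLbfo, Hyper-V, Dism

$TeamNics = 'NIC3', 'NIC4'                 # the ports reserved for VM traffic
$Wim      = 'D:\sources\install.wim'       # the ISO / flash drive copy of the installer
$Edition  = 'SERVERSTANDARD'               # edition installed on this node, without the CORE suffix

# LBFO team used only by the vSwitch; Dynamic is the 2012 R2 default balancing mode
New-NetLbfoTeam -Name vSwitch -TeamMembers $TeamNics -TeamingMode SwitchIndependent `
    -LoadBalancingAlgorithm Dynamic -Confirm:$false | Out-Null

# As in the post: $false (0) means no management-OS adapter is created on the switch
New-VMSwitch -Name vSwitch -NetAdapterName vSwitch -AllowManagementOS $false | Out-Null

# Verify both ways: the switch property, and the absence of any host vNIC bound to it
Get-VMSwitch -Name vSwitch |
    Format-List Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS
$hostVnic = Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq 'vSwitch'
if ($hostVnic) { Write-Warning "Host OS still has a vNIC on vSwitch: $($hostVnic.Name -join ', ')" }
else           { 'Host OS has no adapter on vSwitch' }

# List the images and pick the GUI one by name instead of assuming index 2.
# 2012 R2 media names the images SERVERSTANDARDCORE, SERVERSTANDARD, SERVERDATACENTERCORE, SERVERDATACENTER.
Get-WindowsImage -ImagePath $Wim | Format-Table ImageIndex, ImageName -AutoSize
$index = (Get-WindowsImage -ImagePath $Wim | Where-Object { $_.ImageName -like "*$Edition" }).ImageIndex
if (-not $index) { throw "No image named *$Edition in $Wim; a CORE image will not satisfy the installer" }

# Same as the post's command, with the index resolved above rather than hard-coded
Install-WindowsFeature RSAT-Clustering -IncludeAllSubFeature -Source "wim:${Wim}:$index" -Restart
```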


Monday 6 January 2014

Some Thoughts On ARM and Intel Windows 8 Devices and the Windows 8 OS

This is a post to the SBS2K Yahoo List.

OP: Windows and ARM are essentially dead.

My thoughts . . .

I don’t think ARM is dead. Cost-wise Intel can’t meet them, especially with the new FABs they have built and their ongoing yield issues. There needs to be a cost tier in tech.
 
The ARM/RT/Surface 2 experience is aimed at the iDevice user. Folks that are used to a locked in experience where they need to purchase apps outside of the device to get what they need to be productive. The advantage goes to Surface 2 as it has everything one needs to be fully productive short of Enterprise features like DirectAccess _out of the box_. InTune takes care of the management side of things to some degree to give corporate IT some control over the devices.
 
I like my Surface 2. It’s flaky for sure. It reminds me of the day when we started to see motherboards with the “new” 32-bit PCI slots on them and the industry extolling “Plug and Play” as the new end to IRQs and Jumpers. We called it “Plug and Pray” for _years_ before the tech settled down and started doing what it was supposed to.
 
I believe that the Windows ARM line will, and already is, put a lot of pressure on iDevices and Android devices since users see a device that has their Windows experience out of the box.
 
Kill Microsoft with words over the new Metro/Modern UI and its app environment but Microsoft knows what they are doing. They _know_ user pain moving between different platforms and the cost in lost productivity due to the “where’s my cheese” between them.
 
I can’t count the number of times I’ve been approached with a “my Android device updated and now my stuff is gone or changed how do I get it back” question. That’s one area that Google has totally wrong. It’s not about the devs and their toys it’s about the end-user and their need to stay productive. Windows Phone solves this pain point big time as does iOS as they don’t butcher the user experience between versions.
 
And that is the clincher: As the general public becomes more aware that their PC, tablet, and phone can host the exact same environment in a stable and ongoing fashion, especially through device changes, the Windows platform will grow. The Windows 8/RT platform is relatively stable, provides a methodology to move to new devices and inherit everything, and provides a seamless and similar user experience across ALL devices. That’s Microsoft’s long-term vision IMNSHO.
 
An example: I killed the screen on my Nokia 920. It pancaked on the floor. Box tape is holding the glass together and it still works just fine but seeing through the cracks is painful. So, I bought a new Nokia 1020. It took about an hour after signing in with my Microsoft ID to have EVERYTHING as it was on my 920. The device backup and restore process pulls everything back even my text message threads! I don’t have to plug my phone into a computer or WiFi sync it like the iPhone does (not sure if messaging threads come back with a restore to a new iPhone?).
 
I set up a new Windows 8.1 machine for home based on the Intel NUC. I signed in with my Microsoft ID, set up my app passwords, and pulled down my regular apps from the Store’s “What you purchased” list and I was fully productive. All I needed from there was Office, RD Manager, and Camtasia. Everything else I use is in Metro/Modern UI.
 
If you have not experienced the seamless setup between Windows 8+ systems then you are truly missing out again IMNSHO. I NEED to have every second available to me to stay on top of things. Windows 8 has saved gobs of time over the previous days when I was working on setting up new machines for myself. In fact, after signing into my Microsoft ID (it is 2FA protected so I always need my phone for this step) and setting my passwords into the Mail app (the new PC has all of my Exchange mailboxes ready for a password and to start syncing immediately) I can be productive immediately communication wise.
 
Maybe I’ve drunk the Kool-Aid. Maybe not. But I can tell you the benefits of Windows 8+ far outweigh the cons. Oh, and the Start Button in Windows 8.1 rocks. I did not realize just how much I missed it for managing servers via a windowed RDP/iDRAC/iLO/RMM session. :P
 
One more neat bit: Hit the Start button after setting key mail folders on the Start Menu and the Live Tiles give me an at-a-glance view of all communications. I like that.


Thursday 2 January 2014

IIS Error: There was an error while performing this operation. A specified logon session does not exist. 0x80070520

We were setting up a test site for our Application Request Routing rule set prior to running things in production and hit this:


Edit Site Binding

There was an error while performing this operation.

Details:

A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)

Okay, that was right out in left field.

Fortunately search results were right on:

The solution was to delete the certificate and then import it again, this time leaving "Allow this certificate to be exported" checked.


Once we did that our site went up with no issues.
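The same fix from PowerShell, as an added example rather than the post's own steps: re-import the PFX with the private key marked exportable, confirm the key is actually usable, and put the certificate on the HTTPS binding. The PFX path, site name and host header are placeholders; the PKI and WebAdministration modules of Server 2012 R2 are assumed.

```powershell
# Added example, not the post's own steps. Run elevated on the IIS 8/8.5 server.
Import-Module PKI
Import-Module WebAdministration

$Pfx   = 'C:\certs\arr-test.pfx'                     # placeholder path to the certificate export
$Pwd   = Read-Host -AsSecureString 'PFX password'
$Thumb = (Get-PfxData -FilePath $Pfx -Password $Pwd).EndEntityCertificates[0].Thumbprint

# 1. Drop the earlier import (same thumbprint) so its non-exportable key container goes with it
Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumb | Remove-Item

# 2. Import again with "Allow this certificate to be exported" (-Exportable). An exportable key can be
#    copied out by any local admin, so remove the .pfx from the server afterwards and keep it somewhere controlled.
Import-PfxCertificate -FilePath $Pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Pwd -Exportable | Out-Null

# 3. Check the private key is present and really exportable (CSP keys; a CNG key reports PrivateKey = $null)
$cert = Get-Item "Cert:\LocalMachine\My\$Thumb"
if (-not $cert.HasPrivateKey) { throw "No private key was imported for $Thumb" }
if ($cert.PrivateKey) { "Exportable: $($cert.PrivateKey.CspKeyContainerInfo.Exportable)" }

# 4. Bind it: create the https binding if it is missing, then attach the certificate to the listener
$Site = 'Default Web Site'; $Header = 'arr-test.example.com'    # placeholders
if (-not (Get-WebBinding -Name $Site -Protocol https -HostHeader $Header)) {
    New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $Header
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    Get-Item "Cert:\LocalMachine\My\$Thumb" | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Thumbprint
```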


RD Gateway and RemoteApp Error: Remote Desktop can't connect to the remote computer "RDS.Domain.Local" for one of these reasons:

We just finished setting up a Windows Server 2012 R2 Standard RDS server and began testing the RD Gateway, RDWeb, and RemoteApp features and hit this:


RemoteApp Disconnected

Remote Desktop can't connect to the remote computer "RDS.Domain.Local" for one of these reasons:

1) Your user account is not authorized to access the RD Gateway "remote.domain.ca"

2) Your computer is not authorized to access the RD Gateway "remote.domain.ca"

3) You are using an incompatible authentication method (for example, the RD Gateway might be expecting a smart card but you provided a password)

Contact your network administrator for assistance.

The third reason is out, and the first two are not applicable since our access policies are set up correctly.

Our search brought us to:

Following Solution 1, we puzzled over where the NPS console was!

Click on NAP in Server Manager and then right-click on the server name. Choose Network Policy Server in the menu.

Once the NPS console comes up, right-click on the root node NPS (Local) and click Register server in Active Directory.


Click OK twice and then test again.


Good to go!
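The same registration step from an elevated prompt, as an added example rather than the post's own clicks, with the check that shows whether it took: registering simply adds the gateway's computer account to the domain's "RAS and IAS Servers" group, which is what lets NPS read users' dial-in properties. The host name RDS and the ActiveDirectory module being available are assumptions.

```powershell
# Added example, not the post's own steps. Run elevated on the RD Gateway (domain-joined).
$Gateway = 'RDS'    # placeholder host name of the RD Gateway / NPS server

# Same as right-clicking NPS (Local) > Register server in Active Directory. To register another
# box, pass it explicitly: netsh nps add registeredserver domain=corp.example server=RDS
netsh nps add registeredserver

# Verify from any machine with the AD module: the computer account (name ending in $) must be a member
Import-Module ActiveDirectory
$members = Get-ADGroupMember -Identity 'RAS and IAS Servers' | Select-Object -ExpandProperty SamAccountName
if ($members -contains "$Gateway`$") {
    "$Gateway is registered; re-run the RemoteApp test"
} else {
    Write-Warning "$Gateway is not in 'RAS and IAS Servers'; the RD CAP check will keep failing with the errors above"
}
```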
