Andrew and I often get asked questions about some of the more basic elements of the job and a question that comes up time and time again is what are the best tools to use for doing X. For me I often get asked how you start to plan a migration, to understand what’s out there in your environment and then to move into deploying Windows. We also get asked all manner of questions around managing AD, around System Center, around security and around clever ways to do something. I thought I’d compile a short list of some of our favourites, hopefully you’ll find some nuggets but share your thoughts in the comments.
MAP The Microsoft Assessment and Planning (MAP) Toolkit is an agentless inventory, assessment, and reporting tool that can securely assess IT environments for various platform migrations—including Windows 7, Windows Server 2008 R2, Hyper-V, Windows Azure, and Hyper-V Cloud Fast Track. I find this toolkit to be a fabulous planning resource which is why it’s top of this list, because it came to mind first. It simply looks at your environment and provides you with reports that with some tweaking you can use to support things like a request for funding or just to work out how far through a migration you are. For example it can look at your desktop estate and tell you how many PCs you have that don’t have hardware capable of running Windows 7. Andrew is also a big fan of the MAP.
OEAT The Office Environment Assessment Toolkit is a free downloadable executable (.exe) file that scans client computers for add-ins and applications that interact with Microsoft Office 97, Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, the 2007 Microsoft Office system, and Microsoft Office 2010. You use OEAT during the assessment phase of your application compatibility and remediation project, which is described in detail in the Office 2010 application compatibility guide. The following figure shows how OEAT fits into the overall process of assessing application compatibility.
MDT The Microsoft Deployment Toolkit is THE tool to use to get any version of Windows deployed within your organisation. It simplifies the process of creating dynamic deployments that can adapt to the hardware or environment into which they are being delivered. If you already use System Center then it integrates very well, and the new Beta integrates with System Center 2012 too. MDT also has a task sequence that lets you automatically P2V an XP machine to migrate it to Windows 7, allowing full access to the original XP machine, all its apps and data.
USMT User State Migration Tool (USMT) 4.0 is a scriptable command-line tool that provides a highly-customizable user-profile migration experience for IT professionals. USMT includes two components, ScanState and LoadState, and a set of modifiable .xml files: MigApp.xml, MigUser.xml, and MigDocs.xml. In addition, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
IEAK The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment and management of customized Internet Explorer packages. The IEAK can be used to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. WHAT I LOVE about this tool is that it allows so much control over the browsing environment giving you complete manageability where some other browsers give you about 87 settings that don’t do a whole lot, IE gives you 1500+ to ensure it fits your organisation perfectly.
Security Essentials IF your org has fewer than 10 PCs then this is the FREE antivirus for you; likewise, use it at home. Security Essentials uses the same signatures as Forefront and has won a slew of awards for being very user friendly. You shouldn’t really need to pay to keep safe.
Sysinternals Books have been written about this set of tools; they are so powerful that they help identify and solve serious security and malware issues. Mark Russinovich and friends have created and documented an ultra-powerful set of tools. Some of my favourites are PsExec (which has saved my life and career on many an occasion), BgInfo, which tells me all the details I need to identify a server at a glance from the desktop, and ZoomIt, which if you’ve ever seen me demo live you’ll have seen.
RDC Man RDCMan manages multiple remote desktop connections. It is useful for managing server labs where you need regular access to each machine, such as automated check-in systems and data centres. It is similar to the built-in MMC Remote Desktops snap-in, but more flexible.
Mouse without Borders has been an internal tool at Microsoft for a long time. It’s an immensely useful tool if you use multiple PCs: it basically allows you to share a single mouse and keyboard across multiple PCs, sort of like a reverse RDP. The great thing is that it works perfectly when you have a few laptops to work on at one time, as you can use the monitor from each to provide multiple displays.
Some learning tools
Deployment learning portal is the place to learn how to deploy Windows.
MVA is the place to learn how to use the cloud, and virtualisation and tons and tons of other stuff.
Sam is an IT Project Manager who has purchased a large batch of Windows 7 Enterprise licenses without consulting her bosses. They don’t want to move from XP and now her job’s at threat! She needs your help as an IT Professional to convince the board that Windows 7 is worth deploying.
In return there are loads of great prizes available! A free limited edition mug is available for everyone who takes part, and each fortnight the video judged to be the best will be rewarded with one of our fantastic prizes. We have TV’s, a Windows Phone, Slate and Desktop touch devices to give away as well as loads more, so make sure you keep checking back on the blog to discover how you can get your hands on one. But wait… there’s more! The video with the most views at the end of the competition will be awarded a 3D TV and a 3D camcorder to help the winner progress to the silver screen!
Details of where to enter will be available soon. In the meantime, here are the T&Cs as always and a quick guide to entering once the all-important details have been published.
Update 19/09 - Ease of Use
Acer Aspire ICONIA TAB W500 this fortnight. Enter here.
This period's entries can be found here.
Update 03/10 - Compatibility
Enter here to win this fortnight’s prize - a Full HD TV, Blu-ray Home Cinema System & Star Wars: The Complete Saga on Blu-ray.
Click here for this period's entries and winner.
Update 18/10 - Security
This fortnight's prize is a Lenovo B320 Multi-Touch All-In-One PC, enter here now!
This period's winners can be found here!
Update 31/10 - Deployment
The prize this fortnight is a 4TB Seagate Network Attached Storage (NAS) Solution and Sonos System in return for the best Deployment tips.
This period's winner is here!
Update 14/11 - Manageability
Win a shiny new Intel Core i3 Dell Laptop by answering this fortnight's question.
Find out who won the laptop over here.
Update 28/11 - Value
The final fortnightly prize is a HTC Titan Windows Phone, more information here!
Here are the final winners!
Terms & Conditions
1. ELIGIBILITY: This competition is open to any person resident in the UK who is 18 years of age or older at the time of entry. Employees of Microsoft or its affiliates, subsidiaries, advertising or promotion agencies are not eligible, nor are members of these employees’ families (defined as parents, children, siblings, spouse and life partners).
2. TO ENTER: Entry into this competition is by response to the question(s) posed by Microsoft on the TechNet UK Blog. Full listings of the correct response links can be found on the TechNet Blog here. The entry method is as follows:
- Video: To enter, visit YouTube and register for a free account, if you don’t already have one. Then visit the TechNet UK Blog and navigate to the blog post which contains the relevant Entry Period’s question. The post will contain a link to a YouTube video to which you should post your video as a response.
Maximum one video entry per person, per Entry Period. Only the entrant’s first response will be accepted, multiple answers will not increase the entrant’s chances of winning. All Entries must be posted as specified in the instructions for the Entry Period and received by the close of the Entry Period. All Entries must comply with the YouTube’s Terms and Conditions.
Incomplete, damaged, defaced or illegible entries may be deemed invalid at the sole discretion of Microsoft. Entry constitutes full and unconditional acceptance of these Terms and Conditions. Microsoft reserve the right to disqualify anyone in breach of these Terms and Conditions.
3. TIMING: This competition runs from 09.00:00 am BST on 19 September 2011 until 09.00:00 am BST on 12 December 2011 (inclusive) (The “Competition Period”). The competition consists of six (6) “Entry Periods”:
- Entry Period 1 (19 September 2011 – 03 October 2011)
- Entry Period 2 (03 October 2011 – 17 October 2011)
- Entry Period 3 (17 October 2011 – 31 October 2011)
- Entry Period 4 (31 October 2011 – 14 November 2011)
- Entry Period 5 (14 November 2011 – 28 November 2011)
- Entry Period 6 (28 November 2011 – 12 December 2011)
Completed entries for each Period must reach Microsoft no later than 09:00:00 am BST on the closing date of the respective Entry Period.
4. USE OF DATA: Personal data which you provide when you enter this competition shall be used for the purposes of this competition only.
5. SELECTION OF WINNERS: The competition winners for each Entry Period will be determined by a panel of 3 judges within five (5) working days of the close of the Entry Period. The panel of judges will include at least one independent member.
The judges will evaluate the entries based on the following criteria ("Criteria"):
- The clarity and relevance of the response to the question;
- The likelihood that the advice given would ‘Save Samantha’s Job’;
- The creativity shown through the response.
The winners will be notified within ten (10) working days of the close of the Entry Period. Entrants submitting written responses will be contacted through the forum messaging system, entrants submitting video entries will be contacted through the YouTube messaging system. If a potential winner cannot be contacted, through no fault of Microsoft, within 5 days after the first attempt, an alternative winner will be selected. The winner may be required to become involved in further publicity or advertising, including but not limited to the use of winning video answers in Microsoft publications.
6. PRIZES: The first 200 responses across the Competition Period that meet the entry criteria will be awarded one complimentary mug, a maximum of one mug per person.
Prizes may consist of more than one item; where more than one item is shown below for one Entry Period, they are combined and treated as a single prize. Six (6) best video prizes are available during the Competition Period in the following categories:
- Entry Period 1 (19 September 2011 – 03 October 2011) – Best video answer – Acer Aspire ICONIA TAB W500 (AMD-C50 Dual Core Processor, 2GB RAM, 32GB HDD, Windows 7 Home Premium) (ERP £425)
- Entry Period 2 (03 October 2011 – 17 October 2011) – Best video answer – Sony 32” LCD TV (ERP £330) + Samsung 3D BluRay 2.1 Channel Home Cinema System (ERP £150) + Star Wars: The Complete Saga on BluRay (ERP £60)
- Entry Period 3 (17 October 2011 – 31 October 2011) – Best video answer – Lenovo IdeaCentre B320 21.5” Multi-touch All-in-one Desktop PC (Core i3-2100 3.1GHz, 4GB RAM, 1TB HDD, Windows 7 Home Premium) (ERP £500)
- Entry Period 4 (31 October 2011 – 14 November 2011) – Best video answer – Seagate 4TB Network Attached Storage (NAS) (ERP £235) + Sonos Play:5 (ERP £340) + Sonos Bridge (ERP £40)
- Entry Period 5 (14 November 2011 – 28 November 2011) – Best video answer – Dell Inspiron Q15R Switch Laptop (Core™ i3-2310M, 4GB RAM, 640GB HDD, Windows 7 Home Premium) (ERP £480)
- Entry Period 6 (28 November 2011 – 12 December 2011) – Best video answer – Windows Phone 7 HTC TITAN (ERP £490)
All video responses that meet the entry criteria will be entered into the competition for best video answer for the relevant Entry Period. Maximum of one best video prize per person during the duration of the competition.
Additionally all video responses that meet the entry criteria, including those awarded best video prizes, will be entered into the competition to win a Samsung 32” LED 3D TV (ERP £500) + Panasonic SD90 Full HD 3D Ready Camcorder (ERP £360) + Panasonic CLT1 3D Conversion Lens (ERP £200) for the most views achieved across the Competition Period. The number of views achieved will be taken as displayed by the YouTube view counter at the time of judging.
Prizes as stated and non-transferable. No cash or other alternatives available. Microsoft reserve the right to substitute a prize of equal or greater value. The prizes will be sent by 21 December 2011. If no entries are received for any particular Entry Period or the received entries are not deemed to meet the judging criteria, the prize will be retained by Microsoft. Prizes may be considered a taxable benefit and winners will be directly responsible for accounting for any tax liability arising on their prize.
7. WINNERS LIST: The winner consents to their first name and surname being made publicly available. The winner’s surnames will be available for a period of 30 days after the end of the Entry Period by emailing Alex Guy at firstname.lastname@example.org.
8. OTHER: No correspondence will be entered into regarding either this competition or these Terms and Conditions. In the unlikely event of a dispute, Microsoft’s decision shall be final. Microsoft reserves the right to amend, modify, cancel or withdraw this competition at any time without notice.
9. Microsoft cannot guarantee the performance of any third party and shall not be liable for any act or default by a third party. Participants in this promotion agree that Microsoft will have no liability whatsoever for any injuries, losses, costs, damage or disappointment of any kind resulting in whole or in part, directly or indirectly from acceptance, misuse or use of a prize, or from participation in this promotion. Nothing in this clause shall limit Microsoft’s liability in respect of death or personal injury arising out of its own negligence or arising out of fraud.
Promoter: Microsoft Limited, Microsoft Campus, Thames Valley Park, Reading, RG6 1WG, England
Recordings from the whole day are available here.
Following on from the success of last year’s Tech.Days Online series, we are back with our new schedule of events. It all kicks off on 27 October with Simon May, Andrew Fryer, Steve Plank and many others for a day of conversation on some of the most pressing topics and exciting developments facing the modern IT industry. There are five subjects across three tracks, so plenty of opportunity to jump between sessions if you wish.
Along with representatives from IT departments around the UK, we will discuss how to embrace the influx of consumer devices into the workplace, the new features available through SQL Server ‘Denali’ and how Windows Azure can help you make sense of your Cloud offering, among many other topics.
Our three main speakers for the conference will be sharing presenting duties with the following guest speakers from Microsoft, the Most Valuable Professional (MVP) and Springboard Technical Expert Panel (STEP) communities:
Guest Speakers for Introduction to SQL Server Denali
Guest Speaker for System Center - It's All About the App
Guest Speakers for Supporting More Than Windows
See further agenda details and register your attendance here.
The LiveMeeting links you'll need for the day are as follows:
Delivering an environment where people are able to bring their own devices into the office and use them is certainly one of the biggest trends of our time, and it’s proving to be one of the hardest things to support. To quote Forrest Gump, “you never know what you’re going to get”. How do you provide support into an environment where you don’t know what it is that you’re going to be supporting? Do you need Windows skills, Mac skills, iOS skills, Android skills or all of them? The answer is probably all, but you need to concentrate on managing and supporting the environment and the data rather than the devices.
That of course is easy to say but difficult to do when you bring user expectations into the equation. Do your users expect you to be able to fix every problem that they have? Probably yes. Over time that will change, and my hunch is that it probably already is and you don’t know it, but perhaps it’s going to require a push to get things started. That push will probably come in the form of a win/win approach: reducing the depth of what you are expected to support in exchange for supporting more breadth. Gartner back in July published a paper, Best Practices for Supporting 'Bring Your Own' Mobile Devices, which I thoroughly suggest reading, but without thinking solely about mobile device support and instead thinking about device support in general.
One of the key aspects of support that’s addressed really well by this paper is how you define support. Certainly in my 10 years of hands-on experience in the industry I’ve come across two types of support: the standard “technically bounded” or break/fix type (when it breaks you’re bound to fix it) and “best efforts” (you keep going until you can’t be bothered any more).
Lots of us don’t really take too much time thinking about this because as IT Professionals there is a huge amount of professional pride in fixing a problem – indeed I count problem solving skills as probably the most important skill set of anyone in IT. So we end up doing everything to find a fix and that's what most of our user base has traditionally expected us to be able to do: Fix it. I’d argue that much of our identity as professionals is wrapped up in that too. My experience also leads me to see that most of us have implemented “best efforts” for technologies that have sneaked their way in.
How many people are running their mobile strategy on a “best efforts” approach? I think in smaller enterprises it’s likely to be more prevalent than in larger enterprises, but I’m sure there are groups of special-case users who get “best efforts” around their odd bits of kit; in-house graphics teams using Macs are often in this camp too, again in my experience. I don’t particularly like this approach to support because it’s missing one of the most important aspects of support: reasonable expectation setting for the user. As a user I don’t know where I am.
What I really like is the idea of “Timeboxed” support. This is an idea that is really simple for everyone to understand and Wikipedia does a great job of defining Timeboxing but an example is a great idea to describe it. A football match is a time boxed activity, there’s a start time, everyone knows it’s going to last for 90 minutes and if it’s not won (resolved) at the end of that time there is a contingency for extra time. The beauty of this is that everyone is aware of the expectation in advance and they know what they’ll get out of it. For this reason I love this idea when you consider support of wildly disparate end points.
Of course you cannot use one method in isolation. It would be really hard to do time boxed support of your network, for example, because you own that infrastructure and therefore you are solely responsible as an organisation for it. For that reason it strikes me that time boxed support for Bring Your Own Devices is a great thing, with traditional technically bound support remaining for “owned” infrastructure.
What happens when the time runs out? What a great question, and this is where leveraging this as a win/win scenario comes in, along with management of your environment. Your technical people need to be able to deal with the most common eventualities of connecting devices into your environment, which requires you to focus your knowledge on the environment rather than on the devices. You have of course allowed the user to select their kit, told them that you’ll spend a maximum of an hour fixing it, and when that doesn’t work they will have to consider their position or use a corporate asset.
Which is where one of the more important tactics for a really good BYOC or consumerisation programme comes in – maintaining standard business connectivity devices. You still need a bit of kit that you will guarantee to work at all times that is still covered by your technically bound support option because your business, your users need to run no matter what.
Earlier I suggested I had a hunch that support was already changing, and the reality is that access to information is making that happen. Some organisations are seeing users search for an answer to a technical problem first, especially so in organisations with some form of BYOC policy and especially in the millennial workforce. An example close to home is me. At Microsoft we have a pretty consumerised approach and I can say honestly that I’ve not called our helpdesk in over a year. Granted, I’m far more technical than most, but I don’t have access to administer AD in Microsoft. That means I cannot just give myself access to a share or something. Generally if something is wrong, firstly I Bing it. Then I check on our internal help and fora. Calling the helpdesk is the last resort, and not because they are under-skilled, far, far from it; it’s because it’s faster to search for it. Self-help works at my pace.
So in a consumer world self-help is critical, peer or community help is secondary and helpdesk is relegated to tertiary help – generally the place you go when you MUST get it fixed. Should we be insourcing those helpdesks again?
Help doesn’t just exist to fix things of course, help is also where you go for service and as such a self-help service system for moves, adds and changes is a must. Forefront Identity Manager and management of your AD are key to keeping things running smoothly. Again in Microsoft if I want access to something I request access using FIM and if the owner of the asset (usually data of some form) agrees I get it. EVERYTHING is managed through a single point of truth – Active Directory – including my access to cloud services using ADFS, total integration and a very low cost of doing business.
Things to think about
Supporting users in a consumerised environment is just like it always has been. The keys are:
· Set clear expectations
· Provide support options that work on their terms
· Provide access to as much support as you can
· Support what you control: data and environment, devices will come and go
· Maintain a baseline and use it as fall back
If you’d like some help getting to grips with new technologies then give Microsoft Virtual Academy a go.
Windows Azure has now been around long enough to be a mature platform for building services on, and as such IT Professionals are being asked to look at the service. Of course IT Pros are looking for slightly different things from a platform than others. We’re concerned with how things work, the uptime, the resilience, and with monitoring and troubleshooting. Let’s take a look at the current state of play with the platform, walking through some of the basics and explaining some concepts.
Windows Azure is built from the ground up to be consumed as a service and as a platform, with the intention that you don’t need to over-engineer or spend too much time on some of the nitty-gritty parts of traditional deployments. For example, if I were planning and designing a service 5 or 6 years ago I’d have to think about some basics like patching the OS or building in capacity for disaster recovery or preproduction. Those concerns have somewhat gone away with Windows Azure; because of its utility nature you can have as much capacity as you need, when you need it. We patch the Operating System (for the most part) and have built in resilience.
As a result, when you think about your architecture it’s far simpler: you only need to think about how you want the service to run, what the final service is like. Also, you won’t always need to incur the cost of running your preproduction and disaster recovery environments, unless you’re using them of course, and because they’re not a sunk cost in hardware it will probably be more cost effective.
So what are the parts and how do they fit together? First and foremost, you don’t have to use any of the following components together, you can take what you need and just use that.
Within Windows Azure we can broadly provide services by creating an instance of one of three roles. The first - Web role, is an IIS web server that’s normally used for hosting a front-end web application which can be built in ASP.net, PHP and a few other languages. The second is the Worker role which allows you to run any custom code on the server and is often used to provide the back end functionality of a web application. The web role is just like a Windows Server running a custom service or application that you might deploy on premises, however commonly it’s an application that has been developed specifically for Windows Azure.
These two roles are delivered to you when you request them, you don’t have to provide a custom build or hard drive – in fact you can’t – and as such they are very easy to support, quick to provision and provide a stable, you-know-what-you’re-getting approach. All that’s required to use these roles is a few clicks, the provision of a package file containing the custom code to run and a configuration file that describes the architecture of the service you’re running.
The third role type is very interesting and highly flexible, but also more limited. The VM role is a custom VHD that you build on premises using Hyper-V and Windows Server 2008 R2, and as such you can put whatever you like into that image. It’s perfect for deployments where you need to deliver something complicated, like a special bit of software that has an installer that needs lots of clicks. There are some limitations to this flexibility though; firstly, it’s stateless. Stateless means that you lose changes between reboots: every time you reboot your VM role instance, the first thing it will do is come out of sysprep. This is actually not just a limitation of the VM role; it does in fact affect all instances. However, the only place you’re likely to come across that issue is with a VM role, as with the other roles the developers will have built an application that doesn’t have a life-span. A good example is that for this statelessness reason you can’t host a SharePoint site or a Domain Controller in Windows Azure.
The second limitation of the VM role is upload time: typically when you’ve built your VHD it’ll be about 30 GB, and that can take quite a time to upload. I once left a VHD uploading for 3 days. The good thing is that you can test before you upload it that it’ll work and that Windows Azure will be able to host it. Provisioning time can be longer too with the VM role because there’s more custom stuff to do, so when you want to spin up more instances that’s something to think about.
So we have 3 types of roles, but how many of those roles can you have, surely not just one? That’s right, you can have many instances of a role.
If you were going to think of a parallel between instances and traditional, on-prem deployment models, an instance would be a server. Actually each instance is a virtual machine within Windows Azure; some of the resources will be shared by many Virtual Machines on the same physical server and some will be dedicated to a particular Virtual Machine. For example, an Extra Small Virtual Machine uses shared CPU (just like most hypervisors do on premises, by default) but the other instance sizes have dedicated CPUs. But what does this mean? It means that, for example, a 16-core physical server could host 2 Extra Large instances or 16 Small instances. Of course none of this matters to you because you do not care about the physical hardware; that’s the bit we take care of. The following table shows you the differences between the different sizes of instances.
So we have some instances of some roles that can provide some type of service, which is excellent, but the next piece of the puzzle that needs to be completed is storage. Obviously you’ll see from the table above that instances have their own storage, but since instances are stateless where does that leave that storage? The answer is that anything saved within an instance’s internal storage may not persist between reboots, because the instances themselves are stateless. To overcome this issue we have three different types of storage that do not form part of an instance or role but are a totally separate entity within the service. If you wanted a parallel to an on-prem type of deployment, this could be an area of shared storage like a network drive.
There are three types of Windows Azure Storage, optimised to help you achieve different things. The first is a binary large object, or BLOB. BLOB storage can contain anything you like: it could be pictures, music, data files, anything you want to put in there. A clever feature of Windows Azure Storage is Windows Azure Drive, which allows a page BLOB to be loaded as a VHD file and therefore allows a VHD to be mounted into a Virtual Machine.
Tables are a far more efficient way to deal with large amounts of data that needs some structure, like a list of names and addresses for example; however, unlike a table as you would find in SQL, the tables need not be uniform. For example, the first row of a table could contain name and address data, the second could contain the number of fish in a bowl. Obviously that example would make the information less useful, but it provides lots of flexibility, and rules can be custom built within an application.
Queues are used for communication and are just what they seem, drop on a message and lift it off. They’re very useful for communication between roles and ensure that messages always get delivered.
A very cool element of Windows Azure Storage that has just been introduced is that BLOBs and tables are now replicated between data centres within a region automatically, so in the event of a data centre failure another copy exists within the region. For Europe that means between Dublin and Amsterdam. The second very cool element is that the data is replicated three times, so should a single disk fail, or the infrastructure housing the disk (the rack, power supply, etc.) fail, there are other copies available. This level of fault tolerance would be very costly to implement on-prem.
Finally, to help improve the performance of your data delivery with an application living in Windows Azure, we provide a Content Delivery Network (CDN) which, when enabled, distributes your data to a data centre local to the users accessing your service. So for example, if your service is hosted in Europe and you have CDN enabled and a customer in Singapore accesses data, then a copy of the data is temporarily located near Singapore. When the timeout for the data expires, the data is removed from the region. The timeout is obviously controllable.
Windows Azure allows you to integrate your application into your organisation’s Active Directory using ADFS 2.0. This provides you with a secure way to control access based on the same credentials that facilitate logon to your users’ computers and to much of your on-prem infrastructure, including file shares and other access users take for granted. Deploying this type of authentication helps people to use applications seamlessly but also helps you manage their access. Providing someone with access to a Windows Azure application can be as simple as making them a member of a group in Active Directory.
In addition you can control access using a variety of web providers like Windows Live ID, Google, Yahoo! and Facebook, which are especially useful for publicly accessible services.
Monitoring and troubleshooting
Now we have all the puzzle pieces in place, let's think about how we do some of our traditional IT tasks with those roles.
Let's say you want to understand what's going on in a Windows Azure service that you've deployed, something you'll likely be asked to do if you've got any service management ethos in place. How do we do that? The first thing to understand is that the roles are just servers running a modified but familiar OS, Windows Server. The second is that role instances are stateless: changes made on an instance don't survive re-provisioning, which the platform can do at any time, so neither do logs, troubleshooting information or minor local changes.
That changes what you need to do to monitor and troubleshoot somewhat. Firstly, logs need to be shipped off the instance to BLOB storage regularly, but not excessively, because storing too much information will start to cost you money (this is utility computing, after all). So with logs you need to configure the roles to capture just enough information for your needs: pick the transfer interval and the minimum log level with both cost and the evidence you would want after an incident in mind, since anything not transferred before an instance is re-provisioned is gone.
From within the Windows Azure web portal you can launch RDP sessions to your instances running in Windows Azure which, again, requires some up-front configuration and the provision of a certificate (used to protect the RDP credentials) as part of specifying the service. From this RDP session there is much you can do but many things that you can't. You can see Task Manager, view the event log and so on, but you can't fix something. For example, say you have an errant registry entry which is causing an application problem: you edit it, fix it and all is well. Then the instance is rebooted and re-provisioned and your registry change is lost forever. All changes that you want to persist on your web and worker roles need to be made as a change to the application package; for the VM role you can also make the changes to your VHD and re-upload it. Treat RDP as a diagnostic and break-glass facility: enable it only while you need it, and keep the account credentials and the certificate under the same control as any other administrative access.
How do we do some more integrated monitoring then? That's where the Windows Azure Monitoring Pack for System Center Operations Manager 2007 steps in. With this pack you can monitor your Windows Azure service just as you would anything else within SCOM, with the ability to create alerts and so on. Of course, if you're building a service that is business critical it's unlikely that every aspect of it is based in Windows Azure. So with SCOM you can monitor your service end to end, building alerts to notify you if, say, the Internet connection that joins up your on-prem database service to the Azure service has a wobble.
Trying it out
Now that we've covered some of the basics you're probably thinking about trying some of this out. The easiest way is with this Azure Monitoring Evaluation, which gives you a System Center Operations Manager and Active Directory environment along with a Windows Azure application to deploy, monitor and play with.
Windows Azure is now incredibly deep, so you'll want to learn more, including the depths of how the CDN works, how caching works, how PKI underpins Windows Azure's security model and, critically, how SQL Azure lets you place structured data in the cloud.
PowerShell by Thomas Lee (PowerShell MVP)
As many IT Pros already know (unless you have been living in a cave), PowerShell is one of Microsoft's administrative task automation platforms. It is designed to enable IT Pros to manage all aspects of a Windows system. PowerShell first hit the streets in 2003 as a beta, codenamed Monad, and is now loaded by default in both Windows 7 and Server 2008 R2. PowerShell provides a wealth of cmdlets, small programs that do useful things, e.g. getting a user from AD or removing an Exchange mailbox. Cmdlets, named using a verb-noun syntax (e.g. Get-ADUser or Remove-Mailbox), are object oriented, consuming and producing objects (typical Unix shells just produce text). Additionally, you can string cmdlets together using the pipeline. Taken together these key features provide a dramatically simpler approach to administrative scripting.
PowerShell comes with a simple command prompt (looking very similar to cmd.exe) and the Integrated Scripting Environment (ISE), a lightweight IDE to help you develop PowerShell scripts. PowerShell has a C#-like language that enables you to orchestrate the various cmdlets to deliver automation solutions to the hard-pressed IT Pro quickly and easily.
Applications, Windows components and the wider community can easily add new cmdlets to provide additional functionality. Applications like Lync Server and Exchange each have over 500 cmdlets. Additionally, these cmdlets provide the basis for the application's GUI: the full administrative experience is delivered by cmdlets and a friendly GUI then provides access to the most common administrative features. Some key things you need to know about PowerShell include:
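To make the object pipeline concrete, here is an added example that is not from Thomas Lee's post. It uses Win32_Service objects returned by WMI to find services whose executable path is unquoted and contains spaces, a long-standing local privilege escalation misconfiguration (Windows may try C:\Program.exe before C:\Program Files\Vendor\Agent.exe, so whoever can write there gets code running as the service account). The function names Test-UnquotedServicePath and Get-UnquotedServicePath are my own, the sample command lines are constructed rather than taken from a real machine, and the script is written to run on PowerShell 2.0 as shipped with Windows 7 and Server 2008 R2.

```powershell
# Added example (not from the original post). Finds services whose
# executable path is unquoted and contains spaces, using the PowerShell
# object pipeline rather than parsing sc.exe text output.
# Function names are my own; runs on PowerShell 2.0 (Windows 7 / 2008 R2).

function Test-UnquotedServicePath {
    # Returns $true when the executable portion of a service command line
    # is not wrapped in quotes and contains at least one space.
    param([string]$PathName)

    $path = $PathName.Trim()
    if ($path.Length -eq 0 -or $path.StartsWith('"')) { return $false }

    # Drop any arguments: keep everything up to and including the first
    # ".exe". If there is none, the whole command line is treated as the path.
    $exe = $path
    if ($path -imatch '^(.*?\.exe)') { $exe = $Matches[1] }

    return ($exe -match '\s')
}

function Get-UnquotedServicePath {
    # One object per affected service. The pipeline does the work: WMI emits
    # Win32_Service objects, Where-Object filters them on a property, and
    # Select-Object shapes the result; no text parsing is involved.
    Get-WmiObject -Class Win32_Service |
        Where-Object { Test-UnquotedServicePath $_.PathName } |
        Select-Object Name, StartName, StartMode, PathName
}

# Constructed sample command lines (not from a real machine) showing what
# the test flags:
$samples = @(
    'C:\Windows\system32\svchost.exe -k netsvcs',       # no space: not flagged
    '"C:\Program Files\Vendor\Agent.exe" -service',     # quoted: not flagged
    'C:\Program Files\Vendor\Agent.exe -service',       # flagged
    'C:\Program Files (x86)\Other Vendor\svc.exe'       # flagged
)
$samples | ForEach-Object { "{0,-6} {1}" -f (Test-UnquotedServicePath $_), $_ }

# Live check of the local machine (run as an administrator to see every
# service and its logon account):
Get-UnquotedServicePath | Format-Table -AutoSize
```

The first two sample lines print False and the last two print True. The fix for a flagged service is to quote the path in its configuration (for example with `sc.exe config <name> binPath= "..."`, escaping the inner quotes), and because the result is a set of objects rather than text, the same pipeline can be exported with Export-Csv or fed to Invoke-Command to run the check across an estate.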
So how do you learn more about PowerShell? There is an outstanding, rich and vibrant online community out there, including PowerShell.Com, PowerShellCommunity.Org and The Scripting Guys Forum. There's the official MOC training course as well as some outstanding third-party training offerings. And of course you can find reams of information on TechNet and MSDN, not to mention a wealth of blogs by PowerShell MVPs and others.
And for those of you in the UK, I’ll be covering all of PowerShell at the upcoming PowerShell PowerCamp weekend event!
So go out and learn PowerShell. It’s the future of Windows and Windows applications.
This fortnight’s TechNet feature article is from Jessica Meats, Microsoft UK Partner Technology Advisor.
SharePoint Online is a multi-tenant environment, meaning that your SharePoint deployment might sit on the same servers as someone else's. That puts restrictions on how far you can customise your environment: you wouldn't want your SharePoint environment to change suddenly because another tenant had deployed code that affected the server, and for exactly that reason the service only accepts sandboxed solutions rather than full-trust farm code. These restrictions mean that if you want to build custom solutions on SharePoint Online, it makes sense to do as much as possible without code. To that end, InfoPath and custom lists have a lot of power.
InfoPath Designer is a tool for electronic form creation. It lets you build rich web forms with a lot of intelligence around data and built-in logic. When you start it you get various options for the types of form you can design. The default blank form is specifically designed to work with SharePoint, and this includes SharePoint Online, so the forms you design in InfoPath can be opened by users anywhere in the world using nothing more than an internet browser and a connection to the SharePoint Online service. No software installation is required on the user's machine.
The types of forms you create can be hugely varied, from expense claims to holiday booking to contact requests. Here are a couple of ideas.
If you create a custom list in SharePoint Online to store information, you have the option to customise the entry form. For example, you might use a SharePoint list to store customer contact details. You can use the list's settings to set simple rules, such as which fields are required, but InfoPath gives you a lot more power. The Rules pane allows you to apply rules that look at multiple fields, so you might create a rule that shows a validation error if neither the phone number nor the email address field is filled in, but is satisfied by either. Those fields can also use pattern matching to give a visual warning if the value in, say, an email address field doesn't match the usual shape of an email address. There are some pre-built rules that can be applied quickly, such as warning if a date field holds a value in the future, or you can combine the simple rules to give much more complex behaviour.
You can use these forms to hide the details of the list. You might have a list that stores a hundred columns of information but only want most users to see and edit a portion of them. You can design the InfoPath form to connect to that list and show only the fields you want in the view you give to most users, then use the InfoPath Form web part to display the form on a SharePoint page. Now your users can work with the permitted fields through the form without going to the list itself. You can design a simple user interface and hide the detail behind the scenes. Be clear, though, that this is a usability measure and not a security boundary: anyone with permission on the list can still open it directly and read every column, so data that must be restricted needs list or item permissions, or a separate list, rather than a form that merely doesn't show it. The screenshot shows a rule that hides the fields for requesting more information unless the user ticks the box saying they want more information.
You can build multiple views for your forms, allowing you to give a different experience to different users or at different points in a business process. InfoPath gives you the power to create attractive forms connected to your lists of data, hooked into business processes and deployed to SharePoint Online with one click of the Quick Publish button.
If you want to find out more about InfoPath, go here. If you want to try out SharePoint Online for yourself, get your free trial of Office 365 here.
In a world of consumerised IT, where almost everyone is familiar with using a browser of some description and many are bombarded by messages about how "fast" the internet can be if you use browser X, it really is important to keep a clear idea of what matters most to your business. Without doubt you need a browser that's fast enough for the modern web, renders pages quickly and accurately, and runs JavaScript web applications as their designers intended.
It's very important, though, to remember that while getting all this is fantastic you also have a responsibility to ensure the security and manageability of your browsing environment, while giving users the flexibility they need to do their jobs and keeping maintenance costs down. Browsers that are fast but follow sporadic update cycles present a risk where those updates aren't managed within your deployment environment, which can lead to a patchy experience for users and a confusing and costly state for your helpdesk.
Unfortunately not all browsers are created equal and some do better at things than others. IE9, however, seems to be doing the best at most things at the moment. There might not be the buzz that exists around using browser X or Y, but IE9 has far more to offer in the security and management space than most. Internet Explorer 9 has been noted by NSS Labs to perform better, far better, than any other browser at detecting and blocking socially engineered malware. To put things in perspective, IE9 missed just 3.2% of the samples tested, where the other browsers missed around 86%. Note what that test measures: downloads that trick the user into running them, which the SmartScreen filter's URL and application reputation checks are designed to catch. It says nothing about exploit-driven drive-by attacks, which is one reason the layers discussed below still matter.
Good security starts with making sure that you don't have too many open doors into your organisation, and with making sure that the doors you do have open are selective enough to let only the right things through. Kind of like having a good security guard on the door. Lots of people suggest that a service which puts good sites on an allow list and blocks all others, or that blocks known bad sites and allows all others, is enough protection. Hands down they're wrong. That is only part of the story, and you don't have to look far to find a site that has been hacked, infected with malware or redirected to a far less salubrious destination. This includes high-profile newspapers and even IT news outlets, and if they are on your allow list and that's all the protection you think you need then someone has just found a hole in your security.
Security in depth
The truth is that you need layers of security, because something that gets past one layer must still be caught by another. Allow and block listing are a part of that, but so is the ability to detect, highlight and prevent attacks on the fly, as they appear. One of the things essential to that dynamism, and to responding to known attacks, is a powerful patching mechanism.
This is another of those areas where Internet Explorer 9 excels. Patching is built into the operating system, and whilst some feel that patches are a pain to manage they are in fact a mechanism to respond to a threat, and one that is easily managed. Under almost all circumstances Microsoft releases patches on the second Tuesday of the month (a.k.a. Patch Tuesday), and for those who remember what life was like before Patch Tuesday it's a joy. Imagine the scenario where critical patches are released every other day. Keeping up with that cycle leads to an administrative overhead that takes you down the path of missing the odd update, and missing the odd update can come at the cost of something bad happening. I know because I've replaced patch solutions in organisations where it has, much of which I had to hand-crank with VBScript, but we won't go there!
What baffles me is why any IT Pro would want to deploy patches on an irregular basis or just leave them to chance when they can be managed in a single, simple way. No other browser has the update capabilities of Internet Explorer, and some are so lacking that entire version updates, with changes in capabilities, can land on users' machines without any prior knowledge on the part of those responsible for supporting them, IT.
Group policy support built in, not bolted on
Management is of course something we all need to keep an eye on in our estates, and sometimes something has to be changed. Sometimes a homepage URL needs changing en masse, sometimes we have to tweak security settings, and again Internet Explorer is a tour de force in this area, with over 1,500 settings that can be controlled through Group Policy. The nearest competitor has a shiny 87 or so which, granted, are generally good but don't include the ability to stop the browser "phoning home", whilst other solutions try to out-fox IT by requiring you to buy additional management software. This disregard for the unique nature of doing business is disappointing at best.
Of course management starts earlier than the ongoing use of a browser, so we have to think about how we deploy it in the first place. For this, and to enable highly customised deployments with very flexible requirements, we have the IEAK, the Internet Explorer Administration Kit, which enables the repackaging of Internet Explorer for custom circumstances. You can, for example, bake in a set of configurations so that upon first install everyone gets the settings you intend, perfect in a consumerised environment, but as I've already written we need more flexibility. For that reason just about every setting you can alter in the IEAK can also be changed through Group Policy, which has the advantage that the setting is enforced centrally and can be changed later without touching the installer.
For XP users
If you haven't yet migrated to Windows 7 (and millions have) then you are probably running Windows XP. Here the best advice is to run IE8, because IE9 does not run on Windows XP. IE8 might not have all the HTML5 bells and whistles, ultimate speed, compatibility and sheer beauty of IE9, but it does allow you to do all the management I've mentioned above. But why would you want IE8 over IE6? Well, the main reason is that IE6 is old. It was released 10 years ago and the web has changed dramatically in those 10 years. Sites we take for granted, Facebook, BBC iPlayer, YouTube and thousands more, didn't exist back then, and what people expect to be able to do has moved on. There are still people stuck using IE6, especially in Government in the UK, but there are not really any solid technical reasons for doing so, and IE6 has none of the protections, such as the SmartScreen filter, that later versions added.
Migration from IE6 to IE8 is a smooth process now; it's a well-trodden path and we have ways to get around most compatibility issues, many for free. If you have a web application that requires IE6, the first thing is to see whether it's just a header issue, where the page inspects the browser's User-Agent header and refuses to render on anything other than IE6. Test the site in IE8 with that check removed, get a user to see if everything works OK, and test whether one of the compatibility modes overcomes the issue. There is nothing wrong with using compatibility mode and, you'll never guess, you can tell your whole estate to use a compatibility mode for specific sites with a simple Group Policy setting, still at no additional cost.
Next you can try virtualisation, either with MED-V, which is part of MDOP, or with P2V for Software Assurance customers. These two options will cost you something if you don't have Software Assurance in place, but the cost is usually small (for example adding SA to a Windows Intune subscription is just 60p per PC per month). The final option is to use RemoteApp to provide a remote desktop connection to a browser running on a Windows XP VDI virtual machine, hosted in Windows Server 2008 R2 Remote Desktop Services or with a product from Quest or Citrix. Here the costs rise depending on the complexity you need, but it's time to start weighing in the fact that when XP goes out of support so does the IE that runs on it, so no more patches. A virtualised IE6 is still IE6: keep it confined to the legacy application it exists for rather than letting it browse the open web.
Hopefully this has given you some food for thought about your move to IE9; if you are on Windows 7 it's a total no-brainer. If you're on XP you should think about moving to IE8, and about getting off Windows XP within a year.
For the full NSS Labs report on socially engineered malware just follow this link, and to learn about deploying Windows 7 and Internet Explorer 9 complete the relevant sections of the Deployment Learning Portal (you'll probably find you're rewarded instantly for doing so). Also take a look at these Top 9 reasons enterprises should deploy IE9.
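Group Policy settings for Internet Explorer end up as values under the Policies keys in the registry, which makes it easy to verify on any machine that the settings you think you have pushed (the home page lock and security tweaks mentioned above, and the per-site compatibility list just described) are actually in force. The following is an added example, not code from the original post or from Microsoft: it reads three commonly enforced settings and lists the sites in the IE7 compatibility policy list. The registry paths and value names are the ones the IE policy templates write as far as I know, but treat them as assumptions to confirm against your own ADMX files; the function names are my own. It is written for PowerShell 2.0 so it runs on Windows 7 with IE9 and on Windows XP with IE8.

```powershell
# Added example (not from the original post). Audits Internet Explorer
# Group Policy settings by reading the registry values policy writes.
# Registry paths/value names are assumptions to confirm against your
# ADMX templates; function names are my own. PowerShell 2.0 compatible.

function Get-PolicyValue {
    # Returns the registry value, or $null when the key or value does not
    # exist, i.e. when no policy has been applied for that setting.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-IEPolicy {
    # Emits one object per setting: what we expect, what the registry holds,
    # and whether they agree. $null under Actual means the setting is not
    # managed at all, the usual finding on an unmanaged PC.
    $checks = @(
        @{ Setting  = 'SmartScreen Filter forced on'
           Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter'
           Name     = 'EnabledV9'; Expected = 1 },
        @{ Setting  = 'Protected Mode on for Internet zone'
           Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
           Name     = '2500'; Expected = 0 },
        @{ Setting  = 'Home page locked by policy'
           Path     = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
           Name     = 'HomePage'; Expected = 1 }
    )
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        New-Object PSObject -Property @{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($actual -ne $null -and $actual -eq $c.Expected)
        }
    }
}

function Get-IECompatibilityPolicyList {
    # Sites forced into Compatibility View by the "Use Policy List of
    # Internet Explorer 7 sites" setting. Each site is stored as a value
    # name under this key (path is an assumption to confirm in the ADMX).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -eq $null) { return @() }
    # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those.
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $_.Name }
}

Test-IEPolicy | Format-Table Setting, Expected, Actual, Compliant -AutoSize
"Sites forced into Compatibility View:"
Get-IECompatibilityPolicyList
```

Run it in the user's own session for the HKCU check, since user-configuration policies land in the user's hive. Because the results are objects, the same functions can be run across the estate with Invoke-Command and the non-compliant rows exported, which turns "we set that in Group Policy" into something you can actually evidence.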
You might remember that not that long ago we ran a competition to find a Windows 7 Migration expert in the TechNet Blog community to present the final slot at the Windows 7 Deployment – Why and How? online conference.
I’m pleased to announce that we have found our expert! Paul Cooke is a Project Manager at Plymouth City Council, implementing hot desking using Windows 7, Office 2010, App-V and Lync 2010 so the council can close buildings and generate savings to avoid job losses. He’s keen to share his experiences of migration in the real world with you all, and we’re just as keen to hear them!
In Paul’s own words the rollout has been “So successful the remaining Depts. are clamouring for a place higher on the schedule”. Click here to register to attend the online conference on 25th October and find out why.
At this time of year our team is heavily into planning meetings. One debate I got into in one of these sessions was the importance of virtualisation to smaller businesses. The general reaction was that this is a technology more relevant to large organisations with large data centres or to hosters and outsourcing specialists supplying lots of compute power to those customers.
However, the one consistent trend I have seen when Microsoft has entered a new area of technology is that it drives the cost of ownership down so that the technology becomes more affordable to the smaller business. A good example close to my own heart is SQL Server, and then the business intelligence offerings that came out with it. This cost of ownership isn't just about cheap licences; if it were, open source would be the model I would quote. It's about a more holistic approach to that cost:
Applying all of that to virtualisation should mean that this becomes more relevant to small business:
Ease of Use.
Support & Training
Reliability & Credibility
I haven't mentioned cost. Microsoft's entry into this space in a serious way a couple of years ago has driven down the cost of virtualisation, even though one of the major players has announced some recent changes. What I mean by lowering the overall cost is that Hyper-V is being adopted where there is no obvious value in paying for virtualisation. Our internal research bears this out, as we can match the shipments of new servers going to small businesses (the data comes from the hardware vendors) with what small business is buying and using.
Remember you can get some great training around virtualisation at the Microsoft Virtual Academy.