Microsoft Ignite 2017 Thoughts

A few weeks ago I had the pleasure of attending Microsoft Ignite 2017 in Orlando, Florida, one of the best and well-organized conferences I have ever attended. There were a ton of sessions to attend for people of all backgrounds in IT, so I couldn’t hit them all (thankfully they’re posting the sessions on YouTube).

It’s a juggling act at events like this to strike a balance between personal interest and getting the information and training that adds value to the organization that sends you, so I focused on Windows 10 Deployment, Azure IaaS, and whatever PowerShell nuggets I could find. All three topics are too much for one post, so I wanted to dump some thoughts on the one that stuck out the most: Windows 10 Deployment.

Creeping from the Old to the New: Windows 10 Deployment

Device deployment in the Microsoft world has been dominated by what they call “traditional IT”, which we in the SCCM/MDT world would just call imaging. The “traditional” method of deploying devices often involved a lot of preconfiguration before the device actually reached the end-users, often with BIOS updates/configs and the tried and true method of wipe and load.

Of course, at Microsoft Ignite, you’re going to get proselytized about the company’s newest technology, and the direction Microsoft is transitioning to is something they call “modern IT”. It’s best summarized in this slide from Michael Niehaus’ session on deploying Windows 10:

[Slide: Traditional IT vs. Modern IT]

In practice, what this actually looks like is a gradient between on-premise and cloud-based services, but the direction Microsoft is taking is to move identity services to Azure Active Directory, device management to Intune, application deployment to the Windows Store, and update management to Windows Update for Business. The entire process is initiated on the end device after a user logs in with their email and password over an Internet connection, removing the need for special provisioning. Microsoft summarizes the whole process as “Windows AutoPilot”.

However, what I took from AutoPilot and all the deployment sessions was that while Microsoft would love for organizations to move their deployments online and sign up for that recurring revenue, they know this is still a little ways off and doesn’t offer the feature parity of AD/SCCM. So instead, they’ve designed Intune and SCCM to work in what they call “co-existence”, which means using the old and new methods together as a form of transition (to varying degrees): Intune-SCCM-AAD, or Intune-SCCM-AD, or (insert combo). The idea is not to go full cloud, but to transition to it to some degree.

One of the deployment MVPs who represented Microsoft explained it to me like this. Microsoft’s story about centralized Windows management has been largely one-sided for over 20 years: SCCM or nothing. There was no middle ground between nothing and SCCM (although you could cobble up some combination of AD, MDT, and scripts). Intune, AutoPilot, Windows Store — the combination of it all presents a middle ground, a sort of gradient to centralized management. If you want a lot of control over your devices, continue using SCCM; if you want something simple, you have Intune now.

I think what Microsoft has done is make an interesting case for “modern” deployment, but until their on-premise AD component is deployed and fully tested, I just don’t see a compelling case to even try Intune yet. The current deployment process, while not perfect, works pretty well, so the hardware going through it would have to be proven to work well. Past experience makes me skeptical that hardware will work as well and as consistently as SCCM OSD does (then again, I’m not working with users across the globe, so maybe there’s a better case to be made in that scenario).

Modern Windows 10 Deployment and Education

Bringing this closer to the industry I currently work in, Microsoft’s case for Windows 10 deployment and management for education is strong and better than ever before. Windows AutoPilot is indeed a great way to deploy devices (no matter which way you approach it), Azure AD and Office 365 are stellar products, OneNote is awesome (best education tool I’ve seen), Microsoft Teams looks amazing (especially with its takeover of Skype for Business and integration with Microsoft Classroom), and Microsoft’s licensing is making a big change. The classroom tools are indeed there, and management is as easy as G Suite (IMO).

However, I can’t help but ask: has the ship already sailed for a lot of K-12 organizations? I mean, Microsoft certainly has this great product for K-12, but a lot of organizations have already made massive investments in their device purchases, the technology choices they’re using in the classroom, and the email/cloud platform that they’re running applications with. These organizations already have inertia in the direction of these choices, so does Microsoft have enough to unbalance this forward motion?

Office 365 vs. G Suite

I personally don’t think so, at least for the G Suite organizations. These organizations chose G Suite (or Google Apps at the time) largely because they could purchase educational devices for cheap, thereby getting more devices into students’ hands, and Google’s services (which users organically learned to use over the years) were free. Around the same time, Office 365 licensing was confusing, and while there were some free options, the service parity for device management just wasn’t there compared to G Suite.

Fast forward to today, and the case for medium and large education institutions moving to Microsoft 365 is more compelling in the context of data security. The new A3 and A5 pricing structures from Microsoft bring EMS with them, thereby allowing greater data loss protection and services. Meanwhile, Google removes feature parity between its Education and Enterprise products, requiring organizations to acquire the Enterprise suite at $25/user per month for services such as DLP.

Education Desktop Bundling Licensing Changes

Maybe it’s the Microsoft Ignite kool-aid in my system, but Microsoft has a better case for its products than Google with its licensing combos, or maybe Microsoft is just better at marketing and promoting its platform than Google. In the education world, I hardly ever hear from Google themselves promoting their products; it’s always someone doing something randomly. Microsoft constantly makes contact with my org, but Google — not a peep.

[Image: kid drinking Kool-Aid, captioned “Yes…give me more…”]

I’m going to go drink some MDT kool-aid now…

Quick Thoughts: A Little Confused About Windows 10 S in Education

Microsoft recently announced a new version of Windows 10 called Windows 10 S. This new version of Windows 10 is designed with education customers in mind, offering manageability and security similar to that of Chromebooks (which is what this OS is essentially competing with).

Windows 10 S machines are to be managed from Intune/Intune for Education, with programs available only from the Windows Store, and identity management handled via Azure Active Directory. Windows 10 S machine prices will start around $189, making these machines definitely competitive with Chromebooks.

But why in the world would a school district choose to purchase these devices?

First off, the timing of this announcement seems a little late. Most schools where I live needed to have their budgets turned in long ago, and as a result have made purchasing decisions already. The machines are either already ordered and on their way, and/or the decision has already been made for the summer infrastructure plans and schools are preparing for the changes. Nothing in Windows 10 S stands out enough to stop the process and rethink what machines need to be deployed.

Second, Windows 10 S seems stuck in the middle between being like Windows and being some new Windows Cloud OS. It looks and feels just like Windows 10, but behaves like a Microsoft Chromebook, and an end user who assumes this Windows environment is just like any other will probably find, unexpectedly, that they can’t install applications, are forced to have Edge as their default browser and Bing as their search engine, and probably won’t find Google Chrome in the Windows Store.

This is a huge problem for most mid-to-large school districts because there is a certain paradigm about how Windows machines are to be used, and administrators have designed their entire management infrastructure around this. Windows 10 S has no on-premise Active Directory domain-join, so that also means no group policy, no certificate enrollment for RADIUS authentication, or any other service that ties into the existing on-premise infrastructure.

As a result, Windows 10 S devices live as a fourth type of device to manage, next to Apple products, Chromebooks, and Windows machines. Windows 10 S devices are, in essence, in some other management world, unless, of course, you start tying together your on-premise devices with Intune/Intune for Education, but that assumes you’re not using a third-party MDM, which would complicate this further.

Even if you’re a small school/school district with limited resources, you’ve probably already moved to Chromebooks as your device of choice. Your email, office suite, and even file management are tied into G Suite now. Students, teachers, and staff are all familiar with G Suite and probably don’t care to uproot their files and teaching methods for Microsoft.

Don’t get me wrong: I think Microsoft has some pretty cool services and features in Office 365, but is it enough for schools to make a complete paradigm shift and start purchasing cheap Microsoft devices? Not yet, but maybe. Microsoft needs a more compelling case that targets teachers and principals, because people in information technology already understand what Microsoft has to offer; sysadmins just maintain and expand the services based on the policies that the curriculum makers decide on.

Google has done an excellent job in giving teachers the tools they need, and they were the first to market for cheap, easy-to-manage devices. As a result, Microsoft has a tough hill to climb, and I just don’t think Windows 10 S is going to help enough to propel Microsoft over the hill, let alone up it.

Quick Thoughts: Operating Between G Suite and Office 365

(I’ve decided to change things up a little bit and add some tech opinions every now and then, especially since I’ve changed jobs and I am now working for a medium-large school district. I’m titling these, “Quick Thoughts” that I’m going to write during my lunch breaks. Perhaps first of many…)

As a systems engineer for a school district, one of my tasks is to assist in the configuration and maintenance of our end users working with whatever tools are offered by Microsoft and Google. At our school district, we are primarily a G Suite shop, with students and staff working within the G Suite apps, but what about the tools that Microsoft offers with Office 365, such as OneNote, Microsoft Classroom, and others? How do we, as the administrators of such tools, give these users the ability to work with whatever tools they want?

It seems a bit difficult at times because each platform, G Suite and Office 365, appears to rely heavily on its own email service for alerts and messaging, so if you miss a conversation in Skype for Business, you’ll only receive the notification in your Exchange mailbox, not on the Gmail side. I’m not entirely sure this is a two-way street on the Google side, as I seem to have no problems logging into services like Meetup.com with my G Suite account while receiving the emails in my Office 365 account.

It seems like Google is playing fair with their services, but Microsoft certainly doesn’t seem that way. So do we move email services to Office 365, and will this provide our users a better experience?

I’m not sure, and of course I don’t make those decisions, but I do think about it.

Maybe the more accurate question is “How cleanly can users operate in both worlds?” Sadly, while Google appears to behave better than Microsoft, this behavior actually hurts them a little bit for organizations like ours that want to use both services, as it forces us to consider using Exchange services for email to make the overall user experience better.

Microsoft seems to be the bad actor in this situation because their services don’t behave well with email systems other than Exchange. Even on-premise Exchange takes a bit of work to get working with Office 365 services.

Microsoft really wants all the business and tries to push organizations that way, but Google plays better with others, and Google’s platform seems to be more easily adopted by teachers than Microsoft’s (especially evident by how much marketing Microsoft has to do for education).

Of course, I’m assuming Google does play nice; I haven’t tested every Google product, and Google has shown signs of not playing nice too, like dropping XMPP support for Hangouts. But that’s another conversation, and I’ve got to head back to work.

AudioCodes Mediant 1000 One-Way Outbound Audio on SIP Trunk

Had a strange issue recently when I was setting up a SIP trunk between two Mediant 1000s (M1K for shorthand). The SIP trunk was causing one-way audio: I could receive media/RTP from the other side, but the new M1K wasn’t sending any RTP packets whatsoever. It was the oddest thing, because there was nothing special about this SIP trunk; it sat within a secure layer 2 network (no auth, no TLS).

I had to engage AudioCodes about the issue because I was completely puzzled. This isn’t complicated (relatively speaking): point the SIP trunk at the next hop, and assuming the network configuration is correct, there shouldn’t be an issue. A Wireshark capture showed SIP traffic, but no RTP whatsoever:

[Screenshot: Wireshark capture showing SIP traffic but no outbound RTP]
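A quick way to confirm the symptom described above without scrolling through a capture by hand is to count SIP and RTP packets per direction and flag any host pair where media only flows one way. The script below is an added example, not something from the original post or from AudioCodes; it reads one-line-per-packet capture summaries (the shape tshark prints) and the sample lines are constructed to mimic the situation in the post, with 10.1.1.10 standing in for the new M1K and 10.1.2.10 for the far end.

```powershell
# Added example, not from the original post: triage one-way audio from a capture summary.
# Input is one line per packet in the form "<no> <time> <src> -> <dst> <proto> ...",
# which is what tshark's default summary output looks like (newer builds print a
# Unicode arrow instead of "->"; both are accepted).

function Get-RtpDirectionReport {
    param([string[]]$Lines)

    # Count SIP and RTP packets per ordered (src -> dst) pair.
    $flows = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*\d+\s+[\d.]+\s+(\S+)\s+(?:->|\u2192)\s+(\S+)\s+(\S+)') {
            $src, $dst, $proto = $Matches[1], $Matches[2], $Matches[3]
            $key = "$src -> $dst"
            if (-not $flows.ContainsKey($key)) {
                $flows[$key] = [pscustomobject]@{ Src = $src; Dst = $dst; Sip = 0; Rtp = 0 }
            }
            if ($proto -like 'SIP*') { $flows[$key].Sip += 1 }
            if ($proto -like 'RTP*') { $flows[$key].Rtp += 1 }
        }
    }

    # A leg is healthy only when RTP is seen in both directions between the two hosts.
    foreach ($f in $flows.Values) {
        $reverse = $flows["$($f.Dst) -> $($f.Src)"]
        $rtpBack = if ($reverse) { $reverse.Rtp } else { 0 }
        $verdict = if ($f.Rtp -eq 0 -and $rtpBack -gt 0) { "ONE-WAY: no RTP leaving $($f.Src)" }
                   elseif ($f.Rtp -gt 0 -and $rtpBack -eq 0) { "ONE-WAY: no RTP returning from $($f.Dst)" }
                   elseif ($f.Rtp -gt 0 -and $rtpBack -gt 0) { 'two-way' }
                   else { 'no media' }
        [pscustomobject]@{
            From      = $f.Src
            To        = $f.Dst
            SipPkts   = $f.Sip
            RtpOut    = $f.Rtp
            RtpReturn = $rtpBack
            Verdict   = $verdict
        }
    }
}

# Constructed sample (not a real capture): SIP signalling completes both ways,
# but RTP only ever arrives from 10.1.2.10; nothing leaves 10.1.1.10.
$sample = @(
    '1  0.000000 10.1.1.10 -> 10.1.2.10 SIP/SDP Request: INVITE sip:2001@10.1.2.10',
    '2  0.012000 10.1.2.10 -> 10.1.1.10 SIP Status: 100 Trying',
    '3  0.350000 10.1.2.10 -> 10.1.1.10 SIP/SDP Status: 200 OK',
    '4  0.360000 10.1.1.10 -> 10.1.2.10 SIP Request: ACK sip:2001@10.1.2.10',
    '5  0.380000 10.1.2.10 -> 10.1.1.10 RTP PT=ITU-T G.711 PCMU, SSRC=0x1A2B3C4D, Seq=1',
    '6  0.400000 10.1.2.10 -> 10.1.1.10 RTP PT=ITU-T G.711 PCMU, SSRC=0x1A2B3C4D, Seq=2',
    '7  0.420000 10.1.2.10 -> 10.1.1.10 RTP PT=ITU-T G.711 PCMU, SSRC=0x1A2B3C4D, Seq=3'
)

Get-RtpDirectionReport -Lines $sample | Format-Table -AutoSize
```

On a real capture, pipe `tshark -r trunk.pcap` (or any tool that prints a similar per-packet summary) into the function; a row whose verdict names the gateway as the host with no RTP leaving is exactly the pattern that, in this post, turned out to be the unsupported port mode rather than anything in the SIP configuration.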

After going through the initial process of getting the usual responses from AudioCodes (adjust the IP profile, adjust this, adjust other things that I had already done or that were inconsequential to the issue), they finally set up a remote support session.

Within minutes, the tech identified the issue.

The network card that you purchase from AudioCodes comes with four Ethernet ports, and those are configured in two pairs for redundancy, which in my case was GE_7_1 and GE_7_2 as one pair and GE_7_3 and GE_7_4 as another. In my situation I had reconfigured ports GE_7_1 and GE_7_2 to be independent ports operating in what AudioCodes calls ‘Single’ mode.

Here’s the problem: in version 6.8 of the M1K software, you can configure the ports to operate this way in the GUI, but the software doesn’t actually support this function.

Why would the software allow you to configure it one way, but not support it in the back end? No idea. I’ll chalk it up to the same reason why you can use the ‘Search’ button on the top left, find settings that you actually don’t have support for and can’t find by just clicking around, configure those settings, and those settings won’t actually work.

[Screenshot: the Search button in the AudioCodes web GUI]

Anyway, here’s the solution: you can either stick with 6.8 and just move the Ethernet group to use GE_7_3 (or any other odd-numbered interface on a network card), or upgrade to 7.0, which actually supports this configuration.

My configuration ended up looking something like this:

[Screenshot: the resulting Ethernet Groups configuration]

Hope that helps someone out there.

Exchange 2016 Updates: Don’t forget to activate the components!

I’ve done a number of Exchange and Skype for Business server deployments over the last year, and recently I moved to Exchange 2016 versus 2013 just to get the deployments up and running on the latest. However, after performing my upgrade to Exchange 2016 (per these instructions), my EWS connections between Skype for Business and Exchange were not working correctly. Of course, Exchange isn’t fully running for anyone, I’m still testing things out, so not a big deal, but still. What the hell is going on?

In S4B, when I run Test-CSExStorageConnectivity, I’m getting “Test-CsExStorageConnectivity : ExCreateItem exchange operation failed, code=50043”.

[Screenshot: Test-CsExStorageConnectivity failing with code=50043]

The standard response, and Google search result, for a 50043 error is to check that the “ExchangeAutodiscoverUrl” property returned by Get-CsOAuthConfiguration is set to the Exchange server’s autodiscover metadata JSON URL (“https://<exchangeAutodiscover>/autodiscover/metadata/json/1”). But what happens if you’ve already checked that? The URL is correct and you’re good to go, so what changed?

Wait, didn’t I say I upgraded to the latest Exchange 2016 CU (CU3)? Did I completely follow the instructions?

Hmm... let’s check the Exchange server components (something new, AFAIK, in Exchange 2016):

Well. Guess I didn’t follow the instructions at the end, which state that you have to run the following:

[Screenshot: the post-update instructions and the command they tell you to run]

I’m going to start tagging moments like this as ‘ya dummy’ moments.

Now, let’s check the component status:

[Screenshot: Get-ServerComponentState showing the components Active]

And then running Test-CsExStorageConnectivity works, and all is well.

So I guess one thing to look at, if you’re getting a 50043 error and you have the metadata URL correct, is to verify that EWS is actually running on your Exchange box.
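The check above is easy to script so it becomes part of every post-update validation rather than a “ya dummy” moment. The following is an added example and not a command from the post or from Microsoft’s CU instructions; it runs in the Exchange Management Shell, lists any component a cumulative update left Inactive, and only reactivates them when you pass -Activate. The requester value is an assumption: Set-ServerComponentState only accepts a state change from the same requester that set the component Inactive, and ‘Maintenance’ is the one the CU instructions use, so adjust it if your components show a different requester.

```powershell
# Added example, not from the original post: report Exchange server components that are
# not Active after a cumulative update, and optionally bring them back.
# Assumes the Exchange Management Shell (Get-/Set-ServerComponentState) is loaded.
param(
    [string]$Server    = $env:COMPUTERNAME,
    # Must match whoever set the component Inactive; 'Maintenance' is an assumption
    # based on the CU post-install instructions.
    [string]$Requester = 'Maintenance',
    [switch]$Activate
)

$components = Get-ServerComponentState -Identity $Server
$inactive   = @($components | Where-Object { $_.State -ne 'Active' })

if ($inactive.Count -eq 0) {
    Write-Host "All $($components.Count) components on $Server are Active."
    return
}

Write-Host "Components on $Server that are not Active:"
$inactive | Format-Table Component, State -AutoSize

# Without -Activate this is a read-only check, suitable for a post-update validation step.
if (-not $Activate) { return }

# ServerWideOffline is the master switch and is the one the CU instructions have you set
# first; anything still Inactive after that is handled individually.
Set-ServerComponentState -Identity $Server -Component ServerWideOffline -State Active -Requester $Requester

foreach ($c in $inactive | Where-Object { $_.Component -ne 'ServerWideOffline' }) {
    Set-ServerComponentState -Identity $Server -Component $c.Component -State Active -Requester $Requester
}

# Re-check: anything still not Active was set Inactive by a different requester
# and needs that requester's name instead.
$still = @(Get-ServerComponentState -Identity $Server | Where-Object { $_.State -ne 'Active' })
if ($still.Count -eq 0) {
    Write-Host "All components on $Server are now Active; re-run Test-CsExStorageConnectivity from the Skype for Business shell."
} else {
    $still | Format-Table Component, State -AutoSize
}
```

The Skype side of the check (Get-CsOAuthConfiguration for the ExchangeAutodiscoverUrl, then Test-CsExStorageConnectivity) runs in the Skype for Business Management Shell, so it is left to the reader rather than mixed into an Exchange-shell script.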

Audiocodes IP Phone Manager Custom Placeholders

Audiocodes, Audiocodes…oh, Audiocodes. I continually battle with your poorly written documentation for your excellent products. It’s either you write your documentation poorly, I’m just a terrible reader of technical documentation, or maybe it’s somewhere in the middle. Usually I blame myself, but I really think it’s you this time.


A great example of this is AudioCodes IP Phone Manager Express, a centralized management server for AudioCodes VoIP phones that is free for the first 500 phones purchased. The program sits on top of IIS, installs and utilizes SQL Express, and leverages option 160 (custom option) from DHCP for directing phones for registration. These guys have an excellent write-up on how to install it (just don’t have two option 160s like I did, for some stupid reason).

So you get it installed, phones are registering with it, the wind is against your back, and now you want to customize options. If you follow the administrative manual that comes bundled with the download (or just download it here), you might think you’re limited to just the placeholder values that come with it. Page 21 in the manual demonstrates how to enter the values for the placeholders, but it doesn’t show you where. The manual for the IP Phone Manager (non-express, download it here), has more information to explain what’s going on, but even it lacks some clear, explicit directions for creating those placeholder values.

This is my biggest complaint about AudioCodes documentation: the instructions aren’t always clear and straightforward, or written from the perspective of someone actually installing this stuff.

So how do you create those placeholders? Turns out it’s relatively simple, and it makes sense once you connect the dots.

To create placeholders, you create the variable values in the configuration templates. Go to Phones Configuration > Templates > select the phone template you want to adjust:

[Screenshot: IPP phone template with the placeholder values]

In the above example, I’m creating a multicast group for paging. Also, I kept the naming scheme consistent, but you don’t need to include “ITCS_” for the variable, as long as it matches later. (09/22/16) Correction: you do need to keep the naming scheme the same, at least from what I can tell in setting region placeholders. When you enter the placeholder name, IPP appends the name with “%ITCS_<yourPlaceHolder>%”.

Then, you can create your ‘Regions’ for customizing configurations, and then add your customized values to each region like this:

[Screenshot: IPP region values]

Next, change the region of the phone(s), if you haven’t done this already:

[Screenshot: IPP phone options, changing the region]

Finally, update the phone configurations. Go to Users > Manage Multiple Devices, add the devices you want to update, select the action “Generate IP Phones Configuration Files” or “Update Configuration File”, then click “Generate IP Phones Configuration Files”:

[Screenshot: IPP Manage Multiple Devices, generating the configuration files]

Generating will restart the phone; updating will not. I prefer generating, but you may want to avoid the phone restart.

That’s it.

AudioCodes has a great system here, and it’s pretty cool that it comes free. The only hiccup I’ve encountered with the program so far is that I have some phones that I can’t issue commands to for some reason. There are some users that I can’t put in regions or update configurations, and when I try, IPP tells me that the user is not approved, but when I try to approve the user, it says the user is already approved. It’s very strange, and thankfully I don’t worry about it much because the users are in the default region, but I could see this being an issue for sure. I haven’t reached out to AudioCodes yet for support, but I’ll update something here when I do.

Happy phone managing!

Skype for Business/Lync Server and Exchange UM: Errors with Event IDs 1079 & 1136

During a recent Skype for Business / Exchange 2013 deployment, I tried routing all calls to a DID, then on to an Exchange 2013 UM Auto Attendant. After some hiccups I had it working, but, painfully, dialing by extension and transfers did not work from the Auto Attendant. After some investigating, the Skype server wasn’t giving me any errors, and the syslog from the AudioCodes gateway indicated calls were transferring.

However, the Exchange server gave me two errors regarding unified messaging: 1079 and 1136.

[Screenshot: Exchange UM Event ID 1079]

[Screenshot: Exchange UM Event ID 1136]

I tried lots of solutions and tested my environment numerous times, but nothing was working. If you look these errors up while doing a Skype for Business server deployment, you’ll often see Microsoft KB 3069206 come up, titled “Exchange UM Auto Attendant cannot transfer calls to a phone or extension number in Skype for Business Server 2015”. Looks great and promising…

…but I’ve already updated the server to the latest CU.

With more Google-fu, I found my solution: I needed to change my certificate for the Exchange server.

According to this TechNet thread, the certificate assigned to the UM services on the Exchange server needs to have a subject name that matches the Exchange UM server’s name. I had used the same UCC-SAN cert for the UM services that I set up for the Skype for Business Edge server, with all the needed subject alternative names added.

The fix: perform a new certificate request from the internal CA, apply the certificate to the UM services, then restart the UM services on the Exchange server.

After that, call transfers worked!

Hope this helps someone.


Skype for Business: “Prerequisite installation failed: MSSpeech_TTS_pt-BR_Heloisa”

While doing a Skype for Business deployment, I encountered this strange error that was preventing the S4B server components from installing: “Prerequisite installation failed: MSSpeech_TTS_pt-BR_Heloisa”.

The log file showed the following:

[Screenshot: log excerpt showing the speech language package errors]

After doing some Googling, the consensus was to find the MSI file and replace it.

The file was located here: C:\ProgramData\Microsoft\Skype for Business Server\Deployment\cache\6.0.9319.0\setup\speech\pt-BR\

However, the question was where to get the speech files. I tried getting them from the ISO, but it appeared the files on the ISO were corrupted, so I had to get the files here:

Microsoft Speech Platform – Server Runtime Languages (Version 10.1)

I ended up downloading what I needed, but subsequent MSI files were also having problems, so I ended up just replacing the MSIs in the directories “pt-BR” through “zh-TW” to be safe.

The installation then continued successfully as expected.

Hope this helps someone.

Update (06/07/16): Had this problem again (forgot to replace ISO), and I found out that if you keep the S4B ISO mounted or DVD in the system, then S4B will re-download the bad packages from the ISO/DVD. Dismount or eject the media, then copy the MSI files.

Update 2 (09/20/16): You can also just re-download the ISO. Problem solved. 😀
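Rather than replacing a directory range “to be safe”, it is possible to tell a damaged speech MSI from a good one before setup trips over it: the Microsoft MSIs are Authenticode-signed, so a corrupt copy fails the signature check. The script below is an added example, not from the post or from Microsoft; it uses the cache path quoted in the post, assumes the good MSIs downloaded from the Speech Platform runtime languages page sit in a folder of your choosing with the same file names, and warns if optical media is still mounted, since the update notes above explain that setup re-copies the bad packages from the ISO/DVD.

```powershell
# Added example, not from the original post: find speech-runtime MSIs in the Skype for
# Business deployment cache whose Authenticode signature does not verify, and optionally
# replace them from a folder of known-good downloads.
param(
    # Cache path as quoted in the post.
    [string]$CacheDir  = 'C:\ProgramData\Microsoft\Skype for Business Server\Deployment\cache\6.0.9319.0\setup\speech',
    # Assumed location of the MSIs downloaded from the Speech Platform runtime languages page.
    [string]$SourceDir = 'C:\Temp\SpeechRuntime',
    [switch]$Replace
)

# Per the post's first update, setup re-copies the bad MSIs from a mounted ISO/DVD.
$media = Get-CimInstance Win32_CDROMDrive | Where-Object { $_.MediaLoaded }
if ($media) {
    Write-Warning "Optical media still mounted on $($media.Drive -join ', '); dismount it or setup may re-copy the bad MSIs."
}

$bad = foreach ($msi in Get-ChildItem -Path $CacheDir -Recurse -Filter *.msi) {
    $sig = Get-AuthenticodeSignature -FilePath $msi.FullName
    # A truncated or corrupt copy typically reports HashMismatch; anything other than
    # Valid is worth a look before setup tries to install it.
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Language = $msi.Directory.Name
            File     = $msi.Name
            Status   = $sig.Status
            Path     = $msi.FullName
        }
    }
}

if (-not $bad) {
    Write-Host "All speech MSIs under $CacheDir carry a valid signature."
    return
}

$bad | Format-Table Language, File, Status -AutoSize
if (-not $Replace) { return }

foreach ($item in $bad) {
    $candidate = Join-Path $SourceDir $item.File
    if (-not (Test-Path $candidate)) {
        Write-Warning "No replacement for $($item.File) in $SourceDir"
        continue
    }
    # Only copy a replacement that itself verifies; otherwise the problem just moves.
    if ((Get-AuthenticodeSignature -FilePath $candidate).Status -ne 'Valid') {
        Write-Warning "$candidate also fails the signature check; skipping"
        continue
    }
    Copy-Item -Path $candidate -Destination $item.Path -Force
    Write-Host "Replaced $($item.Language)\$($item.File)"
}
```

Run it once without -Replace to see which language packages are actually damaged, then again with -Replace after the ISO is dismounted; if every file comes back Valid, the post’s second update (just re-download the ISO) is the simpler fix for whatever else is wrong.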

Virtualbox VLANs in Ubuntu

Wanted to add quick note about VLANs, VirtualBox, and Ubuntu.

VirtualBox does VLANs a little differently on Ubuntu than other hypervisors. To get a VLAN working for a VirtualBox VM, you have to create a subinterface for that specific VLAN (assuming, of course, that your NIC supports 802.1Q tagging). To create a subinterface in Ubuntu, follow the instructions here:

https://wiki.ubuntu.com/vlan

Then in Virtualbox, you set the network interface to ‘bridged mode’, then select the subinterface. Assuming your new subinterface is permanent, the VM will use that subinterface and be within that VLAN.

I’m not entirely sure how to accomplish this for Virtualbox on Windows. It would seem like you would need a separate physical interface, especially for Windows 10 and probably others.

Unrelated note: Virtualbox on Windows 10 is horrible, and so is the native Hyper-V, but that’s for another post, maybe.

Edit (20180705): A few years later, and I can honestly say VirtualBox on Windows 10 is stable now, and has been for awhile. Felt the need to update this. :-p

Setting Up a Separate WSUS to Work with SCCM Environment

Sometimes I feel thick-headed.

This is especially true, sometimes, with SCCM — but c’mon, it’s SCCM, so it comes with the territory.

The issue I was having was that I didn’t quite understand what the role a separate WSUS server would play in an SCCM environment. I thought it would be configured something like this:

[Diagram: how I thought WSUS and SCCM fit together]

I didn’t quite understand how the WSUS server worked with the SCCM environment. I knew SCCM managed WSUS, but it didn’t make sense to me how. Why wouldn’t I just configure WSUS and SCCM on the same box if I had to have the WSUS role already on the same system? This setup would cause the WSUS role on the SCCM primary site to be managed, but it tried to get updates from a WSUS that wasn’t doing anything, and I would have to manage updates from it, PLUS manage the updates in SCCM for deployment.

This seemed ridiculous to me, and super-redundant. Well, that’s because it is ridiculous and super-redundant.

In reality, it should be something like this:

[Diagram: how WSUS and SCCM actually fit together]

Basically:

  • WSUS console is installed on SCCM Primary Site
  • WSUS server has the WSUS role installed, but nothing else
  • No group policy configured for the WSUS server to point to an internal box
  • In SCCM, configure the WSUS server as a ‘Site System’ with the Software Update Point role configured.
  • WSUS then gets its updates from Microsoft, unless you have another WSUS upstream server.
  • Then all updates come from the WSUS server.
  • Note: if you’re running a single SCCM server, WSUS can be installed on it as well; you just need to make sure you have a beefy server.
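The layout in the list above is easy to get subtly wrong (a full WSUS install on the primary, or a client GPO pointing the WSUS box at itself), so here is a read-only check to run on each server. It is an added example and not an SCCM or Microsoft script; the feature names are the Windows Server role components (UpdateServices-Services is the WSUS service, UpdateServices-UI the console), the registry path is where GPO-delivered Windows Update client settings land, and which combination counts as an “issue” for each role is this example’s own reading of the list above.

```powershell
# Added example, not from the original post: verify one box's part in the split
# WSUS / SCCM Software Update Point layout. Run on the WSUS server with
# -ExpectedRole WsusServer and on the primary site with -ExpectedRole SccmPrimary.

function Get-WsusLayoutReport {
    param(
        [ValidateSet('WsusServer', 'SccmPrimary')]
        [string]$ExpectedRole
    )

    $features  = Get-WindowsFeature -Name 'UpdateServices', 'UpdateServices-UI', 'UpdateServices-Services'
    $installed = @($features | Where-Object { $_.Installed } | ForEach-Object { $_.Name })

    # GPO-delivered Windows Update client settings live here. An internal WUServer on
    # the WSUS box itself means it would try to pull updates from a server that
    # serves nothing, which is the redundant loop described above.
    $policy   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $wuServer = if ($policy) { $policy.WUServer } else { $null }

    $issues = @()
    switch ($ExpectedRole) {
        'WsusServer' {
            if ('UpdateServices-Services' -notin $installed) { $issues += 'WSUS service role (UpdateServices-Services) is not installed' }
            if ($wuServer) { $issues += "WUServer policy points at $wuServer; the WSUS box should not be client-policied to an internal server" }
        }
        'SccmPrimary' {
            if ('UpdateServices-UI' -notin $installed) { $issues += 'WSUS console (UpdateServices-UI) is missing; the Software Update Point role needs it' }
            # Allowed for a single-server setup (see the note above), but not the split layout.
            if ('UpdateServices-Services' -in $installed) { $issues += 'Full WSUS role is installed here: fine for a single-server setup, not for the split layout' }
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ExpectedRole   = $ExpectedRole
        InstalledWsus  = if ($installed) { $installed -join ', ' } else { 'none' }
        WUServerPolicy = $wuServer
        Issues         = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}

# Pick the role that matches the box you are on.
Get-WsusLayoutReport -ExpectedRole WsusServer | Format-List
```

An empty Issues field on both servers, plus the WSUS server configured as a Site System with the Software Update Point role in the SCCM console, is the state the list above describes; the script does not touch the SCCM side, which is done in the console.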

I kind of feel like a bonehead for this, but hey, I get it now!

More info on the process here (although my setup is a little different):
Installing a remote Software Update Point in SCCM 2012 R2

(Update 20190702 – Made a note to clarify that the role can also be installed on single servers if desired).