Working as a Happy Cloud Company

One of the first projects I took on when I started with my current employer a year ago was to “get our stuff to the Cloud”. Inova Solutions is a Microsoft Gold Partner “Licensing Solution Provider” and my CEO aimed to have 50% of our resources in the Microsoft Cloud within a year. It all went a bit faster than that so we’ve been working with Office365, Intune, CRM Online and Azure for over half a year now. We are used to it, we don’t even wonder about it anymore, it is business as usual. And, there is a bunch of features available we still have to discover and implement, which will take us some time. Business as usual. Happy CEO.

But every now and then we become aware again that it is extraordinary that our entire organization runs all of its business completely in the Cloud.

We have seen this huge decline in IT Costs, be it investments or maintenance. Things don’t break anymore. Our offices on Aruba, Curacao, Jamaica and Trinidad do not rely on site-to-site VPNs anymore. We are always on at a constant low cost. Happy CFO.

When we meet with customers, with partners and even with Microsoft, people are astonished that we actually work like that! All of it, all the time. We do not only Walk-the-Talk, we are actually “Being what is Next” for a lot of organizations. Customers like that and they want that. Most of the time it’s not the IT Manager that makes the decision, it’s higher Management that asks how long it will take us to build them that. It is becoming strategic instead of tactical, increasing productivity while decreasing costs. Doing events and showing off our own dog food makes the audience dribble (have to make sure we have tissues). Happy Customers, Happy Sales People.

And in the meantime we can work anywhere, from hotel rooms, lounges, airports, airplanes, home, and we can work anytime. I tend to wake up very early, like 4 AM, every now and then I meet my colleague who tends to be a night worker on Lync: “Morning Jasper”. “Go to bed Shawn”. We get our stuff done. Without any servers. If the Internet connection breaks we go to Starbucks and work on. If lightning strikes and we lose power for a couple of hours we do the same. We still get our stuff done. Coffee gets cold because we are getting stuff done all the time. Happy Mobile Workers.

Isn’t it amazing? We are a Happy Cloud Only Company, that is what we preach, that is what we practice. Mobile First – Cloud First: Happy CTO!

Are you next to be Happy?

Inova Solutions NV: Moving EVERYTHING to the Cloud

A lot has happened since my last post. My wife and I moved to Aruba in The Caribbean and I found a great job as Solutions Architect for Inova Solutions NV. Inova Solutions NV is a Microsoft Gold Partner in Licensing, formerly known as LAR (Large Account Reseller), nowadays it’s called LSP (Licensing Solutions Provider). One of my roles is that of IT Manager for our own IT and that is what this blog is about.

As a true Caribbean Company we are scattered across a couple of islands: Aruba, Curacao, Trinidad & Tobago and Jamaica, and we have customers on those and a lot of other islands. The Network Infrastructure consists of some site-to-site VPNs and Client VPNs so we can reach our resources located on Curacao wherever we are.

The CEO had a goal for me to achieve by putting 50% of those resources in the Cloud by June 30th 2014. Soon I discovered that we actually only use applications that are available in the Microsoft Cloud already: Exchange, SharePoint, Lync and CRM. My goal now is to have all that migrated to the Online Services by the end of the year.

Plus some extra wins: we don’t really need Active Directory, authentication also goes to the Cloud. That means our PCs and laptops can no longer be managed by AD and GPOs. For that we will leverage Windows Intune. And finally we have this RDS Server that hosts 2 applications, neither of which relies on AD; we will just rebuild that RDS Server as a VM on Windows Azure.

My Christmas wish list (here on Aruba you can already buy your Christmas stuff):

  • Office365
  • CRM Online
  • Windows Intune
  • Windows Azure AD
  • Windows Azure Network
  • Windows Azure VM

Sounds like we have a plan! By the 1st of January 2014 we can start decommissioning our whole Onprem Infrastructure, all the site-to-site VPNs and, oh boy, all that Client VPN stuff (I do not understand why companies still deploy that; don’t we have DirectAccess at our disposal?).

The bet is on, I have 2 months from now to make it so.

Hopi Bon! (Papiamento for “very good”)

TechEd Europe 2013 SCVMM R2 Session

After joining a session on ConfigMgr and Intune, which brought me nothing new, I joined a session on System Center Virtual Machine Manager 2012 R2 (http://channel9.msdn.com/Events/TechEd/Europe/2013/MDC-B357#fbid=hBjzVKd6xg9 ).

There is some interesting new stuff in SCVMM2012R2:

  • Apart from SC AppController for Self-Service there is the Windows Azure Pack. WAP gives the look and feel of Azure but is targeted at your Private Cloud.
  • Cisco now provides a Virtual Nexus 1000 Switch (http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns955/ns963/solution_overview_c22-687087.html) for Virtual Networks based on Hyper-V.
  • VMM R2 will provide a Gateway out-of-the-box with the Border Gateway Protocol.
  • There will be Service Templates for all System Center Components (sounds like a deeper development of the PowerShell Deployment Toolkit).
  • Guest Clusters can now use a VHDX as shared storage (as long as the VHDX resides on a CSV Cluster).
  • VMM R2 can manage Physical Switches.
  • I already mentioned in yesterday’s Blogpost the Azure Hyper-V Replica Manager for orchestrating a failover to a DR Site.

Pretty neat features for a R2 release!

I’ll be back tomorrow.

TechEd Europe 2013 My Keynote Highlights from Madrid

Although TechEd North America finished some three weeks ago, I would like to mention a couple of things from the keynote, which was mostly the same as the one three weeks earlier. They have not become less worthwhile in that short period of time.

And, there was a great announcement! The bits of a lot of upcoming stuff are available as of today as Preview:

  • Server 2012 R2
  • System Center 2012 R2
  • SQL 2014
  • Visual Studio

Here comes the summer :)

As an IT Pro I focus on what was said concerning this line of IT Business. A quote I really liked: “BYO is not a privilege, it is a right.” Such is the perception of users. Following from that, Identity Management is a major thing, and Microsoft proposes to leverage Azure Active Directory together with the Onprem Active Directory (a no-brainer for Office365 and Intune admins). The same goes for leveraging Windows Intune with SCCM! SQL 2014 Management Studio can connect to SQL Azure.

Extending stuff to Azure with the Windows Azure Pack, gives the look and feel of the Azure Portal to both your Private Cloud and the Azure Public Cloud. The MSDN accounts on Azure are now calculated per minute (as per hour in the “old” days), making it easier for Devs to test their Apps.

A super Server 2012 R2 feature is “auto-tiering” of storage, where you can mix SSD with JBOD and the OS will find out what to store where. Now that is cool!

Azure now has a Hyper-V Recovery Service with which you can orchestrate Data Center failovers….. pffff.

A demo of Windows 8.1 showed us “workplace connect” and “Work Folders”. I like the Work Folders (on Server 2012 R2 that is); it syncs and secures ordinary file shares over https to any user device…. Very very neat!

The rest of my 1st day was filled with assisting as Microsoft Certified Trainer so no details from me on the breakout sessions which you can see on http://channel9.msdn.com/Events/TechEd/Europe/2013?wt.mc_id=homepagetop#fbid=CJ-2jXdm1ag

Enjoy, I’ll be back with more!

Exchange 2013 Hybrid Deployment on Office365 leveraging Azure

With all the new releases of Servers, Services and Devices, I thought it was time to build a Hybrid Deployment using Exchange 2013 Preview and Office 365 Preview.

I set out to do everything on Server 2012 but unfortunately that didn’t work out. So I had to cheat a little (making it more interesting though); my onprem environment consists of Server 2012 machines only. The Win2k8R2 machine I needed runs on Azure. The AD FS Service required for Single Sign On with Office 365 does not (yet) run on Server 2012. As a highly available AD FS Service is a constraint for a lot of customers to go for SSO, this might be a good option anyway. Have your AD FS Servers in the Cloud; you could even force geo-redundancy and stuff like that.

So, I first need to acknowledge Office 365 MVP Jethro Seghers (http://jethroseghers.blogspot.nl/ and @jsegehrs) from Belgium who already set up this config but has had no time yet to describe it.

Secondly I used a great blogpost from Paul Cunningham on installing Exchange 2013 on Server 2012 (http://exchangeserverpro.com/install-exchange-2013-pre-requisites-windows-server-2012).

And Trevor Smith for getting DirSync to run on Server 2012 (http://community.office365.com/en-us/forums/613/p/63806/243279.aspx).

I also acknowledge myself :) for my earlier posts on setting up a Hybrid Deployment (been there, done that, got the certifications….. no t-shirts though).

Okay, that being said, let’s get going.

Here is my Bill of Materials:

And you need a couple of rainy Sunday afternoons to set it all up. It’s not that hard, but we have all met Mr. Murphy; he’ll check in every now and then.

Onprem Configuration

I have a lack of resources so I only used 3 VMs in my “Private Cloud”: a Domain Controller, an Exchange Server and a Windows 8 client. It’s certainly not best practice to put the Directory Synchronization tool on the Exchange server, but it works.

It’s all straightforward configuration work; the certificate tool in Exchange 2013 works great. Just make the request, go to your certificate provider to submit the request and import the certificate. This is what it looks like:

I added the “sts” so I can use this certificate on the AD FS Server as well.

Create some users, dynamic distribution groups and mailboxes and start mailing, scheduling and stuff like that. There should be something in there before we start moving things to Office 365.

Then you do ALL of the tests in the Exchange Remote Connectivity Analyser (https://www.testexchangeconnectivity.com/):

….. and fix any issue before proceeding (keeps Mr. Murphy away).

Azure Configuration

The new Azure Portal is a real pleasure to work with; everything is in the place where you expect it to be. First we have to do some networking so that the VMs running on Azure can connect to the Onprem environment, also using your Onprem DNS Server. On Azure you have to create a so-called Gateway Network and private subnet, and name them as an Affinity Group. Tick the checkbox that you want to use this Gateway Network to connect to your Onprem environment.

Azure gives you the Gateway IP Address and there’s a button that will show the Pre-Shared Key to use when setting up your IPsec LAN-to-LAN VPN Tunnel. On my Draytek Router (running from my HAN, Home Area Network) that was a quick one, although the default time-out (300 seconds) was too low; I adjusted it to 1500 seconds. The result (in the pic even my two VMs are already spinning):

I set up 2 VMs on Azure, just pick them from the Gallery: I took a Server 2012 for a Read-Only Domain Controller (it only serves authentication purposes out there) and a Win2k8R2SP1 for the AD FS Server. When the Networks are properly configured the machines obtain the appropriate IP Addresses. An RDP Endpoint is automatically created so you can manage the machines through RDP. I created an additional Endpoint for the AD FS Service.

I did the dcpromo wizard to create the RODC (the Azure Networking gave it the right IP settings, including my Onprem DNS Server) and I also joined the AD FS Server to the domain.

Office 365 Preview Configuration

The steps to take in the Admin Portal are the same as they are in the current version; it is still very important (keeps you out of trouble) to do things in the right order.

So, assuming that all is set to go, working and tested, this is the order:

  • Set up Single Sign On by installing AD FS 2.0 and configuring it with the proper cmdlets in the MSOL PowerShell Module.
  • The previous step asks you to add a TXT Record in DNS for validation; after doing that you re-issue the last cmdlet.
  • Verify the addition of your domain name in the Portal.
  • Enable Directory Synchronization; it’s just a button in the Portal. It says it might take 24 hours, my experience is it takes about 30 minutes.
  • When you see that DirSync is enabled you can run the config wizard, which prompts for both Online Admin credentials and Onprem (Schema) Admin credentials.
  • Verify Directory Synchronization in the Portal; your Onprem AD Users should be listed there.
  • Verify SSO by logging in to the Portal with a Synchronized user.

All this is necessary because a Hybrid Exchange Deployment uses Federated Users only, hence both AD FS and DirSync.
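The same SSO and DirSync order as the list above, done from the MSOL PowerShell module of that era instead of the Portal, with the verification steps a practitioner would want before trusting the federation. This is an added example, not the author’s script; the domain name, the AD FS host name and the account names are placeholders.

```powershell
# Added example (not from the original post). Assumptions: "contoso.com" is the
# placeholder domain, "sts.contoso.com" the placeholder AD FS host; run this on the
# AD FS server (Set-MsolADFSContext needs the AD FS snap-in on the box).
Import-Module MSOnline
Connect-MsolService                          # prompts for the Online (tenant) admin credential

$domain = "contoso.com"
Set-MsolADFSContext -Computer "sts.contoso.com"

# First run: registers the domain as federated. This is the step that asks for the
# TXT record; it cannot finish until that record exists at the DNS host.
New-MsolFederatedDomain -DomainName $domain

# Show the verification record again if you missed it. Paste ONLY the record value
# into the TXT record, not the domain name field (the clipboard mistake from the post).
Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord

# ... create the TXT record, wait for it to propagate, then re-issue the same cmdlet.
New-MsolFederatedDomain -DomainName $domain

# Verify: Authentication must read "Federated" and Status "Verified".
Get-MsolDomain -DomainName $domain | Format-List Name, Status, Authentication

# Verify that what the tenant holds (issuer URI, passive/active endpoints, signing
# certificate) matches what AD FS holds; a mismatch here surfaces later as SSO logons
# that fail for synchronized users.
Get-MsolFederationProperty -DomainName $domain

# Enable DirSync (the "button in the Portal"), then check the flag until it reads True.
Set-MsolDirSyncEnabled -EnableDirSync $true
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
```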

Exchange 2013 and Exchange Online Hybrid Deployment

Finally, we’re getting there. Getting the 2 Exchange Organizations to talk to each other, allowing for Calendar Sharing, mailbox moves, complete GALs, etc, etc. I was not that enthusiastic about the wizard in Exchange 2010 SP2. It takes away the deeper-level insight into what is actually happening. In my Trainings I still do it the manual way and if time permits I let my students do the SP2 Wizard.

So I’m quite curious about the Exchange 2013 “Exchange Administration Center” and the Wizard in there…..

As soon as you hit “Hybrid” in the all new Exchange Admin Center, a button appears with “Enable”; then it asks you to log on to Exchange Online so you end up in the Exchange Admin Center …… online! As soon as you hit Hybrid in there, a button appears with “Enable”. Looks like that way you have enabled Hybrid Deployment on both sides.

That looks very promising! YES! The next one looks familiar from the “old” Hybrid Deployment, proof of ownership for your domain:

I go to GoDaddy to do just that. Oops, slight error in the “Copy to clipboard”: it also takes the domain name field… do NOT put that into your DNS Tool!! GoDaddy is fast, I could continue right away.

Centralized Mail Transport allows for mail flow from Exchange Online to the Internet to be routed through your Onprem mail servers (Compliance, Journaling or whatsoever). The Edge Role does not exist anymore (as TMG will soon) so I choose Hub Transport.

Easy choice, I only have one server deployed…. It should be an Internet facing CAS Server though, Hybrid Deployment is leveraged by Exchange Web Services found through Autodiscover. I skip the next screenshot, it’s the same but now it’s about the Sending Server.

I have set up my Exchange Certificate real good! Exchange Online recognizes it right away. And asks me for the SMTP Address of my Onprem server:

No surprise here (I’ll keep that for myself :)):

This looks almost too easy to be true:

Checking Onprem, checking Tenant, checking prerequisites ….. a

All the manual steps from the good old times come by….. and yes indeed, this used to be the case all the time….

It used to be a matter of time-outs, so I’ll just cancel it (changes made are already there) and do some manual stuff, but not after running the wizard for a third time (Mr. Murphy please leave).

Let’s see what there is to modify….. hmmm, not much, exactly the same Wizard with the same results :(.

Hey, I’m on Wave 15! This appears when I look at the Node “Organization”.

Here’s the FIX!

I added my namespace not from the Online Interface but from the Onprem Interface! That seems to be working perfectly! Just passed all the nodes and settings and it looks okay…. Time to move a Mailbox to Online, I guess.

The usual credential stuff (I’m triggering the Move from Online):

The Wizard does it wrong again…. As in Exchange 2010 SP2, the automatically configured endpoint is my local FQDN, which is of course not resolvable from Online. I manually enter the webmail.domain.domain endpoint and off we go.

YES! There he is! Note the very, very, very small arrow pointing to “Office365”, took me some minutes :), by that time the move had already completed (just 2 items).
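The endpoint fix described above, done by hand from an Exchange Online PowerShell session instead of accepting the wizard’s auto-filled internal FQDN. This is an added example, not the author’s own commands; the host name and the on-prem account are placeholders.

```powershell
# Added example (not from the original post). Assumptions: an Exchange Online remote
# PowerShell session is already imported; "webmail.contoso.com" is a placeholder for
# the externally resolvable, Internet-facing CAS name that carries the MRS Proxy (EWS)
# endpoint; CONTOSO\migadmin is a placeholder on-prem account with mailbox-move rights.
$onpremCred = Get-Credential -Message "On-prem migration account (CONTOSO\migadmin)"
$remote = "webmail.contoso.com"

# Prove the endpoint is reachable from the cloud side BEFORE any mailbox is queued:
# this resolves the name, validates the TLS certificate and calls /EWS/mrsproxy.svc.
# An internal FQDN (the wizard's default) fails right here instead of at move time.
Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $remote -Credentials $onpremCred

# Only when that succeeds, create the endpoint the move requests will use.
New-MigrationEndpoint -ExchangeRemoteMove -Name "Onprem-MRSProxy" -RemoteServer $remote -Credentials $onpremCred

# Review what exists; any endpoint whose RemoteServer is not publicly resolvable
# is the wizard's mistake and should be removed or corrected.
Get-MigrationEndpoint | Format-List Identity, EndpointType, RemoteServer
```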

Last checks for now:

  • mailflow Onprem-Online and vice versa: check
  • mailflow Online-Internet and vice versa: check
  • Calendar sharing: check
  • That all will double check the AD FS Deployment as well :) : check

Great!

Been there, done that, now I want the T-Shirt!

Thanks for reading and don’t hesitate to comment or to contact me!