Office 365 Setup and Windows Server 2012 Essentials

Something which I’ve never really talked about here is email. Me and my family currently consume Outlook.com via Windows Live Domains on both my blog domain richardjgreen.net and our personal domain name. Windows Live Domains really feels like something out of a Land Before Time movie these days. It hasn’t seen an update in years and frankly, I wonder what the shelf life of it is going forwards, leaving me to think that the options will be Outlook.com, Office 365 or bust. Not wanting to be stuck on a potentially end of the road email platform, left trying to move the mail service for my family on day zero, I started looking at options a few months back.

With Windows Live Domains being free, if I was going to pay for email, I needed it to not cost the earth, as low as possible really. At the same time, I didn’t really want anything more from a feature set than I get with Outlook.com via Windows Live Domains.  All I want is a flat service to match that of Windows Live Domains and Outlook.com. With me being such a softie, the option was really only going to be Office 365, it was just a question of what tier and flavour of it.

Windows Server 2012 Essentials which I use to run our home environment has native integration for Office 365 which means it would be super easy for me to manage which for me is great as the less time I spend managing our home solution, the more time I can spend blogging, working on other things and spend more time with the family themselves.

Exchange Online vs Office 365

This really confused me when I started looking into Office 365 and using the Windows Server 2012 Essentials integration features for Office 365 sometime ago. For me and my family, I am only interested in email. I’m not after Lync or SharePoint services as we just wouldn’t use them. I was concerned that if I signed up for Exchange Online Plan 1 which was my target option that the integration wouldn’t work. As it turns out, you just need to think of everything as Office 365. Exchange Online, Exchange Online Protection, Lync Online, Enterprise Plans; all of them fall under the banner of Office 365 so I now knew that Windows Server 2012 Essentials wasn’t going to care if I was on Exchange Online Plan 1 or if I was on an Enterprise 4 agreement.

Extending the Windows Azure Tenant into Office 365

Because I use Windows Azure Backup to backup our data from Windows Server 2012 Essentials already and because this blog is hosted on Azure, I already had a tenant setup on an onmicrosoft.com domain which I wanted to reuse so I needed to extend my tenant so the one tenant would work across Windows Azure and Office 365 services. To do this, I logged into office365.com using the account which I setup as the tenant global administrator when I configured Azure Backup on Server 2012 Essentials. I was greeted with a message that I didn’t have any licenses or any domains setup, but the login worked most importantly.

Buy a Service Plan

Before you can credibly do anything, you need a plan. I wrote this post after I set it all up and lucky I did really. When I first went through the motions, I added a domain richardjgreen.net and was wondering why I couldn’t do anything with it, not even validate it. It looks like you can’t even validate a domain to start configuring users until you have at least one license available to use.

As it’s just me on my blogs domain right now, I paid up for a single license of Exchange Online Plan 1. This gives me a 50GB mailbox, all of the Exchange features I want like OWA and Exchange ActiveSync and at £2.60 a month per user excluding VAT, the price is sweet enough for me also.

To buy a license or more, all you need to od is to hit the Purchase Services link on the left navigation. This presents a whole host of options for Office 365, Exchange Online services to buy and some add-on services also such as Exchange Online Protection and Exchange Online Archiving. Add a credit card detail on file, click buy and it’s as simple as that.

Adding Custom Domains

Adding a new domain is a simple matter of clicking Domains from the left navigation and then clicking the Add a Domain button then follow the instructions which follow into setting up DNS. I had both of my domains added within a matter of a couple of mouse clicks and keystrokes.

Configuring the DNS Settings

As part of the process of adding the domain, you need to do two things:

  • Verify you own the domain for starters
  • Add DNS records for your services

The first step is verification which in my case, I completed by adding an MS= TXT record in my providers DNS management console. I tried to do this but I received an error “richardjgreen.net has already been verified for your account, or for another Microsoft Online Services account.”. I new I was going to see this but not quite at which stage.

This is caused by the fact that my richardjgreen.net domain was currently configured to use Windows Live Domains for email service. I logged into domains.live.com, deleted all of the mailboxes in Outlook.com for the domain and then deactivated the service. This was the most nerve racking part of the process as I’ve read that other users doing the same thing have had issues rattling on for months to get this to clear out of the system properly.

In my usual style, I kept trying the Office 365 portal to verify the domain and 15 minutes after deactivating Windows Live Domains, Office 365 pinged into life, allowing me to verify the domain.

With the first step now done, I needed to configure the service records as directed. I needed three records for my Exchange Online service: An MX record for mail delivery, a TXT record for the SPF (Sender Policy Framework, required to allow receiving servers to trust the Sender ID of outlook.com and Office 365 to deliver email on my domains behalf) and a CNAME record for Autodiscover to allow devices to be configured automatically for my mailboxes in Office 365.

If you use a DNS management agency which Microsoft have steps with then you can get direct instruction for doing this if you are little uncomfortable with DNS or if you are with GoDaddy then there is the option for an automated setup through some kind of API channel with Microsoft.

After adding the records to my DNS, it took about 10 minutes for Office 365 to pickup the new records and complete the domain setup.

Enable Office 365 Integration in Server 2012 Essentials

From my Windows Server 2012 Essentials machine, this part should have been really easy but it turned out to be a nightmare.

From the Essentials Dashboard, click Email from the home screen and then select Integrate with Microsoft Office 365. The dashboard will open a wizard for you to enter your Office 365 Tenant Global Administrator account if you already have an account as I do otherwise you have the option to initiate a free trial using an E3 subscription.

The Office 365 integration with Server 2012 Essentials is neither DirSync nor is it ADFS. If you elect to use Office 365 with Lync and SharePoint you will not get the AD FS Single Sign-On (SSO) experience as you would with a full deployment. The integration here I would describe as light. When you provision users on-premise, make changes to Office 365 licenses or mailboxes through the Dashboard, the changes are pushed up to Office 365 via a web channel which you can see from the logs (explained later).

Password synchronisation does occur so that your on-premise password and Office 365 password are in alignment however. I found this happened really quickly and my Windows Phone would report a password change required on the Office 365 email account on the phone within about a minute or so of the password change on-premise.

When you enable the integration, one of the things that occurs is that it forces you to enable Strong password mode on-premise which results in passwords at least eight characters in length and passwords using symbols and all the tricks in the book. Whilst I agree this is something you should be doing, if you are a small business or a home user availing of the services of Office 365 like myself, this isn’t perhaps going to be ideal. Luckily, the password policy in Office 365 is actually less strict than this. I have gone under the covers using Group Policy Management Console (GPMC) in my setup and slightly amend the Default Domain Policy GPO and all my passwords sync okay still.

The Office 365 Integration Service Gone Bad

After I ran the initial setup integration for the first time, I stopped getting any data in the dashboard. I thought it may have been a result of some pending Windows Updates so I installed those and restarted but it was still broken. I found that the problem was that the Office 365 Integration service was stopped. I started in manually and it stopped immediately with a stack trace error in the Application event log which wasn’t particularly cool.

I tried to disable the integration so that I could then re-enable it, but it appears that any operation regarding the integration requires the service to be functional. I tried to re-run the configuration but I was informed that it was already configured and I would need to disable it first which didn’t help me.

The way I got around this was to force the service to be disabled via the registry. Open Registry editor and navigate to HKLMSOFTWAREMicrosoftWindows ServerProductivity. From here, delete the key MailService and then restart the dashboard application. Doing this makes it think that the Office 365 Integration is disabled even though the dashboard will show the green tick to indicate that it’s configured. Simply re-run the configuration wizard at this point and all appears to be working now.

The Office 365 Integration Service Gone Bad Mark II

After the above happened and it all looked like it was working, I wasn’t getting password sync up to Office 365 although the Dashboard was functional to a point of allowing me to configure mailboxes. I found that the Password Sync service generates a log file in C:ProgramDataMicrosoftWindows ServerLogsSharedServiceHost-PasswordSyncProviderServerConfig.log.

Upon reading this file, I was seeing WCF errors and unhandled exceptions every few seconds which hinted to me that even though I had been able to repair the integration as far as the service health and the Dashboard were concerned, something was still amiss. I opted to this time, use the Dashboard to disable the integration, restart the server and re-configure the integration as I was now able to do this with the service for the Office 365 Integration running okay.

After removing it all and adding it again, everything worked as intended.

Configure Users

You can either do this via the Windows Server 2012 Essentials Dashboard or directly in Office 365. I’d recommend doing it in the Dashboard if you are using Essentials otherwise you have a second step to link the cloud mailbox to the on-premise user account.

To setup a user, very simply, go to the Users tab in your Dashboard. Click the user you want to activate for Office 365 and select the Assign Office 365 Account option from the tasks on the right. Pick the email address for the user using either the onmicrosoft.com or the vanity custom domain you have configured and then click Next. If you have a license available to allocate to the user, it will be setup for you. If you don’t have a free license slot then you’ll need to buy one from the site office365.com.

One thing worthy of noting is that once you enable a user for Office 365 in this way, Windows Server 2012 Essentials will set the change password on next logon flag for the user to force them into a password change with a new password for the cloud which can then by synchronised up to Office 365 for that single password login experience.

ExRCA is Your Friend

Through all of this, testing everything is working is critical. Office 365 does a good job of telling you when you’ve got things configured properly, but ExRCA or the Exchange Remote Connectivity Analyzer is better as it’s a tool dedicated for the job. Visit http://exrca.com and click the Office 365 tab and run any of the tests you like to make sure things are working. Some tests need only your domain name to verify settings such as DNS records whereas others need a credential to simulate a synthetic transaction to a mailbox or account.

I found when testing my setup that everything is reported as working but Autodiscover fails every time. When you drill into more information this is caused because the certificate name presented by the CNAME redirect from autodiscover.richardjgreen.net to autodiscover.outlook.com means that the outlook.com certificate doesn’t have my domain name on it. My Outlook and Windows Phone clients still Autodiscover the service correctly so I think this is a by-product of the Office 365 configuration and not a problem as I’ve found literally hundreds of other people asking about failed Autodiscover tests on the TechNet forums.

Client Experience

One thing I discovered which isn’t hugely clear in the documentation is that I wasn’t able to configure Outlook 2013 or my Windows Phone for ActiveSync until after I had logged in for the first time at office365.com using the account I issued my license to and configured the mailbox. You are prompted with a couple of questions such as confirming your name and time zone logging in for the first time.

After doing this online piece, Windows Phone started to sync the mailbox using ActiveSync okay, and Outlook 2013.

What’s Next

Well first I have some mail service consumers to address. I’ve got quite a few family members using Windows Live Domains with Outlook.com on our personal family domain name which I don’t fancy paying for Office 365 for so I’m going to have those tough conversations over do they want to pay for their own Office 365 mailbox or do I help them move to Outlook.com natively using a non-vanity domain. Whichever way it happens, I’m going to be looking at manual mail migrations out of Outlook.com to Office 365 for these users as there isn’t a migration path for this right now.

One thing I will be doing once I move my personal family domain over to Office 365 is implementing the Outlook Group Policy .admx files to allow Outlook to auto-configure the email address from Active Directory on first-run so that my wife and, in the future, kids don’t have to manually enter those details. It’s something I have come to expect from enterprise environments so I feel I owe them that simplicity factor enterprise computing can bring.

The kids have mail addresses right now but they aren’t live, they are aliases on our mailboxes as parents so I’m going to be looking at shared mailboxes for these to make them one step closer to full service mailboxes and I’m also going to be looking into settings up some MRM policies in Office 365 to apply to our mailboxes to keep them trim and reduce the amount of overwork we have to do to maintain the storage of it although frankly, with a 50GB mailbox, do I care?

Longer term, I may look at the option to spend an extra 65 pence a month per user and sign up to Exchange Online Protection to stem the flow of nasty emails as not everyone is as savvy as someone in IT and that’s why these services exist. It’s another one of those things for me where 65 pence per month could potentially lead to hours and entire evenings saved, not having to repair a PC after a virus got installed via an email attachment.

In more posts to come, I’ll show how I’m configuring some of the features and settings in Office 365 and I’ll talk about how I plan to upgrade my estate to Windows Server 2012 E2 Essentials to get some of the new integration and management features for Office 365 in the dashboard along with other new features.

 

Windows Azure Backup Errors for Roaming Profiles

I was checking some of the logs of my Windows Server 2012 Essentials server last night and discovered that recently my Windows Azure Backup logs were reporting errors for the backups.

The errors weren’t serious but it was flagging that several files couldn’t be backed-up to the service. A normal person could accept this, but me having a little bit of offensiveness about things like that I needed to resolve it.

It transpires that the issue is temporary files generated by Facebook games and Flash video files in the roaming user profile. To resolve the warnings, modify the backup schedule on the server to the Exclusion Settings. Under Exclusion Settings in the Backup Wizard, define *.tmp *.swf and *.sol as exclusions for the root directory of your roaming profile share and set the Subfolders option to yes.

Tonight’s Windows Azure Backup completed without warnings.

Enjoy

Windows Server 2012 Essentials and the Failed Migration

Last week, I took a day out of the office as annual leave to migrate my home setup from Windows Home Server 2011 to Windows Server 2012 Essentials, taking in all of the blog posts I have written over the previous months’ about how I intend to use some of it’s new features.

Suffice to say, it wasn’t a success, but I have completed the lessons learnt and I am now preparing for a second attempt.

The main protagonist in the failure was the recently acquired 3ware 9590SE-12ML multilane SAS/SATA RAID controller. After installing the card about a month ago to verify it’s functionality, I saw the message “3ware BIOS not initialized” and the 3ware site left me comforted in the fact that this was due to the fact that I had no drives connected to it. When I connected my two new Intel 520 Series SSD drives to it to create a RAID1 mirror for my new OS drive, I saw the same message still even though the drives we detected okay. I installed the 3DM2 software in Windows Home Server 2011 and I was able to manage the card via the web interface (which is really nice by the way), however after creating the volume unit, the controller began to initialize the disks and the system froze instantly. I left a it a minute or two just in case, but no joy. A hard power off and restart then left the controller completely missing from the POST and startup with even the BIOS not showing it as connected. After trying a few different things, I was able to intermittently get the card to be detected, but not without causing major stability issues and it still wouldn’t properly initialize the BIOS during POST. A colleague leant me an Adaptec card for a day to test and this card was detected okay, allowed me to create a volume and the volume was detected within Windows okay, so I had it down to a compatibility issue between the motherboard and the 3ware card.

I decided that the issue with the motherboard compatibility could be related to the fact that it is a Micro ATX motherboard with the AMD Brazos chipset and the AMD E-350 ultra-low power processor and that the card could perhaps not be able to draw sufficient power from the PCI Express 16x (4x Mode) slot so I began looking at some other options. The processor has actually been one of the things I wish I had done differently of late. When the server was first built and put online it was great, but as I began to utilize the Home Server for more backend centric tasks, I began to notice the 1.4GHz Dual Core processor struggling and some tasks would timeout if they happened their timing happened to collide with other simultaneous tasks.

With the Ivy Bridge 3rd Generation Intel Core family CPUs, Intel released a line of CPU appended with the letterT. This family of CPUs are low power compared to their letter-less or K processors with the Core i5-3470T being the most efficient, pipping even the Core i3 T variant to the peak TDP and performance titles. Compared to the 18W peak TDP of my AMD E-350 chip, the Intel Core i5-3470T consumes a peak TDP of 35W, however it gives in exchange 2.9GHz Dual Core processing with Hyper-Threading allowing Windows to see two additional virtual cores, however because it is an i5 chip and not the lower specification i3 chip, it features TurboBoost which allows the CPU to boost up to 3.6GHz under high load. Using data from cpubenchmark.net, the AMD E-350 produces a score of 774, whilst the Intel Core i5-3470T produces a score of 4,640.

Investing in Ivy Bridge is more expensive then investing in the 2nd Generation Sandy Bridge which also offers some T branded chips for energy efficiency, however the CPU benchmark for the Sandy Bridge vs. the Ivy Bridge speaks for itself not to mention the fact that the Ivy Bridge reduces the TDP by 7W, the extra few pounds between the chips is worth the money.

To support the Ivy Bridge Socket 1155 Core i5 processor, I was going to need a new motherboard. I like ASUS as their are the market leader in motherboards in my view, and I decided upon the ASUS P8Z77-V LX board for several reasons. It’s a step up from the Micro ATX board I have previously been using, up to a standard ATX board.

The benefits of this are it avails me 4 memory modules in a dual channel configuration whereas I only previously had two slots with a single channel. The slot count isn’t an issue as I upgraded about six months ago from my originally purchased Corsair Value Select 2x2GB DIMMs to 2x4GB Corsair XMS3 DIMMs. The new DIMMs allowed me to make use of the higher DDR3 PC3-12800 1600MHz speeds, doubled my memory ceiling as due to running SQL Express on the backend for the MyMovies database I was hitting very close to 4GB daily and gave me a theoretically more stable system as the XMS3 memory is designed for overclocking and high performance cooling with it’s head spreaders, so running them at a standard clock should make them super stable. The other benefit is the increased PCI Express slot count. The new board gives me 3x PCI, 2x PCIe x1 and 2x PCIe 16x, one of which is a true 16x PCIe 3.0 slot and the other a PCIe 2.0 slot with 4x bandwidth.

The other reason for selecting it was the Z77 chipset. The Z77 set affords me the widest range of slots, interfaces and is also the best bang for buck having the best power consumption for the chipset out of all of the full feature chipsets (ignoring the Q77 chipset as although this adds Intel vPro, you lose a lot of slots through it).

All told, with the pair of new SSD drives for the OS mirror, the new Core i5 processor and the new ASUS motherboard, my overall power consumption will increase by what equates to £10-15 a year. When you consider the performance uplift I am going to see from this (the hint is worlds’ apart), it’s £10-15 a year very well spent.

The T variant of the Ivy Bridge supports passive cooling which aligns with my previous mantra of keeping it quiet, but I have come to the conclusion over the last year that this is unnecessary when I have a Cisco 2950T switch and a Cisco PIX Firewall making way more noise than a server would and the fact that it is all racked in my garage, out of earshot of the rest of the house for the one to two hours a month I many spend in the garage, it’s just not worth the thermal though process trying to engineer it quiet and cool. I have also been getting concerned lately of the drive temperatures on the Western Digital Green drives, stacked up inside the 4U case, so I’m switching to active. I selected he Akasa AK-CCE-7101CP. It supports all nature of Intel chipsets including the Socket 1155 for Ivy Bridge and has variable fan speed and decibel output. It’s rated up to 95W TDP for the quad core i5 and the i7 family chips, so running it on the 35W T variant of the i5, I’m hoping it will run at the quiet end of it’s spectrum, putting it at 11.7dB which is silent to the passing ear as it happens anyway.

To assist with my drive cooling problem and also an on-going concern about what I would do to deal with a drive failure or upgrade in a hurry (currently, it’s shutdown the server, drag and keyboard, mouse and monitor to the rack from my study to access the console session, open the case and connect the new drive cables etc) I decided to invest in the X-Case 3-to-5 Hot Swap caddy’s. These caddy’s replace the internal cold swap drive bays which require manual cabling and drive screwing with an exterior access, hot swap caddy system. All the drives in a block of 5 are powered via two Molex connectors, reducing the number of power connectors I need from my modular PSU, and the five SATA data ports on the rear of the cage are to be pre-connected inside the case allowing me to hot add and remove disk without powering down the server or even having to open the case. Each caddy also features a drive status and a drive access indicator so that I can readily tell if a drive fails which drive is the one in question, making fault resolution much easier. This is all the more important and useful with Windows Server 2012 Essentials. The cage also incorporates an 80mm fan which draws air out of the drive cage to keep the disk temperatures down.

To summarize then, I’m doing the following:

  1. Upgrading the ASUS AMD Brazos Motherboard to an ASUS P8Z77-V LX Motherboard
  2. Upgrading the AMD E-350 Dual Core 1.4GHz CPU (774 Score) to an Intel Core i5-3470T 2.9GHz Dual Core CPU (4,640 Score)
  3. Gaining an Extra Memory Channel for my Corsair XMS3 2x4GB DIMMs
  4. Adding X-Case Hot Swap Drive Caddies
  5. Gaining a Bit of Active Cooling

I’m still waiting for a few of the parts to arrive but once they do, it’s going to feel like the Home Server is going to be getting it’s 18 month birthday present in the form of several serious performance and ease of use and management upgrades. I’m really looking forward to it and in a sad kind of way, I’m glad that the upgrade didn’t work out the first time, otherwise I wouldn’t have invested in these parts which I know I’m not going to regret buying.

Once I’ve got everything installed, I’ll run another post to show the images of it and I will hotlink to my old pictures to do a little before and after for comparison, then it’ll be hot trot into Windows Server 2012 Essentials I hope.

 

Hardware Compatibility for Windows Server 2012 Essentials

Following on from my spate of posts relating to Windows Server 2012 Essentials, I am working hard to test my configurations in a Hyper-V 3.0 VM on my desktop to ensure that I can migrate to Windows Server 2012 Essentials successfully without any hiccups.

Migrating my data on the current Windows Home Server 2011 is the biggest task, but not the biggest challenge. For me, ensuring that my hardware will work as I need is the biggest challenge because of my extremely bespoke build.

The first item on the agenda is the CPU. The system requirements from TechNet state that a 1.4GHz single core or a 1.3GHz dual core is required. Lucky, as I have a 1.6GHz dual core AMD E-350 Hudson processor. I’m a long way from the recommended 3.1GHz multi-core processor, but my primary target is still energy efficiency, so the E-350 processor exactly achieves that with an 18W TDP. If I find over time that CPU is my bottleneck then I will need to consider using slightly more watts and upgrade to something like the 35W TDP Intel i5 Mobile chipset but that will need a new motherboard too, so would cost a load to upgrade.

Next up is the memory; I currently have 4GB of the stuff. The minimum is 2GB but the recommended is 8GB. I know based of my current usage that my Windows Home Server 2011 machine that I am using about 70% of the physical memory, and with Windows Server 2012 being of more modern gravy, it is designed around lower I/O and more memory (as memory is super cheap these days), so I’ve decided to upgrade to 8GB, replacing my 2 x 2GB 1066MHz Corsair Value Select with 2 x 4GB 1600MHz Corsair XMS3. This new memory is faster than my current as at build time, Corsair didn’t sell the Value Select memory in anything above 1066MHz, and because the XMS3 memory is designed for gamers and overclockers, features like variable voltage, improved CAS latency and builtin heat spreaders should all help improve overall system performance and stability.

Next up is the network. This one could be interesting. I wrote a post back in August 2011 when I first built the new home server around circumventing the fact that the Intel drivers wouldn’t install on Windows Home Server 2011 (based on Windows Server 2008 R2) because I am using one of the older generation PCI-X cards which were discontinued. The driver physically works in Windows Server 2008 R2, shows as WHQL in Device Manager and all of the ANS features work too, but the .msi blocks it. I’m betting on the fact that by using the updated version Intel driver, designed for Windows and Windows Server 2012 that the same hack will work. In Windows Server 2012, I won’t be using the Intel ANS teaming driver for creating my 2Gbps SLA team though, but I will be using the native features in Windows Server 2012 which is one of the amazing new features. If that fails, then I will be using the onboard Realtek 1Gbps NIC for the short term while I acquire a replacement, more modern PCI-E dual port Intel NIC to replace my PCI-X one which run for about £40-£60 on eBay these days.

The final and most pivotal part of the build, the one which could ruin it all is the Leaf Computer JMicron JMB36x based SATA RAID controller. In Windows Server 2012 Essentials, I am re-modelling my storage architecture. This is the primary reason for my move to Windows Server 2012 Essentials so that I can take advantage of Storage Pools and Storage Spaces. After some debate and discussion with @LupoLoopy at work surrounding SATA IOPS and protection levels for data, we both agree my current setup of RAID10 for the data volumes is seriously wasting two of my 2TB disks and I am arguably wasting another two of them on the OS volume. I will be posting in full later to discuss and expose my storage strategy.

Back to the controller though, using my Windows Server 2012 Essentials Hyper-V 3.0 VM, I installed the driver using the Install Legacy Hardware option in Device Manager, and the latest driver version from the JMicron site installed successfully, without warning and still bears the WHQL mark even though it is a Windows Server 2008 R2 driver.

Am I happy? Very. With the exception of possibly the Intel NIC if my hack for the .msi restrictions doesn’t work and I need to buy a new one (although secretly, I would like to replace it with a PCIe one at some stage anyway), all of my hardware looks set and happy for Windows Server 2012 Essentials. So much more to do before I can start any work, but progress is progress after all.

Partners on Exchange in Windows Server 2012 Essentials

Reading some of the comments and views on Windows Server 2012 Essentials this evening, it appears that quite a number of partners aren’t very happy with the lack of Exchange as was previously found in Small Business Server (SBS).

I think this is short-sighted of these partners making these comments. If you are a partner, what makes you more money? New deployments or supporting existing ones? I would hazard a guess that it is the new deployments. SBS made Exchange easy, really easy, which meant that the amount of work to configure Exchange to work was limited. The hardest part was migrating any existing mail systems into Exchange.

Windows Server 2012 Essentials is designed around feature integration with Office 365. This means that you can offer your customers not only Exchange, but also Lync and SharePoint (yes, I know SharePoint was in SBS too, but it wasn’t the greatest of configurations). What’s more, how available and accessible is a single SBS server verses Office 365? Yep, Office 365 is better. So by giving your customers Windows Server 2012 Essentials and Office 365, are they not getting a better product, giving them more functionality and most likely a better customer experience, translated into happier customers?

All this, leaves you as a partner more time to focus on upsell, selling the customer more, varied products or trying to break into new customers or verticals and spending less time answering to menial support incidents, and lest not forget that moving to Office 365 isn’t a walk in the park by itself. If a customer is currently using SBS then their existing messaging environment will likely need to be updated to support some kind of temporary co-existence while users are migrated, and all of this is professional services work, work that frequently carries a big price tag and has high margins on it.

The moral of this story is that cloud is happening and I think that those partners who embrace it will succeed. Those who oppose it will likely find themselves losing work to people who do embrace it and for me personally, what sounds better as a job title? Systems Implementation Engineer or Cloud Solutions Integrator or Cloud Solutions Architect?

Azure Backup for Windows Server 2012 Essentials

Last night, I posted saying that I think Microsoft had missed a trick in not taking advantage of the Windows Azure Cloud Backup features in Windows Server 2012 Essentials, and today it looks like I must eat a slice of humble pie.

After some reading on the subject this evening, it appears that Microsoft are actually incorporating it, but not natively. To access the feature, you need to install a plugin. A blog post on the Small Business Server TechNet Blog details the installation steps to get the plugin installed and working (http://blogs.technet.com/b/sbs/archive/2012/09/18/windows-azure-online-backup-and-windows-server-2012-essentials.aspx).

Users of Windows Server 2012 Essentials can get a free six month trial for the service, however information on pricing is hard to find and understand: There is nothing on the trial signup page which offers an insight into what you will pay beyond the trial? Using the extremely complicated (and for good reason due to its capability and scale) Azure Pricing Calculator gives you a hint as to what you will pay but I think Microsoft need to provide some confirmation around the storage options.

Storage is offered in two different flavours: Geo Redundant and Local Redundant with the former seeing your data replicated throughout the Azure global infrastructure and the latter seeing your data only being replicated within your geographic region, but I can’t seem to find anything that states whether either option is valid for the backup service, or if you must use a particular option? Geo Redundant storage is £7.58 per month for 100GB, while Local Redundant is £5.64 per month for 100GB to give it some context.

The two storage types will have implications on your views on the United States and their laws such as the Patriot Act. If you are precious about your data (you should be) and don’t want these authorities to be able to view it under law without your consent which is essentially what the Patriot Act boils down to, then you may want to consider against the Geo Redundant option as after all, Local Redundant still gives you way more availability than your single on-site server. The region that your data is stored in is determined by the country you select during registration, so make sure you set it correctly.

Compare the above prices to those of one of the most popular Windows Home Server cloud backup solutions, Cloudberry and Azure directly looks good. For the same 100GB of storage, you will pay $9.30 a month for Amazon S3 or $12 a month for Google Cloud Storage, plus a $29.99 license cost for the Cloudberry product.

The thing to be conscious of, is this small catch: retrieving the data. Azure provides free unlimited inbound (upload) traffic so you pay nothing to upload your backups, but download is priced per gigabyte per billing cycle. If your server was to fail and you need to pull down your 100GB of data back to the server once it is recovered, then in a single billing period then you will pay £6.55 for 95GB (the first 5GB is free), but the key to remember is that this is a one time cost if and when the server fails. This price also will vary based on your geography. The price I’ve shown is for US and European egress data. If you like in another location, then the price is £10.37 instead, so bear this in mind.

Looking at this as a home user and not an SMB, I think paying £5.64 a month is a very small price to pay for piece of mind that all of my family pictures and important documents can be protected to a much higher degree than I can do at home with a Mirror Storage Space and an external USB or eSATA disk on-site backing up the server. From the perspective of an SMB then your data is your business so only you can value what your data is worth, but I would guess a lot. If you are an SMB without the luxury of a full time IT professional or a well managed agreement with a Microsoft Partner for supporting your environment, then I would guess that this service could one day prove invaluable.

Windows Server 2012 Essentials Storage Spaces Vs. RAID

In Windows Server 2012 Essentials as with the whole Windows 6.2 kernel family, Storage Spaces and Storage Pools re-invent the concept of Drive Extender from Windows Home Server v1. With several options for resiliency in Storage Pools, I thought I would touch on what bang you will get for your buck with each protection level and compare it to physical RAID levels.

For all the examples, I will be using 2 500GB disks unless the example requires more such as RAID 5 or 10 where I will use the minimum number required to achieve the set. If you are using 1TB, 2TB or greater sized disks, then simply multiply the figures here to work out your gains.

RAID 0 (Stripe – No Resiliency in Disks, Two Disks Required)
1TB Raw / 1TB Usable

RAID 1 (Mirror – Single Disk Resiliency, Two Disks Required)
1TB Raw / 500GB Usable

RAID 5 (Stripe with Parity – Single Disk Resiliency, Three Disks Required)
1.5TB Raw / 1TB Usable

RAID 10 (Mirror of Stripes – One Disk in Either Stripe or Both Disks in One Strip May Fail, Four Disks Required)
2TB Raw / 1TB Usable

Storage Space Simple (Equivalent to RAID 0 – No Resiliency in Disks, One Disk Required)
500GB Raw / 500GB Usable

Storage Space Two Way Mirror (Equivalent to RAID 1 – Single Disk Resiliency, Two Disks Required)
1TB Raw / 500GB Usable

Storage Space Three Way Mirror (Equivalent to RAID 1 with a 2nd Mirror – Two Disk Resiliency, Three Disks Required)
1.5TB Raw / 500GB Usable

Storage Space Parity (Equivalent to RAID 5 – One Disk Resiliency, Three Disks Required)
1.5TB Raw / 1TB Usable

The thing to be clear on Storage Pools and Storage Spaces over traditional RAID is that RAID consumes the entire disk, obscuring it to the physical operating system and limits you to the capacity of the underlying disk subsystem. This makes adding new disk to an existing RAID set and extending it’s capacity challenging unless you are using RAID 5 whereby you can simply add disk and extend capacity. Storage Pools and Storage Spaces are different in that the Pool amalgamates the capacity of the underlying disks together, then pools overlay the disks to provide the availability. This allows you to do clever things like use three disks in a single Pool to provide both a Two Way Mirror to provide protection to read/write files such as documents and a Parity to provide protection to read only workloads such as video or music files, maximising the yield from your disk investment. With RAID, so achieve these separate protection levels, you would need five disk instead of three.

I think the only challenge with Storage Pools and Storage Spaces is going to be to calculate the capacity requirements and optimising the use of the disks: In my scenario I have 6 2TB disks and trying to decide what levels to protect the different content types at and whether to split each workload type into a dedicated Storage Space or whether to Pool Spaces between workloads is interesting as I want to make sure that my content is protected as effectively as I need it, but at the same time, as a consumer, I can’t afford to blow £150-£200 on new disks all the time so I need to maximise my investments.

The core advantage of Storage Pools and Storage Spaces for me over RAID is that it does allow you to fine-grain control your disks making the most out of them, thin-provisioning (over provisioning as it actually should be called) allows me to design the disks for future expansion ahead of time and it allows me to add disks and expand pools (online) without complicated RAID array configurations, changes and scary thoughts of migrating RAID levels (if you have a controller which supports such a thing).

I’ll be doing another post in the coming days on my options for Storage Pools and Storage Spaces, and where I am leaning and why.

Windows Server 2012 Essentials Initial Admin Thoughts

I spend my days working with Windows Servers and more increasingly Windows Server 2012. Whilst I may not know everything there is to know (and who does after all), I like to think I know quite a bit on the subject and therefore my understanding of what’s good and proper is generally sound. Once the installation of Windows Server 2012 Essentials completed I was drilling through some of the back-end interfaces to dig up parts of how it worked and was strung together and these are my opinions based on those views as an administrator.

Active Directory Domain Services (ADDS)

As we know, Windows Server 2012 Essentials unlike Windows Home Server 2011 creates a domain. It does this with the greatest of ease for the end-user driving the install, but with ease, you lack control, evident here.

The domain is created with a Windows Server 2012 Domain and Forest Functional Level which is good, however the Active Directory Recycle Bin feature, added in Windows Server 2008 R2 ADDS is disabled which I think it should be to help people out who accidently delete users or computer accounts.

The domain is created with a .local domain suffix which for me is not nice as they can end up causing you problems depending on what you are trying to do with the domain environment. If you read some of the literature for Office 365 they don’t support federation using ADFS with .local domains.

The case sensitivity of the installer has big implications on the domain name created. I personally like to see a lowercase domain name (FQDN) with an uppercase Pre-Windows 2000 domain name (NetBIOS) but the installer uses the same name for both. From my previous post on installing Windows Server 2012 Essentials, whatever you type in the Internal Domain Name text field will be used for both, so be careful with that. You can change the Pre-Windows 2000 domain name using Active Directory Users and Computer (ADUC) or the PowerShell Cmdlets, but whether this will have implications for the Dashboard and other Essentials functionality is not clear without testing.

When new users and computers are added/connected to the domain using the dashboard and the client computer connector software, the new objects are placed in the Users and Computers containers respectively. I tried using redirusr and redircmp to move the new object creation to an OU, but this didn’t work and everything still hits the containers. Manually moving the objects later seems to cause no issues, but I think it’s very bad that the installer doesn’t at least create initial OUs for these objects as objects in containers can’t be linked to GPOs.

In Active Directory Sites and Services, no IP Subnets are configured to link to the site and the site is left with the standard name of Default-First-Site-Name. I don’t see any problems in renaming this and adding the subnets.

DNS

The DNS role is installed as a requirement for ADDS. The installation is basic, very basic. One Forward Lookup Zone is created for the DNS domain name specified in the installer, but no Reverse Lookup Zone. No Forwarders are configured so all recursive lookups will be hitting the Root Hints servers unless you are configuring the Essentials server to use the ISP router as its DNS server, which brings the next point, linked to DHCP. Clients will be receiving DHCP leases normally from a self-bought or an ISP router which will be configuring the clients with itself as the sole DNS server.

Unless the connecter client does something very nasty like configure a static DNS server on the NIC in use for the Essentials server, how will it be able to resolve DNS records on the server as it will be relying on the records from the router?

Lastly on DNS is that Scavenging is disabled, so if you do use DHCP and have your clients leasing addresses directly from the Essentials server (which I would recommend) then the stale records won’t get cleaned up.

Certificate Authority (CA)

The installer configures an Enterprise Root CA on the server which is an online root and issuing CA in this instance. Anyone who knows PKI knows that an online root CA is bad news. I know it’s the only option as you can’t expect people to drop two servers, one to remain powered off for it’s life as an offline root CA, but doesn’t stop it from being horrid.

The most annoying thing here is the name that the CA is given. [DomainName]-[ServerName]-CA. This is totally unfriendly and looks ghastly in any of your certificates. The CA isn’t configured to grant the account you specify as the administrator account during the installer as a KRA or a DRA so hope that nobody in your house or office tries to be clever and EFS encrypt their documents before losing the private key to open them.

Network Access Protection (NAP)

This role is installed to assign policy for the VPN and Remote Web Access. The administrative console for it is not installed to keep your blind to its configuration, but you can easily install this using Server Manager by adding the RSAT Feature for NAP.

Remote Desktop Services (RDS) Gateway

This component is used for the Remote Web Access. As with NAP, the console is not installed to keep you in the dark, but you can again install this using Server Manager by adding that RSAT Feature for RDS Gateway Tools.

Oddbox

Other random bits and pieces I noticed whilst poking around where as follows:

  • Memory Usage for the base install is 1.4GB and CPU Usage while idle was 4% on my Hyper-V 3.0 VM from my Core i3 desktop PC. It will be interesting to see how my physical AMD E-350 Zacate Home Server processor handles it or how the processor in the HP Microserver would fare?
  • No Group Policy Objects are configured aside from the two default domain policies. Do not rename either of the default policies as options in the Dashboard update the configuration of the policies and if the dashboard is looking for them based on name and not GUID, then you will hit problems.
  • The Server Backup feature  within the dashboard relies on a dedicated and assigned local disk. There is no option for making use of Windows Azure Cloud Backup which is now supported in the Windows Server 2012 iteration of Windows Server Backup. I think Microsoft are missing a trick here as there are other 3rd parties already cashing in on the cloud backup market a la Windows Home Server 2011, such as Cloudberry.
  • Deleting any of the default server shares such as Recorded TV or Company (if you aren’t a company and you aren’t using Media Center for Live TV Archiving to the Essentials Server) for example causes warnings of missing folders in the Dashboard and causes Critical status alerts in the alert panel. There is a workaround for this courtesy of  Philip Churchill at http://www.mswhs.com/2012/09/remove-default-shares-in-ws2012-essentials/.

Windows Server 2012 Essentials Installation Screenshots

I took an hour out today to do an installation of Windows Server 2012 Essentials inside a Hyper-V 3.0 VM so that I could familiarise myself with it a little before I consider porting my existing Windows Home Server 2011 install over. I’m not a Windows Server 2012 virgin as I’ve been working with it for a while in my capacity at work so I was primarily interested in the experiences of the Essentials edition compared with the Standard and Datacenter editions for enterprise.

Before you begin anything, it’s worth checking the system requirements at http://technet.microsoft.com/en-us/library/jj200132.aspx. The biggest point here is a minimum of a 160GB disk for the operating system installation which can be partitioned into a 60GB operating system volume and a 100GB data volume. This is a bummer for some people who may have taken the decision to run their OS on SSD as one of the most common sized SSD drives around and at an affordable price is a 128GB drive. I think Microsoft should have lowered the disk requirement to cater for this 128GB SSD market, but that’s just my opinion as the majority of people will likely be using 1TB or greater disks in their builds to get the storage capacity and density.

After being asked the usual language questions and if you want to modify the disk partition layout, the installation is complete pretty quick as is with new Windows releases and the Essentials Setup Wizard commences.

After the updating and preparing your server phase, the server will reboot twice. One of these will almost certainly be to bring online the Active Directory Domain Services role, but the other I’m not sure what causes that? The quick observers among you will also notice that very briefly, the server logs on automatically as the Administrator account, displaying the Modern UI Start Menu, before once again, the Essentials Setup Wizard resumes. Once complete, you will see a final screen of the wizard, hopefully with a nice green tick stating that the installation is complete and the server is ready to be used. The URL for connecting clients and the usernames you specified are confirmed here too.

It’s worth pointing out that at the phase where you are asked to provide a username, you cannot use the username Administrator. It appears that Windows Server 2012 Essentials keeps this one up it’s sleeve for it’s own use and you aren’t told the password for it at any stage. Once the installation completed, I took a quick dive through all of the screens in the Windows Server 2012 Essentials Dashboard to see what options are available and configured as default. These are all shown in the image gallery below.