Life after….

On August 4, 2019, in news, by susan

Also posted here: https://www.askwoody.com/2019/patch-lady-life-beyond/

Look for more posts here and on askwoody.com regarding choices and decisions.

Life beyond Small Business Server

This is a community post about the options and opportunities you have when moving clients from Small Business Server 2011 to newer Microsoft-based solutions. This is a post authored by the community, not by Microsoft, and thus the solutions and recommendations put forth in this post do not represent the official opinion of Microsoft. Instead, consider that this is guidance from the Small Business Server Community to the Small Business Server Community.

As you probably know by now, Windows Server 2008 R2 and Exchange 2010, two key foundational products of Small Business Server 2011, reach their respective end of support milestones in 2020. In fact, Windows Server 2008 R2 reaches end of support in January of 2020. If you have not already moved your clients to other platforms, you should now do so urgently. It is the time to reach out to your clients to discuss their options.

To the business decision maker – if you are reading this and your business is still on Small Business Server 2011, now is the time to review your choices and reach out to consultants who can help you in the transition to a supported platform.

What does end of support mean?

In January of 2020, Windows 7 and Windows Server 2008 R2 will no longer receive security updates without having an expensive Enterprise support contract. This places businesses at risk for security issues, for lack of support from line of business software vendors, and to upcoming points in time where software that is purchased cannot be installed on the servers and workstations that are present in the office. It places the business at risk of non-existence. If a firm cannot afford to upgrade to a supported technology, it’s a sign that the firm may be at risk and may not be a going concern. A firm’s owners are putting their businesses at risk if they choose to stay on unsupported, unpatched, and increasingly insecure platforms. Further, ongoing investment in business technology is required to stay current in today’s technological landscape. Finally, if a business chooses to stay on unsupported platforms, that business risks being out of compliance with industry standards and regulations such as HIPAA, Sarbanes-Oxley, and SAS-70. Discuss these issues with your client.

Making decisions

There are three key elements in most Small Business Server 2011 deployments: email, file sharing and remote access to the users’ desktops. All of these can be kept to an on-premises style of deployment solution. Alternately, a business can look to new methodologies such as online email or online file storage to solve their particular needs. But first you need to evaluate what solutions the business is using, what line of business applications are needed in day-to-day operations, and look to how these line of business applications are moving and changing – this may impact the decisions made.

For example, take a traditional accounting application. One can migrate an on-premises accounting application to an online-only accounting application without a major loss of key functions and features. You will first need to determine if the businesses are using stock (out of the box) applications or if they have customized the application. Often, businesses that have customized their accounting application have stronger and more specific needs. You may need to reach out to the application vendor to gain a better understanding of the requirements and the future plans for the application and the platforms on which they are based. Sometimes, decisions may not be based on the needs of the business, but on the perceived risks of a given platform. There are business owners who refuse to move to “the cloud”. Other business owners are happy to move computing resources out of their office to allow “someone else” to worry about maintaining those resources.

“The cloud” is constantly in the news. Some major company had a breach here and another major company had a breach there. These things are going to happen. But realistically, they also happen in on-premises environments. And comparatively, it’s far more likely that Microsoft will do a better job with their multi-factor authentication solution and their Office 365 Advanced Threat Protection solution than you can afford to provision into your on-premises environment. Thus, the business owner can afford to use – in the cloud – solutions that they could not afford in an on-premises environment.

Taking control of DNS

Regardless of the technologies chosen by a company for moving forward, a key component that supports all of these technologies is DNS – Domain Name Services. This is such a simple phrase, short but obtuse. However, DNS is truly one of the foundational support technologies which underlie the internet. At its core, DNS has a trivial job – take a name, such as www.microsoft.com – and turn it into an IP address (at my location for just a few minutes that IP address is 23.49.13.56). But DNS has been enhanced to control so much more than that. Now, to verify your domain to Office 365, you add a DNS record. To verify your domain to Google, you add a DNS record. To set up SPF or DMARC or DKIM – you need to add DNS records.

Without direct control of DNS, the business owner or consultant is often required to open tickets with an ISP or with a web hosting company, and this complicates everyone’s job. Certain DNS changes can take 24 to 48 hours to propagate over the internet, so timely application of changes can be critical.

If you are a business owner, your DNS needs to be in either your hands, or that of a trusted and competent partner. If you are a consultant, you need to be that competent partner.

If you do not know who control DNS for a given domain, you can use mxtoolbox.com or several other tools available on the internet to review who might hold the domain records. Don’t be surprised to see that it may be your website designer! From there, you will probably want to make a plan to move DNS control to somewhere you can use a web-based console to make all necessary changes. It is likely, whether today or next month, you will need to add CNAME, A, TXT, or other records to your DNS.

 

  • Real world recommendation: Consultants have had good luck with the vendor Enom and it’s recommended to start the transfer to enom using these instructions.
  • If you plan to use Azure IAAS, you may want to consider the benefits of Azure DNS services.       You can purchase a domain name through Godaddy via Azure web services and then be able to control the DNS you need for IAAS in the Azure portal.

Server 2016 Essentials versus Server 2019 Essentials versus Server 2016 versus Server 2019.

In determining what options you have in recommending server solutions, there are some differences you need to keep in mind that make choosing the right foundation key for your clients. The first thing to realize is that Server 2016 Essentials and Server 2019 Essentials are two different products with two different focuses. Server 2016 Essentials provides built in client backup for workstations, remote access to workstations, but does not give you good options to connect to the various Azure and Office 365 offerings. You cannot install Azure AD Connect on a Server 2016 Essentials.   Server 2019 Essentials does not have the Azure AD Connect limitation and in fact it’s fully supported to install Azure AD connect on it. It provides for the ability to link and hook into all supported Azure functions, whereas Essentials 2016 primarily functions to link into Office 365. However, it does not have a built in backup solution for client PCs, nor does it provide remote web access to workstations in the network. Thusly it’s important to understand the differences so you can choose the version that will provide you the options you need for your client.

As stock of Windows Server Essentials 2016 starts to be depleted from distributor and OEM inventory, you will still be able to exercise downgrade rights from Windows Server Essentials 2019, but in order to do this the customer must already have the media and product key for the earlier version. These downgrade rights do apply to OEM product, contrary to what many commonly believe to be true. What’s important to note if you do continue to exercise this downgrade right in the future is that this is a product that was released in late 2016, so it is already almost two and half years into its mainstream support period.

Businesses that rely on on-premises solutions may also be able to store files on a non-Windows based network attached storage device. You will need to check with your client’s vendors as to what they will support for file storage. Many vendors are changing to support not only non-Microsoft NAS solutions but also cloud storage in light of all of the technology changes. It’s important to note that you will want to ensure that the solution you recommend or deploy supports user and group based permissions, and that these are synchronized automatically with the cloud solutions you choose to use alongside it. If password synchronization is not possible, then a network deployment of a password manager program like LastPass teams may be an option.

Windows Server 2016 provides the ability to install the Essentials role which has the same limitations as Server 2016 Essentials: that is, Azure AD connect cannot be installed on it. It does provide Remote Web Access, but in order to be licensed for it, you will need to purchase Remote Desktop cals. Note this requirement is only needed when Essentials is installed as a role, not when it installed from the SKU.

Windows Server 2019 does not provide the ability to install Essentials role, and thus normal solutions should be recommended when using Standard Server 2019 including the use of RDgateway to provide a means for remote access to desktops using Remote Desktop. This solution will need Remote Desktop cals as well to properly license the ability for remote computers to use Remote Desktop to access their desktops remotely.

Now comes the meat of this blog post. Once you’ve decided your plan of action, here are the resources you’ll need to look at to propose your migration plans:

Migrating from Small Business Server 2011 to on premises platforms

If your client determines that they want to stay with all on premises solutions and they want to stay with on premises mail server options, they can then either choose to go with Windows Server Standard 2016 and Exchange 2016, or Windows server 2019 with Exchange server 2019. I would recommend moving away from physical hardware solutions to virtualization based solution whereby you will deploy a Windows Server 2016 or Windows Server 2019 as the host and then set up your virtua al servers underneath the HyperV host. This will provide you with more flexibility and growth in the future.

First move the Exchange and mailboxes to your new Exchange solution. You will need to determine to choose Exchange 2016 or 2019. For Exchange 2010 to Exchange 2016, it’s a single hop migration as it’s supported to go from Exchange 2010 to 2016. If you plan to migrate to Exchange 2019, you will need to either do a two hop migration (first to Exchange 2013 or 2016 and then to Exchange 2019) or to use a third party solution to migrate the data directly without the hop.

Microsoft support documentation exists to migrate from Exchange 2010 to Exchange 2016 which provides the overall guidance, but you may also want to review community guidance in the following blog posts:

Real world migration recommendations:

 

To migrate the domain controller functions from Small Business Server 2011 to Windows server 2016 or Server 2019 I would recommend following this excellent advice on Robert Pearman’s blog on migration.

To provide your clients with remote access to their workstations, there are several options you can recommend. Firstly you can deploy a VPN solution either from the server or from the edge firewall and deploy VPN to the remote workstations. The clients can then enable VPN and then launch remote desktop to gain access to their workstations. Alternatively you can install the RDgateway role on the Server and then use the advanced settings of the RDP app to gain access to desktops remotely. For more resources on Windows Server, you can visit the Server TechCommunity.

  • Real world migration support and advance:       Please note that if you are looking for more support and direct migration advice for the entire project, Mariette Knap has a site that sells migration documentation and support. Also Amy Babinchak’s remote support firm of www.thirdtier.net can provide you with guidance and support during a migration process.       Both of these solutions are not free, and are not endorsed by Microsoft, but mentioned here as additional resources should the need arise.

Migrating from Small Business Server 2011 to a mixture of on premises and cloud solutions

In our next recommended solution, you separate out the migration of email and the file server. The first step to do is to determine where, and what level of email you want to provide to your customer. As a consultant, you’ll want to reach out to your distributor and review their Microsoft CSP (Cloud Service Provider) options.

I personally would recommend either choosing Office 365 plus Office 365 (Advanced Threat Protection (ATP), or choose Microsoft 365 Business. Microsoft 365 Business in particular includes both on premises versions of Office desktop software, as well as Exchange online and advanced phishing protection.

In order to migrate email to Microsoft 365 Business, there are several ways to migrate email. You can use a cutover method to migrate from Exchange 2010 to Office 365. Alternatively you can move the email using a third party tool (examples include Bittitan or Skykick) to migrate.

  • Real world recommendation: Don’t overlook the need for backups once you migrate to Office 365. Some vendors such as Veeam provide lower priced or free versions for low number of users using Office 365.

Once you have migrated email from the SBS server to Office 365 you can once again follow this excellent advice on Robert Pearman’s blog on migration to move the domain controller and file server functions to a supported platform.

You can also add two factor authentication to on premises deployments of Remote Desktop Deployments using Azure Active Directory. You must have Azure ADC and a 365 subscription that includes Azure AD. The two factor method has to be application based or using a voice callback to better protect the Remote Desktop implementation.

  • Real world tip: Robert Crane has several courses and resources that you can purchase that will jump start your journey to online options for your clients. If you need guidance for licensing issues with Office 365, I recommend reviewing Alex Fields guides.

Migrating from Small Business Server 2011 to all cloud

Depending on your clients’ needs they may be able to move more of their assets to online. But don’t just look at their existing servers and think they are candidates for Azure virtual machines as often that’s not the most efficient way to move to the cloud. Instead look at how their line of business applications are moving to alternative platforms. For example, rather than upgrading to the latest version of desktop Quickbooks review instead online QuickBooks. The advantages include being able to share the Quickbooks with their accountant easier and more securely as well less issues with multi-use.

Then also question if the client truly needs active directory infrastructure. Many firms are moving to workgroup and away from Active directory. Instead of using group policy, instead they are using Intune or their Anti-Virus/Management console to deploy registry entries to control workstations rather than group policy settings. Many of the group policy settings can be moved to registry entries.

Microsoft 365 Business provides SharePoint which is used by many firms as a file repository. You will need to review the needs and line of business requirements in order to determine the best sort of file storage. Many vendors now support cloud only file repositories as well as traditional file sharing technologies. Azure Active Directory can also be used with Conditional Access to ensure that the firms information and computer assets are not accessed by anyone not authorized to do so.

  • Real world tip: At this time it’s recommended to implement Microsoft 365 Business and Azure Active Directory P1 (one license only) in order to enable conditional access for the Administrator account. Then once the customer sees the value in conditional access, you can add more options. This provides both Office 365 Advanced Threat Protection for the email phishing risks but also enables protection from risky sign in locations on the admin account.

Upcoming Microsoft releases include Virtual Desktop which will allow for hosted desktops on Azure (in preview at this time, not yet released).

The road ahead

Bottom line there are many ways and options to move needs, roles and solutions to various cloud technologies. If you are looking for more resources, there are various venues and Partner resources. To learn more about Azure there are various learning spaces you can review. There are also various twitter accounts and blog sites to keep an eye on to help you identify and create new solutions. Here are some recommended sites and twitter accounts to follow:

Yammer group for SMB insider
Yammer group for Modern workplace technology
Microsoft 365 Tech Community

 

SpiceWorks Office 365
SpiceWorks Windows Server
SpiceWorks for SBS/Essentials
Experts Exchange
Microsoft 365 roadmap
Microsoft Learn
Pluralsight
CIAOPS Patron Program

Microsoft 365 What’s new alert – Make sure you set delivery via email in Message Center in the Admin portal

https://www.itpromentor.com/
https://blog.ciaops.com/

https://twitter.com/intunedin?lang=en
https://twitter.com/pndrw?lang=en
https://twitter.com/rharbridge
https://twitter.com/pcollingemsft
https://twitter.com/mealiffe?lang=en
https://twitter.com/gregtaylor_msft
https://twitter.com/vanvfields
https://twitter.com/docsmsft
https://twitter.com/12Knocksinna
https://twitter.com/Microsoft365
https://twitter.com/MSIntune
https://twitter.com/MSFTMobility
https://twitter.com/Office365
https://twitter.com/Microsoft365
https://twitter.com/msft365status?lang=en
https://twitter.com/directorcia?lang=en

 

It’s time to totally reevaluate your solutions and no longer install a solution that may be overkill for their needs. The old way of installing a Small Business Server whether it was a good fit or not, isn’t a good thing for your clients. Take the time now to discuss options and solutions with your client. Rest assured, you aren’t alone in your journey. Many more have already made the transition and are now seeing the benefits of ensuring their clients are supported in their software journey in the future.

 

Got WSUS 3 on SBS 2011?

On March 16, 2019, in sbs2011, by susan

For those of you still using SBS 2011 and still using the WSUS 3.0 SP2 with it… keep reading.

If you want to keep using WSUS 3.0 sp2 on SBS 2011 after June, you will need to install an update that adds SHA-2 support (it’s the digital signature on the patching files) to the server so it can handle these.

https://support.microsoft.com/en-gb/help/4484071/windows-server-update-services-update-kb4484071?fbclid=IwAR2GLiNBmAu92tJ8XKlhADWNudQTGkYVpvgfmc-qJhMiNcA4YvFYtw0eEQ0

This update WILL NOT come down on MU. It is only offered up from the catalog site.

This update has been tested on the SBS 2011 platform and is fully supported on it.

(anyone else that has long since said goodbye to that platform, congrats, one less patch to worry about)

Windows 7 is also in the process of getting updates to support this as well, look for them in the coming months:

https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus?fbclid=IwAR0yFqmw3JJ1EDgXSQEW-KnPDyG5K49fYC6QAWLU_YKwLUqjMYi9awQ4E1A

 

MSPs now targeted in attacks

On February 19, 2019, in Best Practices, by susan

Recently I did an article on CSOOnline about how MSP’s have been targeted lately in attacks in order to gain access to clients.

If you haven’t already done so, make sure you have MFA on your admin accounts as phishing attacks sent to admin accounts is a key way that attackers gain a foothold into systems.

 

Just a reminder…. 1809 is coming out

On October 2, 2018, in Essentials, by susan

And when it gets installed on computers in your 2016/2012R2 Essential networks, remember to reboot several times after the install of 1809.  Don’t try to reinstall the client/uninstall the client or do anything else but reboot.

 

So what’s next?

On September 7, 2018, in news, by susan

By now you’ve probably seen the announcement that for all purposes the Essentials server sku is dead.  The 2019 version is not the same as the 2016 version.

To be crystal clear it does not have remote web access nor client workstation backup.  Thereby getting rid of pretty much the only two reasons that anyone deployed it anymore.

I wanted to make one other thing clear.  The statement was made that

Furthermore, we recently collaborated with the MVP community and other influencers to listen and get a deeper understanding of the transition that our small business customers are going through.

To be clear we asked Microsoft to fix the issues with the Essentials 2016 server.  We asked them to have it support AD connect.  We asked them to allow it to be a workgroup not just demand that small businesses have a domain.  We asked them to still include remote web access in the 2019 version.  We wanted client workstation backup.

The only feedback that was taken was that this new sku fully supports AD connect.  The rest of our suggestions and feedback from the MVP community were certainly not “collaborated” on and in my personal opinion, the resulting Essentials 2019 does not demonstrate an understanding of what small businesses need in this era of transition.  Many of us are not fully cloud based and still need options such as workgroup servers as well as domain controllers as our options.  While yes, we can stand up standard windows server, once upon a time it was acknowledged and embraced that small businesses not only needed packaged solutions, they didn’t have enterprise budgets, nor did they have the ability as large enterprises do to bargain with large companies and negotiate pricing.  We get the manufacturer’s retail price tag, and we often get the Windows 10 releases faster than Enterprises do because we don’t have the Enterprise sku in order to defer such patching cadence.

If your customers rely on remote access you will need to investigate other options such as third party solutions or standing up another server with the RdGateway role.   You can also consider solutions like LogMeIn (not cheap these days), or Splashtop or Screenconnect or other solutions.  If you rely on client workstation backup, you’ll need to look at other solutions such as Macrium reflect to a NAS, Veeam backup to a windows server or other solutions.

Also in my personal opinion it also means that technology is going to be more expensive for small businesses to consume.  It’s all subscription models now and the wizards of old are gone.  Cloud solutions often need multi-factor security in the mix and this isn’t as easy (in my opinion) to deploy as it should be.  That’s probably a good thing for consultants, but it also means that you need to be thinking about what solutions you can be putting together yourself to assist your clients, because the pre-packaged solutions and wizards from Microsoft are no longer available.

As Robert put it….. https://windowsserveressentials.com/2018/09/06/introducing-windows-server-2019-essentials/

With the release of Server 2019 Essentials, the end of an era has been reached. Gone are the wizards and tools designed for the small business owner.

Gone is the Remote Web Access feature.

Gone is the Essentials Connector.

Gone is Client PC Backup.

Gone is Office 365 Integration.

Gone, is the Dashboard.

Gone, indeed, is the Essentials Role.

All that remains of Essentials, is the name Essentials and the licensing limits of the Essentials SKU, of 25 client access licenses.

What we are presented with, is now more in line with Windows foundation server from several years ago.

Tagged with:  

Partner support forums shut down

On August 10, 2018, in Rants, by susan

So I recently logged into the customer support forum venue that is … or rather was… set up for Microsoft partners and saw this:

This Partner Support Community will retire on 30th August 2018

In order to improve the partner community experience, we are streamlining our existing forums to ensure you engage with the most suitable community and to get answers to your questions. From 30th June 2018, members will no longer be able to post questions and content in this Partner Support Community however all the current content will remain accessible until 30th August 2018. After this date, this community will be retired, and partners can go to TechNet for technical product support and to the Microsoft Partner Community for partnership and membership topics.

https://partnersupport.microsoft.com/en-us/par_servplat/forum/par_winserv/this-partner-support-community-will-retire-on-30th/6ecde7bc-6c6d-4d2b-97cc-a318afc03fb9

Lovely.  Fellow partners have indicated some success with the Partner yammer venue.  Others recommend going back to the distributor as they often have better support channels.  What are you using for Microsoft support these days?  (well besides www.thirdtier.net  …)

 

 

Dashboard issues and Essentials

On June 5, 2018, in Essentials, by susan

Just a fyi tracking some side effects with updates and alerts on the dashboard.  As Mark posted in the partner forum here https://partnersupport.microsoft.com/en-us/par_servplat/forum/par_winserv/cannot-ignore-dashboard-alert-on-essentials-2012/8869377d-1fed-4e19-b300-1d9bf38501d7 and posted here:  https://www.mcbsys.com/blog/2018/02/essentials-2012-r2-dashboard-fails-with-net-4-6-and-4-7/  Essentials 2012 R2 fails with .NET 4.6 and 4.7

Peter found that Essentials 2016 doesn’t like the recent Windows server 2016 update:

May 8, 2018—KB4103723 (OS Build 14393.2248)
Content provided by Microsoft
Applies to: Windows 10 Version 1607 Windows Server 2016
https://support.microsoft.com/en-us/help/4103723/windows-10-update-kb4103723

Once he removed that, the issues with clicking to ignore alerts went away.  Obviously keeping updates off machines is not a long term fix, so this is still under investigation.

Tagged with:  

1803 and Essentials follow up

On May 9, 2018, in Essentials, by susan

1803 and issues with Essentials

Follow up to this

  1.  If the multiple reboot trick doesn’t work, try the following:  “Lost the connector altogether on several systems after the 1803 update and subsequent connector re installation attempts failed. Reapplying Windows10.0-KB2790621-x64 on Windows 10 Version 1803 allows the Server Essentials Connector to successfully install.”
  2. The issue with VPN got fixed with the May 8th update for 1803  https://support.microsoft.com/en-us/help/4103721  Addresses an issue that prevents certain VPN apps from working on builds of Windows 10, version 1803. These apps were developed using an SDK version that precedes Windows 10, version 1803, and use the public RasSetEntryProperties API.
 

Tracking another issue – this time only with Server 2016 Essentials.

Impact to Azure integration and Office 365 integration:

Microsoft cloud integration did not succeed.  And the account used is an Admin.

Microsoft alerted, hang loose.

 

1803 and issues with Essentials

On May 2, 2018, in Essentials, by susan

From

https://social.technet.microsoft.com/Forums/en-US/b75d2462-0716-4af7-b763-605c02336412/windows-server-2016-essentials-connector-will-not-install-after-windows-10-1803-upgrade?forum=winservergen

https://social.technet.microsoft.com/Forums/en-US/70b91420-6c5f-496f-b3b6-ec98911e0c54/windows-server-2016-essentials-client-connector-stops-working-with-windows-10-1803?forum=ws16essentials

1. When upgrading/updating Windows, the Connector sometimes loses its connection to the server and needs to have ClientDeploy run to get it reconnected. This happened with the update to 17115.

[Solution:  reboot at least three times and that should reconnect back up]

2. ClientDeploy fails on Windows 10 1803 (certainly on the versions I’ve specifically tested) when Anywhere Access VPN connection is enabled. This is a more major issue, and a potential blocker for people who will want to upgrade to 1803.”

It appears 1803 feature update won’t work if VPN is setup in the server.  No workaround at this time other than to disable VPN and then reenable it.

Hang loose while we get Microsoft to fix.