Life after….

On August 4, 2019, in news, by susan

Also posted here: https://www.askwoody.com/2019/patch-lady-life-beyond/

Look for more posts here and on askwoody.com regarding choices and decisions.

Life beyond Small Business Server

This is a community post about the options and opportunities you have when moving clients from Small Business Server 2011 to newer Microsoft-based solutions. This is a post authored by the community, not by Microsoft, and thus the solutions and recommendations put forth in this post do not represent the official opinion of Microsoft. Instead, consider that this is guidance from the Small Business Server Community to the Small Business Server Community.

As you probably know by now, Windows Server 2008 R2 and Exchange 2010, two key foundational products of Small Business Server 2011, reach their respective end of support milestones in 2020. In fact, Windows Server 2008 R2 reaches end of support in January of 2020. If you have not already moved your clients to other platforms, you should now do so urgently. It is the time to reach out to your clients to discuss their options.

To the business decision maker – if you are reading this and your business is still on Small Business Server 2011, now is the time to review your choices and reach out to consultants who can help you in the transition to a supported platform.

What does end of support mean?

In January of 2020, Windows 7 and Windows Server 2008 R2 will no longer receive security updates without having an expensive Enterprise support contract. This places businesses at risk for security issues, for lack of support from line of business software vendors, and to upcoming points in time where software that is purchased cannot be installed on the servers and workstations that are present in the office. It places the business at risk of non-existence. If a firm cannot afford to upgrade to a supported technology, it’s a sign that the firm may be at risk and may not be a going concern. A firm’s owners are putting their businesses at risk if they choose to stay on unsupported, unpatched, and increasingly insecure platforms. Further, ongoing investment in business technology is required to stay current in today’s technological landscape. Finally, if a business chooses to stay on unsupported platforms, that business risks being out of compliance with industry standards and regulations such as HIPAA, Sarbanes-Oxley, and SAS-70. Discuss these issues with your client.

Making decisions

There are three key elements in most Small Business Server 2011 deployments: email, file sharing and remote access to the users’ desktops. All of these can be kept to an on-premises style of deployment solution. Alternately, a business can look to new methodologies such as online email or online file storage to solve their particular needs. But first you need to evaluate what solutions the business is using, what line of business applications are needed in day-to-day operations, and look to how these line of business applications are moving and changing – this may impact the decisions made.

For example, take a traditional accounting application. One can migrate an on-premises accounting application to an online-only accounting application without a major loss of key functions and features. You will first need to determine if the businesses are using stock (out of the box) applications or if they have customized the application. Often, businesses that have customized their accounting application have stronger and more specific needs. You may need to reach out to the application vendor to gain a better understanding of the requirements and the future plans for the application and the platforms on which they are based. Sometimes, decisions may not be based on the needs of the business, but on the perceived risks of a given platform. There are business owners who refuse to move to “the cloud”. Other business owners are happy to move computing resources out of their office to allow “someone else” to worry about maintaining those resources.

“The cloud” is constantly in the news. Some major company had a breach here and another major company had a breach there. These things are going to happen. But realistically, they also happen in on-premises environments. And comparatively, it’s far more likely that Microsoft will do a better job with their multi-factor authentication solution and their Office 365 Advanced Threat Protection solution than you can afford to provision into your on-premises environment. Thus, the business owner can afford to use – in the cloud – solutions that they could not afford in an on-premises environment.

Taking control of DNS

Regardless of the technologies chosen by a company for moving forward, a key component that supports all of these technologies is DNS – Domain Name Services. This is such a simple phrase, short but obtuse. However, DNS is truly one of the foundational support technologies which underlie the internet. At its core, DNS has a trivial job – take a name, such as www.microsoft.com – and turn it into an IP address (at my location for just a few minutes that IP address is 23.49.13.56). But DNS has been enhanced to control so much more than that. Now, to verify your domain to Office 365, you add a DNS record. To verify your domain to Google, you add a DNS record. To set up SPF or DMARC or DKIM – you need to add DNS records.

Without direct control of DNS, the business owner or consultant is often required to open tickets with an ISP or with a web hosting company, and this complicates everyone’s job. Certain DNS changes can take 24 to 48 hours to propagate over the internet, so timely application of changes can be critical.

If you are a business owner, your DNS needs to be in either your hands, or that of a trusted and competent partner. If you are a consultant, you need to be that competent partner.

If you do not know who control DNS for a given domain, you can use mxtoolbox.com or several other tools available on the internet to review who might hold the domain records. Don’t be surprised to see that it may be your website designer! From there, you will probably want to make a plan to move DNS control to somewhere you can use a web-based console to make all necessary changes. It is likely, whether today or next month, you will need to add CNAME, A, TXT, or other records to your DNS.

 

  • Real world recommendation: Consultants have had good luck with the vendor Enom and it’s recommended to start the transfer to enom using these instructions.
  • If you plan to use Azure IAAS, you may want to consider the benefits of Azure DNS services.       You can purchase a domain name through Godaddy via Azure web services and then be able to control the DNS you need for IAAS in the Azure portal.

Server 2016 Essentials versus Server 2019 Essentials versus Server 2016 versus Server 2019.

In determining what options you have in recommending server solutions, there are some differences you need to keep in mind that make choosing the right foundation key for your clients. The first thing to realize is that Server 2016 Essentials and Server 2019 Essentials are two different products with two different focuses. Server 2016 Essentials provides built in client backup for workstations, remote access to workstations, but does not give you good options to connect to the various Azure and Office 365 offerings. You cannot install Azure AD Connect on a Server 2016 Essentials.   Server 2019 Essentials does not have the Azure AD Connect limitation and in fact it’s fully supported to install Azure AD connect on it. It provides for the ability to link and hook into all supported Azure functions, whereas Essentials 2016 primarily functions to link into Office 365. However, it does not have a built in backup solution for client PCs, nor does it provide remote web access to workstations in the network. Thusly it’s important to understand the differences so you can choose the version that will provide you the options you need for your client.

As stock of Windows Server Essentials 2016 starts to be depleted from distributor and OEM inventory, you will still be able to exercise downgrade rights from Windows Server Essentials 2019, but in order to do this the customer must already have the media and product key for the earlier version. These downgrade rights do apply to OEM product, contrary to what many commonly believe to be true. What’s important to note if you do continue to exercise this downgrade right in the future is that this is a product that was released in late 2016, so it is already almost two and half years into its mainstream support period.

Businesses that rely on on-premises solutions may also be able to store files on a non-Windows based network attached storage device. You will need to check with your client’s vendors as to what they will support for file storage. Many vendors are changing to support not only non-Microsoft NAS solutions but also cloud storage in light of all of the technology changes. It’s important to note that you will want to ensure that the solution you recommend or deploy supports user and group based permissions, and that these are synchronized automatically with the cloud solutions you choose to use alongside it. If password synchronization is not possible, then a network deployment of a password manager program like LastPass teams may be an option.

Windows Server 2016 provides the ability to install the Essentials role which has the same limitations as Server 2016 Essentials: that is, Azure AD connect cannot be installed on it. It does provide Remote Web Access, but in order to be licensed for it, you will need to purchase Remote Desktop cals. Note this requirement is only needed when Essentials is installed as a role, not when it installed from the SKU.

Windows Server 2019 does not provide the ability to install Essentials role, and thus normal solutions should be recommended when using Standard Server 2019 including the use of RDgateway to provide a means for remote access to desktops using Remote Desktop. This solution will need Remote Desktop cals as well to properly license the ability for remote computers to use Remote Desktop to access their desktops remotely.

Now comes the meat of this blog post. Once you’ve decided your plan of action, here are the resources you’ll need to look at to propose your migration plans:

Migrating from Small Business Server 2011 to on premises platforms

If your client determines that they want to stay with all on premises solutions and they want to stay with on premises mail server options, they can then either choose to go with Windows Server Standard 2016 and Exchange 2016, or Windows server 2019 with Exchange server 2019. I would recommend moving away from physical hardware solutions to virtualization based solution whereby you will deploy a Windows Server 2016 or Windows Server 2019 as the host and then set up your virtua al servers underneath the HyperV host. This will provide you with more flexibility and growth in the future.

First move the Exchange and mailboxes to your new Exchange solution. You will need to determine to choose Exchange 2016 or 2019. For Exchange 2010 to Exchange 2016, it’s a single hop migration as it’s supported to go from Exchange 2010 to 2016. If you plan to migrate to Exchange 2019, you will need to either do a two hop migration (first to Exchange 2013 or 2016 and then to Exchange 2019) or to use a third party solution to migrate the data directly without the hop.

Microsoft support documentation exists to migrate from Exchange 2010 to Exchange 2016 which provides the overall guidance, but you may also want to review community guidance in the following blog posts:

Real world migration recommendations:

 

To migrate the domain controller functions from Small Business Server 2011 to Windows server 2016 or Server 2019 I would recommend following this excellent advice on Robert Pearman’s blog on migration.

To provide your clients with remote access to their workstations, there are several options you can recommend. Firstly you can deploy a VPN solution either from the server or from the edge firewall and deploy VPN to the remote workstations. The clients can then enable VPN and then launch remote desktop to gain access to their workstations. Alternatively you can install the RDgateway role on the Server and then use the advanced settings of the RDP app to gain access to desktops remotely. For more resources on Windows Server, you can visit the Server TechCommunity.

  • Real world migration support and advance:       Please note that if you are looking for more support and direct migration advice for the entire project, Mariette Knap has a site that sells migration documentation and support. Also Amy Babinchak’s remote support firm of www.thirdtier.net can provide you with guidance and support during a migration process.       Both of these solutions are not free, and are not endorsed by Microsoft, but mentioned here as additional resources should the need arise.

Migrating from Small Business Server 2011 to a mixture of on premises and cloud solutions

In our next recommended solution, you separate out the migration of email and the file server. The first step to do is to determine where, and what level of email you want to provide to your customer. As a consultant, you’ll want to reach out to your distributor and review their Microsoft CSP (Cloud Service Provider) options.

I personally would recommend either choosing Office 365 plus Office 365 (Advanced Threat Protection (ATP), or choose Microsoft 365 Business. Microsoft 365 Business in particular includes both on premises versions of Office desktop software, as well as Exchange online and advanced phishing protection.

In order to migrate email to Microsoft 365 Business, there are several ways to migrate email. You can use a cutover method to migrate from Exchange 2010 to Office 365. Alternatively you can move the email using a third party tool (examples include Bittitan or Skykick) to migrate.

  • Real world recommendation: Don’t overlook the need for backups once you migrate to Office 365. Some vendors such as Veeam provide lower priced or free versions for low number of users using Office 365.

Once you have migrated email from the SBS server to Office 365 you can once again follow this excellent advice on Robert Pearman’s blog on migration to move the domain controller and file server functions to a supported platform.

You can also add two factor authentication to on premises deployments of Remote Desktop Deployments using Azure Active Directory. You must have Azure ADC and a 365 subscription that includes Azure AD. The two factor method has to be application based or using a voice callback to better protect the Remote Desktop implementation.

  • Real world tip: Robert Crane has several courses and resources that you can purchase that will jump start your journey to online options for your clients. If you need guidance for licensing issues with Office 365, I recommend reviewing Alex Fields guides.

Migrating from Small Business Server 2011 to all cloud

Depending on your clients’ needs they may be able to move more of their assets to online. But don’t just look at their existing servers and think they are candidates for Azure virtual machines as often that’s not the most efficient way to move to the cloud. Instead look at how their line of business applications are moving to alternative platforms. For example, rather than upgrading to the latest version of desktop Quickbooks review instead online QuickBooks. The advantages include being able to share the Quickbooks with their accountant easier and more securely as well less issues with multi-use.

Then also question if the client truly needs active directory infrastructure. Many firms are moving to workgroup and away from Active directory. Instead of using group policy, instead they are using Intune or their Anti-Virus/Management console to deploy registry entries to control workstations rather than group policy settings. Many of the group policy settings can be moved to registry entries.

Microsoft 365 Business provides SharePoint which is used by many firms as a file repository. You will need to review the needs and line of business requirements in order to determine the best sort of file storage. Many vendors now support cloud only file repositories as well as traditional file sharing technologies. Azure Active Directory can also be used with Conditional Access to ensure that the firms information and computer assets are not accessed by anyone not authorized to do so.

  • Real world tip: At this time it’s recommended to implement Microsoft 365 Business and Azure Active Directory P1 (one license only) in order to enable conditional access for the Administrator account. Then once the customer sees the value in conditional access, you can add more options. This provides both Office 365 Advanced Threat Protection for the email phishing risks but also enables protection from risky sign in locations on the admin account.

Upcoming Microsoft releases include Virtual Desktop which will allow for hosted desktops on Azure (in preview at this time, not yet released).

The road ahead

Bottom line there are many ways and options to move needs, roles and solutions to various cloud technologies. If you are looking for more resources, there are various venues and Partner resources. To learn more about Azure there are various learning spaces you can review. There are also various twitter accounts and blog sites to keep an eye on to help you identify and create new solutions. Here are some recommended sites and twitter accounts to follow:

Yammer group for SMB insider
Yammer group for Modern workplace technology
Microsoft 365 Tech Community

 

SpiceWorks Office 365
SpiceWorks Windows Server
SpiceWorks for SBS/Essentials
Experts Exchange
Microsoft 365 roadmap
Microsoft Learn
Pluralsight
CIAOPS Patron Program

Microsoft 365 What’s new alert – Make sure you set delivery via email in Message Center in the Admin portal

https://www.itpromentor.com/
https://blog.ciaops.com/

https://twitter.com/intunedin?lang=en
https://twitter.com/pndrw?lang=en
https://twitter.com/rharbridge
https://twitter.com/pcollingemsft
https://twitter.com/mealiffe?lang=en
https://twitter.com/gregtaylor_msft
https://twitter.com/vanvfields
https://twitter.com/docsmsft
https://twitter.com/12Knocksinna
https://twitter.com/Microsoft365
https://twitter.com/MSIntune
https://twitter.com/MSFTMobility
https://twitter.com/Office365
https://twitter.com/Microsoft365
https://twitter.com/msft365status?lang=en
https://twitter.com/directorcia?lang=en

 

It’s time to totally reevaluate your solutions and no longer install a solution that may be overkill for their needs. The old way of installing a Small Business Server whether it was a good fit or not, isn’t a good thing for your clients. Take the time now to discuss options and solutions with your client. Rest assured, you aren’t alone in your journey. Many more have already made the transition and are now seeing the benefits of ensuring their clients are supported in their software journey in the future.

 

Leave a Reply

Your email address will not be published. Required fields are marked *