September 2012 - Posts

So how do we license that thing?

So how do we LICENSE that HyperV replica?

Good question.... that everyone seems to be tap dancing around and not answering.

For the children, it appears that you do not need to purchase two licenses -- but I'm going to bet that you will need cold server rights in order to make this legal. 

http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/1dd6e719-7693-4a41-bed7-f2e415a91943

"According to Microsoft licensing policy you can do failover with Hyper-V replica so you don't need to buy TWO licenses for VM for primary and secondary site. But you cannot run both of them @ the same time. "

Now how do you license the HyperV parents?  You can use the non-GUI HyperV core.  But I'll be dead honest and say that even with an annoying Metro interface with swipes and charms, I'm just still way more comfy with a GUI.  Now my question is.... could you as a partner buy Server 2012 standard for your clients, install what you want to, and then, to get a full GUI on the parent, buy a Server 2012 license via SPLA and SPLA license the replicating parent?

And I really hate it when the answer in the forum flagged as an answer is "call Microsoft licensing".  Gahhh... can't this be stated in black and white in a document please?

http://www.aidanfinn.com/?p=11419 and I'm going to disagree with the really good blogger Aidan Finn in this case where he says "One of the cheapest around and great for the SMB is replication by System Center Data Protection Manager 2010." I don't think it's cheap enough for the SMB space I'm thinking of.

Posted by THE OFFICIAL BLOG OF THE SBS DIVA

Want to know how to set up replica?

Check out Boon's post:
How to set up Hyper-V Replica for Small Businesses | PowerBiz Solutions:
http://blog.powerbiz.net.au/hyperv/how-to-set-up-hyper-v-replica-for-small-businesses/

Getting a bit of a wired connection where there was none

Amazon.com: Western Digital WD Livewire Powerline AV Network Kit: Electronics:
http://www.amazon.com/Western-Digital-Livewire-Powerline-Network/dp/B003VWY0VY
Western Digital WD Livewire Powerline AV Network Kit Review - Watch CNET's Video Review#!:
http://reviews.cnet.com/bridges/western-digital-wd-livewire/4505-3304_7-34161837.html#!

So I have my cable modem installed upstairs and wanted a wired connection downstairs.  While there is an ethernet jack on the back of the Motorola digital set top box downstairs, it's not a live ethernet connection.

So I ordered a Western Digital WD Livewire and voila, my problem is solved.  I now have a wired connection downstairs that connects to a computer so I can watch streaming computer stuff on the TV.

 


Connecting Win8 to SBS 2008 after the install of the latest update rollup

A couple of tips to get Windows 8 to connect to the server using the connect wizard.

1.  Don't use the Metro browser to connect computers to the server; use the traditional old-fashioned IE 10.

2.  You'll need to enable .NET 3.5 to get it to work.

3.  Go into Programs and Features and click on the .NET 3.5 button.

4.  Make sure your Win8 has an internet connection as it has to download .NET 3.5.

5.  Add connect as a trusted site (seems to work better that way).

It should now see the Win8 as a connect-able machine (this is on SBS 2008 where it offers up the "Vista" page on connect).  You'll see Launcher.exe be offered up.

Hit the UAC prompt

And you should be on your way...


EMET part three - doing the startup script

http://technet.microsoft.com/en-us/library/cc779329(v=WS.10).aspx

Following this... we build a startup script so our EMET settings take effect.

Group Policy object/Computer Configuration/Policies/Windows Settings/Scripts (Startup/Shutdown)

Pick Startup

  1. In the details pane, double-click Startup.
  2. In the Startup Properties dialog box, click Add.
  3. In the Add a Script dialog box, do the following:

    • In Script Name, type the path to the script, or click Browse to search for the script file in the Netlogon shared folder on the domain controller.

I just clicked on new text file, wrote this in Notepad and saved the file as EMETstart.bat.

The emet_conf.exe file is in Program Files (x86) on a 64-bit machine; the folder is called EMET (Tech Preview).

Save the file as a .bat file

Browse to our saved script

And the result looks like this

And the group policy script section like that.

Now let's reboot my PC and see if this worked... I have it set to just apply to my workstation at this point in time.
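
An added example, not the author's original EMETstart.bat: a startup script that checks EMET is installed and that the policy key exists before running the `EMET_Conf --refresh` and `EMET_Conf --list` commands quoted from the user guide. The log path, the 32-bit fallback folder and the exit codes 2 and 3 are assumptions made for this example.

```bat
@echo off
rem EMETstart.bat - added example of a Group Policy computer startup script.
rem Re-applies the EMET settings that Group Policy wrote to the registry.
setlocal

rem Install folder name as given in the post for the 3.5 Tech Preview.
rem Assumption: on 32-bit Windows the same folder sits under %ProgramFiles%.
set "EMETDIR=%ProgramFiles%\EMET (Tech Preview)"
if defined ProgramFiles(x86) set "EMETDIR=%ProgramFiles(x86)%\EMET (Tech Preview)"
set "EMETCONF=%EMETDIR%\EMET_Conf.exe"

rem Assumption: log location chosen for this example.
set "LOG=%SystemRoot%\Temp\EMETstart.log"
rem Registry location named in the EMET user guide for policy settings.
set "POLKEY=HKLM\SOFTWARE\Policies\Microsoft\EMET"

>>"%LOG%" echo ---- %DATE% %TIME% %COMPUTERNAME% ----

rem goto is used instead of ( ) blocks because the path contains parentheses.
if not exist "%EMETCONF%" goto notinstalled

rem Group Policy can lag before it writes the EMET key, so record that
rem case and stop rather than refresh blindly.
reg query "%POLKEY%" >nul 2>&1
if errorlevel 1 goto nopolicy

"%EMETCONF%" --refresh >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
rem The exit code is logged as-is; its meaning is not documented on this page.
>>"%LOG%" echo EMET_Conf --refresh finished, exit code %RC%

rem Record the settings now in force so the result can be checked after reboot.
"%EMETCONF%" --list >>"%LOG%" 2>&1
exit /b %RC%

:notinstalled
>>"%LOG%" echo EMET_Conf.exe not found in "%EMETDIR%" - EMET is not installed here.
exit /b 2

:nopolicy
>>"%LOG%" echo %POLKEY% not present yet - policy has not reached this machine.
exit /b 3
```

After the reboot, the log shows whether the refresh ran and what `--list` reported on that workstation.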

More good reading here while we're waiting for a reboot -- http://rationallyparanoid.com/articles/microsoft-emet-3.html

Another way to do EMET

If you want another way to deploy EMET sign up for this "mid market" techtarget journal and see how they do it:

Buffer overflow prevention: Add apps to Microsoft EMET with command line configuration:
http://searchmidmarketsecurity.techtarget.com/tip/Buffer-overflow-prevention-Add-apps-to-Microsoft-EMET-with-command-line-configuration

EMET part two - setting up the group policy files

So we've installed EMET on one computer.  We then take the EMET files from the following subdirectory

 

And we place them in the following directory up on our server

The EMET.admx file goes in c:\Windows\PolicyDefinitions folder

The EMET.adml goes in the c:\windows\policydefinitions\en-us

Now we go into Group policy console and find our EMET settings.

Launch group policy management.  Now go to the top of the group policy structure, right mouse click on the domain name and click on "Create a GPO in this domain, and link it here".  Call the GPO EMET so you know what it is.  Click OK.  Right mouse click on EMET that built itself in your group policy listing and click edit.

Drill down under Computer configuration

 

On mine set up at home I specifically added iexplore.exe application to the EMET protection.

System wide I opted into DEP, SEHOP and ASLR

So let's see if we can do likewise via group policy.

The first group policy setting is ASLR

Let's set it to enabled and application opt in

Let's skip over application settings for a moment and hop over to DEP

Let's set that for DEP always on

Let's hop over to SEHOP

Let's set that to application opt out.

Now let's choose the default protection for Internet explorer

Now the next step is you have to deploy the EMET package to all the workstations you want covered by this.

Because it's an MSI download - you can follow this - http://www.advancedinstaller.com/user-guide/tutorial-gpo.html

The final step to enable the settings I just set up is that you have to run the EMET command line tool and type in EMET_Conf --refresh

You can run this command at startup or logon time.

Hmmmm, okay, is there a better way to do that other than a logon script - which I really don't want to do in the Vista and later era?

Hang on for part three of EMET via group policy.

 

Deploying EMET via group policy.

First off, I think we're acting like Chicken Littles a bit.  Once we patch for the latest zero day, there's nothing preventing another one popping up the next day.  On any browser.  On any platform.  So I think we need to step back a bit and think about how we're protecting machines.

Are they still XP?  This one is being targeted to XP machines.

Are they still local admin?

Are we just relying on patching?

How about we investigate this EMET thing they keep talking about.

http://blogs.technet.com/b/srd/archive/2012/09/19/more-information-on-security-advisory-2757760-s-fix-it.aspx

"Using EMET mitigations

We also observed that the Enhanced Mitigation Experience Toolkit offers a good set of additional mitigations for Internet Explorer that can thwart many of the attacks in the wild. Enabling HeapSpray, MandatoryASLR and EAF mitigations for Internet Explorer will make reliable exploitation of this vulnerability more complicated. Users testing EMET 3.5 Tech Preview can use also the new set of mitigations able to break ROP-based exploits, which is also a recommended setting in the current situation."

Firstly we need to install the EMET 3.5 tech preview as that's the one that works to protect in this instance. 

Once we've installed it on one machine - there's an EMET user guide document ... it says "EMET 3.0 comes with group policy support. When you install EMET, EMET.admx and EMET.adml files are also installed to the “Deployment\Group Policy Files” folder. These files can then be copied onto \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US folders respectively. Once this is done, EMET system and application mitigation settings can be configured via Group Policy."

There are three sets of policies that EMET exposes. Below is a description of each. More information can be found at the policy editor for each policy.

1. System Mitigations: Named ASLR, DEP and SEHOP, these policies are used to configure system mitigations. Please note that modifying system mitigation settings may require a reboot to be effective.

2. Default Protection Profiles: There are three: Internet Explorer, Office applications and other popular software. Protection Profiles are pre-configured EMET settings that cover common home and enterprise software. Apply these policies to enable them.

3. Application Settings: This leads to a freeform editor where you can configure any additional applications not part of the default protection profiles. The syntax is application executable name followed by an optional list of mitigations you don’t want to enable. If you don’t specify any mitigation, all seven EMET application mitigations will be enabled.

Once you enable EMET Group Policies, they will be written out to the registry at HKLM\SOFTWARE\Policies\Microsoft\EMET. To make them effective in EMET, you have to run the following command using the EMET Command Line Tool.

EMET_Conf --refresh

Please note that when you apply a Group Policy in Windows, there is often a short delay before Group Policy writes them out to the registry.

You can run this command separately, at startup or at logon time according to your deployment strategy.

To view the Group Policy controlled EMET settings, run the following command using the EMET Command Line Tool.

EMET_Conf --list

There's also a forum - http://social.technet.microsoft.com/Forums/en-US/emet/threads

Okay so the first thing of note -- I still see that you'll need to install this somehow to all of your machines.  All the group policy does is control the settings as I see it.

Hang loose while I figure this out.


Office 365 for SMB Jump Start video recordings released!


 Thanks again for attending the live Jump Start sessions on August 29-30, 2012.
Chris Oakman, Stephen Hall, and Microsoft Learning appreciate your time and focus on Microsoft public cloud offerings. We wish you success on Exam 74-324: Administering Office 365 for Small Businesses.

 

The HD-quality video recordings have been made available for your review—FREE—on the
Microsoft Virtual Academy (MVA).

To access the videos please register, or login, and then select the Office 365 track from the Tracks page.


No, really, the SBS premium add on stops being sold on 12/31/2012

Let me make sure that everyone understands this.  I made no typo on the last post

http://msmvps.com/blogs/bradley/archive/2012/09/13/october-31-2012-is-when-the-pao-is-sold-to.aspx

The premium add on - not the SBS 2011 standard - but the Windows 2008 R2 and SQL 2008 R2 for Small Business bundle - also known as the Premium Add on or PAO - is only sold until December 31, 2012 for OEM, and OCTOBER 31, 2012 for all other channels.

http://go.microsoft.com/fwlink/?Linkid=257790


October 31, 2012 is when the PAO is sold to

If you want PAO - and it's without software assurance you only have until 10/31/2012 to get it:

Okay I must have been asleep again

Q: How long will customers be able to purchase the Windows Small Business Server 2011 Premium
Add-on?
A: The Windows Small Business Server 2011 Premium Add-on will remain available through the OEM channel until
December 31, 2012, and will remain available in all other current channels until October 31, 2012.

We only have until 10/31/2012 -- see the pdf linked in this blog.

http://blogs.technet.com/b/sbs/archive/2012/07/05/windows-small-business-server-essentials-becomes-windows-server-2012-essentials.aspx


I found an RSS feed for Office 365 service health notifications!

Hey!

I found an RSS feed for Office 365 service health notifications!

http://rss.servicehealth.microsoftonline.com/feed/en-US/AA23D93D86BAA98841423D3CEB5FBCA5/pqt52y/7mawu2/71vnc-/r3f9z6/gk1n7d/c8mfak/x9duf_/n-dbvo

Go into your own Office 365 console, down to Service Health and in the top right corner there's an RSS icon.


Ars Technica's article on Windows 2012 Essentials

A server for the rest of us: hands-on with Windows Server 2012 Essentials | Ars Technica:
http://arstechnica.com/information-technology/2012/09/a-server-for-the-rest-of-us-hands-on-with-windows-server-2012-essentials/

1. Server Essentials is intended as a “first server”—and by “first,” I mean “only.” It comes with two installation options, both of which end with the server being the master of its domain.

As a long time "SBS can only have one DC, SBS is the only server" I'm wincing to see this myth start up again with Essentials.

No, you can have additional DCs, additional servers, it can be the root, it does not have to be the ONLY server.   It does have to hold the FSMO roles, it does have to be a domain controller and not a workgroup.  But it does not have to be the "only" server in the domain.

2. Essentials as a hosted server

It has also drawn the interest of several companies looking to provide Server Essentials as a hosted service, according to a Microsoft spokesperson. But it’s unlikely that many will follow through. That’s because, unlike the full version of Server 2012, Server Essentials has no reduced-GUI “Server Core” installation option. (Part of the reason for the full GUI is that Server Essentials uses Windows Terminal Services’ RemoteApp feature to allow remote administration of the server using Server Essentials’ Dashboard.) And you don’t just get the full GUI version of Server when you install Server Essentials—you get the full Windows 8 experience, including the Windows 8 app store.

While you'd prob want a multipoint server to host desktops, this can't be a parent HyperV.  You put full GUI servers UNDER HyperV parents.  So I don't get this bit about how it's unlikely that this server will be hosted because it doesn't have server core.  Dude, it's not the HyperV hosting parent.  It's meant to be the client/child.  And what Win8 app store is he talking about?  I'll have to go look.


TechSoup no longer sells SBS 2011 standard

Ouch.

http://forums.techsoup.org/cs/community/b/tsblog/archive/2012/07/26/microsoft-retires-small-business-server.aspx

    -------------------------------------------

    Microsoft has officially retired its line of Small Business Server
    products. Future versions of Small Business Server Essentials will
    be included in the Windows Server 2012 family of products under a
    new name, Windows Server 2012 Essentials.

    On August 1, 2012, TechSoup will also discontinue all Microsoft
    Small Business Server products from its catalog, except for Small
    Business Server Essentials 2011.

I did not know that.  If I had, I would have blogged that a long time ago.


What's after ISA?

So if you are finally getting around to migrating and you are losing ISA... well I have even more bad news for you.

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

TMG is now dead as well.  And UAG is not SMB friendly.

And Sonicwall has gone to the evil empire of Dell.

So what would I recommend right now?

On my short list is Calyptix (www.calyptix.com ) because of the features and functions it has and the easier config interface.

I'm mad at Harry.

I'm mad at Harry.  Well, I really can't be mad at Harry.  I mean with his wife's accident and all I really feel I can't be mad at him but I want to be mad at him.  I'll explain why.

I'm kinda annoyed at his "pivot or perish" stuff and his "SBS was a crutch" he's been saying lately.

Case in point this article - http://www.itchannelinsight.com/2012/08/small-business-server/

"According to Harry, many solution providers, while they love Small Business Server, it really has served as a crutch to their business. They have depended on it for such a long time and have been riding the SBS wave. Unfortunately, many are now stuck in a predicament of aging SBS servers and no clear migration path, well no clear path unless you just hand your clients over to Microsoft and potentially reduce your margins greatly."

I don't think Consultants are stuck.  I think we have the problem of too many options. 

Option one, jump on that cloud bandwagon, hop on hosted Exchange or online email and blend it with either an on-premise server or a hosted server or a full virtualized infrastructure.

Option two, jump on that terminal server bandwagon and stand up terminal server boxes, or multipoint servers and start deploying thin clients.

Option three, determine that your client still wants a fixed price option and spec out a SBS 2011 standard and migrate and this will keep them sitting pretty for about 4 years.

Option four, determine if Windows 2012 Essentials married with hosted exchange or an on-premise Exchange makes the best fit.

The problem as I see it is not that there's no clear migration path, the problem is that there's tons of migration paths, too many in fact. 

Yesterday's Godaddy incident - either a security one or a failure in hardware - showcases that as we jump on that cloud bandwagon we have to look for our single points of failure we just put ourselves into.  SBS used to get slammed for putting all of our eggs in one basket, Godaddy is that single basket for many of us.  So just as we worried about the single point of failure of SBS, we need to be aware of the single points of failure we might be building in our future deployments. 

The early bird discount for SMBnation's fall Vegas event is coming up fast.  If you want to walk up to Harry, tell him that you want him to give his wife a hug on your behalf, but then tell him - in person - that he's dead wrong  - that you aren't planning to perish, but survive and  thrive in this post SBS world of ours, you don't have too many days yet to get that discount. - http://fall.smbnation.com/

The early bird expires this Friday.

Team Mini Cooper!

When you have friends in lots of places..... you ask them to ship you things you can only buy overseas

Olympic toys from London 2012...which of course... naturally... are Mini Coopers.

Action pack licenses

"With the availability of Windows 8 Professional, Windows 7 Professional is now in grace period. The grace period for Windows 7 Professional will end on August 31, 2013. This 12 month grace period is intended to provide your organization time to upgrade to Windows 8 from Windows 7. During this grace period, the total combined number of Windows 7 and Windows 8 licenses in production may not exceed your total Windows 8 license entitlement granted through the program. If your organization requires Windows 7 licenses after August 2013, the licenses will need to be acquired through the appropriate channel."

https://partner.microsoft.com/download/global/40166509

Of interest - the SQL included in the Action Pack is

Microsoft SQL Server 2012 Business Intelligence

 

And two licenses of Windows Server 2012 Standard.
