Longneck Consulting

Over the past 8 months or so I have been doing a bit of work with Microsoft Online’s Business Productivity Online Services or BPOS offering.  For those not familiar with it, it is essentially a hosted Microsoft Exchange, Microsoft Sharepoint, Microsoft Office Communications Server and Microsoft Live Meeting solution that customers can buy on a per user basis for either $10usd or $16.95AUD per month.

For small businesses, this means that all the normal maintenance and support tasks like backup and patching are taken care of, and all they need to worry about is setting up user accounts, managing passwords and keeping their internet connection up.

The piece that is overlooked though is the basic need for file and print sharing that most offices have. Sure, hosted sharepoint provides some great collaboration features, but doesn’t quite cut it when it comes to things like roaming user profiles, home folders, or even redirected folders.

To leverage that, what you ideally want is a Windows Server box that will give you Active Directory and then group policy, file and printer sharing.

Some will argue that depending on the size of the business, a simple NAS box will suffice for this, and if all you are dealing with is a few pcs that need to share files, then this may indeed be the case. Historically Microsoft’s focus for the small to medium business (SMB) market has been Windows Small Business Server.  Depending on the version, this solution comprises a single server that runs a version of Windows Server with Microsoft Exchange and Sharepoint installed that are then wrapped up in a simplified installation and management experience.  For many though, the thought of looking after their own Exchange and Sharepoint instances was not a welcome one, especially if something went wrong.  This then lead to some avoiding the product all together and instead opting for simpler Network Attach Storage (NAS) solutions. The downside to these though becomes security, administration and recovery, of both the NAS box itself as well as the workstations on the network.

For those clients of mine who have wanted to go down the NAS path, I have always been a strong advocate of Windows Home Server (WHS) . WHS first appeared about 4 four years ago and is designed to be run as a headless server (i.e. you manage it remotely without a locally attached monitor, keyboard or mouse). Hewlett Packard has been one of the highest profile OEMs to jump on the WHS bandwagon with their MediaSmart range of servers.  The MediaSmart servers are a great solution that can take upto 4 internal 3.5” SATA drives as well as a number of external drives. WHS then allows for the creation of user accounts which can then be used to assign permissions to folders. It is configured automatically with a number of standard shared folders and also allows for the creation of additional shared folders.(This means that the business owner can prevent the office junior from accessing the core sensitive documents for the organization.) WHS also provides web based remote access to both the server and the workstations on the network, as well as files on the server. The bit that then makes it even more compelling for me though is the backup feature. Using WHS you can backup all the workstations, as well as the server itself, automatically, and then if required, perform bare metal restores with nothing more than a boot cd and about 5 mouse clicks.

The downside to WHS though is that it is aimed squarely at the home or small home office market.  So that means you can support a maximum of 10 clients, it doesn’t like being joined to a domain, and it can’t be a DC either.

Therefore, if you want to do BPOS, have less than 10 workstations, and don’t want to use Group Policy to manage your workstations, it’s ideal.

But what if you do have more than 10 workstations, or you do want to use group policy and Active Directory? What then?

Well that is where the new version of WHS enters the fray.  Currently in a public beta, the new version will be offered as two products.  The traditional offering, codenamed “Vail” and the new business orientated version named “Aurora”.  Both editions are built on the Windows Server 2008 R2 operating system and through the use of the desktop experience feature provide a Windows 7 look & feel.  The advantage of Aurora for this scenario though is that it supports 25 users and runs Active Directory.  What this means is that SMBs will have the ability to manage all their workstations centrally, leverage folder redirection, roaming profiles, and of course group policy. What you also get is the great backup and recovery functionality that WHS is known for.

After doing some recovery testing with Aurora this week, I am looking forward to this product getting out the door.  I have a number of customers who are running SBS 2003 today on some older ML 110 & ML 115 hardware and that I have already migrated across to Windows 7 and BPOS.  Aurora will provide these customers with the advantages of Windows Server 2008 R2s 64 bit performance and improved network stack, whilst also simplifying the recovery procedures for both the server and all the workstations in the environment.

Office 2010 recently hit the RTM milestone and is now available for download via a couple of different channels.  For admins looking at deploying it, one of the biggest changes they will see relates to license keys & activation.  For previous office deployments, enterprises would establish a volume license agreement with Microsoft and then they would receive a volume license key (VLK).  They would then download a volume license (VL) edition of office, create a custom answer file, using the custom installation wizard or the Office customization tool depending on the version, run the setup with the answer file and be done.

For Office 2010 the process changes a little. The good news is that if you have deployed Vista or Windows 7, your pretty much set as Office now uses Volume Activation 2.0.  For those who haven’t though, a little time will need to be spent preparing your environments for Volume Activation.

KMS & MAK

The first question that needs to be answered is whether you will be using KMS or a MAK key. First let’s translate the acronyms into real words. KMS stands for Key Management Service while MAK stands for Multiple Activation Key. Now what’s the difference? MAK is like the traditional VLK, the difference being that the MAK still requires an initial activation that can be done over the internet, over the phone, or by using the Volume Activation Management Tool. The alternative is to use a KMS key.  The KMS key can be thought of a little like DHCP.  Activation clients discover a KMS host and get a license that is good for 180 days.  After 7 days the client will check back in with server and get it’s lease renewed.  If the client can’t contact the KMS host after 180 days then it falls back into an unlicensed state and the user will be notified that they need to activate their copy of office.

The decision on KMS vs MAK is going to hinge on a couple of factors.

1. Network connectivity – KMS requires that a client is able to contact the KMS host once every 180 days over TCP port 1688 (the port can be changed).
2. Activation limits – KMS requires a minimum of 5 clients to contact the KMS host before activation is successful.

The rule of thumb is generally if you have less than 50 machines to activate, go for MAK, more than 50 then go for KMS.

KMS Setup

If you decide to go down the KMS path then you will need decide what sort of machine will act as your KMS host.  The recommendation is that if you already have a KMS host deployed, then you should deploy the office KMS onto the same machine. This however raises a new concern.  The supported platforms for the office KMS host are

• Windows Server 2003 or with any service packs
• Volume license editions of Windows 7
• Windows Server 2008 R2

You may notice that there are a couple of omissions from that list, primarily Windows Server 2008 or Windows Vista.  The deployment guide specifically states that neither of them are supported, irrespective of the service pack deployed.  So this may force some organisations to either transition their existing KMS to a new machine, or alternatively deploy a new KMS host.  The reality of this though is that it is a fairly minor process.

1. Download the Office 2010 KMS Host License Pack
2. Run the executable to install the KMS host server
3. Enter your KMS license key and activate over the internet
4. enable a firewall exception for TCP 1688

And your good to go.  Well you are provided that your machine has internet access and your DNS supports SRV records and dynamic updates.

If your machine doesn’t have internet access you will need to activate the key over the phone, so to do that

1. open a command prompt and run the following command to get your installation ID (the guid is the activation ID for Office 2010)

   cscript slmgr.vbs /dti bfe7a195-4f8f-4f0b-a622-cf13c7d16864 

2. Then run this command to get the phone number for your region
   

   slui.exe 4 

3. Choose the option to activate your KMS key and enter the installation ID you got in Step 1. You will now get your 48 digit activation code, so it’s probably a good idea to write it down.  Also don’t make the mistake of using the installation ID you see in step 2.  It’s the windows installation ID and won’t help.
4. To finish the process, return to the command prompt and enter the command below, replacing ############ with the activation code you got in step 3
   

   cscript slmgr.vbs /atp ############ bfe7a195-4f8f-4f0b-a622-cf13c7d16864

The other component I mentioned above was DNS. KMS clients can discover KMS hosts in one of two ways.

1. Check for registry keys (here is the source)

   • SKU-specific value in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSoftwareProtectionPlatformAppIDSKUIDKeyManagementServiceName REG_SZ registry value

   • AppID-specific value in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSoftwareProtectionPlatformAppIDKeyManagementServiceName REG_SZ registry value

   • Global value in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSoftwareProtectionPlatformKeyManagementServiceName REG_SZ registry value

   • SKU-specific cached KMS host (This is the cached identity of the host used in the last successful KMS activation.)

2. DNS SRV records and specifically an SRV record in the format of _VLMCS._TCP.contoso.com where contoso.com is the domain to which the client belongs.

If you only have a single KMS host in your environment and DNS that supports dynamic updates, then you are done.  If you have multiple DNS domains or multiple KMS hosts then there are a couple of extra steps you need to be aware of.

• Multiple KMS Hosts – Only the first KMS will successfully register as the SRV record will be owned by that server, so you need to create a new security group and add all the KMS hosts to that group, then change the permissions on the SRV record so that the group has permissions to modify the SRV record
• Multiple DNS domains – By default the KMS host will only register an SRV record in the domain to which it belongs, so you need to create a multi string registry value name DnsDomainPublishList under the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSoftwareProtectionPlatform key then restart the Software Licensing Service to get it to create the SRV records.  If you then look in the Application event log you should see an event ID 12294 indicating that the records have been successfully created. (for more details on this look here)

MAK Setup

MAK setup is really a bit of a misnomer as there is not much in the way of infrastructure required for MAK activation.

The simplest method of using MAK activation is to manually install office, enter the key then manually activate.

Obviously this won’t scale too well, so the next option is to create a custom install. To do this create a deployment share (i.e. copy the install CD to a network location) and then run the office customisation tool by running setup.exe /admin and then entering the MAK key on the licensing screen under the Enter another product key section (by default office 2010 is configured to look for a KMS server).

You would then install office and when it is opened for the first time, the timer for the activation grace period is started.  The user will then get 25 days before they are prompted to activate their copy of office.

This is a screenshot of what a user will see (have a look at this blog post by Ted Way from the office engineering team to get more on this process).

For MAK activation, there are three options, activate via the internet, over the phone, or through proxy activation. Unlike KMS which requires a one time activation per KMS host, MAK activation requires that each and every copy of office connect to the Microsoft activation servers.  Each MAK key has a specific number of activations associated with it.  If there is a significant change to the hardware on the machine, then Office will need to be reactivated. When the client reactivates, then this will also decrement the activations available for that key.

For the activation methods, internet & phone are both self explanatory, proxy is not quite.  Proxy activation refers to the use of the Volume Activation Management Tool or VAMT. The VAMT is used to query a machine, via WMI, for its unique ID (Client Machine ID or CMID) and the machine that is running the VAMT is then used to contact the Microsoft activation servers on behalf of the client.  This means that you can have machines that are located on an isolated subnet, but still activate them.  Using the VAMT you can also export the list of CMIDs to a file which can then be activated on another machine.

Volume activation tools

Office 2010 also includes a couple of new tools that can be used to manage activation on a client machine.

OSPPREARM.EXE

OSPREARM.EXE is used to rearm an office installation prior to imaging a machine for deployment.  Rearming is effectively the process of resetting the timer that office activation uses to work out when the grace period has expired and to notify the user.  If you don’t rearm your office installation prior to imaging, the first time a user opens office on an imaged machine, they will receive an activation notification.

OSPP.VBS

OSPP.VBS is the Office Software Protection Platform script and is the office equivalent of SLMGR.VBS of the Windows Software Licensing Management Tool.  Running this script from an elevated command prompt gives you the ability to do a whole bunch of things, the big ones being

• activate office
• show activation status & keys
• install or remove activation keys
• manage KMS host settings

So that’s the basics of Office 2010 volume activation. To get the full story check out these links

• Plan for volume activation of Office 2010
• Office Activation overview poster
• Deployment guide for Office 2010 download
• Volume Activation 2.0 for Windows Vista and Windows Server 2008  

This post may seem a little backward to some, given the newer alternatives such as Powershell or even vbscript, but the past couple of weeks have seen me playing a with script that has turned out to be pretty useful and I figured I would share.

The origins of this story then, I have a small customer who runs SBS 2003 premium in the office. Occasionally they would give me a call and complain that they couldn’t access the internet and that the server was offline.  They would then look at the console and it would be alive and they would be able to login without issue. I would get them to have a look at the services and they would report that the firewall service was not running.  They would then start it manually, then it would run like a champ and they would be happy.

The logs weren’t showing any major errors and the fact that once the service was started it all ran fine, we went with the easy option of creating a script that would check to see if the service was running, and if it wasn’t then to start it up.

Like any scripting solution, this could have been done a number of ways.  The simplest being to create a script that starts the service irrespective of its current state and then schedule to run at regular intervals.  To do this, you would open notepad, then type in the following

net start fwsrv

save that as a file named fw.cmd then schedule it using the AT.EXE command to run once at 11pm day by using this command

at 23:00 /every:M,T,W,Th,F "c:fw.cmd"

As a solution, this works, but it could be described as being a little base in its approach.  It works well for a single service, but if the service is already running, then there is not much point in trying to start it again.  So what if we could check the status of the service, and then if it is running, we’ll leave it be, but if its not, then we can start it? The first thing we need to do then is check the state of the current service, and as we’re trying to script this, opening the services console is not an option, we need something that will work from a command prompt and give us an output. This is where SC.EXE helps (that link is for the Windows Server 2008 version of the tool, so if you are using an earlier OS, be aware that the tool has evolved so check the help for the OS you are on).

To query the status of the firewall service, you run the command

sc query fwsrv

The problem with the output of this command is that the data we’re interested in, is on the 3rd line down, so we need a way to isolate that line so we can process it.  For this we can use the FINDSTR.EXE command.  In this instance, we need to find something unique on the line so we can query for it.  In this example I used STATE. So the next command we need is

findstr /i "state"

The /i switch is used to ignore the case of the word we are looking for.  I could have searched for “STATE” and not used the /i switch, it is just a habit that I have gotten into.

The next step then is to make a decision based on the state of the service. To do this, I use the FOR.EXE command.  If you have a look at the link, it can be a little daunting and it may not be immediately obvious as to how it is useful in this situation as the primary examples look at stepping through a file, so I’ll save time and show you the command and its output.

for /f "tokens=3" %i in ('sc query FWSRV ^|findstr "STATE"') do echo %i

The entry as displayed executes a command (‘sc query FWSRV ^|findstr "STATE"’) then looks for the third object in the output /f "tokens=3" and then assigns it as a variable named %i. In the example I have then used the ECHO command to see the value.

It is worth noting a couple of points regarding the format of the SC command within the brackets (‘sc query FWSRV ^|findstr "STATE"’).

1. The entire string needs to be placed within single quotes. If you don’t you’ll receive an error stating that “The system cannot find the file sc.”
2. The caret ^ is required before the pipe | or you will receive an error stating that “| was unexpected at this time.”

This now gives us a way of getting the numerical value of the current state of the service.  Having a value for the service means that we can then use an IF statement to make a decision on whether or not to start the service. From the output of the SC query above, we can see that a value of 4 means that the service is running (here is a link to a list of the seven possible values). What we need though is a way to pass the numerical value of the service state to the IF command, and for this, we can use an environment variable.  The command then now looks like this

for /f "tokens=3" %i in ('sc query FWSRV ^|findstr "STATE"') do set FW=%i

Putting all the pieces together then we end up with a script that looks like this.

:Query
for /f "tokens=3" %%i in ('sc query FWSRV ^|findstr "STATE"') do set FW=%%i
if (%FW%) EQU (4) goto :END else goto :start 

:start
net start fwsrv
goto :query 

:end 

As you can see, there are couple of formatting tweaks that are required to use the commands within a batch file. 

1. I added a couple of labels (:Query :start :end) to the script to support the use of the GOTO command.  The logic behind this is to provide a means to confirm that the service has started successfully and then to provide a means to jump out of the script.
2. The use of the double percantage (%%) is required when using a % within a script.

With the script complete, the next step then is set it up as a schedule task. I could use the AT command I showed you above, but in this instance I decided I would kick off the script once every two hours, so for this I used the scheduled tasks command line tool SCHTASKS.EXE.  The reason for using SCHTASKS.exe is that it offers more flexibility than AT.exe.

schtasks /create /SC HOURLY /MO 2 /TN CHECKFW /TR c:scriptsfwqry.cmd /ST 12:00

In this example, I saved the script as a file named c:scriptsfwqry.cmd and scheduled it to run once every 2 hours.

And that is it.  A script which will check once every two hours to see if a single service is running, and if its not, send a start command to the service.

But what if there is more than one service? This provides a great example of how you can take an existing script and with a little work, rework it for a new task.

For this scenario, I had a virtual machine setup that was running Office Communications Server 2007 R2 for a lab environment.  The vm in question was running as a standard edition server, and as such, had about 10 individual services that needed to be running in order for the server to operate correctly. In this instance, all the services have a prefix of RTC so this time the SC command is a little different

sc query state= inactive |findstr /i "RTC"

The command this time looks for all services that have a state of inactive (ie not running) and then we parse the output looking for the names of the services that start with RTC (e.g. RTCSRV).

When this is then rolled into the script, it looks like this

:Query
for /f "tokens=2" %%i in ('sc query state^= inactive ^|findstr /i "RTC"') do set SVC=%%i
Echo %FW%
if (%SVC%) == () goto :END else goto :start

:start
net start %FW%
SET FW=
goto query

:end

Like before, we need to modify the formatting to get it to work within a batch file

1. percent symbols (%%) need to be doubled
2. equal (=) and pipe (|) symbols need a caret (^) as a prefix so they are handled correctly.

The next step then is to check that a value has been set for the SVC environment variable.  If it is empty, then we know there are no stopped services with a prefix of RTC and we end the script, if it has a value we then send a start command to the service, reset the environment variable, and then re-run the query to look for stopped services with RTC as a prefix.

So there you have it, a couple of basic scripts that can be used to manage scripts within your environment.

This year will see the release of the new version of Communications Server, and no, that is not a typo, Office is being dropped from the product name.

So far this year we have seen the VoiceCon key note where Microsoft Corporate VP Gurdeep Singh Pall from the Unified Communications group announced Communications Server 14. 

As part of VoiceCon conference there was a RFP that was put out to the major PBX venders, Microsoft participated in this and subsequently their solution was chosen from amongst the various solutions as it was both the cheapest and it met all the requirements.

From there they rolled into Techdays and François Doremieux presented two sessions on Communications Server 14.  The first provided an overview of the wave 14 release, the second focused specifically on the voice capabilities in wave 14.

Microsoft have always relied on the partner ecosystem to provide the hardware required for its UC solutions and Wave 14 is no different.  Audiocodes ran a webinar early this year which discussed their new offerings that will work with wave 14. Dialogic, Ferrari electronic AG, HP and NET have also made announcements regarding their support for the new Survivable Branch Appliances which are basically an enhanced gateway that provide a local SIP registrar for clients as well as a fall back to the local PSTN in the event that the WAN link fails.

Wave 14 is also seeing a number of new end point devices appearing. Aastra, Polycom have already announced their devices with Audiocodes also getting on board with a solution that works in with their Mediant gateways.

There are a number of other partner announcements that can be found on the Microsoft Communications Server page relating to new accounting, call recording and contact (call) centre solutions as well.

For me, these announcements are exciting.  I’m going to be heading to Seattle shortly for the partner airlift for Communications Server 14, so am looking forward to getting my hands on the new code and learning more about the new features and sharing as much as the NDA allows.

http://www.microsoft.com/communicationsserver/en/us/

Thanks to Microsoft Australia’s Johann Kruse for bringing this to my attention.

Microsoft has released  KB article 982021 which details the supportability of Office Communications Server 2007 R2 on Windows Server 2008 R2.

The basics are

1. No group chat on Windows Server 2008 R2 servers or in Windows Server 2008 R2 domains or forests. (expect a hotfix in April to support GC client & admin in a R2 forest)
2. OCS 2007 R2 can only be freshly installed on a freshly installed 2008 R2 server – upgrading an existing 2008 server to R2 is not supported.

Of course, there is lots more to the article and there are detailed instructions on the hotfixes required as well as the minimum file versions so go check it out for the full  details.