Cloud should stay up forever, right? Well, no.

Last month there was an outage in the Azure – South Central US region, which, by reports, seemed to have some knock-on effects for other regions.

This was reported at:

In the discussions that followed with our customers, particularly with those currently considering their digital transformation strategies including moves to Office 365 and/or Azure, some expressed varying levels of concern. This prompted some very valuable debate around Adexis and what we feel are some important viewpoints when it comes to digital transformation. Here were some of our thoughts;

Outages happen

Even with the enterprise-grade resources of Microsoft (or Amazon), 100% uptime of any service over a long period of time is not realistic. Between hardware issues, software bugs, scheduled downtime and human error, something, at some point will go wrong – just like in your on-premise environment. With all the buzz around cloud, it can sometimes be easy to forget that this is essentially just an IT environment somewhere else maintained by someone else. Like any IT environment, it is still reliant on humans and physical hardware which will inevitably experience failures of service from time to time.

Control and visibility

When an outage happens on-premise, the local IT team are able to remediate and have as much information as it’s possible to have – and can provide their users with detailed information regarding the restoration of service. Everything is in the hands of the local IT team (or the company to which it has been outsourced).
When an outage happens with Azure, the amount of information the local IT team has is minimal in comparison. Microsoft’s communication during O365/Azure outages varies; however, ETAs and other information are generally vague at best. All control is with Microsoft and all the local IT team can say to staff is “Microsoft are working on it”. While Microsoft may be able to resolve the situation faster than you could on site (or not), the lack of visibility and control can sometimes be daunting. It’s not all doom and gloom though. In situations where the issue would need to be escalated to Microsoft anyway (i.e. premier support), the criticality of an international user-base can often mean a greater focus from Microsoft and inherently a faster resolution than what would be achieved for your single company.

Site resilience

Azure has many features which enable site resilience to protect against a single data centre failure – but sometimes these are not used. This could be down to flawed design of services or simple cost saving. When architecting your environment (or engaging the experts at Adexis to provide these specialist services), it’s important you carefully consider your DR and BCP plans and ensure you have the redundancy built into your environment that matches those requirements. This is not unique to either cloud or on-premise and always must be carefully considered.

Root cause

It’s not uncommon for on-premise service outages to be “fixed” by a reboot. Root cause analysis and effective problem management are nice to have, but not many IT teams have time to complete them.
Microsoft have the resources to perform these functions to great depth and in fact their brand depends on it. A complete root cause analysis feeds back into improvement of their overall operations, which leads to greater consumer confidence and therefore greater penetration into the market. They also literally have access to the source code for the operating systems and many apps, in addition to strong relationships with hardware vendors to be able to get patches/fixes in times that all of us can only dream of.
While Microsoft has been known to hold their cards close to their chest at times in terms of releasing the real root cause of outages, they are definitely invested in resolving those root causes behind the scenes and preventing further outages. This means that the environment remains far more up to date and typically, far more robust than an on-premise environment.

SLA

While Microsoft might suffer reputational damage as the result of an outage, do not expect any form of meaningful compensation.
The financially backed SLA that salespeople spruik is a joke – http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=37
This is the table for many services (but it does vary depending on specific services):

Monthly Uptime %    Service Credit
<99.9%              25%
<99.0%              50%
<95.0%              100%

A 31 day month has 44,640 minutes, 2,232 minutes is 5% of that. So the service would have to be down a whopping 37.2 hours to get back 100% of your fees for that month only, and the compensation is in the form of a service credit off next month’s bill.
How to claim this service credit is detailed on page 5 of the document and basically, the onus is on you to prove that there was an outage and submit the paperwork within 2 months. A separate claim must be created for each service. What this essentially means is it’s usually more effort than it’s worth to log the claim for the service credits.

In Summary

Outages for cloud services must be anticipated, just like outages to on-premise services. The attitude of “It’s in the cloud so it’s not our problem” is simply not realistic and likely to catch you out, unprepared.
If you have vital services that you are considering moving to Azure (or AWS, or anywhere else), rest assured it can be safe to do so, but make sure you allow for site resiliency in your design and costing.

Adexis is neither pro, nor anti cloud. Unlike many other vendors, we have no skin in the game, no incentive to push you in one direction or the other. We are completely independent and can provide you with unbiased specialist advice on what is best for your environment and your business, including the pros and cons of staying on-premise or moving to the cloud for each service.

Every environment is different when it comes to security requirements, IT skillset, hardware availability, CapEx vs OpEx spend and a range of other factors – and these all feed into what is the best solution for your business.

If you’d like to explore your IT strategy further, please be sure to give us a call.

Avoiding a Microsoft Teams Nightmare

Have you ever had the experience of providing users a document management system or SharePoint site only to find that everyone uses it differently, creates folders all over the place in different ways, stores documents differently and after six months’ time it’s so hard to find anything that it defeats the purpose for which it was implemented in the first place? What a nightmare! You’re not alone.

With Microsoft Teams quickly becoming a preferred collaboration tool, you’d be forgiven for having fears of this nightmare becoming a reality all over again. The primary reason for that is there’s no technical ‘silver-bullet’ to prevent this from happening, it’s more of a governance discussion. Notwithstanding, there are some things you can do on a technical level that can help.

There are basically four levels of administration to be considered:

  • Global Settings – There are a number of features and functionality for Teams that can be turned on or off at a global level and these should be risk assessed for each environment. Ideally this should be done before the first Team site is even created.
  • Team creation – Microsoft Teams, while based off Office 365 Groups, will also provision a SharePoint site for each Team. Therefore the decision as to who should be creating Teams is the same as for who should be creating Groups and Sites. One approach that we’ve found works well is to have these functions centrally managed with Teams created on request. There is of course an admin overhead to be considered however. See below;
  • Team Owners – These are the users that really run the individual Teams and will have the best insight as to the value of the Team and how it should be used. Trying to run this centrally is likely to lead to frustration all round so once created, administration should really be handed over to the Team owners. They can then add Team members, assign roles, create Channels and enable Apps etc as they see fit.
  • Team Users – Obvious statement but these are the ones who should be seeing value in Teams collaboration. Paradoxically one way to dilute that is by being in too many Teams. Users shouldn’t be confused about what spaces they should be collaborating in or where to store documents etc. To prevent this, ideally Teams should have clearly defined functions, whether that be organisational, operational or project based collaboration. Confusion arises where these functions overlap between Teams so clear delineation is important. This is another reason centrally managing Team creation can work well. In larger environments implementing practices like naming standards for Teams will also be of value.

Some of the central administration technical considerations are outlined here: https://docs.microsoft.com/en-us/microsoftteams/enable-features-office-365

Melissa Hubbard also provides some useful considerations in her blog post on the topic and while it’s a little while ago now, it’s still a great starter for some of the governance considerations:  https://melihubb.com/2017/07/25/microsoft-teams-governance-planning-guide

If Microsoft Teams is on your agenda for implementation, be sure to reach out to the Adexis team who can assist with design and implementation and help you to provide this wonderful platform to your users to enable communication and efficient collaboration, without the admin headaches.

Welcome aboard Jamie Brooks

We are proud to introduce the newest addition to the Adexis team of senior consultants, Jamie Brooks.

We’ve known for some years of Jamie’s outstanding reputation for quality and technical skill and we are honoured to have him onboard.

Jamie brings to Adexis a new set of talents including expert skills in Microsoft Azure. This is an exciting addition which expands the cloud and hybrid services and solutions we can bring to our clients.

Jamie also brings with him extensive skills in our existing engagements with our customers such as SCCM, AD, Exchange and more.

I would like to thank our customers who continue to support us, making this increase in our team possible.

Welcome aboard Jamie, we are proud to have you onboard and look forward to achieving great things together.

Importing AD powershell module into Windows PE and then using encrypted creds

PowerShell makes life much easier than VBScript… however it does have its downsides… signing policy can sometimes be a bit of a pain and the modules you need have to be available… which is an issue in particular for Windows PE.

Mick (good aussie name there) was nice enough to write a blog on how to import powershell into PE – without having to add it statically to the boot wim – http://mickitblog.blogspot.com.au/2016/04/import-active-directory-module-into.html

As a little shortcut from the blog, you can copy both the x86 and x64 required directories via robocopy rather than determining the version via powershell.

The next step however is the more important one…. a task sequence doesn’t allow us to run a powershell command in PE with credentials, we need a secure way of running the command. In this case, we want to delete a computer object….

Step 1 – Generate a key file (perform on any full OS)

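# UNC path to the key file; single quotes keep the $ in the share name literal
$KeyFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.key'
# 16 random bytes = a 128-bit AES key
$Key = New-Object Byte[] 16
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
# Writes the key as one byte value per line
$Key | Out-File $KeyFile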

Step 2 – Encrypt a password using the key

$PasswordFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.txt'
$KeyFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.key'
# Read the key back (one byte value per line)
$Key = Get-Content $KeyFile
$Password = "Your password here" | ConvertTo-SecureString -AsPlainText -Force
# Encrypt the SecureString with the AES key and save the result
$Password | ConvertFrom-SecureString -Key $Key | Out-File $PasswordFile

Step 3 – Create your script utilising the creds – (Below is the one I use to delete a computer object)

Import-Module ActiveDirectory

# SCCM TS Object
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

# SCCM Variables
$CompName = $tsenv.Value("_SMSTSMachineName")

# Get current path in order to get encrypted password
$MyDir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition)
$User = "Domain\Account"
$PasswordFile = "$MyDir\DeleteComputer.txt"
$KeyFile = "$MyDir\DeleteComputer.key"
$key = Get-Content $KeyFile
# Decrypt the stored password with the key and build the credential object
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $key)

# Remove the computer from AD
Remove-ADComputer -Identity $CompName -server <DC name required> -Credential $MyCredential -confirm:$false

One obvious risk is that this is not very secure. It will stop a random snooper type person from seeing a plain text password… but it will not stop someone who is capable of pressing F8 to get into the running TS (if you have it enabled) and then grabbing the key and txt files and using them. So, take this into consideration when choosing to use (or not use) this in your environment.
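The exposure described above can be audited on a package source share. This is an added example, not code from the original post: it finds files holding key-encrypted SecureString output, reports any AES key file stored beside them, and lists who can read them. Find-PortableSecureString is a hypothetical helper name, and the demo folder and password are constructed.

```powershell
# Added example (not from the original post). Find-PortableSecureString is a
# hypothetical helper name; the demo folder and password are constructed.
function Find-PortableSecureString {
    param([Parameter(Mandatory)][string]$Path)

    # ConvertFrom-SecureString -Key output starts with this prefix; a blob
    # protected with DPAPI (no -Key) starts with 01000000d08c9ddf instead.
    $keyedPrefix = '76492d1116743f0423413b16050a5345'
    $readData    = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($file in Get-ChildItem -Path $Path -File -Recurse) {
        if ($file.Length -gt 64KB) { continue }
        $first = Get-Content -LiteralPath $file.FullName -TotalCount 1
        if (-not $first -or -not $first.StartsWith($keyedPrefix)) { continue }

        # A key saved with "$Key | Out-File" is 16, 24 or 32 lines,
        # each holding one byte value (0-255).
        $keyFiles = foreach ($candidate in Get-ChildItem -LiteralPath $file.DirectoryName -File) {
            if ($candidate.Length -gt 4KB) { continue }
            $lines = @(Get-Content -LiteralPath $candidate.FullName |
                       ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $bad = @($lines | Where-Object { $_ -notmatch '^\d{1,3}$' -or [int]$_ -gt 255 })
            if ($lines.Count -in 16, 24, 32 -and $bad.Count -eq 0) { $candidate.Name }
        }

        # Identities with an Allow ACE that includes read access to the blob
        $readers = (Get-Acl -LiteralPath $file.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.FileSystemRights -band $readData) -ne 0 } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [pscustomobject]@{
            EncryptedFile  = $file.FullName
            KeyFilesBeside = @($keyFiles)
            Exposed        = @($keyFiles).Count -gt 0   # key and blob travel together
            ReadableBy     = @($readers)
        }
    }
}

# --- Constructed demo: build the same layout as Steps 1 and 2 in a temp folder ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ("osd-audit-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    $key = New-Object byte[] 16
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    $key | Out-File (Join-Path $demo 'DeleteComputer.key')
    'constructed-sample-password' | ConvertTo-SecureString -AsPlainText -Force |
        ConvertFrom-SecureString -Key $key |
        Out-File (Join-Path $demo 'DeleteComputer.txt')

    # Expect one result with Exposed = True and DeleteComputer.key listed
    Find-PortableSecureString -Path $demo | Format-List
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

Any result with Exposed set to True means whoever appears in ReadableBy can recover the account password, so the account behind it should hold no rights beyond the one task it performs.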

UEV now included in Windows 10 1607 (and above)

User Experience Virtualization (UEV) used to be part of the MDOP packs… however MDOP’s last update was in 2015… leaving some of us wondering what was happening to the awesome tools contained within.

Given Microsoft’s strong movement towards cloud platforms, it seemed likely that these tools were dead.

Fortunately for UEV, it’s now included in Windows 10 Enterprise as a default service, for versions 1607 and 1703 (and we may be able to assume future releases as well). Some details on the release are here – https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows

Unfortunately, the documentation is somewhat unhelpful.

The UEV documentation is located here – https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2

However, there are a couple of quite important things that anyone deploying this should be aware of:

  • Even though it isn’t stated anywhere in the doco, and seems quite counter-intuitive based on what’s presented in the GPO settings, the default Microsoft included templates do not automatically register on clients. These can be copied to your custom templates path, or you can register them with powershell on each machine as per http://ccmexec.com/2017/02/synchronizing-ie-favorites-with-ue-v-in-windows-1607/
  • The UEV template generator is part of the ADK (1607 or 1703) – however, it does not show up if you try and run the ADK installer on Windows 8.1 or server 2012 R2. I haven’t tried on Windows 10 versions below 1607 or 1703 – but it will show/be installable on those versions.

Happy New Year – 2017 is here!

Wow, is it a new year already?
As we all enjoy the pleasure that is traffic, cubicles, tea-room chats, to-do lists and all things ‘back to work’, I’d like to take this opportunity to thank our customers for their support in 2016 and look back at the year as well as the future for Adexis.

While we continued to deliver outstanding technical services and no-fuss consulting to our customers in 2016, we also did a lot of looking inside, for growth and to prepare ourselves for a big 2017 and beyond. To kickstart these changes, Hayes hired a General Manager. If I haven’t met you yet, hello, I’m Shawn Donaldson. I started my journey with Adexis by meeting with many of our customers to get their feedback and input on Adexis. I was pleasantly surprised and sincerely appreciated the overwhelmingly positive feedback we received. With this in mind we continued to provide the services you’ve come to expect from Adexis. To extend beyond that, we also made some improvements and created some new services and capabilities including;

  • Cloud – We increased our focus on cloud centering primarily around Office 365, Azure and Hybrid-cloud solutions. We invested in training and certifications while increasing the volume of cloud work we performed enabling us to provide outstanding cloud planning, migration, implementation and maintenance services. We created the Cloud Readiness Audit to help customers to understand their environment, its applicability to cloud and the pros and cons of cloud solutions for them.
  • Proactive Services – We created a new portfolio of proactive services to complement the professional services portfolio we’re known for. This includes Managed Services which centres around outsourcing portions of your environment so you can focus on your preferred core functions and Scheduled Services which allows you to maintain your own environment with a Microsoft specialist providing guidance and quality assurance. Together these provide a completely flexible, technical-focussed approach to managing your environment.
  • Partnerships – We recognised a need to help our customers with a greater range of technologies. Understanding the contrasting feedback that our customers come to Adexis for our specialist Microsoft skills we decided not to generalise and diversify, thus diluting our quality of service. Instead, we partnered with outstanding organisations that share the same values of no-fuss consulting led by technical excellence. We first partnered with Hastwell IT, who provide networking procurement, consulting and technical services. We have also partnered with AISH Solutions for hardware and software procurement and Academy IT for Microsoft-focussed training. Together with these vendors we can provide a complete set of technology services with consultants who all specialise in their respective fields and contribute to a cohesive delivery model.
  • Increased Certifications – Understanding the importance of our primary vendor, Microsoft, our team undertook a range of learning tasks and exams to increase our certification including multiple gold partner and Software Assurance Planning Services partner. We also increased our level of collaboration with Microsoft.
  • Our own back yard – We understand that providing quality service comes from a baseline of great people with passion and the right tools and processes to support them. We invested in our internal tools and processes as well as establishing greater collaboration so that we can provide a greater level of service and better quality documentation to you.
  • Digital Presence – We established an improved digital presence so we can hear from you and tell you some of the exciting things that are happening. This included the creation of this blog, our LinkedIn page, our Facebook page and an update to our website with information on some of these exciting new services we’re offering.

So what’s in store for 2017?

Much of the above work in 2016 was preparation work for a great 2017. We’ll use these initiatives as a foundation to continue growth in all of these key areas and we look forward to the increased flexibility, quality and range of services this will enable us to provide our customers in 2017. At the same time we’ll continue to focus on what’s most important; providing a technically competent, no fuss, independent Microsoft infrastructure specialist consulting service that’s genuinely customer focussed.

Our vision is that Adexis will be recognised as a premier provider of IT consulting services in the Australian market and to be seen as a partner of choice by clients, which we hope to achieve by daily practice of our core values;

  • Technical Excellence
  • Honesty
  • Independence
  • Reliable Support
  • No Sales-Speak

Happy new year!
Thank you again for your support and we look forward to working with you in 2017 and beyond!

Windows or Office deployment: it’s Microsoft’s shout

Adexis is known in Adelaide as the number one experts in SCCM and windows deployment. Did you know you can engage an Adexis expert and have Microsoft pick up the tab?

Many customers aren’t aware that they’re entitled to a little golden nugget called Desktop Deployment Planning Services. DDPS is a benefit provided by Microsoft to customers who purchase Software Assurance through their Volume Licensing whereby you can engage qualified partners to provide services for you and Microsoft will put in the dollars. In addition to our SCCM and deployment expertise, Adexis is also a qualified Desktop Deployment Planning Services partner, meaning you can engage under this scheme.
Through this scheme we can help you to plan and/or implement on-premise, cloud-based or hybrid solutions for the deployment of windows and office to your user base utilising products including SCCM, Windows, Office and Office365.

Imagine for example you would like to try out Windows 10 for your users. In order to do that you would need to assess its suitability and compatibility, plan an upgrade of SCCM to 1606 or later, plan the windows deployment and implement both solutions. These are services that Adexis can help you with and can be provided for under Desktop Deployment Planning Services. Perhaps you’ve been thinking about doing an upgrade like this but budget constraints have proven to be a challenge; this is where DDPS comes in.

Microsoft does have some strict guidelines on how these services can be utilised however. For example, they can only be utilised for the improvement of your environment using approved products. So, don’t be thinking “I can get that tricky issue fixed in my SCCM environment”, Microsoft won’t cover that one. Engagements are set up in groups of days and can allocate funds of between $3000 and $15,000.

So, you’ve decided you’d like to utilise your entitlement, how do you go about it?
The first step is to call us and let us know what you have in mind. We can provide some guidance on what is eligible and what would need to be covered by you. You should also check your eligibility with Microsoft by visiting the Volume Licensing Service Centre. You can also download the DDPS Fact Sheet for more information. Once we’ve worked together to come up with a scope of work and an understanding on its eligibility for DDPS, you can assign a voucher to Adexis to start the work. Here’s how;

1. Sign into VLSC.
2. Select Software Assurance from the top menu.
3. Click Planning Services. This will take you to the Manage Software Assurance Benefits page.
4. Click the LicenseID for which you want to manage Planning Services. This will take you to the Benefit Summary page.
5. Select Planning Services.
6. Select the voucher type and service level (length of the engagement in days).
7. Assign the Planning Services voucher to a project manager within your organization by entering their name and email address, and any special instructions.
8. Click Confirm Voucher Assignment.
9. Once the voucher is created, click Assign Voucher. This takes you to a benefit details page confirming voucher information, including voucher status and expiration date.
10. You can then assign this voucher to Adexis by searching for our name or using our Microsoft ID: 1388832
That’s it!
We manage the rest of the paperwork on your behalf and you’re good to go with your engagement.

To find out more or to get started on your engagement under Microsoft Software Assurance Planning Services with Adexis give us a call on (08) 7228 6188 or email us at Contact@Adexis.com.au