Tuesday, March 14, 2017

Making Sense of Office 365 Plans

If you're just starting to look at Office 365 as a solution for your organization, the various plans can be overwhelming and confusing. I'm going to try and boil down all of the Office 365 plan information to just the essentials that allow you to make an informed decision.

This is all based on research done in March 2017, and the prices I include are in Canadian dollars. You should verify that these features and prices are still correct for your scenario before making any decisions. I've included some links at the bottom of this article to Microsoft documentation for you to verify. Microsoft should be keeping that content up to date.

I'm going to focus on Office 365 plans for small business and enterprise. However, whether you are small business, non-profit, enterprise, or education, there are basically three generic Office 365 plans available:
  • Office 365 desktop apps (Word, Excel, Outlook, etc)
  • Cloud services (Exchange, Skype for Business, etc)
  • Office 365 desktop apps and cloud services
Most of the organizations I work with are looking for the cloud services. The initial driver most of them have is replacing an older installation of Exchange Server. At the same time, they can evaluate whether including Office 365 desktop apps is appropriate. I do not have any customers subscribing to only the Office 365 desktop apps.

The Office 365 plans for small business (300 user max) are:
  • Office 365 Business (desktop apps)
  • Office 365 Business Essentials (cloud services)
  • Office 365 Business Premium (Business + Business Essentials)
The Office 365 plans for enterprise (unlimited users) are:
  • Office 365 ProPlus (desktop apps)
  • Office 365 Enterprise E1 (cloud services)
  • Office 365 Enterprise E3 (ProPlus + E1 + a few cloud features)
  • Office 365 Enterprise E5 (E3 + cloud telephony)
It is possible to continue using your existing OEM, retail, or volume licensed edition of Microsoft Office with Office 365 cloud services. So, if you recently purchased 100 volume licenses of Office 2016, that is not a lost investment. You can use those licenses until you are ready to upgrade to a newer edition of Office and then evaluate whether you prefer to purchase new volume licenses for Microsoft Office or change your Office 365 licensing to include the desktop apps.

Office 365 Desktop Apps

The Office 365 desktop apps are similar to the Microsoft Office Suite that you can buy retail, OEM, or through volume licensing. The biggest difference you'll notice is that these apps are streamed to desktops from Office 365 rather than a traditional installation (however it looks the same from a user perspective). This means that they are automatically updated outside of the Windows Update process. This should make the apps more secure because they will be updated faster than most organizations typically deploy updates. However, you do lose control over the update process and this may be a concern in organizations with specialized plugins.

The licensing for the Office 365 desktop apps is per named user rather than per computer. Each user can have up to five instances of the Office 365 desktop apps on devices. This allows a single user to put the Office 365 desktop apps on a work computer, a work laptop and a home computer. However, this does not mean that an organization with 20 users and 20 computers should purchase just 4 user licenses and install the Office 365 desktop apps 5 times per license. You need to license the Office 365 desktop apps for each user.

Licensing for Office 365 desktop apps is verified by signing in to Office 365. On each computer with the Office 365 desktop apps, you need to sign in to Office 365 at least every thirty days to verify that the license is still valid. This is a concern only in scenarios where a mobile computer would not have Internet access for more than 30 days.

Office 365 Business and Office 365 ProPlus contain the same apps:
  • Outlook
  • Word
  • Excel
  • PowerPoint
  • OneNote
  • Access
However, there are minor differences in app functionality. The following features are available only in Office 365 ProPlus and are not available in Office 365 Business:
  • Outlook:
    • Information Rights Management (IRM)
    • Data Loss Prevention (DLP)
  • Access:
    • Database Compare
  • Excel:
    • Spreadsheet Compare
    • Spreadsheet Inquire
    • Power Map
    • Power Pivot
    • Power Query
    • Power View
  • Support for Group Policy-based configuration
  • Support for Office add-ins, ActiveX, and browser helper objects (BHO)
  • Roaming settings
For a complete comparison of features, see Office Applications Service Description.

Note that some older documentation may reference that:
  • "Access is not included in Office 365 Business." Update: Access is included with Office 365 Business starting in November 2016.
  • "Outlook in Office 365 Business cannot access Exchange in-place archives." Update: The current version of Outlook in Office 365 Business can access in-place archives (also referred to as archive mailboxes). See Outlook license requirements for Exchange features.

Office 365 Plans with Cloud Services

Most cloud services in the small business and enterprise plans are the same. All of the small business and enterprise plans include the following:
  • Mailbox and calendar
  • Office Online apps - web-based versions of Word, Excel, and PowerPoint
  • OneDrive - personal file storage
  • SharePoint Online - shared file storage
  • Skype for Business - teleconferencing and instant messaging
  • Active Directory integration - synchronizes Active Directory users into Office 365
  • Yammer - Group discussions
The Office Online apps are very useful for performing quick edits to documents stored in OneDrive or viewing email attachments. In most cases, users prefer to continue using standard Microsoft Office desktop apps. However, in a very cost conscious organization, with limited needs, the online Office apps may be sufficient.

The graphic below summarizes some of the similarities and differences between the small business and enterprise plans:

Some differences to highlight are:
  • The small business plans are limited to 300 users. However, you can have a mix of small business and enterprise licenses in a single Office 365 tenant.
  • The small business and E1 plans have 50 GB mailboxes with 50 GB archives. The E3 plan has a 100 GB mailbox with unlimited archives. For small business and E1 plans, you can purchase an Archiving add-on for unlimited archiving.
  • Only the E3 plan supports litigation hold and data loss prevention for email.
  • The small business and E1 plans have 1 TB of OneDrive storage per user. The E3 plan has 5 TB of OneDrive storage per user.
  • SharePoint Online has 1 TB of storage per Office 365 tenant and then 500 MB additional storage per licensed user. Storage consumed by Office 365 Teams comes out of this pool.
  • All plans include Skype for Business, but only enterprise plans can add unified communications.
  • Only enterprise plans have meeting broadcast that allows presentations to thousands of users.
  • Only the E3 plan supports Azure Rights Management to encrypt and secure files.

Useful Links

The following are some of the links I found useful:

Thursday, March 9, 2017

Exchange 2010 SP3 Hub Transport Upgrade Error

Ran into a new issue yesterday related to installing Exchange 2010 SP3. I was called in to help when the initial upgrade attempt failed. The error during SP3 installation was:
An unexpected error occured while modifying the forms authentication settings for path /LM/W3SVC/1. The error returned was 5506.
A screenshot of the error is below:

Doing a search didn't come up with much, but it did give this:
That link seemed to indicate that it could be related to the SSL binding on the default web site in IIS. Taking a look at the SSL binding, it seemed to be missing the certificate assignment. However, when I tried to add the certificate I got a strange error about the session being closed.

Ok then, since you won't let me add the SSL certificate to the binding by using IIS Manager, let's try with Exchange Admin Console. When I assigned the IIS service to the certificate in EAC, it all looked fine. I also took this moment to review the certificate and verify that the SAN names were correct. I also noted that it did indicate that there was a private key for the certificate.

After this the binding worked because we could access the https://servername/owa URL, but it returned a 503 error. However, rather than attempting to fix that error, we tried the SP3 install again. Since a service pack upgrade rewrites a lot of the content in the IIS virtual directories, we thought we might get lucky and it would fix any configuration errors that we had.

During the next install, the installation of the Hub Transport role completed successfully, but now we got an error on the Client Access role installation. As we were actively troubleshooting I didn't write it down at the time, but it was something like:
Could not grant Network Service access to the certificate with thumbprint BIGLONGHEXTHUMBPRINT because...
Based on this I decided to review the certificate in the Certificates MMC snap-in. Again, all the details looked right. Maybe I can add the necessary permissions myself for Network Service. To access the permissions for a certificate, you right-click it, point to All Tasks, and click Manage Private Keys. This normally brings up a security dialog box. However for me it brought up the following error:
Object not found.
I interpreted this error to mean that either the private keys were not really present for the certificate, or the Domain Admin account that we were using to access the certificate and run the install didn't have permission to access the private keys. In either case, since our Domain Admin account couldn't set permissions on the certificate, we were dead in the water.

Fortunately certificates are much less expensive than they used to be and we quickly obtained a new certificate with all of the necessary names from NameCheap. They might not have the best management tools for certificates, but the price is right. So, if this didn't work it didn't waste a lot of money.

After installing the new certificate and assigning the correct services to it, we ran the Exchange 2010 SP3 upgrade again. And after some nervous waiting, the upgrade completed properly. And the upgrade fixed all of the errors for the web services. Email for phones began to work immediately, as did OWA.
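
The symptoms in this post (a certificate that reports a private key while Manage Private Keys returns "Object not found" and setup cannot grant Network Service access) can be checked from PowerShell before rerunning setup. The script below is an added example, not part of the original troubleshooting: the function name Test-CertPrivateKey is hypothetical, and it assumes Windows PowerShell, RSA keys held by a CryptoAPI (CSP) provider in the default MachineKeys folder, and an English-language account name.

```powershell
# Added example: read-only check of the private keys behind the certificates
# in the Local Machine personal store. Nothing is modified.
# Assumptions: CSP-based RSA keys in the default MachineKeys folder.
function Test-CertPrivateKey {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string]$Account   = 'NT AUTHORITY\NETWORK SERVICE'
    )

    $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $read   = [int][System.Security.AccessControl.FileSystemRights]::Read

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $keyFileFound   = $false
        $accountCanRead = $false
        $status         = 'Certificate has no private key'

        if ($cert.HasPrivateKey) {
            # HasPrivateKey only means the certificate references a key container;
            # it does not prove the container still exists or can be opened.
            try {
                # Opening the key throws if the container is missing or unreadable.
                $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
                $keyFile   = Join-Path $keyDir $container
                $keyFileFound = Test-Path -Path $keyFile

                if ($keyFileFound) {
                    # Look for an explicit Allow entry that grants Read to the account.
                    # Access granted through group membership is not evaluated.
                    $acl  = Get-Acl -Path $keyFile -ErrorAction Stop
                    $aces = $acl.Access | Where-Object {
                        $_.IdentityReference.Value -eq $Account -and
                        $_.AccessControlType -eq 'Allow' -and
                        (([int]$_.FileSystemRights) -band $read) -eq $read
                    }
                    $accountCanRead = [bool]$aces
                    $status = 'Key opened'
                }
                else {
                    $status = 'Key opened, but key file is not in RSA\MachineKeys'
                }
            }
            catch {
                $status = "Cannot open key: $($_.Exception.Message)"
            }
        }

        # One result object per certificate
        New-Object PSObject -Property @{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            HasPrivateKey  = $cert.HasPrivateKey
            KeyFileFound   = $keyFileFound
            AccountCanRead = $accountCanRead
            Status         = $status
        } | Select-Object Thumbprint, Subject, HasPrivateKey, KeyFileFound, AccountCanRead, Status
    }
}

# Run from an elevated prompt on the Exchange server
Test-CertPrivateKey | Format-List
```

A certificate that shows HasPrivateKey as True together with a "Cannot open key" status is in the same state described above: the store entry claims a key that the account running the check cannot reach.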

So, You Wanna Be a Computer Geek?

I recently did a presentation for an Introduction to Management Information Systems class at the University of Manitoba Asper School of Business. Students in this class are just starting to look at how IT and business are interrelated. One of the students asked me for advice on getting into the IT industry and this content grew out of that.

I suppose the more polite way to phrase it would be:
  • So, you'd like to work in the IT industry?

Areas of IT

One of the things that surprises many people looking at IT is the wide range of job roles. When you haven't been working in the industry, you tend to think that there is just the one role of computer geek. And your impression is likely that the computer geek does all computer related stuff including physically repairing computers.

In actuality, there are multiple job roles in IT. And, the more you learn about IT, the more you realize that you understand only your little corner of the world. The more you learn, the more you realize how little you actually know. Don't be disheartened as you go through that process. Nobody knows all of it.

Some of the job roles are:
  • Help Desk - Takes support calls from users when computers or applications are not working correctly.
  • Desktop Support - Manages desktop computers which includes software deployment, repairing software problems, and repairing hardware problems.
  • Server/System Administration - Responsible for implementing and maintaining servers. This includes the server hardware and operating systems, Active Directory, and potentially some additional software that runs on servers such as SQL server.
  • Application Support - Responsible for configuring and maintaining specific business applications. For advanced troubleshooting, they act as an interface for interacting with the application vendor for support.
  • Database Administrator - A specialist that is responsible for managing and maintaining databases that are used by applications. This role troubleshoots database performance issues and implements the requirements specified for individual applications.
  • Network Administrator - Responsible for configuring switches, routers, firewalls, and other network specific devices.
  • Programmer - Builds and maintains customized software used internally. Programmers can also perform customizations for off-the-shelf software. Web development is also in this category.
  • System/Business Analyst - Responsible for helping bridge the gap between business units and the technical side by translating business requirements into technical requirements that can be implemented.
  • System Architect/Designer - This role is responsible for understanding how systems work at a high level and ensuring that any new applications/solutions work within the framework already developed for existing systems.
It's important to realize that not every organization has all of these roles. Smaller organizations tend to combine these roles together. For example, a small business may have 1 or 2 IT staff that effectively fill all of these roles.

If you want to get into IT, you need to understand which role you're hoping to fill. The education requirements and career progression for each role are different.

Educational Requirements

When I started in this industry in the 1990s, many of us were self-taught and didn't have any formal computer training. That is not typical today. In most cases, you need to have formal related training in order to be considered for a position.

Help desk and desktop support are often thought of as entry level positions. The education requirement for these roles is usually a one or two year program that includes content on configuring desktop computers and some information about managing servers.

In larger organizations, desktop support can be an area of specialization rather than just a starting point. There is opportunity to move up within desktop support and have a wide scope of responsibility. For example, a large organization can have specialists that develop processes for deploying operating systems, applications, and configuring computers centrally.

Server/System administrators typically require at minimum the same one or two year program that is required for help desk and desktop support. However, this role is not entry level and you do require experience to obtain it. That on the job experience allows you to understand how all of the pieces really fit together and learn more technical details. In this role, you often have additional specialized technical training focused on specific products. Some organizations prefer a computer science degree for this role.

Application support can require a wide variety of technical skills. Depending on the organization, it may require a computer science degree or business degree. There will also be some element of training in the specific applications being supported. Some common applications such as Exchange Server for email may be taught as part of a formal education process. Other less common applications may be learned on the job or in training provided by the vendor.

Database administrator is a specialized role that requires specific education in database management. This can be a one or two year program or a computer science degree. There may also be training in how to use specific types of databases such as Microsoft SQL Server, Oracle, or MySQL.

Network administrators require specific training in how to configure network equipment. The most common way to show your knowledge in networking is to obtain industry certification from Cisco. Even if you don't use Cisco equipment in the job, having that certification shows you understand the general concepts that are required. Then you figure out the specific commands to implement what you need on equipment from a different vendor. Training for Cisco certification is provided in many one or two year technical courses.

You can get the training to be a programmer from technical colleges (2 year programs) or as part of a computer science degree. Generally speaking, a computer science degree will provide more theoretical knowledge that will help you advance more into design. A shorter program from a technical college will teach you programming, but less of the design aspects.

System/Business analyst is usually someone with broad business education and some technical knowledge. Often people in this role have a business degree with additional education or experience on the technical side.

A system architect/designer needs to have a broad range of technical experience, and years of it. In terms of formal education, it may be a business degree, computer science degree, or even an MBA. However, the real key here is that this is not an entry level position, it's something you work up to.

Industry Certifications

When you need to prove your knowledge of specific technologies, you'll most often end up obtaining industry certifications. Industry certifications are exam-based certifications designed by the product vendors. I previously mentioned Cisco certification for networking, but many vendors offer certification for their products.

You do not need formal training in order to obtain most certifications. You can study on your own and then write the exam. Or, you can take short courses (often a week or less, but crazy expensive) that focus on the specific content related to that certification before writing the exam. Exams are available at testing centers throughout the world. Some certifications consist of multiple exams.

Here is information about some vendor certifications:
Some of the entry level certifications are included as part of formal training in technical schools. For example, you may get Cisco Certified Network Administrator (CCNA) or Microsoft Certified Professional (MCP) training. Another commonly included entry level certification is A+ certification for basic hardware and software configuration.

How Do I Decide?

If you're not already in the IT industry, it's pretty hard to figure out what you might want to do. I'm a firm believer in trying stuff out (or at least learning about it) to get a better understanding. It would be unfortunate to take a two-year programming course and then realize that you don't like programming at all.

The Internet is full of many resources on the technical details of help desk, desktop support, server administration, programming, and database administration. However, you may find it easier to start learning about working in these roles by using content with some structure. Fortunately there is lots of that available for free on the Internet too.

The following resources are Microsoft-based because that's what I work with the most. There are many other worthwhile resources, but these are the ones I'm familiar with.

  • Microsoft Virtual Academy – Free online video training. This is no cost and Microsoft does it to spread knowledge about how to use their products. The IT Pros content is what I deal with, but you can also check out the developer (programmer) and data pro (database) content.
  • Channel 9 – Free online videos (typically 1 hour or less) about Microsoft products and features. Presentations from Microsoft conferences such as Microsoft Ignite are also hosted here (in the events section). Many people attend these conferences (at a cost of several thousand dollars), but I find it hard to justify when I can view the same information the day after for free.
  • TechNet Virtual Labs – Hands-on virtual labs that give you experience actually working with Microsoft products. Want to try out using Windows Server and creating SQL databases? This gives you access to virtual machines running that software completely free of charge. No need to set up your own test lab when they provide it for you. The labs include specific activities for you to try, or you can do your own thing.
  • Free eBooks from Microsoft Press - Most of these books tend to be introductory, almost marketing level content. They do a good job of describing features without some of the technical details. This makes them good for getting an overview of the products as someone looking at the industry for the first time.

Add Your Own Comments

If you have any additional suggestions for this content, please leave a comment below. This was written up in a couple of hours and I'm sure there are important and useful items that I've missed.

Thursday, February 2, 2017

Site Mailboxes Deprecated in SharePoint Online

Just saw a notification in my Office 365 portal that site mailboxes are being removed from SharePoint Online. Existing site mailboxes will continue to function for now, but after March 2017 you cannot create new site mailboxes.

It is recommended that you use Office 365 groups for collaboration instead. An Office 365 group behaves like a combination of a distribution group and shared mailbox combined with storage in SharePoint. It's a more complete collaboration solution, but you can use just the features that you want.

In September 2017, a process will begin to transition site mailboxes to Office 365 groups.

Here is a link with more info about Office 365 groups:

Tuesday, January 31, 2017

Windows 2003 Documentation in PDF

Someone at Microsoft must have decided it was time to clean up the support documentation. You'll now find that if you try to use a link referring to older Windows Server 2003 documentation or support docs, you instead get prompted to download a PDF. At first I didn't think much about this as I didn't really need the documentation.

Today I wanted to confirm some processes in a forest recovery (a low likelihood issue, but I'm doing up some documentation). Ok, I'll download this and find the content I want.

It turns out that this PDF is 150MB and 28000 pages. I'm sure it's complete, but not very convenient.

If anyone else is looking for the forest recovery info, it's on page 3078.

I should also point out that this content is relevant all the way up to Windows Server 2012 R2 (and I assume Windows Server 2016 also). MS has no other official forest recovery info that I've run across.

And just for fun, here's a link to the Windows 2003/2003 R2 retired content:

Saturday, January 28, 2017

PowerShell Script for Math Homework

My daughter needs to practice her multiplication tables. So, I came up with a little script that can help.

You can use the script on any Windows computer. Copy the code below into a text file and then name that file something like multiply.ps1. The file needs to end in .ps1 for Windows to recognize it as PowerShell.

You may also need to allow PowerShell scripts on your computer. Open a PowerShell prompt and run Set-ExecutionPolicy RemoteSigned.

If you have the file saved on your desktop, right-click it and select Run with Windows PowerShell.

 $questions = Read-Host "How many questions?"
 For ($i = 1; $i -le $questions; $i++) {
   # Pick two random factors from 0 to 9 (-Maximum is exclusive)
   $first = Get-Random -Minimum 0 -Maximum 10
   $second = Get-Random -Minimum 0 -Maximum 10
   $answer = $first * $second
   # Keep asking the same question until the answer is correct
   Do {
     Write-Host "$first x $second = ??"
     $response = Read-Host "Enter your answer"
     If ($response -eq $answer) {
       Write-Host "That is correct!"
     }
     Else {
       Write-Host "Try Again"
     }
   }
   Until ($response -eq $answer)
 }
 Write-Host "Well done! $questions questions completed!"

Friday, January 27, 2017

Full Restore for DC with NetBackup

I was doing some disaster recovery testing for Windows 2008 R2 domain controllers today with Veritas NetBackup. I’m running through and documenting some scenarios in a test environment. Better to document the steps before you need them!

Doing a non-authoritative and an authoritative restore went well by restoring the system state. Next up on my list was a full server restore.

The documentation for a full server restore was (to be kind) a bit fuzzy. The best of their articles I could find was this one:
At a high level, the instructions are:
  • Install an OS with the NetBackup client software.
  • Restore the drives (and don’t reboot yet)
  • Restore the system state
  • Reboot
My problem was that after the reboot I got a blue screen. After stopping the blue screen long enough to see the error, I saw this:
STOP: c00002e2 Directory Services could not start because of the following error:
The specified procedure could not be found
Error status: 0xc000007a
I did some searching and found lots of references to a corrupt AD database and fixing it by removing log files or doing a manual repair on the ntds.dit file. Just for kicks, I did try these because they were fast and easy, but not the answer.

This link from Microsoft gave me the hint I needed:
This link indicates that the error occurs when the Active Directory Domain Services role is removed before a domain controller is demoted. Basically, you have a lobotomized DC that doesn’t have all the files anymore but is still trying to run the services. I tried to run ntdsutil and the file wasn’t there. That was a good hint that some files for AD DS were not there.

To fix my process, I installed the AD DS and DNS server roles before I did the restore. By doing those, all was good.