Month: March 2016

  • Encryption…It’s for everyone

    Working in IT invariably means friends may ask you for help at some point. It’s the nature of it. Sometimes it’s help with a laptop, but it can also be random stuff like “Hey, you work in Computers! Can you help me with my new Microwave”. We’ve all been there.

    Anyways, recently I’ve been following the developments on Apple vs The US Government on iPhone encryption – and it got me thinking. How many people who aren’t in IT actually encrypt their stuff on purpose? I bet it’s not many. I’d be surprised if a lot of non-computer literate people actually did it, or understood why it’s important.

    Let’s take a recent case: somebody’s machine crashed and they couldn’t start Windows. Let’s forget for a second their extreme panic at the fact that they had about 5 years’ worth of stuff on there…and no backup. Yeah, let’s forget that.

    So, I pull the hard disk out of the laptop, plug it into mine…and there you go. I copy off all their data. Easily. Everything. Photos, documents, copies of their passport, bills, driving licence…I’m sure you can see where I’m going with this.

    It’s so easy to do, it’s beyond terrifying. Imagine if they’d had that laptop stolen, or left it on a train.

    What about home stuff? Sure, your home PC (people still buy those, right?) is safe, isn’t it? After all, it’s got a password on it. Of course it isn’t: the login password only guards the running operating system, not the data sitting on the disk. If the worst happened and you were burgled, and the base unit/external drives were nicked…getting at your data would be beyond easy. If it’s an external drive, just plug it into something else.

    Personally, I encrypt absolutely everything. Every laptop, every external drive, anything that can be encrypted is encrypted. It’s the only thing that makes sense. Some may say I’m being over-cautious. Why? I have a sensible backup setup with multiple copies of stuff, on and off site, all encrypted of course. My risk of losing data is quite low.

    The risk of losing unencrypted data though – that is sky high. I don’t mean the risk of losing drives, I mean the risk to me should I lose one of those drives with data on it. It could be customer data, personal data, could be anything.

    Whatever it is, I don’t want people accessing it. The cost of the hardware/drive etc. is an annoyance. Losing the unencrypted data would be a catastrophe.

    It’s not hard to encrypt stuff now – so really, you should make it happen.

    Use FileVault to encrypt the startup disk on your Mac

    Turn on Device Encryption

    It is beyond easy.
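On the Windows side, the two questions worth asking of every machine are "is each volume actually encrypted and enforcing?" and "is there a recovery key somewhere other than this machine?" (the second is what saves you when an encrypted laptop dies, see below). The following is an added example of mine, not code from the original post; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated prompt.

```powershell
# Added example, not from the original post: reports the BitLocker state of every
# volume on a Windows machine and whether each encrypted volume has a recovery
# password protector (the 48-digit key that lets you unlock the drive from another
# machine if the one it came from dies). Needs the BitLocker module (Windows 8 /
# Server 2012 or later) and an elevated PowerShell prompt.

function Get-VolumeEncryptionReport {
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        # Key protectors are the things able to unlock the volume: TPM, password,
        # recovery password, external key, and so on.
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus = $vol.ProtectionStatus  # On = BitLocker is actually enforcing
            Protected        = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
            HasRecoveryKey   = ($recovery.Count -gt 0)
            RecoveryKeyIds   = ($recovery.KeyProtectorId -join ';')  # IDs only; the key itself is never logged
        }
    }
}

$report = Get-VolumeEncryptionReport
$report | Format-Table -AutoSize

# An unprotected volume is exactly the "pull the disk out and copy everything" case above.
$report | Where-Object { -not $_.Protected } | ForEach-Object {
    Write-Warning ("{0} is readable by anyone who gets the disk (status {1}, protection {2})." -f $_.MountPoint, $_.VolumeStatus, $_.ProtectionStatus)
}

# Encrypted with no recovery password anywhere is the "encrypted, no backup, drive failed" case.
$report | Where-Object { $_.Protected -and -not $_.HasRecoveryKey } | ForEach-Object {
    Write-Warning ("{0} has no recovery password protector; add one and keep it somewhere safe before you need it." -f $_.MountPoint)
}
```

If a protected volume comes back with HasRecoveryKey false, add one with Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector and copy the password shown in the volume's KeyProtector output somewhere off the machine; the report deliberately prints protector IDs rather than the passwords so it is safe to keep as a log.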

    Now, what about the scenario above where somebody has a laptop, it’s encrypted, they’ve never taken a backup…and it fails? Well, you’re pretty much stuffed. If it’s just an OS corruption or a hardware fault elsewhere in the machine, you can still take the drive out and use the recovery key to decrypt it on another computer, but it is harder.

    Me, I’d personally encrypt everything and have a decent backup. Failed drives to me are an annoyance, I can’t remember the last time it actually threatened any data.

    Anyways, encrypt your stuff. It’s important. Unless of course you only keep pictures of cats.

  • We don’t want Office Web Apps

    It is perfectly possible to implement a Lync 2013 or Skype for Business 2015 platform without implementing Office Web Apps – after all, Web Apps is just used for streaming PowerPoint slides, right?

    Well, yes, it is – but there are some other things to consider, mainly around how you control the user experience.

    What Changed?

    There are major differences between how PowerPoint slide-decks are presented in Lync 2010 and Lync 2013, and understanding those differences is key when assessing the requirement for Web Apps. In summary, Lync 2010 shares PowerPoint data in-client, whereas Lync 2013/Skype for Business requires an Office Web Apps Server to achieve similar, but far superior, functionality.

    In Lync Server 2010, PowerPoint presentations are viewed in one of two ways:

    • For users who run Lync 2010, PowerPoint presentations are displayed using the PowerPoint 97-2003 format and viewed with an embedded copy of the PowerPoint viewer.
    • For users who run Lync Web App, PowerPoint presentations are converted to dynamic HTML files and then viewed using a combination of the customised DHTML files and Silverlight.

    This model did have some limitations, namely:

    • The embedded PowerPoint Viewer (which provided a more optimal viewing experience) is available only on the Windows platform.
    • Many mobile devices (including some of the more popular mobile telephones) do not support Silverlight.
    • Neither the PowerPoint Viewer nor the DHTML/Silverlight approach supports all the features (including slide transitions and embedded video) found in the more recent editions of PowerPoint.

    To improve the overall experience of anyone who presents or views PowerPoint presentations, Lync Server 2013 or Skype for Business uses Office Web Apps Server to handle PowerPoint presentations. This is a better model, in that it offers:

    • Higher-resolution displays and better support for PowerPoint capabilities such as animations, slide transitions, and embedded video.
    • More mobile devices can access these presentations, because Lync Server 2013 uses standard DHTML and JavaScript to broadcast PowerPoint presentations instead of customised DHTML and Silverlight.
    • Users who have appropriate privileges can scroll through a PowerPoint presentation independent of the presentation itself. For example, while David is presenting his slide show, Karen can scroll through and view any slide she wishes, all without affecting David’s presentation.

    User Experience – It’s Important

    It is important to understand the user experience of having an Office Web Apps Server in the architecture. To explain, the following screenshot shows the sharing options of a fully enabled client with an Office Web Apps Server present:

    Web Apps Present

    In the above screenshot, you can see the sharing options for Desktop, Program, PowerPoint, Whiteboard and Polls. This enablement is driven by the conferencing policy assigned to individual users. Selecting the PowerPoint presentation then uploads the presentation to the Lync Data share, and this is then streamed via the Office Web Applications Server.

    In architectures that do not have an Office Web Apps Server available to them, users can still share PowerPoint presentations using desktop and application sharing (marked out in the screenshot below), but they cannot use the ‘PowerPoint’ button. This is different to the Lync 2010 client experience.

    The challenge for architectures without an Office Web Apps Server is configuring the policy to allow Desktop & Program Sharing, Whiteboard and Polls while removing just the PowerPoint button. This is not currently possible.

    The reason for this is that PowerPoint, Whiteboard and Polls are part of the Data Collaboration Policy, whereas Desktop/Program sharing are part of the Application sharing policy.

    Disabling the data collaboration for a user disables the following functions:

    • Office Web Applications PowerPoint uploads
    • Whiteboards
    • Polls

    There is no granular control to just turn off the PowerPoint option. Turning off data collaboration disables all the above functions.
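To make that policy split concrete, here is an added example of mine (not code from the original post) that creates a per-user conferencing policy which keeps Desktop/Program sharing but switches off data collaboration, assigns it to a user, and reads back what applied. The policy name and the user are placeholder values; it assumes the Skype for Business Server Management Shell on a Front End server.

```powershell
# Added example, not from the original post: a per-user conferencing policy that keeps
# desktop and program sharing but turns off data collaboration, which removes the
# PowerPoint, Whiteboard and Polls options together (there is no switch for PowerPoint
# alone). Policy name and user are placeholder values.
$PolicyName = 'NoDataCollab'           # assumed policy name
$UserSip    = 'sip:karen@example.com'  # assumed user

# Create the per-user policy only if it does not exist yet.
if (-not (Get-CsConferencingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-CsConferencingPolicy -Identity $PolicyName | Out-Null
}

# EnableAppDesktopSharing Desktop keeps desktop and single-program sharing available;
# EnableDataCollaboration $false drops PowerPoint uploads, whiteboards and polls as a set.
Set-CsConferencingPolicy -Identity $PolicyName `
    -EnableAppDesktopSharing Desktop `
    -EnableDataCollaboration $false

# Assign it to the user.
Grant-CsConferencingPolicy -Identity $UserSip -PolicyName $PolicyName

# Read back the policy settings and confirm which policy the user now carries.
Get-CsConferencingPolicy -Identity $PolicyName |
    Select-Object Identity, EnableAppDesktopSharing, EnableDataCollaboration, AllowPolls

Get-CsUser -Identity $UserSip | Select-Object SipAddress, ConferencingPolicy
```

The read-back at the end is the useful bit when you are explaining to a customer why the Whiteboard and Polls buttons have also gone: the single EnableDataCollaboration value is what drives all three.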

    Summary

    So, yes, you can implement a platform without Office Web Apps, but you just need to consider the other functions that it impacts when you turn it off by policy.

    The thing is, if the server role is used only for a Skype for Business or Lync platform, you do not need Office Web Apps Server licences or CALs. All you need to cover is the operating system licence for the server that hosts the Web Apps platform, so it’s not particularly heavy duty.

    Anyways, I get asked this a lot, so I thought I’d provide some background.

  • Windows Server Update Services

    Windows Server Update Services – WSUS, WUS, SUS or whatever you like to call it. Possibly one of the daftest names for something I’ve seen in a long time… Aaaanyway.

    This is the role you use to cache, download, and deploy Windows Updates out to the estate under your control, i.e. you control both which updates the clients get and how they get them (from the Internet or from your servers). The latter is the common usage: download once to a distribution point, then distribute out to your estate rather than having every machine download over the Internet.

    There’s lots of different architectures out there. The Technet article here is great at explaining them, and what the options are.

    Prepare for Your WSUS Deployment

    Most organisations don’t find this a difficult process or product to deploy. The ones that do, in my experience, have problems because they try to massively over-complicate the deployment model for WSUS. Keep it simple – keep it working!

    The video below runs through the process of setting up a single server, how to get your clients talking to it, and how to approve/install basic updates. 

    I produced it for a specific request, but I thought it would be useful to share.

    Oh, by the way, if you have Windows 10 machines in your estate ensure your 2012 R2 WSUS server has this update installed. If it doesn’t, your Windows 10 machines will show up as Windows Vista – and nobody wants that.

    Update to enable WSUS support for Windows 10 feature upgrades

    Another thing to watch out for is how you specify the servers in your Group Policy – make sure you put the port in, otherwise the clients never find the WSUS server and you never see them register.

    This bit – note the port numbers of 8530 and 8531 (HTTP and HTTPS respectively), and don’t do what my brain keeps doing, which is put 8350 and 8351 and sit there wondering why it’s not working.

    WSUS Settings

    The other piece of advice is to be patient once the Group Policy has applied – it can take a while for the machines to start appearing in the management console. That’s just how it is; it takes a while.
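Before waiting on the console, it is worth checking on a client that the policy has actually landed and that the server URL carries the right port. The script below is an added example of mine, not from the original post; it reads the registry values Group Policy writes for WSUS, flags a missing or mistyped port, checks the port answers, and then asks the client to check in. It assumes a domain-joined client with Test-NetConnection available (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added example, not from the original post: read the WSUS settings Group Policy has
# written on a client and flag the failure modes above (policy not applied yet, or a
# server URL with a missing or mistyped port). Run on a domain-joined client.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusClientConfig {
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    $findings = @()

    if (-not $wu -or -not $wu.WUServer) {
        return @('WUServer is not set: the WSUS policy has not applied to this machine yet (gpupdate /force, then wait).')
    }
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client will ignore WUServer and use Microsoft Update.'
    }

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $wu.$name
        if (-not $value) { $findings += "$name is not set."; continue }
        try { $uri = [uri]$value } catch { $findings += "$name ($value) is not a valid URL."; continue }

        # WSUS on 2012 R2 listens on 8530 (http) and 8531 (https) by default.
        $expected = if ($uri.Scheme -eq 'https') { 8531 } else { 8530 }
        if ($uri.IsDefaultPort) {
            $findings += "$name ($value) has no port; WSUS normally needs :$expected."
        } elseif ($uri.Port -ne $expected) {
            $findings += "$name ($value) uses port $($uri.Port); expected $expected (8350/8351 is the classic typo)."
        }
        # Confirm the port actually answers; this catches a wrong port even if it passed the check above.
        if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
            $findings += "$name ($value): TCP connection to $($uri.Host):$($uri.Port) failed."
        }
    }

    if (-not $findings) { $findings += "OK: WUServer=$($wu.WUServer), WUStatusServer=$($wu.WUStatusServer)" }
    return $findings
}

Test-WsusClientConfig

# Once the settings look right, ask the client to check in rather than waiting for the next detection cycle.
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
```

The port check is a warning rather than a hard failure because a WSUS server can legitimately be bound to 80/443; the TCP test at the end is what tells you whether the value you have will work.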

  • Bulk Enabling Skype for Business Users

    I’ve been tidying up some of the scripts I use during deployments, so I thought I’d share some of them. This one that I’m about to go through does the following:

    • Takes a CSV of users
    • Enables them for Skype for Business or Lync 2013 (if they’re not enabled already)
    • Applies the conferencing policy
    • Applies the client policy
    • Applies the remote access policy

    These are the most common things you’ll see when working with users in bulk. The script can be modified to apply anything really – if you’re familiar with PowerShell, it’s fairly easy to read.

    Anyway, let’s look at the script. Firstly, you can download it below:

    SkypeEnable: very out of date, so I have removed it.

    Script Pre-Reqs

    You must have the Lync PowerShell modules installed on the machine you’re running this on – the simplest way is to run the script on one of your Front End servers.

    Script Modifications for your Environment

    You need to modify a couple of items to make it apply to your environment. These items are:

    # Update these variables appropriately
    $DefaultPool = "LyncPool.ds.co.uk"   # pool used when the CSV row has no RegistrarPool value
    $LogFile     = ".\EnableLOG.txt"     # where the log is written
    $UserCSV     = ".\EnableUsers.csv"   # the CSV of users to work on

    They should be pretty obvious.

    • Default Pool: If the CSV doesn’t include a pool reference, then it will default to whatever you set this variable to.
    • Log File: Where do you want the log file to be written to?
    • UserCSV: This is the CSV containing the users you want to work on.

    Source File Requirements

    The script uses a CSV file containing the relevant info for the users that you wish to touch. The minimum data in the CSV is shown below:

    Data for import

    At a minimum, all you need in the CSV is the mail address of the user you want to touch. I pretty much always use the mail address, as it’s usually unique in the organisation.

    There are other fields you can include too – shown below:

    All Fields

    The other fields that the script uses are:

    • RegistrarPool – the target pool that you wish to enable the users on.
    • SipAddress – what SIP address do you want to use? You can include the sip: prefix if you want – the script checks for its presence and adds it if need be.
    • ConferencingPolicy – what conferencing policy to apply.
    • ClientPolicy – which client policy to apply.
    • ExternalAccessPolicy – which external access policy to apply.

    Note that if any of these fields are empty or blank, the following logic applies:

    • RegistrarPool missing/blank – use the default pool defined in the $DefaultPool variable detailed above.
    • SipAddress missing – use the email address.
    • Conferencing, Client or External Access Policy missing – leave that policy setting untouched.

    Pretty simple really. If the file has extra columns – say you’ve done an AD Export for example – then they will be ignored. Only the above fields will be used.
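Since the original download has been removed, here is an added example of mine (not the post’s SkypeEnable.ps1) that implements the rules just described: one CSV row per user, enable if not already enabled, fall back to the default pool and the mail address, add the sip: prefix, grant only the policies that are filled in, and write a log plus a check CSV. It assumes the Skype for Business / Lync Server Management Shell on a Front End server, an Email column in the CSV (the other column names are as listed above), and that looking users up by their WindowsEmailAddress in AD is acceptable; the pool and file names are the placeholders from the post.

```powershell
# Added example, not the blog's (now removed) SkypeEnable.ps1: reads the CSV described
# above and applies the same rules. Assumes the Skype for Business / Lync Server
# Management Shell on a Front End server and a CSV with an Email column plus optional
# RegistrarPool, SipAddress, ConferencingPolicy, ClientPolicy and ExternalAccessPolicy
# columns. The lookup by WindowsEmailAddress is an assumption about your AD.

# Update these variables appropriately
$DefaultPool = "LyncPool.ds.co.uk"
$LogFile     = ".\EnableLOG.txt"
$UserCSV     = ".\EnableUsers.csv"
$CheckCSV    = ".\UserCheck.csv"

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Column name -> cmdlet; a blank or absent column means "don't touch that policy".
$PolicyGrants = [ordered]@{
    ConferencingPolicy   = 'Grant-CsConferencingPolicy'
    ClientPolicy         = 'Grant-CsClientPolicy'
    ExternalAccessPolicy = 'Grant-CsExternalAccessPolicy'
}

$results = foreach ($row in Import-Csv -Path $UserCSV) {
    $mail = "$($row.Email)".Trim()
    if (-not $mail) { Write-Log "Skipping a row with no Email value"; continue }

    # Mail address is the lookup key; any extra columns (AD export leftovers etc.) are ignored.
    $adUser = Get-CsAdUser -Filter "WindowsEmailAddress -eq '$mail'" | Select-Object -First 1
    if (-not $adUser) { Write-Log "ERROR: no AD user with mail address $mail"; continue }
    $identity = $adUser.UserPrincipalName

    if ($adUser.Enabled) {
        Write-Log "$mail is already enabled; leaving pool and SIP address as they are"
    } else {
        # Blank RegistrarPool -> default pool; blank SipAddress -> mail address; add sip: if missing
        $pool = if ("$($row.RegistrarPool)".Trim()) { "$($row.RegistrarPool)".Trim() } else { $DefaultPool }
        $sip  = if ("$($row.SipAddress)".Trim())    { "$($row.SipAddress)".Trim() }    else { $mail }
        if ($sip -notmatch '^sip:') { $sip = "sip:$sip" }

        Write-Log "Enable-CsUser -Identity $identity -RegistrarPool $pool -SipAddress $sip"
        Enable-CsUser -Identity $identity -RegistrarPool $pool -SipAddress $sip
    }

    foreach ($column in $PolicyGrants.Keys) {
        $policy = "$($row.$column)".Trim()
        if ($policy) {
            Write-Log "$($PolicyGrants[$column]) -Identity $identity -PolicyName $policy"
            & $PolicyGrants[$column] -Identity $identity -PolicyName $policy
        }
    }

    # Re-read the user so the check file shows what actually applied, not what we asked for.
    Get-CsUser -Identity $identity |
        Select-Object SipAddress, RegistrarPool, ConferencingPolicy, ClientPolicy, ExternalAccessPolicy
}

$results | Export-Csv -Path $CheckCSV -NoTypeInformation
Write-Log "Finished. Check $LogFile and $CheckCSV"
```

Enable-CsUser writes to Active Directory, so on a multi-DC forest the Grant-Cs*Policy calls straight after it can fail with a "not found" error until replication catches up; the log records exactly which command failed, and re-running the script is harmless because already-enabled users are skipped and policy grants are idempotent.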

    Executing the Scripts

    This is very simple. From an elevated PowerShell environment just execute the SkypeEnable.ps1 script with:

    .\SkypeEnable.ps1

    Note that you must have run Set-ExecutionPolicy Unrestricted (or otherwise allowed script execution), otherwise the script won’t run.

    The start directory where my scripts are looks like this. You can see the PowerShell script, and my CSV file ‘EnableUsers.CSV’.

    Start Directory

    Running the script results in this output:

    Script Execution

    It even tells you the files & logs to check.

    Script Output

    The script outputs a couple of check files for you to look at, so you can make sure everything has gone as expected. I’ve used ‘EnableLog.txt’ for the main log file. In addition, a CSV called ‘UserCheck.CSV’ is also output. Let’s look at each, starting with EnableLog.TXT. The script tells you what it’s doing, and even shows you the PowerShell commands it’s using.

    The UserCheck.CSV contains a CSV export of the users we’ve touched, and includes their relevant policies. For example, have a look here. The CSV file will enable you to check against your original requirements and make sure stuff has applied properly:

    Check

    Can I use the script for anything else?

    Well, yes. If users are already enabled for Skype for Business/Lync, you can still specify Conferencing, Client or External Access policies. The script will then apply those policies to those users.

    Summary

    PowerShell is brilliant at automating common and bulk tasks; it absolutely makes sense to use it. To be fair, I may have over-complicated this script & process – sometimes simpler is easier – however the script process itself can be pretty useful for developing your own stuff. So I hope you find it useful.

    You can see a video run through below.

  • Skype for Business High Availability – Pool Pairing

    High availability and Disaster Recovery in Skype for Business/Lync 2013 is a beautiful thing. Providing always-on services, as well as great recovery provisions for DR, is core to the product. Looking at it, though, you could be forgiven for thinking it requires a whole heap of hardware and licensing – that’s not really the case. A common misconception is around the pool pairing types. Let’s have a look at that.

    Before we do however, let’s just qualify some terms for the purposes of this blog:

    High Availability

    For a service to be HA, it automatically survives a failure in the topology, and recovers, without administrative input.

    Disaster Recovery

    For DR, administrative input is required to ‘push’ services/users to a DR site.

    Others have different definitions of the above, but these will do for the purposes of this blog.

    Firstly, for both HA and DR, don’t be quick to dismiss the Standard Edition of the product. It provides great high availability for voice, and easy-to-implement, low-cost DR. Have a read of this to see why:

    In praise of Lync Standard Edition

    Things seem to get expensive when you want to pair an Enterprise Pool for high availability. Consider the pool pairing requirements from this article:

    Front End pool disaster recovery in Skype for Business Server 2015

    In particular, note the requirements on the pool pairing:

    Pool Pairing

    As a quick side note, have a look at the RTO & RPO for the failover:

    RTO & RPO

    Great RTO and RPO, right? But wait – this is measured on 40 *thousand* active users, with 200 *thousand* enabled users. So, there’s that….

    Anyway, back to HA/DR. Let’s say, for example, you implement an Enterprise Edition pool because you want High Availability in your primary pool, and you also want to provision Disaster Recovery for the same pool. The configuration I often see proposed is similar to this:

    Example Structure

    So we put three Front End servers in the primary pool, with an SQL server for the databases. We also have the DR pool of three Front End servers, and the associated SQL services at that site. Let’s say you have 3.5k users, for example: that’s a lot of server instances and Skype for Business Server 2015 licenses, isn’t it? With that model, let’s assume:

    Primary DC (Active)

    • 2 x SQL Servers
      • 2 x OS, 2 x SQL
    • 3 x Front End Servers
      • 3 x Skype for Business Server 2015 licenses
    • Hardware Load Balancer for Web Services

    Secondary DC (Passive)

    • 1 SQL Server
      • 1 x OS, 1 x SQL
    • 3 x Front End Servers
      • 3 x Skype for Business Server 2015 licenses
    • Hardware Load Balancer for Web Services

    With three servers in the pool you’ll need to load balance the web services between the pool servers as well, usually using a Hardware Load Balancer of some sort.

    In this setup you have done the correct thing according to the supportability rules. Enterprise Pool with Enterprise Pool, virtual to virtual or physical to physical (no virtual to physical pairing), and you’ve used the same OS across the platforms.

    Here’s the thing though – why do you need three Front End Servers in the secondary/passive data centre? Look at the rules – where does it state you need the same number of Front End servers? The answer is – it doesn’t. You can have a differing amount of Front End servers in the paired pools.

    All of a sudden, that architecture is looking smaller. Consider this:

    Example Structure

    In this model, you’d need:

    Primary DC (Active)

    • 2 x SQL Servers
      • 2 x OS, 2 x SQL
    • 3 x Front End Servers
      • 3 x Skype for Business Server 2015 licenses
    • Hardware Load Balancer for Web Services

    Secondary DC (Passive)

    • 1 SQL Server
      • 1 x OS, 1 x SQL
    • 1 x Front End Servers
      • 1 x Skype for Business Server 2015 licenses

    You’ve immediately cut out an extra two servers, and the associated licensing, as well as the requirement for hardware load balancing in the secondary site. This works, and is supported. It’s a good model for when you want to provide HA & DR for users, without having to put a lot of infrastructure in the secondary DC.

    Of course, this model only really suits an Active/Passive setup where users are provisioned from the primary DC and the secondary DC is only used in a failover scenario. If you wanted Active/Active (which is a very credible option), then you’d really need to provide HA in both DCs and provision enough resources for each DC to carry 100% of the load.

    I haven’t included Office Web Apps in the above, however that’s another consideration. You may put a couple of them in the Active DC load balanced – but why would you want multiple in DR? In fact, there’s a question of whether you need them in DR anyway unless you consider it a critical function.

    Anyway, the point of this blog is really just to show that there’s a lot of flexibility in Lync/Skype for Business in terms of HA/DR – put some thought into it and you’ll find it’s not as difficult or expensive as you’d imagine.

  • Deleting the Skype for Business Address Books

    Quite a while ago I wrote a small VBScript that deletes all of the GalContacts files (the Skype for Business local Address Books) for you. It’s handy when testing things such as putting new normalisation rules on your Lync or Skype for Business servers. Combine it with the ability to zero the download delay using the GalDownloadInitialDelay registry setting and it just makes your life a little bit easier. The initial article is here:

    Automatically Deleting the Lync Address Books

    Anyways, a few people now have asked me to update the script from VBScript to PowerShell – because the whole world is going PowerShell (and quite rightly, too!). Anyway, I have updated it, and you can download it here:

    DelContacts: removed as very out of date.

    So what does the script do? It’s quite simple – all it does is scan your own profile for any GalContacts.* files and delete them. You can then use the Lync/Skype client to download new ones.

    It even logs the output of what it’s doing.

    Anyways, scripts like this, while they may not do an awful lot (but they do make your life slightly easier), are a great way to learn PowerShell. In here you’ll see how I’ve done some logging, called some DOS commands, the whole lot. Sure there’ll be other/better ways of achieving the same thing, there always are.

    Do you need to change anything in the script?

    Line 9 contains the path to the log file you wish to use for the script, so you need to change that to your preferred destination. Mine is usually on the desktop – but you can set it anywhere you have write access to:

    # Set LogPath to the place you want the log files to go
    $LogPath = "c:\DelContacts\DelContacts.TXT"

    How do you run the script?

    Start PowerShell, go in to the directory you have the script in, and use this command:

    .\DelContacts.ps1

    Bear in mind you will need to have set the execution policy appropriately (Set-ExecutionPolicy) to allow the script to run.

    Log File Output

    The log file will tell you what it has done – example output below.

    Can I create a desktop shortcut to it?

    Yes, absolutely. Create a shortcut pointing to:

    Powershell.exe PathToScript\DelContacts.PS1

    For example on my Windows 10 desktop, I have a shortcut pointing to:

    powershell.exe C:\DelContacts\DelContacts.ps1
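With the original download gone, here is an added example of mine (not the post’s DelContacts.ps1) that does the same job in plain PowerShell: find every GalContacts.* file under the current profile, delete each one, and log every step, including the case where a file cannot be removed because the client still has it open. The log path is the one from the post; the log line format is my own.

```powershell
# Added example, not the original DelContacts.ps1 (which has been removed from the post):
# finds and deletes the local Skype for Business / Lync address book files (GalContacts.*)
# under the current user's profile and logs each step.
$LogPath = "c:\DelContacts\DelContacts.TXT"   # change to somewhere you have write access

function Write-Log {
    param([string]$Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
    Write-Host $Message
}

function Remove-GalContacts {
    param([string]$ProfilePath = $env:USERPROFILE)

    Write-Log ("=" * 75)
    Write-Log "Computername : $env:COMPUTERNAME"
    Write-Log "User Name    : $env:USERNAME"
    Write-Log "Profile Path : $ProfilePath"
    Write-Log ("=" * 75)

    # Get-ChildItem does the recursive search that the original shelled out to DIR /s /b for,
    # so there is no temporary file to create and delete afterwards.
    $files = @(Get-ChildItem -Path $ProfilePath -Filter 'GalContacts.*' -Recurse -Force -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { Write-Log "No GalContacts files found."; return }

    foreach ($f in $files) {
        Write-Log "Working on : $($f.FullName)"
        try {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
            Write-Log "File deleted."
        } catch {
            # Typically "in use": the Skype for Business/Lync client still has the address book open.
            Write-Log "FAILED: $($_.Exception.Message) (is the Skype for Business client still running?)"
        }
    }
    Write-Log ("=" * 75)
    Write-Log "Process finished."
}

Remove-GalContacts
```

Sign the client out before running it; the .db and .db.idx files are held open while the client runs, and the catch block will simply log the failure rather than deleting anything.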

    ===========================================================================
    Computername : HUGEPC
    User Name : mark_
    Temp Dir : C:\Users\mark_\AppData\Local\Temp
    Profile Path : C:\Users\mark_
    Temp File : C:\Users\mark_\AppData\Local\TempDelContacts.TMP
    ===========================================================================
    Finding files using the command: DIR C:\Users\mark_\GalContacts.* /s /b >C:\Users\mark_\AppData\Local\TempDelContacts.TMP
    Temporary file found…
    Deleting files….
    Working on : C:\Users\mark_\AppData\Local\Microsoft\Office\15.0\Lync\sip_mark.*******@******.com\GalContacts.db
    File deleted.
    Working on : C:\Users\mark_\AppData\Local\Microsoft\Office\15.0\Lync\sip_mark.*******@******\GalContacts.db.idx
    File deleted.
    ===========================================================================
    Deleting temporary file…
    Temp file deleted.
    ===========================================================================
    Process finished.