Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and Blackberry Enterprise Server news, views and fixes.

Are you using the right feed address for this blog?

This is a posting for anyone reading this blog using a feed reader.  

I am going to be making some changes to the blog in the next couple of weeks, and this could affect the RSS feed.

If your feed address is "feeds.sembee.co.uk/sembee" then you can stop reading now and go somewhere else, as that feed will not be affected.  

If you are using a feed that starts with the address of www.sembee.co.uk then you will need to change it to the Feedburner feed to ensure that you continue to receive the feed from this blog: http://feeds.sembee.co.uk/sembee 

Massive SBS Server and Network Cleanup

Something I have been doing frequently for the last 18 months or so is cleanups of SBS 2003 servers and their associated networks. I have a number of clients in the IT Support industry who ask me to clean up their clients' servers. Two of them get a new client and the first thing they do is ask me to look at it and make recommendations.

In many cases it is minor cleanups or ensuring that everything is up to date. However one that I have done just recently deserves a blog posting on its own.

Background

New client for one of my IT Support clients.
They said that their client didn't think that there had been much maintenance done by the previous support company and the AV had expired. They were also looking to use Windows Mobile devices but were having problems getting it to work.
It had already been agreed to deploy AVG, so I was asked to look at the site and report what was required.

Seven users, one server, low level of email use apparently. Old school was the phrase that was used to me when describing the company.

I was shocked, to say the least.

Server

SBS 2003 RTM.
Thankfully I was sitting down when I saw that. No service packs, no automatic updates, nothing.
DHCP was being run by the router, not the server.
DNS wasn't configured correctly.
The AV had indeed expired - 18 months ago. It was Symantec as well.
POP3 connector for email collection
Most of the wizards hadn't been run correctly.
Various other bits of junk on the server
The backup wasn't configured correctly, therefore the Exchange transaction logs were building up. There were four years of transaction logs.

Clients

I was able to get on to one of the clients.
Windows XP SP1
Office 2003 RTM
Same expired Symantec AV.
Adobe Acrobat Reader 6 (remember that?).

It was like the site was stuck in 2004. The site was deployed and never touched afterwards.

Anyway, I like a challenge.
Did I mention that the site was 350 miles away, and I was working on it remotely?

The positives?
I tried.
8mb ADSL getting 5mb on the bandwidth tests, which was ok. Plus it had a static IP address. The server had lots of space on it, it was a good configuration, multiple arrays, 2gb of RAM. It was a Dell system and the original suppliers had obviously installed it fresh as it didn't have the Dell issue of a 12gb root partition. However the rest of the server hadn't been done correctly.

So what did I do?

To begin with, over the course of two nights in the week, I downloaded the updates I needed:

Windows 2003 SP2
Exchange 2003 SP2
Windows XP SP2 and SP3
SBS SP1
SharePoint Service Packs
WSUS 3.0 SP1
Office 2003 SP3
AVG Admin and the main Application
Adobe Acrobat 9.0

I asked my client to purchase an SSL certificate credit from https://DomainsForExchange.net/
I also asked for access to their domain name configuration, and web site.

Finally I asked that all the workstations be left on over the weekend and a tape left in the backup drive.

Before I started, I corrected the backup job.
This not only provided me with a backup of their data, it also flushed out almost 15gb of transaction logs, which made the server a little snappier. Once the job was finished, I ejected the tape as a precaution.

With a successful backup, I could then begin the real work.

I started off by flashing the router firmware to the latest version, then reviewing its configuration.
Then started on the server, downloading the latest BIOS and drivers.
Windows Service Pack was first, then the driver updates.
Rest of the service packs as required, concluding with the WSUS installation. I then set that to sync and started on the workstations.
Symantec AV was removed and the AVG installation was set up and configured, ready for installs on the clients.

I moved the data around on the server as per the best practices.
Using the SBS Best Practices tool, I cleaned up any issues that it flagged and reset the backup job to back up correctly.

Each workstation had the Symantec AV removed, the Adobe Acrobat removed and then was brought up to SP3. Rebooted as required.
Office 2003 service pack installed along with the new version of Acrobat Reader.
The workstations also got updated BIOS and drivers.

AVG was installed on the systems, updated and a full scan carried out.
They were very lucky. While a few things were found, they were not serious and

I set up the client with an OpenDNS account and changed the configuration of the server to use that. DHCP was removed from the router and moved to the server. However before I did that I carried out an IP Address scan and found a network printer. A nice HP LaserJet. Fortunately it was configured by defaults, so I was able to connect to it, update its configuration and firmware. Then downloaded the latest drivers from HP and installed them on to the server and shared the printer from there. On each client the printer was changed from direct to the shared printer.

The SSL certificate was deployed with a real name following some DNS changes, and the relevant port opened on the firewall (443). Yes I know SBS can do that for me, but I needed to retain control.
Configured a split DNS system so that the external name on the SSL certificate also worked internally.

I also downloaded and installed PRTG Traffic Grapher and configured that on the server to look at the router. Created a mini admin web site on the server, with PRTG on a web page, along with the AVG status page and a web page to manage the IMF quarantine emails.

By this time WSUS had synchronised, so a few group policy changes had the client talking to that. I ran a few scripts on the client to get them to call in correctly, then left them to download their updates for a few hours.

Once the updates were in and installed, and the systems rebooted, I was close to finishing.
Secured the server for SMTP email and then changed the MX records to point to their static IP address.

Tested Exchange ActiveSync from outside, along with RPC over HTTPS, OWA and confirmed it was working.

Finally set all systems to defrag. 

There were also a lot of very small changes that I do on every site which are simply too numerous to list (plus I can't remember them all).
I was also available on Monday morning for any issues that came up - there were none.

Rough tests on start up times of the server and workstations showed that I halved the time they took to start up.

The job took most of a weekend and basically involved three or more years of maintenance being done on the network in that time. Once it was complete I dropped an email to my client with a list of what I had done (pretty much what I have written above), recommendations for future work and a bill for £2,000.

Probably the best bit was the feedback from the end users. It felt like they had a new network, everything worked, faster, things were where they should be etc. Overall everyone was very pleased.

Ultimately, they were lucky. As they had a router and their email traffic was so low, they didn't get hit by anything major that would have caused a problem. They were badly exposed though and if something had got in then it would have run amok.

The Sales Pitch

If you are in the UK and either a direct user of SBS or are supporting SBS Servers, then I can do something similar for you. Server cleanups start from £250 (+ VAT) depending on the work that is required. I will look at the server and tell you what is needed and quote on that basis. Additional bits (like SSL certificates, AV licenses etc) need to be purchased separately.

If you are a support company, then this type of work can give you a quick win and provide you with an immediate impact with the client. The simple change from POP3 connector delivery to SMTP delivery is normally enough, without the other background work.

In the vast majority of cases, this work can be carried out remotely, out of hours. It does not require a site visit, simply remote access is required (Log Me In is my preferred method).

Similar work can be carried out on the full product over multiple servers.

However, here is the interesting bit… the financials.
The client who I did this job for was prepared to buy additional hardware and software from their previous support company to resolve the problems - which the previous support company had caused by not doing the maintenance correctly. Someone suggested getting a second opinion, and that has saved them money. Their original outlay will now be fully utilised and they will see benefits. Since that work was carried out in mid September they have started to use Windows Mobile, and are now looking at laptop use. Productivity has increased - simply by investing some time in their existing infrastructure, rather than purchasing new and going through the headache of a migration. Despite everything I did for them, Monday morning they were able to come in and start work immediately, with no significant impact on their business, other than the "wow" factor.

Exchange 2007 with a Single Name SSL Certificate

I hinted in my Exchange 2007 SAN certificate posting (http://blog.sembee.co.uk/archive/2008/05/30/78.aspx) that I had written an article on how to set up Exchange 2007 with a single name certificate. After cleaning it up I have now published the article. However it isn't here, as it contains screenshots which the blog seems to struggle with - you will find it on my company technical site: http://exchange.sembee.info/2007/install/singlenamessl.asp

Do note that if you are using Unified Messaging that you cannot use a single name certificate. Also note the hard requirements of SRV record support at your public DNS provider (ie your domain name registrar) and Outlook 2007 SP1.

Forthcoming Speaking Engagement - UK Community Day - 8th and 9th April

Once again the UK IT Pro User Groups are getting together to have a community day at Microsoft in Reading. This time it will be spread over two days - 8th and 9th of April 2008.

I presented at one last year alongside Nathan Winters, but this time I have my own session. I will be presenting a session on behalf of the Microsoft Messaging & Mobility User Group (MMMUG - http://www.mmmug.co.uk/) on the first day on the subject of Client Access to Exchange 2007. This will include unified messaging with Outlook Voice Access, OWA, Windows Mobile and Outlook 2007. Particular emphasis on what is new on Exchange 2007 SP1.
The idea is to show you the different ways that you can access your email, then look at the control the Exchange administrator has over those interfaces. This will be a hands on session, rather than something that is just a series of PowerPoint slides.

As well as my own session I will be there all day sitting in the other sessions, the product group Q&A and the end Q&A at the end of the first day.

The event is free of charge, but you do need to register in advance. Full details of the agenda for the two days, the speakers and their sessions, plus registration details can be found on the web site: http://www.ukusergroups.co.uk/

Share an Exchange 2007 Server (UK Only)

Would your company like to use Exchange 2007, but are finding the costs too high, you don't have the internal skill set or just want to outsource it?
However have you found that hosted Exchange is too limiting for your company needs or you want a more personal approach to the management of your server?

If so, then we may have the answer.

I have recently been talking to a few clients who would like Exchange 2007, but for various reasons cannot justify their own server. They have also expressed a desire for it to be managed by someone they can get to know, rather than a request going in to a helpdesk queue and being completed by an unknown person. 

Therefore what we have talked about is a number of companies getting together to share an Exchange server and the management costs. This server would have a limited number of users, and would be managed by myself. My company would acquire the hardware, arrange hosting at a data centre, set up the server and then manage it.

However to make it worthwhile on costs, time and other investment, we need a few more mailboxes. Ideally we are looking for around 200 mailboxes, we currently have expressions of interest for around 75 mailboxes.

The monthly cost that is currently being looked at is £15 per mailbox per month, with a £100 per client per month management fee and maybe a setup fee. Numbers are not exact as it depends on how many mailboxes we get. If we get 400 or more, then multiple servers could be used, which will bring down the expense as the cost of the domain controllers and additional network hardware will be shared between more users.
We would also need to have a 12 month commitment to the service so that financing etc of the software and hardware can be arranged with some idea of the income flow.

At this time it is planned that each mailbox would have 2gb of space, plus there would be public folder space as well.

If you are interested, then please let me know through the company email address of contact @ amset.co.uk with the number of mailboxes you may be looking to host and whether you would be interested in Blackberry support, and the number of devices. We must ask that you do not contact us if you are outside of the UK, unless you have a UK billing address and the majority of the users will be located in the UK.

Please note this isn't going to happen overnight. Once the legal stuff has been dealt with, the hardware needs to be acquired and set up, so it could be early April or later (at the time of writing) before we are ready to go.

Support for the migration from your existing solution should be included - although it depends on what you are currently using.

I appreciate that much of the detail is not exact, at the moment we need to find out how many others could be interested before proceeding any further.
I have written a brief FAQ below which should answer some common questions, although if you do have any queries, please contact me on the above address and I will attempt to answer them and also update this page.

AT THE TIME OF WRITING THIS IS NOT A SOLUTION YOU CAN BUY FROM US TODAY.

PLEASE NOTE THAT FOR LEGAL AND INSURANCE REASONS THIS SERVICE WOULD ONLY BE AVAILABLE TO UK BASED COMPANIES.

FAQ

Q: Isn't this Hosted Exchange?
A: It is a form of hosted Exchange, and we will be using the Microsoft Hosting licensing system to license the software. However the idea is to offer a service that is more flexible than those offered by Hosted Exchange providers because there is no control panel. Furthermore you know who is managing the server, that they built it and are aware of how it is working. I see it as taking the best bits of Hosted Exchange and having your own server, and putting them together.

Q: What don't we get that we would get with Hosted Exchange/Our Own Server.
A: You don't actually lose a great deal.
From a hosted Exchange point of view, you will not get a control panel or access to any kind of administration interface. Anything you want done from an admin point of view will need to be asked for and I will make the change for you - just as it would if you had your own server - you would ask your network admin or support company.

Things missing from having your own server will include your choice of antivirus and antispam, as we will need to use a solution for all users as it protects the server. You also don't have access to the admin console yourself.

Q: Will we see the other clients in the GAL etc?
A: No. Address list segregation will be used to make it appear to be your own server. While this isn't a traditional hosted Exchange environment, I will be using the techniques from Microsoft on setting up a hosted environment to provide a secure deployment for all users.

Q: Will it be secure?
A: Yes, this will be a deployment done to best practices. Commercial trusted SSL certificates will be used, behind firewalls with the relevant ports open. It will be just as good as a deployment in your own office.

Q: Will we have access to all features? OWA, Windows Mobile support?
A: Yes. Everything Exchange offers will be there, except for Unified Messaging - see below.

Q: Blackberry?
A: Maybe. There are other issues with Blackberry, such as support for Exchange 2007 SP1 and paying for the licenses of both the server and the CALs. If you are likely to be a user of Blackberry, then please indicate that along with how many devices.

Q: What about Unified Messaging?
A: To begin with there will be no Unified Messaging support.
However I am already looking at how UM could be used with a remote server for another client. This could be possible if you already have VOIP technology in use or by hosting the media gateway at your own site. That may mean having a different type of Internet connection in to your own office, and maybe increased bandwidth costs for everyone involved.
There are also security concerns to be addressed, so use of UM may be possible long term, but not at the start.

Q: Contract, SLA etc.
A: Can't answer questions on those bits yet, as that needs to be worked out if we went ahead with this project. There will be some kind of contract and SLA, however those details would need to be resolved once the project starts. That would also include support details, how to make requests, track requests etc. The operational details are a long way away.

Q: What about if you are not available?
A: I am finding someone who can back me up, in case I am not available to look after the server for whatever reason. Whoever I choose to use will be of high quality - I have very high standards and you will know who it is.

Q: Backups?
A: There will be some kind of backup solution, exactly what I do not know at this time. Certainly Exchange options will be used where possible, and then some additional backup will be used to protect the data in the event of server failure.

Q: It is more expensive than x service provider.
A: That may be so. However this is a highly customised solution with support from a named individual. This is not a "pile it high sell it cheap" solution based on price. This is a quality solution. I would compare it to buying a car, such as a 1978 used Mini to a brand new Mini. Same name, both cars, but very different in what you would expect.

Q: So what do we get that we wouldn't if we had our own server?
A: The first thing is less worry. Someone else worries about the server, the data, whether it is working correctly, bandwidth and use.
Next, you have peace of mind that it is managed by an experienced Exchange consultant, which is not something you may well expect to have if you had your own server. No need to worry about someone who doesn't know what they are doing playing around with the server.
The server will be located in a data centre, so it will be protected and available to you wherever you are. If you have a high number of users out of the office, it may well be a better performing solution than hosting your own server.
There could also be opportunities to enhance the solution by purchasing additional software products on a per server basis. While the cost may not be economical for 20 users, for 200 it becomes something viable.