Custom Technology Solutions, Inc

Corporate Blog

Custom Technology Solutions, Inc - Corporate Blog

Microsoft Office 365 service module offers MSPs the best of both worlds

Life for a managed services provider (MSP) is seldom straightforward.   Support staff in the service center have long had to juggle between screens as they log in and out of numerous applications from different vendors in the course of their day-to-day remote management operations. Over the years advances in technology have created ever more diverse technical environments for them to manage.  Nowadays it’s commonplace for customers to have a mix of traditional on-premise IT along with mobile devices and the latest cloud-based applications. The number of management screens just keeps on multiplying – all the while pushing up the time and costs of administration. The Microsoft® Office 365™ cloud-based collaboration, communications and productivity software platform is a good example.  Its combination of Exchange e-mail, SharePoint online, Lync VoIP and conferencing online, web hosting via SharePoint and the Office Web Apps has proved extremely popular with businesses of all sizes . Indeed Microsoft’s own executives have described it as the fastest growing business in its history . Little surprise, then, that it has also gained a strong channel following with more than 60 percent of top MSPs seeking to wrap their services around one of the market’s current best sellers. Yet managing this along with a multitude of other applications is no picnic.  Our MSP partners have been telling us that they would like a more convenient way to administer hybrid physical and online environments so that they can add value for customers with the Office 365 cloud platform.  In view of the large numbers of MSPs using Office 365, developing a solution to help our customers support and obtain recurring revenue streams from supporting Office 365 with ease and simplicity has been a priority. The Microsoft Office 365 service module for AVG Managed Workplace®, just released, goes some way towards addressing this issue. It allows our channel partners to provide management services such as user password resets and mailbox policies – which Microsoft typically will not do – via a single screen through AVG Managed Workplace. In fact the module allows MSPs to remotely perform five of the most popular management tasks. Apart from the two already mentioned you can also set license expiration alerts, receive service down notifications and managing users without using Windows PowerShell®. Other administrative tasks can be accessed without any additional logins. Allowing administrators to view all the essential information they need about cloud-based and on-premise applications together within the same screen in this way gives IT services providers the best of both worlds.  In so doing it neatly solves problem of multiple logins for partners and helps them to run their operations more efficiently. Our simplification of Office 365 management for services providers is a clear demonstration of our commitment to our channel partners.  We will continue to add modules to AVG Managed Workplace that allow IT service providers reap productivity benefits and deliver long-term value to their customers. In summary, the Office 365 service module represents a first step in developing easy ways to manage cloud data within AVG Managed Workplace – something that appears destined to become commonplace as more everyday objects and devices are IP-connected to form the Internet of Things. It also further enhances the wide range of productivity benefits already available to MSPs who use AVG Managed Workplace to remotely manage the IT of their entire customer-base through the same, single pane of glass.

How to enable verbose logging for Windows Server 2012/2012 R2 Essentials

[This post comes to us courtesy of Swapnil Rane and Rituraj Choudhary from Global Business Support] This post explains how to increase the logging level for the individual components of Server Essentials role for troubleshooting purposes. In order to accomplish this, we need to modify the Logging.config file. This file can be located at C:Program FilesWindows ServerBin on a Windows Server 2012 Essentials machine. On a Windows Server 2012 R2 Essentials this file is present at C:WindowsSystem32Essentials . Make sure to save a backup copy of the file before modifying it. You need to change the ownership of Logging.config file and give the user adequate permissions to save any modifications to it. You may use the following commands on an elevated Command Prompt to make modifications to the file: For Windows Server 2012 R2 Essentials: takeown /f C:WindowsSystem32EssentialsLogging.config icacls C:WindowsSystem32EssentialsLogging.config /grant administrators:F icacls C:WindowsSystem32EssentialsLogging.config /setowner “NT ServiceTrustedInstaller” notepad C:WindowsSystem32EssentialsLogging.config For Windows Server 2012 Essentials: takeown /f “C:Program FilesWindows ServerBinLogging.config” icacls “C:Program FilesWindows ServerBinLogging.config” /grant administrators:F icacls “C:Program FilesWindows ServerBinLogging.config” /setowner “NT ServiceTrustedInstaller” notepad “C:Program FilesWindows ServerBinLogging.config” The file Logging.config is now ready for editing. Search for the string level= and replace the string next to level= to All if it is set otherwise. For example: Change it as: Changing the level to All enables verbose logging. There are other values that the level can be set to, but mostly verbose logging is preferred, and can be achieved as mentioned above. When the issue is reproduced subsequently, the logs at C:ProgramDataMicrosoftWindows ServerLogs folder should now contain verbose information. Note : You may use the same procedure to enable verbose logging on the Essentials clients.

Announcing the availability of enabling Windows Server 2012 R2 Essentials’ integration of Microsoft online services in environments with multiple…

In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due limitations in the user account and password synchronization mechanism in Windows Server Essentials.  I am happy to announce that with the recent Windows August Update released on (8/12/2014, PST), this limitation has been removed.  This update adds support for both Azure Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server. For more information, please go to http://support.microsoft.com/kb/2974308 .

Troubleshooting Common VPN issues on Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Sabir Chandwale, Harshal Charde, Ajay Sarkaria and Rituraj Choudhary from Global Business Support] In our previous post , we covered steps involved in configuring VPN on Windows Server Essentials. In this post, we will cover common problems that could result in failure of VPN functionality in your Windows Server Essentials environment. In Windows Server 2012 R2 Essentials, VPN is deployed in a way that there is little requirement of manual configurations on the server or a client. Considering correct TCP Ports are open on the firewall and forwarded to the server, and VPN was enabled while running Anywhere Access wizard, VPN should work right out of the box. Also, on the VPN client, make sure the VPN dialer has proper protocols selected. To be able to access the Remote Access management tools, you should first install Remote Access GUI and Command-Line Tools using the following command: Add-WindowsFeature –Name RSAT-RemoteAccess-MGMT Let us now discuss some common issues with VPN connection. Error 850: The Extensible Authentication Protocol type required for authentication of the remote access connection is not installed on your computer. If you have set up the VPN connection manually, you may encounter this error. This error indicates that none of the protocols are chosen in the VPN Connection Properties. The fix is to select Allow these protocols on the Security tab of the VPN connectoid. Microsoft CHAP Version 2 (MS-CHAP v2) would get selected automatically when you click this option. Hit OK to apply the changes. You may also face internet or network resource access issues. It could be that you are using the default gateway of the remote network. On the Networking tab of the VPN connectoid, open the properties of Internet Protocol Version 4 (TCP/IPv4) and click Advanced . Now, on the Advanced TCP/IP Settings window, clear the check for Use default gateway on remote network . That should ensure that the network and internet connection are up and running. Let’s look at another error. Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly. The reason for this connection failure could be either because 443 is not allowed on the firewall or there is a mismatch of certificate in RRAS and IIS (Default Web Site). To fix it, ensure that 443 is allowed and forwarded to the Windows Server 2012 R2 Essentials, and that correct SSL certificate is bound to the Default Web Site for port 443, and the same is associated with SSTP port. You can easily figure out if SSL port 443 is blocked. If you are able to browse RWA from outside, it is open, otherwise it is not. To verify certificates, open Internet Information Services (IIS) Manager on the Server Essentials, and click to open Bindings for the Default Web Site . On the Site Bindings page, choose the binding for the port 443 with blank host name, and click Edit . On the Edit Site Binding page, click View . On the Certificate window, chose Details and make a note of the Thumbprint of the certificate. Alternatively, you could use the following PowerShell command to display the thumbprint of the certificate active on the Default Web Site: Get-WebBinding | Where-Object {$_.bindinginformation -eq “*:443:”} | fl certificateHash Now, open Routing and Remote Access Management console. Right-click the server name, open its properties and click on the Security tab. Click View next to the Certificate. You should have the same certificate thumbprint here as well. If this is a different certificate, change the certificate to match the one on the IIS. Alternatively, you may use this command to modify the thumbprint of this certificate for the Secure Socket Tunneling Protocol (SSTP) Service: reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSstpSvcParameters /v SHA1CertificateHash /t REG_BINARY / /f Once you ensure that the certificate on the Default Web Site and SSTP are same, this issue should have been taken care of. Let’s look at the next error. Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection. If VPN client is unable to obtain an IP address from the VPN server, you may see this error. In Server Essentials, usually the DHCP is hosted on a different device. To workaround this error, open Routing and Remote Access console and open the server Properties . On the server properties, assign a valid static IPv4 address pool for the VPN clients, and exclude it from DHCP server scope. On certain occasions we have seen that the on premise client would show connected to the hosted Windows Server 2012 R2 Essentials, however there may not be any connectivity the between the VPN client and the Server Essentials. In such scenarios, enable and analyze additional Routing and Remote Access information logs at the %windir%tracing directory. Additionally, you may want to check the events for RemoteAccess-MgmtClient and RemoteAccess-RemoteAccessServer on the Event Viewer. These were some common VPN issues we see with Windows Server 2012 R2 Essentials, and they usually show up when VPN server settings or VPN client connectoid has been configured manually. If you enable VPN through the Anywhere Access wizard, you may not see these errors.

Configuring Health Report in Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Harshal Charde, Kriti Thakral and Sandeep Biswas from Global Business Support] In this post we will discuss about configuring Health Report email notification using O365 in Windows Server 2012 R2 Essentials. The Health Report for Windows Server 2012 R2 Essentials provides you with consolidated information about the Windows Server Essentials network and enables you to distribute this information to intended recipients via emails. This information can be viewed on the Health Reports tab of the Dashboard on Windows Server 2012R2 Essentials. We can generate a report on demand or on schedule, customize the content of the report and send them through emails. Reading the Health Reports on the Windows Server Essentials Dashboard may be time consuming. With the email feature, after a report is generated, an email will be sent to a list of specified email addresses with the content of the report. The administrator can easily view this report from any device or any client application, and ensure that the server is running at its best state. In the following example we have used an Office 365 account to configure Health Report email notifications. You may log in and view the SMTP server details of O365 account as follows: 1. Click Outlook tab, click Settings icon   and then click Options. 2. On the next page click account and then click Settings for POP or IMAP access 3. Make a note of the SMTP setting and then click close. To configure the health report on the Window Server 2012 R2 Essentials, open the Windows Server Essentials Dashboard , click the Health Report page on the HOME tab and click Customize Health Report settings . Click the Schedule and Email tab, click to select Generate a health report as its scheduled time check box (customize the recurrence as per your preference) and then click Enable . Type the email address of your O365 mail account, the SMTP server name and the SMTP port. Click to select This server requires a secure connection (SSL) and This server requires authentication check boxes and type the username & password of your O365 account and click OK . On the next page, type the email address of the person that you would like to receive alert notification by email and click OK . If you wish to add multiple email addresses ensure that you separate each email address with a semicolon (;). Alternatively, if you prefer commands over the GUI, there are PowerShell commands built-in to the WssCmdlets module to configure the Health Report: Set-WssReportEmailSetting -Enable -From “healthreport@mysbs.onmicrosoft.com” -SMTPServer “smtp.office365.com” -Port 587 -UseSsl -To MyEssentials@outlook.com -UseAuthentication –Credential (Get-Credential) Set-WssReportSchedule -Enable -Daily -At 16:00 The above commands would take care of the email account configuration and the schedule of the health report. There are additional commands to generate a new report ( New-WssReport ), and send an email with the health report ( Send-WssReport ) that you can utilize too. You can find a list of all the commands of the WssCmdlets module here . Once the configuration is completed, you can click Generate a health report which will automatically send an email notification to the external user mailbox. You can also send an existing report by selecting it and clicking Email the health report . Here is a sample of the email received: You are now ready to receive the Health Report notifications on email. Logon to the subscribed user’s mailbox to verify the receipt of email.

Improve collaboration in small and midsize businesses solution guide now available

[This post comes to us courtesy of Kumud Dwivedi from Content Publishing] If you are a small to midsize business that is looking to enable employees and external partners to improve collaboration and securely access shared data, we now have a solution guide to address this. Windows Server 2012 R2 Essentials and Windows Server 2012 R2 provide a solution to easily collaborate with your partners or vendors. If your business has up to 25 users and 50 devices, use Windows Server 2012 R2 Essentials. For up to 100 users and 200 devices, use the Standard or Datacenter editions of Windows Server 2012 R2 with the Windows Server Essentials Experience role installed. To view this solution guide, see Improve collaboration in small and midsize businesses .

Understanding VPN configuration in Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Md. Sabir Chandwale and Rituraj Choudhary from Global Business Support] In this post we will discuss about Virtual Private Network feature on Windows Server 2012 R2 Essentials. Virtual Private Network can be straightforwardly installed and configured on a Windows Server 2012 R2 Essentials by running the Set up Anywhere Access wizard and selecting Virtual Private Network (VPN) option on the following screen. If you want to know about Remote Web Access, or run through the sequential screens of Anywhere Access wizard, please visit this post . When you choose to enable VPN using this wizard, the following roles/features get installed on the Essentials Server: Remote Access, DirectAccess and VPN (RAS), IP and Domain Restrictions, IIS Management Scripts and Tools, Network Policy and Access Services Tools, and Windows Internal Database. You can also enable these roles/features from the Server Manager or PowerShell command-lets, however on Windows Server Essentials we recommend enabling it using the Set up Anywhere Access wizard. It’s noteworthy that Windows Server 2012 R2 Essentials allows client machines to join their server without having to be inside the company network using a feature called Remote Domain Join . So, if VPN is enabled on Server Essentials, you may connect a remote client to the local network via VPN, run the Connect wizard from http:// /connect or http:// .remotewebaccess.com/connect URL and join the remote client to the server. The process is very simple and straightforward. As a prologue to discuss some common issues with VPN on Windows Server 2012 R2 Essentials, let us first glance through the default Routing and Remote Access (RRAS) settings. You may also find the specifics about these settings on TechNet . Note: Server Essentials automatically manages the routing for VPN, and therefore Routing and Remote Access (RRAS) UI is hidden on the server to prevent tampering of RRAS settings. As a result, to view, change or troubleshoot the Remote Access settings, you need to install Remote Access GUI and Command-Line Tools using Server Manager or the following PowerShell command: Add-WindowsFeature RSAT-RemoteAccess-Mgmt This feature enables Routing and Remote Access console and respective command-line tools to manage VPN and DirectAccess. Note that this role may not be required on the server unless you need to change the settings for VPN or DirectAccess. Default Settings of VPN on Windows Server 2012 R2 Essentials To check the default settings for the VPN, open Routing and Remote Access Manager. Right click server name , and select Properties . On the General tab, IPv4 must be enabled: The Security tab consists of the Authentication Methods… and SSL Certificate Binding : The Authentication Methods should have Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) enabled. You can confirm it by clicking the Authentication Methods… button on the Security tab. The SSL Certificate Binding section on the Security tab displays the certificate active for VPN. This also indicates that we enable VPN on SSL and that you do not have to allow any port other than port 443. Let’s move on to the IPv4 tab. By default the VPN clients are set to receive IP from DHCP, but you may require to change it to a Static address pool for troubleshooting purposes. On the IPv6 tab, the options Enable IPv6 Forwarding and Enable Default Route Advertisement are selected by default. The IKEv2 tab consists of the default options to control the IKEv2 client connections and Security Association expiration. The PPP tab contains the settings for Point-to-Point protocol and are as follows: The Logging tab on the server properties page contains the level of logging enabled for Routing and Remote Access. To enable additional logging for the Routing and Remote Access, select the option Log additional Routing and Remote Access information . Once this option is selected additional log files are created in the %windir%Tracing directory that provide deeper insight to troubleshoot RRAS issues. Make sure to disable the additional logging once the troubleshooting is complete. You may also gather and modify information for Remote Access from an elevated Windows PowerShell terminal. Here are some common commands: Command Purpose   Get-Command -Module RemoteAccess   Displays a list of commands available with RemoteAccess module   Get-RemoteAccess   Displays the configuration of VPN and DirectAccess (DA)   Get-VpnAuthProtocol   Displays authentication protocols and parameters set on the VPN   Get-VPNServerConfiguration   Displays VPN server properties Here is a sample output: You can look at the help file of each of these commands for a detailed description. Better yet, you can use the following command to insert the help contents of each of these commands for the module RemoteAccess to a text file as: $(foreach ($command in (Get-Command -Module RemoteAccess)) {Get-Help $command.Name} ) | Out-File HELP.txt We will discuss some common issues with VPN on another post in future.