Channel: TechNet Blogs

Production Checkpoints in VMM 2016


~ Dipti Goyal | SDET

Hello, I am Dipti Goyal, an engineer on the System Center Virtual Machine Manager team. System Center 2016 Virtual Machine Manager can create Production or Standard checkpoints, and I summarize each of these options below.

A little about Hyper-V Production Checkpoints

Production checkpoints allow you to easily create “point in time” images of a virtual machine which can be restored later on in a way that is completely supported for all production workloads. This is achieved by using backup technology inside the guest to create the checkpoint instead of using saved state technology. For production checkpoints, the Volume Snapshot Service (VSS) is used inside Windows virtual machines. Linux virtual machines flush their file system buffers to create a file system consistent checkpoint. If you want to create checkpoints using saved state technology you can still choose to use standard checkpoints for your virtual machine.

For any new virtual machines, the default is to create production checkpoints with a fallback to standard checkpoints.

More details on this can be found here.

What’s new in VMM Checkpoint options:

Hyper-V has added four checkpoint types:

  1. Disabled
  2. Production
  3. ProductionOnly
  4. Standard

We have implemented these types in VMM, so let’s look at each of them in detail:

1. Disabled – This option disables checkpointing on the VM. Once CheckpointType is set to this value, no checkpoint can be taken on that VM until it is set to some other value.

Example: Set-SCVirtualMachine -CheckpointType Disabled

This sets the CheckpointType property on the VM to ‘Disabled’.

2. Production – Production checkpoints are application-consistent snapshots of a virtual machine. Hyper-V leverages the guest VSS provider to create an image of the virtual machine in which all of its applications are in a consistent state. The production snapshot does not involve the autorecovery phase during creation. Applying a production checkpoint requires the restored virtual machine to boot from an offline state, just like a restored backup. This is always more suitable for production environments.

Example: Set-SCVirtualMachine -CheckpointType Production

This sets the CheckpointType property on the VM to ‘Production’. With this option, if a Production checkpoint fails for any reason, a Standard checkpoint is taken instead.

3. ProductionOnly – This option is the same as Production, but if a Production checkpoint fails, no checkpoint is taken at all.

Example: Set-SCVirtualMachine -CheckpointType ProductionOnly

This sets the CheckpointType property on the VM to ‘ProductionOnly’.

4. Standard – This kind of checkpoint stores the memory state of the running applications, so when you apply the checkpoint the VM is back in exactly the same state. For a production environment such as SQL Server or Exchange Server this may not serve the right purpose, so this type of checkpoint is more suitable for dev-test environments.

Example: Set-SCVirtualMachine -CheckpointType Standard

This sets the CheckpointType property on the VM to ‘Standard’.

The examples above are for Set-SCVirtualMachine in VMM; however, CheckpointType can also be set during the following operations:

  • New-SCVirtualMachine -CheckpointType
  • New-SCHardwareProfile -CheckpointType
  • Set-SCHardwareProfile -CheckpointType
  • New-SCVMTemplate -CheckpointType
  • Set-SCVMTemplate -CheckpointType

If you want to change it from the VMM UI, the same four options are available in the VM's properties.

This gives VMM users the flexibility to change the checkpoints based on their requirements. Hope this is helpful and thanks for reading.

Dipti Goyal | SDET | Fabric Management
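The following script is an added example (not from the post or the VMM team): it audits CheckpointType across all VMs and templates and enforces ProductionOnly for VMs identified as production. It assumes the VMM PowerShell module and a reachable VMM server; the server name and the 'Prod-' naming convention are placeholders. The reason a security engineer cares: a Standard checkpoint writes the VM's memory state to disk, so whatever was in guest memory ends up in checkpoint files next to the VHD, and the plain Production setting silently falls back to that when VSS fails.

```powershell
# Added example, not VMM's own code. Assumes the virtualmachinemanager module
# and a VMM server; 'vmm01.contoso.local' and the 'Prod-' prefix are placeholders.
Import-Module virtualmachinemanager
$vmm = Get-SCVMMServer -ComputerName 'vmm01.contoso.local'   # placeholder server name

# Report: how many VMs use each CheckpointType (Disabled, Production, ProductionOnly, Standard).
Get-SCVirtualMachine -VMMServer $vmm |
    Group-Object -Property CheckpointType |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Enforce: production VMs (placeholder convention: name starts with 'Prod-') must never
# fall back to a memory-state Standard checkpoint, so set them to ProductionOnly.
Get-SCVirtualMachine -VMMServer $vmm |
    Where-Object { $_.Name -like 'Prod-*' -and $_.CheckpointType -ne 'ProductionOnly' } |
    ForEach-Object {
        Write-Host ("Changing {0}: {1} -> ProductionOnly" -f $_.Name, $_.CheckpointType)
        Set-SCVirtualMachine -VM $_ -CheckpointType ProductionOnly
    }

# Templates seed new VMs, so set the default there as well; otherwise the next
# deployment comes back with the default Production-with-fallback setting.
Get-SCVMTemplate -VMMServer $vmm |
    Where-Object { $_.CheckpointType -ne 'ProductionOnly' } |
    ForEach-Object { Set-SCVMTemplate -VMTemplate $_ -CheckpointType ProductionOnly }
```

Run the report block on its own first; the enforcement block changes VM settings and is best applied one cloud or host group at a time.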



New TechNet Radio Episode: To The Cloud #6 - VMs for SMB and More in the Cloud

In Part 6 of the “To the Cloud” series, Blain Barton, Dan Stolts, and I provide an overview of the benefits of running servers without the physical hardware using Microsoft Azure. Learn how large and small to mid-sized companies can rent compute, storage, and networking resources by using datacenter hardware to deploy virtual machines (VMs)....(read more)

Digital transformation at Waßmann GmbH: "We will have made it when there is no more paper on the desk"



The future of Germany as a business location is being intensively debated. One entrepreneur who follows the debate on digital transformation not only as an interested and informed citizen but also as an active participant is Torsten Waßmann. Torsten Waßmann is the owner and managing director of Waßmann GmbH, a skilled-trades company specializing in innovative building technology, with 25 employees, based in Stuhr-Brinkum near Bremen. In the following guest post he writes about his experience with the digital transformation of his own company.


Since the first of May we have been using the Surface Pro 3 and Office 365 in our company, so that our master craftsmen in the field can show customers on site all the information they need for quotes and concepts. Previously my employees drove to customers with a thick folder of plastic-laminated sales documents under their arm. Today they carry only the Surface and can show everything we offer. Combined with our industry solution from pds Novis it-systeme, a Microsoft partner, we create an end-to-end digitized chain from quote through order to documentation of the job.


"I have something for you!"

I first became aware of the Surface Pro 3 through pds Novis it-systeme. During a routine visit our service provider announced that they would bring the 2-in-1 device next time: "I have something for you!" And then it quickly became clear that this was exactly how we wanted to position ourselves for the future.


Mobile customer service only works via the cloud

For some time I had been thinking about how to simplify and improve the flow of information within my company, so that all employees can access the information they need at that moment from anywhere. As a trades company we are very active in customer and maintenance service and also in emergency call-outs for faults, and we need information both on site and in the company itself.

It quickly became clear to me that for this strategic approach we (must) talk about cloud technologies. And since we have long worked with Microsoft solutions, it made sense to rely on Microsoft here too, especially since our industry solution also comes from a Microsoft partner, pds Novis it-systeme.

For this we switched company-wide to Office 365, having worked with Office since 1995, most recently Office 2010. And the Surface Pro 3 very quickly became the obvious choice, because it is intuitive to use, stays connected to our corporate IT via the cloud at all times, and is ideally suited for presenting quotes and products to customers on site. In addition, we can feed inquiries, quotes and orders directly into our IT on site via the pds industry software.


On the way to the paperless office

This brings our vision of a fully digitized process chain in a nearly paperless office closer, even if it cannot yet be fully realized at present. The reason is that not all of our software partners in the heating and sanitary technology field have brought their functional and sales-support apps to the Surface yet; there is certainly some catching up to do. Also, the measurement data we capture on site with special rugged devices cannot yet be fed directly into our system via the cloud and made available on the Surface. There is room for improvement here too.


Well positioned for digital transformation

Regardless, I see us as very well positioned in the discussion about digital transformation. I follow the debate with great interest in new technologies and new strategies, because all of it affects our company too. We ourselves, with our three Surface Pro 3 devices and ten Office 365 workstations, are in the middle of the transformation process, which we will only have completed when there is no more paper on our desks and we can provide all information digitally end to end.

Even now, however, we have an advantage over our competitors: we are faster and can provide information at any time and in any place, not only on products and technical content but also on prices, and we can schedule appointments directly. Especially in the fiercely competitive services market and in customer service, these are enormously important capabilities: the faster we can present a customer with a quote, the more satisfied they are. And our customers are satisfied!


A guest post by Torsten Waßmann
Owner and managing director of Waßmann GmbH

- - - -

Further reading:


Azure from A to… - News from AzureCon

At the end of September AzureCon was held, a conference presenting another batch of new features for Azure. We will introduce all of them in this article. N-series virtual servers: Azure VMs are getting another series, this one with the letter N. If in future you create a server of this instance type, you get dedicated performance from an NVidia graphics card of the Tesla series...(read more)

Should we have fake identities to move around online? Privacy and security up for debate


Skolen i Sydhavnen and Microsoft are jointly hosting a large event for teachers, pupils, parents and interested guests about security and privacy when children and adults move around in the digital world. There is a growing focus on this area, and that is why we want to equip everyone to behave responsibly and safely online.

For that reason we have invited Pernille Tranberg, founder of www.digital-identitet.dk and one of Denmark's leading privacy experts, and Microsoft's technology director, Ole Kjeldsen, as speakers at the event, where we make online security and privacy concrete.

Time and place

Date: 12 November 2015

Time: 12:00 – 15:00

Address: Skolen i Sydhavn, Støberigade 3, 2450 København SV

Register by sending an e-mail to Morten Ovesen, Head of Education Programs, at moovesen@microsoft.com

About the speakers:

Pernille Tranberg is a journalist and data-ethics advisor and is frequently used as a commentator on privacy cases on TV and radio. At the privacy event Pernille will, among other things, talk about why you should never give your real name to social media, and about the existence of websites that help you obtain a fake identity. Pernille sees it as a clear advantage that with a fake identity you do not pay with your private information at the services that claim to be free. Pernille has previously spoken at TEDxOxford:


Ole Kjeldsen is technology director at Microsoft and has a strong interest in spreading awareness of how the internet can be used safely, so that we will continue to use IT and media actively.



It will be an exciting program, and we very much hope you want to take part :)

By Morten Ovesen, Head of Education Programs

Microsoft Office 365 in education. Visio and SharePoint Office 365 sites


Visio Services is a new set of capabilities in Office 365 that lets you share diagrams with users who do not have the Visio program installed on their computers.

What will you know and be able to do after reading this article?

  • Possible options for integrating Microsoft Visio and Office 365.

...(read more)

October 22 and 23 - Project Virtual Conference 2015


On October 22 and 23, Project Virtual Conference 2015 will take place: a free, 24-hour virtual conference about Microsoft Project, Project Server and Project Online.

Project Virtual Conference 2015 is the first online conference of its kind dedicated to Microsoft Project, Project Server and Project Online, and it will run for 24 hours without a break!

Register.

...(read more)

Filtering Event Log Events with PowerShell


Summary: Ed Wilson, Microsoft Scripting Guy, talks about filtering event log events with the Get-WinEvent cmdlet.

Hey, Scripting Guy! Question Hey, Scripting Guy! I try to use the Get-WinEvent cmdlet to search event logs, but it is pretty hard to do. Also, I don’t see the nice switches that I had with Get-EventLog, so I don’t see why I should use the other cmdlet and have to pipe everything to Select-Object or Where-Object.

—EG

Hey, Scripting Guy! Answer Hello EG,

Microsoft Scripting Guy, Ed Wilson, is here. One of the things that you need to realize is that with Windows PowerShell, one should always filter to the left of the pipeline. This is the prime directive when it comes to working with large amounts of data. Event logs can be huge and contain massive amounts of data. They can consume huge amounts of bandwidth when they are delivered across the network or other places. Like the alligator that the Scripting Wife and I saw while we were hiking the other day, this can be a hidden trap with serious outcomes if the network admin is not paying attention.


Seven parameter sets

The Get-WinEvent cmdlet has seven parameter sets. For the IT pro who needs to filter data from event logs, exactly three of them matter. The parameter sets are shown here:

Image of command output

Here are the three filter parameters:

PS C:\> ((gcm Get-WinEvent | select -expand parametersets).parameters).where({$_.name -match '^filter'}) | select name -Unique

Name
----
FilterXPath
FilterXml
FilterHashtable

Of the three filter parameters, the easiest for me to use is FilterHashTable. The FilterHashTable parameter accepts…wait for it…you will never guess this one…

...a hash table.

That is right, the FilterHashTable parameter accepts a hash table as the input parameter.

Note: If you need a refresher about hash tables, see Learn the Basics of PowerShell Hash Tables.

Here is the most important thing you need to understand when using the FilterHashTable parameter:

Everything goes into the hash table.

The syntax is shown here:

Get-WinEvent [-FilterHashtable] <hashtable[]> [-MaxEvents <long>] [-ComputerName <string>] [-Credential <pscredential>] [-Force] [-Oldest] [<CommonParameters>]

I said everything—well obviously, not everything. But things used for filtering the events, such as the event log name, the ID, and stuff like that go into the hash table. Here is a table of things you can use when creating a filter hash table:

Key name        Value data type   Accepts wildcard characters?
--------        ---------------   ----------------------------
LogName         <String[]>        Yes
ProviderName    <String[]>        Yes
Path            <String[]>        No
Keywords        <Long[]>          No
ID              <Int32[]>         No
Level           <Int32[]>         No
StartTime       <DateTime>        No
EndTime         <DateTime>        No
UserID          <SID>             No
Data            <String[]>        No
*               <String[]>        No

The filter hash table takes the following form:

  • At sign
  • Opening Curly bracket
  • Keyname
  • Equals
  • Value
  • Closing Curly bracket

Here is a simple example that returns all the events from the application log:

Get-WinEvent -FilterHashtable @{logname='application'}

Although PowerShell is often very good at converting input to the required data type (dynamic type system), the filter hash table must have the string values placed in single or double quotation marks. For example, if I don't put my value for the LogName keyword in quotation marks, the following error message appears:

Image of command output

Note: When testing a filter hash table for the Get-WinEvent cmdlet, it is a good idea to limit the amount of data returned to just a few records. This is where MaxEvents is a useful parameter.

To add another key name/value combination to FilterHashTable, separate the key name=value pair with a semicolon. This is shown here, where I search the Application log for event ID 413.

Get-WinEvent -FilterHashtable @{logname='application'; id=413}

I can get an idea about the properties and values of an event log record by selecting a single event and piping the output to the Format-List cmdlet (fl is an alias). I then select all of the properties by using the asterisk ( * ) wildcard character. This is shown here:

Image of command output

By looking at the Level property, and knowing that my entry is an error record, I can surmise that I can filter specifically on events that have the ID of 413 and are error records (Level 2). Again, I use a semicolon to separate each key name=value pair. Here is my revised query:

Get-WinEvent -FilterHashtable @{logname='application'; id=413; level=2}

The output is shown here:

PS C:\> Get-WinEvent -FilterHashtable @{logname='application'; id=413; level=2} -MaxEvents 1

   ProviderName: ESENT

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
10/18/2015 8:32:34 AM          413 Error            SettingSyncHost (392) Unable ...

PS C:\>

EG, that is how you can use Windows PowerShell to read the event logs. Join me tomorrow when I will talk about more cool stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 
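As an added example (not from the post), here is a filter hash table put to a defender's use: it pulls failed logon events (ID 4625) from the Security log for the last 24 hours and summarizes the accounts with repeated failures, reading the fields from the event XML rather than parsing the Message text. It assumes a Windows host where the Security log is readable (run elevated); the 24-hour window and the threshold of 10 failures are choices made for this example, not values from the post.

```powershell
# Added example, not the Scripting Guy's code. Assumes an elevated session on a
# Windows host; the time window and threshold below are arbitrary example values.
$since  = (Get-Date).AddHours(-24)
$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4625               # "An account failed to log on"
    StartTime    = $since
    EndTime      = Get-Date
}

# The hash table is evaluated by the event log service, not by Where-Object, so only
# matching records cross the pipeline. -MaxEvents bounds a first test run.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue

# Get-WinEvent returns nothing (and writes a non-terminating error) when no event matches.
if (-not $events) { Write-Host "No 4625 events since $since"; return }

# Each 4625 event carries named EventData fields; ToXml() exposes them without regex.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        SourceIp  = $d['IpAddress']
        LogonType = $d['LogonType']
        Status    = $d['Status']      # e.g. 0xC000006D = bad user name or password
    }
}

# Accounts with 10 or more failures in the window are worth a closer look.
$rows | Group-Object Account |
    Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending |
    Select-Object @{n='Account'; e={ $_.Name }}, Count,
                  @{n='Sources'; e={ ($_.Group.SourceIp | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

Note that every string value in the hash table is quoted, as the post requires, and that StartTime and EndTime take DateTime objects directly. To point the same query at a remote machine, add -ComputerName and -Credential to the Get-WinEvent call; the filter still runs on the remote side, so only the matching events travel over the network.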


Get access to the Office 2016 suite today!


Office 365 offers users a great experience on every level. From accessing files through the cloud to working on any device from anywhere, getting work done has never been this liberating.

But did you know the full suite of Office 2016 apps is also available as part of the total package?

That’s right! By using Office 365, you can enjoy the Office 2016 suite in its entirety, free of charge.


Rediscover freedom

Give yourself the option to work anywhere on any device with access to Office 2016 through various plans we have for Office 365. Between Business and Business Premium, there is sure to be a package suited for your needs. You can view the plans here.


Time to upgrade

Already have Office 365 Business, Business Premium, or Small Business Premium? Click here to find out how you can upgrade in order to access Office 2016.


Productivity reaches new heights with Office 2016, now part of Office 365!

Step-By-Step: Managing Windows 10 with Administrative templates

Hello folks! Last week Anthony wrote about Windows 10 Tips: How to Delay or Defer Windows Updates. It was very well received: thousands of views in a very short time, so obviously a subject that interests you all. Let's take this further and look at how we in IT control the configuration and settings of the Windows 10 machines on our networks. Since we're on the subject, here is a 30-minute video that deals with management with Group Policy, System Center and...(read more)

Creating a multi-line text list column


This is Suezaki from SharePoint Support.

This article explains what happens when a list column is added or edited as multi-line text in a SharePoint 2013 custom list or similar list.

You may sometimes create a column in a custom list as multi-line text.

Below is the column creation screen.

You may also change the type of a column you have already created.

Below is the edit screen for an existing column.

Did you notice the difference?

When creating a column, the text types you can select are "Plain text" and "Enhanced rich text", but when editing, "Rich text" appears as well.

In SharePoint 2013 we recommend "Enhanced rich text" when creating a multi-line text list column, so "Rich text" cannot be selected at column creation time.

However, in earlier versions of SharePoint it was possible to create "Plain text", "Rich text" and "Enhanced rich text" columns.

Please understand that "Rich text" remains on the column edit screen as a compatibility measure, for example to support type changes on lists created in earlier versions of SharePoint.

 

Title: Change the text format of column headings in a list

Address: https://support.office.com/ja-jp/article/%E3%83%AA%E3%82%B9%E3%83%88%E5%86%85%E3%81%AE%E5%88%97%E8%A6%8B%E5%87%BA%E3%81%97%E3%81%AE%E3%83%86%E3%82%AD%E3%82%B9%E3%83%88%E3%81%AE%E6%9B%B8%E5%BC%8F%E3%82%92%E5%A4%89%E6%9B%B4%E3%81%99%E3%82%8B-6f376710-16db-4469-82e3-ebbe17a52172

Note that "Enhanced rich text" can use web-based strings (supporting hyperlinks and so on).

"Rich text" lacks some of the enhanced rich text capabilities above, but character styles and the like can still be changed.

 

About multi-line editing tools that handle rich text columns

"Quick Edit" and "Open with Access" can be used to edit SharePoint 2013 lists.

(See also here for information related to editing lists.)

"Quick Edit" (JavaScript) supports web-based strings, while Access supports text-based strings.

The strings that can be used differ by text type, and there are restrictions depending on the editing method; this is the situation as of today (2015/10/19).

Below is a chart of whether list editing works for each combination (○ = editable, × = not editable).

Note that the datasheet view (ActiveX) used in earlier versions of SharePoint behaves the same way as "Open with Access" when editing.

That is all for this post.

Microsoft Dynamics CRM, a great helper for cram schools: class management made easy


Cram-school battle tactics: win a good reputation with ease

Tutoring centers and after-school arts programs line every street; are you one of them? Have you found that what takes the most time is not teaching, but handling a chain of chores: course scheduling, teacher assignment, and building student and parent records? Are you still recording everything in your center on paper or in Excel? In this fiercely competitive tutoring market, are you looking for a way to stand out?

Microsoft Taiwan has partnered with Tectura to build 補教王 (Tutoring King), designed for community tutoring centers and after-school arts programs. It helps you handle all class administration, lets you break through in management and in sales, and lets you easily review business performance from every angle, raising the value of your school!

Tectura will hold a "Microsoft CRM" online seminar on November 4 (Wednesday), sharing the features of 補教王 in 45 minutes. You are cordially invited to attend!

Agenda:

• 16:00 – 16:30  Introduction to 補教王 modules: course scheduling, teacher assignment, student and parent records
• 16:30 – 16:45  Q&A

Registration URL: http://surveys.benchmarkemail.com//Survey/Start?id=553731&s=418823


"No clouds are configured on the registered servers. On the VMM server, Create clouds which you want to protect."


Hello 

I wanted to share my experience on an issue I was working on: Azure Site Recovery configuration for enabling VMM cloud protection. We had configured the VMM provider and registered it successfully with the Azure subscription, and the server was showing as connected on the Azure Portal.

However, when we navigated to Recovery Services -> <Recovery Vault> -> Protected Items -> VMM Clouds, we saw "No clouds are configured on the registered servers. On the VMM server, Create clouds which you want to protect."

We knew that we had 3 clouds created on the SCVMM server and they were supposed to show on the portal.

SCVMM version -- 3.2.8071.0

Checked that the provider agent version and the CBEngine version were the latest.

Tried reinstalling the provider; still the same issue.

The SCVMM server was not installed as HA.

We found that around 6 machines were failing VM refresh with errors. Those machines were showing with status as migration failed and HDD missing.

We found these problematic machines in the console and removed them from the SCVMM database using the cmdlet below.

https://technet.microsoft.com/en-us/library/hh801721.aspx

NOTE: When used with the Force parameter, Remove-SCVirtualMachine only deletes the virtual machine from the VMM database. It does not delete the virtual machine itself.

Get-SCVirtualMachine -Name "<MachineName>" | Remove-SCVirtualMachine -Force

Then we refreshed the hosts with VM refresh, and the VMs refreshed without error status.

We restarted the SCVMM service and then refreshed the SCVMM server in the ASR configuration on the Azure portal.

We waited for the refresh job to finish and found that the clouds started showing in the ASR configuration.


Thanks

Santosh Killekar - Support Escalation Engineer (System Center)


Disclaimer: This posting is provided "AS IS" with no warranties and confers no rights.
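The clean-up described in the post, written out as a reviewable script (an added example, not the author's own): it lists VMs in the failed states first, exports that list, and only then removes the stale database records and refreshes the affected hosts. It assumes the VMM PowerShell module and a VMM server connection; the server name is a placeholder, the Status values matched ('MigrationFailed', 'Missing') are an assumption about how those states appear on the VM object, and the service name used for the restart is assumed.

```powershell
# Added example, not the post's own code. Assumes the virtualmachinemanager module;
# 'vmm01.contoso.local' is a placeholder and the Status names below are assumed.
Import-Module virtualmachinemanager
$vmm = Get-SCVMMServer -ComputerName 'vmm01.contoso.local'   # placeholder server name

# Step 1: find VMs stuck in a failed/missing state without changing anything.
# Review this output before running step 3; a VM that is merely stopped must not be here.
$stale = Get-SCVirtualMachine -VMMServer $vmm |
    Where-Object { $_.Status -match 'MigrationFailed|Missing' }   # assumed status names
$stale | Select-Object Name, Status, VMHost | Format-Table -AutoSize
if (-not $stale) { Write-Host 'No VMs in a failed or missing state'; return }

# Step 2: keep a record of what is about to be removed from the database.
$stale | Select-Object Name, Status, VMHost, Location |
    Export-Csv -Path '.\stale-vms.csv' -NoTypeInformation

# Step 3: -Force removes only the VMM database record; the VM's files on the host
# are left in place (see the note above), so nothing on the hypervisor is lost.
foreach ($vm in $stale) {
    Write-Host ("Removing database record for {0} ({1})" -f $vm.Name, $vm.Status)
    Remove-SCVirtualMachine -VM $vm -Force
}

# Step 4: refresh each affected host so VMM re-reads its VM inventory cleanly.
$stale.VMHost | Sort-Object -Property Name -Unique | ForEach-Object { Read-SCVMHost -VMHost $_ }

# Step 5 (run on the VMM server itself): restart the VMM service before refreshing
# the server in the ASR configuration on the portal. Service name assumed.
# Restart-Service -Name SCVMMService
```

Run steps 1 and 2 on their own first and read the CSV; step 3 is only correct for VMs that VMM has genuinely lost track of, because a live VM removed from the database with -Force keeps running on the host but disappears from VMM until the host is refreshed and the VM is re-discovered.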


A backup-dedicated IP address cannot be configured in a DAG environment


Hello, this is Matsuoka from Microsoft Japan.

In Microsoft Exchange Server 2010 DAG environments, we sometimes receive inquiries such as "I want to add a backup-dedicated IP address to the cluster core group of the DAG environment", typically driven by third-party backup requirements. However, configuring a backup-dedicated IP address in a DAG configuration is not supported.

 

This post covers the following two points.

1. Why adding a backup-dedicated IP address is unsupported

2. How backups should be taken

 

 

1. Why adding a backup-dedicated IP address is unsupported.

First, consider the network requirements for a DAG configuration.

---------------------

When creating a DAG environment, you must specify a unique name of 15 characters or fewer. In addition, one or more IP addresses (IPv4, or both IPv4 and IPv6) must be assigned, and the assigned IP addresses must be available on the subnet of the MAPI network. Furthermore, as a DAG and IP address requirement, each DAG must not have multiple MAPI networks, and the designated MAPI network must provide connectivity to other Exchange servers and to other services such as Active Directory and DNS.

---------------------

※ MAPI (Messaging Application Programming Interface) is a specification created by Microsoft for applications that send and receive messages. Various Outlook functions such as sending and receiving messages, storing items, and looking up the address book are implemented by calling MAPI over RPC.

 

To summarize the above, the following two requirements prevent adding a backup-dedicated IP address to a DAG.

・The IP address assigned to the DAG must be on the network called the MAPI network.

・A DAG configuration cannot have multiple MAPI networks.

(Note: for a DAG spanning sites, one DAG IP address can be held per subnet.)

Even with multiple MAPI networks, switchover, switchback, connections from Outlook and so on work without problems. However, as described above, because the MAPI network is also the network used to communicate with servers on other segments and with DAGs at other sites, having multiple MAPI networks is not a supported configuration, for a variety of reasons including gateway problems.

 

 

2. How backups should be taken.

Regarding what to back up: the configuration information of Exchange Server 2010 is stored in Active Directory, so the backup target is basically the databases. In a DAG all nodes are active, so taking backups from the databases held by each node is sufficient.

In other words, "there is no need to add a dedicated IP address in order to take backups".

As one example, backup with Windows Server Backup is introduced below.

 

<Reference> Backing up Exchange using Windows Server Backup

https://technet.microsoft.com/ja-jp/library/dd876854.aspx

 

With Windows Server Backup, the limitation is that an Exchange-aware backup can only be taken of an active (or standalone) database copy. In this case the DAG environment has all nodes active, so backups can be taken without problems.
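The following is an added example (not from the post): on one DAG member, it confirms which database copies are active (Mounted) on this node, works out the volumes holding their database and log files, and runs a VSS full backup of those volumes with Windows Server Backup, which is the arrangement the post describes. It assumes the Exchange Management Shell on an Exchange Server 2010 DAG member with Windows Server Backup installed; the backup share path is a placeholder.

```powershell
# Added example, not the post's own code. Assumes the Exchange Management Shell on an
# Exchange 2010 DAG member; '\\backup01\ExchangeBackups' is a placeholder target.
$server       = $env:COMPUTERNAME
$backupTarget = '\\backup01\ExchangeBackups'   # placeholder

# Windows Server Backup takes an Exchange-aware backup only of active (Mounted) copies,
# so check what this node actually holds before deciding which volumes to include.
$active = Get-MailboxDatabaseCopyStatus -Server $server |
    Where-Object { $_.Status -eq 'Mounted' }
if (-not $active) { Write-Warning "No active database copies on $server"; return }

# Volumes that hold the active databases' EDB files and transaction logs.
$volumes = foreach ($copy in $active) {
    $db = Get-MailboxDatabase -Identity $copy.DatabaseName
    [System.IO.Path]::GetPathRoot($db.EdbFilePath.PathName)     # e.g. E:\
    [System.IO.Path]::GetPathRoot($db.LogFolderPath.PathName)   # e.g. F:\
}
$volumes = $volumes | Sort-Object -Unique | ForEach-Object { $_.TrimEnd('\') }
Write-Host ("Active databases: {0}; volumes: {1}" -f ($active.DatabaseName -join ', '), ($volumes -join ', '))

# -vssFull tells VSS this is a full backup, which is what lets Exchange truncate logs
# once the backup completes; a copy backup would leave the logs in place.
$wbArgs = @(
    'start', 'backup',
    "-backupTarget:$backupTarget",
    "-include:$($volumes -join ',')",
    '-vssFull',
    '-quiet'
)
& wbadmin @wbArgs
```

Because the check is per node, the same script runs unchanged on every DAG member, and each member backs up only the databases it is currently active for, which is exactly why no extra IP address is needed.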

 

~Summary~

Our position on "a backup-dedicated IP address cannot be configured in a DAG environment" comes down to the following two points.

・Adding an IP address, not only a backup-dedicated one, is "unsupported" under the DAG configuration requirements!

・Backups in a DAG environment can be taken from the databases held by each node!

To repeat: when planning backups in an Exchange Server 2010 DAG environment, please take backups from each server's databases without configuring a backup-dedicated IP address.

We hope this information is helpful.

 

※ Reference URLs

<Reference> Backup, restore, and disaster recovery

https://technet.microsoft.com/ja-jp/library/dd876874.aspx

<Reference> Restoring Exchange backups using Windows Server Backup

https://technet.microsoft.com/ja-jp/library/dd876864.aspx

<Reference> Exchange Server 2010 Availability Guide white paper

http://download.microsoft.com/download/5/2/2/5229EFB4-65BE-450D-B18A-4BBAF5519EDF/exchange2010_availability.doc

 

Microsoft named a "Leader" in the Gartner Magic Quadrant for Operational Database Management Systems

This post is a translation of Gartner positions Microsoft as a leader in the Magic Quadrant for Operational Database Management Systems, published on October 15. Microsoft received the highest rating among the "Leaders" for Completeness of Vision and Ability to Execute in the Gartner Magic Quadrant. Author: T.K. "Ranga" Rengarajan. To further increase the value of the products it currently offers, Microsoft released SQL Server 2014, the foundation of its data platform. The product incorporates the latest technologies for mission-critical workloads, such as workload-optimized in-memory technology, advanced security, and high availability, with no need to purchase expensive add-ons separately...(read more)

Understanding KCD (Kerberos Constrained Delegation) (1)

Azure Application Proxy and Windows Server Web Application Proxy use a feature called KCD (Kerberos Constrained Delegation) to achieve SSO with on-premises Active Directory. Not KDC (Key Distribution Center). KCD. So many three-letter acronyms; it gets tiresome. So, do you know what KCD actually is? When asked point-blank, my answer comes out as "you delegate to a certain service the access rights to some other specific service, and so on and so forth; well, don't worry about the details", and I am not confident I can explain it precisely. Meanwhile, the following white paper was released: Understanding Kerberos Constrained Delegation for Azure Active Directory Application Proxy Deployments with Integrated Windows Authentication...(read more)

ModernBiz Technical Series - Training (Sept-Dec 2015)


 The ModernBiz Technical Series provides training, demonstrations, and hands-on instruction on how to use the latest Microsoft technologies to deliver solutions to small and midsize organizations. See the latest training in September through to December 2015.

...(read more)

Office 365 Things You Need To Know: Office 365 ProPlus - Managing User Activations


Todd Sweetser

Hi Cloud Sellers!

You may be aware that each user of Office 365 ProPlus (and Office 365 Business) can install the Office client on up to 5 (FIVE) workstations.  This is a great benefit of the subscription licensing model!

Did you also know that both the user and the administrator can manage these activations?  Here is some info to help get you started.

From an administrator viewpoint you can access each user’s Office activation via the Office 365 Admin console. 

First step is to go to Active Users:

Select the user desired:

On the right column go to the Office Installations item and select Edit:

On that page you will see a list of the devices that the user has Office applications installed on:

From there you can deactivate one of the computers if needed or desired.  In the above example, deactivating would enable this user to install on another workstation, as they are currently at the maximum of 5.  (Perhaps one of the machines was recently retired from service.)

The user can accomplish this themselves as well.  This is done by accessing their Office 365 Settings via the portal (also via this direct link):

Office 365 Settings

From there the user chooses “Install status” and can choose to deactivate any installs they may have:

Office 365 Install Status Settings

Note that when a copy of Office is deactivated it will NOT be uninstalled, but will go into Reduced Functionality Mode.

For further info see the following help articles and Blog:
Overview of licensing and activation in Office 365 ProPlus
Getting started guide for deploying Office 365 ProPlus
Office 365 ProPlus User Activations Management (Good video as well)

BTW, please check out the full series on Office 365 You Need to Know here:
http://office365.msts2.com

Thanks!  And good selling!



Three new regions

The family of regions with Microsoft Azure datacenters has grown by further additions. It is now possible to place your applications in 24 locations around the world. Most recently in India: Mumbai (West), Chennai (South) and Pune (Central). - Irena...(read more)

Enabling BitLocker on Exchange Servers


The Exchange Preferred Architecture, for both Exchange Server 2013 and Exchange Server 2016, recommends enabling BitLocker on fixed data drives that store Exchange database files. Over the years, there have been a number of questions regarding how BitLocker should be enabled on servers.

However, before we discuss that, I think it is important to provide an overview of BitLocker, as I have found not many are familiar with the technology.

What is BitLocker?

BitLocker is the built-in Microsoft Windows solution for volume encryption that provides enhanced protection against data theft in the form of stolen or lost computers or hard disks.

BitLocker was first introduced in Windows Vista and Windows Server 2008. Since the initial release, there have been several improvements made to BitLocker, including encrypting data volumes, encrypting only used disk space, and provisioning flexibility.

By default, BitLocker uses the AES encryption algorithm in cipher block chaining (CBC) mode with a 128-bit (default) or 256-bit key.

For more information, see the BitLocker Overview on Microsoft TechNet.

How can BitLocker be deployed?

There are multiple ways you can deploy BitLocker on Exchange servers.

  1. Encrypt the operating system volume as well as the Exchange data volumes, utilizing either network unlock, the Data Recovery Agent and PKI infrastructure, or a TPM (recommended approach).
  2. Encrypt the Exchange data volumes only.

To use BitLocker in a FIPS-compliant manner, keep in mind:

  • Trusted Platform Module (TPM) 1.2 is not FIPS-compliant and uses SHA1. You need to use a TPM 2.0 for FIPS compliance.
  • To leverage the Network unlock feature, you need to take into account the core requirements.
  • Microsoft BitLocker Administration and Monitoring (MBAM) cannot be used to manage BitLocker on server operating systems.
  • If you are not using Windows Server 2012 R2 or later as the base operating system, then you cannot use recovery passwords for BitLocker. For more information, see What's New in BitLocker and KB 947249.

Volume Encryption Method

There are two methods for volume encryption:

  1. Encrypt the entire volume. Use this option when you need to encrypt volumes that already contain existing messaging data. With a 3TB disk, it takes more than 8 hours to encrypt the entire disk.
  2. Encrypt only the used space. Use this for new deployments or for new disks where the volumes have no existing data.

Be sure to place the servers in maintenance mode to prevent impact to end users prior to beginning the encryption of an entire volume. You can expect major performance degradation (~90% CPU utilization) and limited free OS volume space (less than ~2GB) while the volume is being encrypted. Also, be sure to deploy BitLocker one server at a time within a DAG to preserve availability.

OS Volume and Exchange Data Volume Encryption Scenario

BitLocker provides the most protection when used with a TPM. The TPM is a hardware component installed in the server and we recommend a TPM 2.0 chip. It works with BitLocker to help protect user data and to ensure that a server has not been tampered with while the system was offline.

Specifically, BitLocker can use a TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original server.

BitLocker helps ensure the integrity of the startup process by taking the following actions:

  • Checks that the early boot file integrity has been maintained, and helps ensure that there has been no malicious modification of those files, such as with boot sector viruses or rootkits.
  • Enhances protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system drive.
  • Locks the system when it is tampered with. If any monitored files have been modified, the system does not start. This alerts the administrator to the tampering, because the system fails to start as usual. In the event that system lockout occurs, follow the BitLocker recovery process which includes unlocking the system with a password or a USB key.

Important: A TPM can only be used in a physical server deployment. Virtualized servers are not capable of using a TPM. If you encrypt the guest operating system volume, a password or USB key must be used to allow the guest operating system to boot.

Setting up the Environment

The steps below assume the Exchange Server operating system is Windows Server 2012 R2 or later.

Important: When enabling BitLocker on existing Exchange servers, it is important to place the servers in maintenance mode to prevent the encryption process from affecting the end user experience.

  1. Create an Organizational Unit to contain the Exchange servers, if one does not already exist.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com".
    3. Execute $ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'.
    4. Execute Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName.
  2. Create group policy object and link it to the Exchange Servers OU.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute Import-Module grouppolicy (requires RSAT tools to be installed).
    3. Execute New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com
    4. Execute New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName
  3. Install the BitLocker module on the Exchange servers.
    1. Open PowerShell with local administrative privileges.
    2. Execute Install-WindowsFeature BitLocker -Restart.
    3. Reboot the server.
  4. Enable TPM on the Exchange servers.
    1. Refer to your hardware vendor’s BIOS manual for details on how to enable/activate the TPM.
    2. Verify the TPM state by using the Trusted Platform Module Management tool (tpm.msc).
  5. Allow TPM Recovery Information to be stored in Active Directory.
    1. Open the Exchange Management Shell with an account that has the necessary permissions in Active Directory to apply access control entries.
    2. Execute Add-ADPermission $ExchangeOU.DistinguishedName -User "NT AUTHORITY\SELF" -AccessRights ReadProperty,WriteProperty -Properties msTPM-OwnerInformation,msTPM-TpmInformationForComputer -InheritedObjectType Computer -InheritanceType Descendents.
  6. Configure the Bitlocker GPO settings.
    1. Open the Group Policy Management Console (gpmc.msc).
    2. Navigate the hierarchy to the Exchange Servers OU.
    3. Right-click the Exchange Server BitLocker Policy and select Edit.
    4. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, and open BitLocker Drive Encryption.
      1. In the right pane, double-click Choose drive encryption method and cipher strength. Select the Enabled option. If you want to use AES 256-bit encryption, select it and click OK.

    5. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Operating System Drives.
      1. In the right pane, double-click Require additional authentication at startup. Select the Enabled option. If you want to disable or change any of the authentication methods, do so and click OK.

      2. In the right pane, double-click Choose how BitLocker-protected operating system drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives option. Click OK.

      3. In the right pane, double-click Enforce drive encryption type on operating system drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.

    6. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Fixed Data Drives
      1. In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.

      2. In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.

    7. Open Computer Configuration, open Policies, open Administrative Templates, open System, and open Trusted Platform Module Services.
      1. In the right pane, double-click Turn on TPM backup to Active Directory Domain Services. Select the Enabled option. Click OK.

  7. Ensure the group policy is applied to the Exchange servers.
    1. Execute $Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *.
    2. Execute Foreach ($Server in $Servers) {Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer}.
  8. Enable OS encryption.
    1. Create a recovery key: manage-bde -protectors -add -RecoveryPassword C:
    2. Execute the following against the operating system drive: manage-bde -on C: -usedspaceonly
  9. Enable data volume encryption (C:\ExchangeVolumes\ExVol1 defines the mount point for an Exchange data volume, replace as appropriate).
    1. Create a recovery key: manage-bde -protectors -add -RecoveryPassword "C:\ExchangeVolumes\ExVol1"
    2. Execute the following for each Exchange database volume: manage-bde -on "C:\ExchangeVolumes\ExVol1" -usedspaceonly
    3. Execute the following for each Exchange database volume to enable automatic unlock: Enable-BitLockerAutoUnlock -MountPoint "C:\ExchangeVolumes\ExVol1"

    Note: Bad disk sectors can result in BitLocker volume encryption failure. For more information, please see Event ID 24588.
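The following script is an added example, not code from the post: it wraps steps 8 and 9 above in the TPM scenario and refuses to turn BitLocker on for a volume until that volume's recovery password is confirmed to exist under the computer object in AD DS. It assumes the BitLocker feature and RSAT ActiveDirectory module are installed and that the BitLocker cmdlets accept the post's mount point path C:\ExchangeVolumes\ExVol1 in -MountPoint (an assumption; adjust the paths as needed).

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the post. It wraps steps 8 and 9 above so that no volume
# is switched on before its recovery password is confirmed in AD DS. Assumed: the TPM
# scenario, RSAT ActiveDirectory module present, and the post's mount point path
# C:\ExchangeVolumes\ExVol1 (also assumed to be accepted by -MountPoint; adjust as needed).
Import-Module BitLocker
Import-Module ActiveDirectory

$OsDrive  = 'C:'
$DataVols = @('C:\ExchangeVolumes\ExVol1')   # one entry per Exchange database volume

# $true when an msFVE-RecoveryInformation object carrying this protector's GUID exists
# under the computer object, i.e. the password is really retrievable from AD DS later.
function Test-RecoveryPasswordEscrowed([string]$KeyProtectorId) {
    $computer = Get-ADComputer $env:COMPUTERNAME
    $escrowed = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -SearchBase $computer.DistinguishedName -Properties 'msFVE-RecoveryGuid'
    foreach ($obj in $escrowed) {
        if ([guid][byte[]]$obj.'msFVE-RecoveryGuid' -eq [guid]$KeyProtectorId) { return $true }
    }
    return $false
}

# Adds a recovery password protector if the volume has none, backs it up to AD DS and
# throws, before any encryption starts, if the escrow cannot be confirmed.
function Add-EscrowedRecoveryPassword([string]$MountPoint) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    }
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    if (-not (Test-RecoveryPasswordEscrowed $rp.KeyProtectorId)) {
        throw "Recovery password for $MountPoint not found in AD DS; BitLocker left off."
    }
    $rp.KeyProtectorId
}

function Enable-ExchangeVolumeEncryption {
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready; use the data volume only scenario instead.'
    }

    # OS volume: escrowed recovery password plus a TPM protector for unattended boot.
    # -SkipHardwareTest skips the reboot-based system check; drop it to keep the check.
    Add-EscrowedRecoveryPassword $OsDrive | Out-Null
    if ((Get-BitLockerVolume -MountPoint $OsDrive).VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $OsDrive -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }

    # Data volumes: escrow first, then turn encryption on with the existing protector
    # exactly as step 9.2 does, and register auto-unlock so they open at boot.
    foreach ($mp in $DataVols) {
        Add-EscrowedRecoveryPassword $mp | Out-Null
        if ((Get-BitLockerVolume -MountPoint $mp).VolumeStatus -eq 'FullyDecrypted') {
            & manage-bde -on $mp -UsedSpaceOnly | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed for $mp (exit code $LASTEXITCODE)" }
        }
        Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
    }
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

Enable-ExchangeVolumeEncryption
```

Run it on one DAG member at a time while that server is in maintenance mode; the final table shows encryption progressing in the background.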

Exchange Data Volume Encryption Scenario

In the situation where a TPM cannot be used (e.g., the server does not have a TPM, or it is virtualized), encrypting the OS volume requires the use of a password or USB key to allow the operating system to boot. As that can be detrimental for a service like Exchange, you could choose not to encrypt the OS volume. Instead, you only encrypt the fixed data volumes. Since the OS volume is not encrypted, the operating system cannot automatically unlock the encrypted volumes on boot. Therefore, one of two things must happen:

  1. An administrator manually enters the recovery key and unlocks each drive after OS boot.
  2. A scheduled task is invoked to unlock the encrypted volumes during OS boot.

The following steps outline how to setup the scheduled task and assume the Exchange Server operating system is Windows Server 2012 R2 or later.

Important: When enabling BitLocker on existing Exchange servers, it is important to place the servers in maintenance mode to prevent the encryption process from affecting the end user experience.

  1. Create an Organizational Unit to contain the Exchange servers, if one does not already exist.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com".
    3. Execute $ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'.
    4. Execute Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName.
  2. Create group policy object and link it to the Exchange Servers OU.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute Import-Module grouppolicy (requires RSAT tools to be installed).
    3. Execute New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com
    4. Execute New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName
  3. Create BitLocker scheduled task service account (_bitlockersvc).
    1. Create a service account following your organization’s policy.
  4. Create security group for BitLocker management, placing the security group in a protected container.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute New-ADGroup -name "Exchange BitLocker Management" -groupscope Universal -path "cn=users,dc=coe,dc=local".
    3. Execute Add-ADGroupMember "Exchange BitLocker Management" -members "_bitlockersvc", "Organization Management".
  5. Install the BitLocker module on the Exchange servers.
    1. Open PowerShell with local administrative privileges.
    2. Execute Install-WindowsFeature BitLocker.
    3. Reboot the server.
  6. Add BitLocker security management group to local administrators group on the Exchange servers.
  7. Grant the BitLocker security management group permissions to access the msFVE-RecoveryPassword AD object. This allows the accounts to access the recovery password.
    1. Open an elevated PowerShell session with Domain Administrator permissions.
    2. Execute $ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'.
    3. Execute DSACLS $ExchangeOu.DistinguishedName /I:T /G "contoso\Exchange BitLocker Management:CA;msFVE-RecoveryPassword".
  8. Configure the BitLocker GPO settings.
    1. Open the Group Policy Management Console (gpmc.msc).
    2. Navigate the hierarchy to the Exchange Servers OU.
    3. Right-click the Exchange Server BitLocker Policy and select Edit.
    4. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, and open BitLocker Drive Encryption.
      1. In the right pane, double-click Choose drive encryption method and cipher strength. Select the Enabled option. If you want to use AES 256-bit encryption, select it and click OK.
    5. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Fixed Data Drives.
      1. In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.
      2. In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.
    6. Open Computer Configuration, open Policies, open Administrative Templates, open System, and open Trusted Platform Module Services.
      1. In the right pane, double-click Turn on TPM backup to Active Directory Domain Services. Select the Enabled option. Click OK.
  9. Ensure the group policy is applied to the Exchange servers.
    1. Execute $Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *.
    2. Execute Foreach ($Server in $Servers) {Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer}.
  10. Enable data volume encryption (C:\ExchangeVolumes\ExVol1 defines the mount point for an Exchange data volume, replace as appropriate).
    1. Execute the following against each Exchange database volume: Manage-bde -on "C:\ExchangeVolumes\ExVol1" -rp -usedspaceonly.

      Note: Bad disk sectors can result in BitLocker volume encryption failure. For more information, please see Event ID 24588.

  11. Validate recovery keys are stored in Active Directory.
    1. Download the BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory.
    2. Execute Get-BitLockerRecoveryInfo.vbs.
    3. If script does not return any data, backup the recovery keys by downloading and executing BDEAdBackup.vbs.
  12. Create the script that unlocks the volumes when the operating system boots.
    1. Save the below file to your script directory (e.g., c:\bitlocker).

      UnlockDrives.ps1
      # Recovery passwords are escrowed under this computer's AD object; fetch every object that carries one
      Import-Module ActiveDirectory
      $computer = Get-ADComputer $env:computername
      $RecoveryInformations = Get-ADObject -LDAPFilter "(msFVE-Recoverypassword=*)" -SearchBase $computer.distinguishedname -Properties *
      # Enumerate BitLocker-capable volumes through WMI and keep only those still locked (LockStatus 1)
      $vols = Get-WmiObject Win32_EncryptableVolume -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption"
      $lockedvols = $vols | Where-Object {$_.GetLockStatus().LockStatus -eq 1}
      # Diagnostic output: the key protector IDs of the first volume
      $vols[0].GetKeyProtectors().VolumeKeyProtectorID
      # Try every escrowed recovery password against each locked volume
      foreach($lockedvol in $lockedvols)
      {
          $RecoveryInformations | ForEach-Object {$lockedvol.UnlockWithNumericalPassword($_."msFVE-RecoveryPassword")}
      }

      Note: This is a basic script to get you started. You may need to extend the duties of this script to ensure that Microsoft Exchange Diagnostics, Microsoft Exchange Health Manager, and Microsoft Exchange Service Host services are restarted in the event they fail to start while the above script unlocks the data volumes.

  13. Create the scheduled task to run at system start and unlock the volumes, replacing the bold items.
    1. Save the below file to your script directory.
    2. Execute schtasks /create /s $env:computername /ru contoso\_svcexbitlocker /rp <Password> /XML c:\Bitlocker\UnlockDrivesAtStart.xml /TN UnlockDrivesAtStart.

      <?xml version="1.0" encoding="UTF-16"?>
      <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
        <RegistrationInfo>
          <Date>2015-04-16T12:07:14.9465954</Date>
          <Author>contoso\exadmin</Author>
          <Description>Script unlocks Exchange data drives at OS startup</Description>
        </RegistrationInfo>
        <Triggers>
          <BootTrigger>
            <Enabled>true</Enabled>
          </BootTrigger>
        </Triggers>
        <Principals>
          <Principal id="Author">
            <UserId>contoso\_bitlockersvc</UserId>
            <LogonType>Password</LogonType>
            <RunLevel>HighestAvailable</RunLevel>
          </Principal>
        </Principals>
        <Settings>
          <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
          <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
          <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
          <AllowHardTerminate>true</AllowHardTerminate>
          <StartWhenAvailable>false</StartWhenAvailable>
          <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
          <IdleSettings>
            <StopOnIdleEnd>true</StopOnIdleEnd>
            <RestartOnIdle>false</RestartOnIdle>
          </IdleSettings>
          <AllowStartOnDemand>true</AllowStartOnDemand>
          <Enabled>true</Enabled>
          <Hidden>false</Hidden>
          <RunOnlyIfIdle>false</RunOnlyIfIdle>
          <WakeToRun>false</WakeToRun>
          <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
          <Priority>7</Priority>
        </Settings>
        <Actions Context="Author">
          <Exec>
            <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
            <Arguments>-Command .\UnlockDrives.ps1</Arguments>
            <WorkingDirectory>DIRECTORY_FOR_UNLOCKDRIVES.PS1</WorkingDirectory>
          </Exec>
        </Actions>
      </Task>
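As an added example (not the post's own UnlockDrives.ps1), here is an extended unlock script that does what the note under step 12 asks for: it tries every recovery password escrowed under the computer's AD object against each locked volume, reports any volume it could not open, and then starts the Exchange services that may have failed while the data volumes were locked. The service names MSExchangeDiagnostics, MSExchangeHM and MSExchangeServiceHost are assumed; the script runs under the scheduled task account above.

```powershell
# Added example, not the post's UnlockDrives.ps1: an extended version doing what the note
# under step 12 asks for. It tries every recovery password escrowed under this computer's
# AD object against each locked volume, reports volumes it could not open, and then starts
# the Exchange services that may have failed while the data volumes were locked.
# Assumed service names: MSExchangeDiagnostics, MSExchangeHM, MSExchangeServiceHost.
Import-Module ActiveDirectory

$ExchangeServices = 'MSExchangeDiagnostics', 'MSExchangeHM', 'MSExchangeServiceHost'

# Recovery passwords are stored as msFVE-RecoveryInformation children of the computer
# object; the scheduled task account needs the read access granted by the DSACLS step above.
function Get-EscrowedRecoveryPasswords {
    $computer = Get-ADComputer $env:COMPUTERNAME
    Get-ADObject -LDAPFilter '(msFVE-RecoveryPassword=*)' `
        -SearchBase $computer.DistinguishedName -Properties 'msFVE-RecoveryPassword' |
        ForEach-Object { $_.'msFVE-RecoveryPassword' }
}

# LockStatus 1 means the volume is encrypted but not yet unlocked
function Get-LockedVolumes {
    Get-WmiObject Win32_EncryptableVolume -Namespace 'Root\CIMV2\Security\MicrosoftVolumeEncryption' |
        Where-Object { $_.GetLockStatus().LockStatus -eq 1 }
}

# Returns the device IDs of volumes still locked after every escrowed password was tried.
function Unlock-ExchangeVolumes {
    $passwords   = @(Get-EscrowedRecoveryPasswords)
    $stillLocked = @()
    foreach ($vol in Get-LockedVolumes) {
        $unlocked = $false
        foreach ($pw in $passwords) {
            # ReturnValue 0 is S_OK; anything else means this password belongs to another volume
            if ($vol.UnlockWithNumericalPassword($pw).ReturnValue -eq 0) { $unlocked = $true; break }
        }
        if (-not $unlocked) { $stillLocked += $vol.DeviceID }
    }
    $stillLocked
}

# Exchange services that start before the data volumes are available may have given up;
# start any that are stopped once the volumes are open.
function Start-StoppedExchangeServices {
    foreach ($name in $ExchangeServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Stopped') {
            Start-Service -Name $name
            Write-Output "Started $name"
        }
    }
}

$stillLocked = Unlock-ExchangeVolumes
if ($stillLocked.Count -gt 0) {
    # No escrowed password matched these volumes; an administrator must unlock them manually
    Write-Warning ('Volumes still locked (no matching recovery password in AD DS): ' + ($stillLocked -join ', '))
}
Start-StoppedExchangeServices
```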

System Changes

It’s important to remember that any of the following system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected volumes:

  • Moving the BitLocker-protected drive into a new computer.
  • Installing a new motherboard with a new TPM.
  • Turning off, disabling, or clearing the TPM.
  • Changing any boot configuration settings.
  • Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
  • Applying BIOS/UEFI firmware updates.

As part of your standard operating procedure, it is best to suspend BitLocker encryption (via the Suspend-BitLocker cmdlet) prior to introducing any changes to the server. In addition, be sure to test any hardware and software configuration changes in a lab environment (that has BitLocker enabled) prior to deploying in production.

Also, be sure to develop a standard operating procedure about how to recover in the event the BitLocker recovery must be performed. This will ensure that downtime is minimized. For more information, please see the BitLocker Recovery Guide.

Disk Maintenance Activities

During the server's lifecycle, disks will die. As part of your standard operating procedures, you need to ensure that when a disk is replaced the new volume is formatted and encrypted via BitLocker.

In the event you are using AutoReseed to recover from failed disks, you have two options: format and encrypt the disks prior to usage, or encrypt after failure.

Format and encrypt the disks prior to usage

In this scenario, your standard operating procedure will be to prevent Disk Reclaimer from formatting hot spare disks. Instead, you will format and encrypt all hot spare disks prior to usage.

  1. Disable Disk Reclaimer on the DAG: Set-DatabaseAvailabilityGroup <DAGName> -AutoDagDiskReclaimerEnabled $false
  2. Format and encrypt all hot spares. Do not assign mount points or drive letters.
  3. As disks fail, AutoReseed will assign the hot spare volumes, replacing the failed volumes, and reseed the afflicted database copies.
  4. Schedule a maintenance window. Replace the failed disks. Format and encrypt.

Encrypt after failure

In this scenario, your standard operating procedure will be to allow Disk Reclaimer to format hot spare disks (default behavior). After the spare is formatted and databases are reseeded, you will encrypt the disk.

  1. As disks fail, AutoReseed allocates, remaps and formats a spare disk.
  2. AutoReseed initiates reseed operations.
  3. Using SCOM, or another operations management tool, you will monitor for events 1127 (initiated reseed of a database) and 826 (completed reseed of a database) that are located in the Microsoft-Exchange-HighAvailability/Seeding crimson channel.
  4. Schedule a maintenance outage for the affected server and encrypt the new volume.

Conclusion

Hopefully this information helps you understand BitLocker encryption and configure BitLocker for Exchange servers. As indicated, the recommended approach is to use a TPM for storing the recovery information and to allow the operating system to unlock volumes automatically during boot. However, if your servers do not have access to a TPM, you can consider encrypting only the data volumes and crafting a mechanism to ensure that the data volumes unlock at OS boot.

If you have any questions, please do not hesitate to ask.

Ross Smith IV
Principal Program Manager
Office 365 Customer Experience
