V tomto článku se podíváme na možnost centrálního nasazení OneDrive pro firmy ve vaší Active Directory. Přestože má každý uživatel možnost si OneDrive konfigurovat manuálně, určitě je mnohem více uživatelsky přívětivější situace, kdy se uživatel do svého počítače přihlásí a má vše nakonfigurované. To, v případě využití Active Directory společně s Office 365 obnáší několik konfiguračních kroků.

Proč přejít na OneDrive for Business?

Pokud máte ve vaší organizaci uživatele, určitě řešíte, jakým způsobem a kam mají uživatelé ukládat svá data. Ve spoustě případů se používají síťové jednotky, v podobě domovských adresářů, které jsou následně zálohované přímo na serveru. V některých situacích (pro mě překvapivě) cestovní profily, které vás dokáží poměrně hezky potrápit s novějšími verzemi Windows, případně se data drží lokálně na stanicích a následně se pak záloha provádí na jednotlivé složky či se zálohuje celá stanice. Nicméně míra auditování, klasifikace nebo třeba jednoduchosti obnovování předchozích verzí souborů je v těchto případech velmi spekulativní.

Kromě toho, že OneDrive for Business nabídne vašim uživatelům až 5TB úložiště (v závislosti na vámi zakoupeném plánu), získají možnost jednoduchého, ale bezpečného sdílení s ostatními uživateli, ať už v rámci vaší organizace či mimo ní nebo také možnost spolupráce v reálném čase nad jednotlivými dokumenty. Nechybí také například verzování jednotlivých souborů, možnost vrácení změn, synchronizace nejen s PC, ale i s Mac či mobilními zařízeními. Vše je samozřejmě plně auditovatelné, existují logy všech operací a událostí, které proběhly, ale o tom až jindy. Zkrátka a dobře za málo peněz dostanete hodně muziky (v případě škol a neziskových organizací kompletně zdarma).

Jedním z dřívějších argumentů, proč na OneDrive nepřecházet bylo to, že pokud uživatel má na OneDrive spoustu dat, musí se všechna stáhnout do počítače, případně si uživatel musí manuálně vybrat složky, které chce synchronizovat. Aby se tomuto předešlo, historicky se používalo mapování jako síťového disku např. pomocí startup skriptu. Toto je naštěstí již historie a s příchodem Windows 10 1709 a funkcionalitou OneDrive Files On-Demand máte možnost mít na svém počítači uložené pouze soubory, se kterými aktivně pracujete. Ostatní soubory se budou tvářit jako zástupci a dokud není soubor potřeba (např. dokud ho neotevřete) tak je v tzv. online módu a díky tomu nezabírá místo na disku.

Samotné stahování a ukládání souborů je také poměrně chytré, jelikož Files On-Demand si automaticky řídí využití disku, a pokud explicitně neřeknete, že má být složka permanentně dostupná offline, tak může klient automaticky soubory převést do online módu, pokud s nimi aktuálně nepracujete a je potřeba místo na disku.

Celé toto povídání je určitě hezké, ale pojďme se podívat na to, jak to vypadá a funguje v praxi.

Konfigurace Azure AD Connect

Prvním předpokladem pro zprovoznění automatické konfigurace v lokální síti je mít nainstalovaný Azure AD Connect. AAD Connect je nástroj, který synchronizuje celý (nebo vámi vybraný) obsah vaší Active Directory (případně jiného LDAP adresáře) do Azure Active Directory. Pokud Azure AD Connect již máte nasazený, můžete přistoupit k dalšímu kroku, a sice nastavení Hybrid Azure AD Joinu pro vaše zařízení. Hybrid Join je funkcionalita Windows 10, nicméně je možné Hybrid Join využít i v zařízeních s OS od Windows 7 a novějších.

A co je tedy Hybrid Join? Hybrid Join umožňuje vašim počítačům být členem Active Directory a Azure Active Directory zároveň. Díky tomu jsou pak vaši uživatelé po přihlášení ke stanici nejen autentizovaní vůči Active Directory, ale zároveň i vůči Azure AD, a díky tomu máte k dispozici plnohodnotné SSO nejen do služeb, které se autentizují vůči AD, ale i služeb, které se autentizují vůči AAD - třeba právě OneDrive pro firmy a jeho klient ve Windows 10.

Pokud synchronizujete hashe hesel z vaší AD do AAD, je konfigurace velmi jednoduchá. Pokud využíváte federaci přihlášení (Active Directory Federation Services), musíte následně upravit ještě konfiguraci claimů, které ADFS předává do AAD při přihlášení. Pro ukázku si toto nastavení uděláme pro synchronizaci hashů hesel, nicméně pro celý návod v angličtině využijte následující dokumentaci.

Aby se počítače mohly registrovat vůči Azure AD, musí předem znát několik informací - název a ID vašeho AAD tenantu. K tomu slouží konfigurace tzv. Service Connection Pointu (SCP). Abyste si vyzkoušeli, zda jsou tyto informace již dostupné ve vaší doméně, můžete využít následující PowerShell.

V první řadě musíte znát naming context ve vašem AD forestu, ten zjistíte pomocí příkazu Get-ADRootDSE. Pro doménu s názvem ad.thenetw.org bude naming context: CN=Configuration,DC=ad,DC=thenetw,DC=org.

$scp = New-Object System.DirectoryServices.DirectoryEntry;
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=ad,DC=thenetw,DC=org";
$scp.Keywords;

Výstup tohoto skriptu (hodnota $scp.Keywords) by měla vypadat takto:

azureADName:thenetw.org
azureADId:67266d43-8de7-494d-9ed8-3d1bd3b3a764

Pokud tento Service Connection Point neexistuje, je nutné ho vytvořit pomocí PowerShell příkazu: Initialize-ADSyncDomainJoinedComputerSync. Abyste tento příkaz mohli spustit, musíte mít oprávnění Enterprise Admina v doméně a musíte znát název účtu, který se používá pro synchronizaci v Azure AD Connectu. Je to účet, který si vytvořil Azure AD Connect a typicky má jméno AAD_* (nebo v předchozích verzích MSOL_*).

Import-Module -Name "C:Program FilesMicrosoft Azure Active Directory ConnectAdPrepAdSyncPrep.psm1";
$aadAdminCred = Get-Credential;
Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount [název účtu z AAD Connectu] -AzureADCredentials $aadAdminCred;

Následně dojde k vytvoření SCP a spuštění synchronizace vašich zařízení do Azure AD. Pokud by vás zajímalo, jak celý proces funguje napozadí, můžete se podívat zde.

Konfigurace Active Directory a Group Policy

Po konfiguraci Azure AD Connectu se můžeme pustit do vytvoření Group Policy pro to, aby se doménové počítače začaly registrovat do Azure AD. Konfigurace Hybrid Joinu probíhá v politice: Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration > Register domain-joined computers as devices. Díky této politice můžete kontrolovat zapojení vašich doménových počítačů do Azure AD pomocí Hybrid Joinu na jednotlivé organizační jednotky nebo bezpečnostní skupiny.

Následně je nutné provést nastavení OneDrive klienta na koncových stanicích. Abyste nemuseli měnit samotné registry, můžete využít balíček šablon, které rozšiřují doménové politiky o ty, pro OneDrive klienta (pozor, jedná se o dodatečné politiky, které nejsou součástí Active Directory). Tyto politiky zatím není možné separátně stáhnout z webu Microsoftu, nicméně je najdete na každém Windows 10 s Fall Creators Update a poslední verzí OneDrive klienta: %LOCALAPPDATA%MicrosoftOneDrive, následně vyberte složku s nejvyšším číslem buildu a v ní najdete složku adm. Obsahem této složky jsou dva soubory - OneDrive.admx a OneDrive.adml. Tyto soubory můžete nakopírovat do vaší Active Directory, a rozšířit tak GPO Templates v doméně.

V prní řade je potřeba pomocí politiky nastavit Computer Configuration > Policies > Administrative Templates > OneDrove > Silently configure OneDrive using the primary Windows account a zároveň povolit automatické přihlášení uživatelů - toto se zatím dělá pouze pomocí registru:

[HKLMSOFTWAREPoliciesMicrosoftOneDrive]
"SilentAccountConfig"=dword:00000001

Ukázka vytvořené politiky

Mimo jiné pomocí GPO můžete například všem uživatelům centrálně zapnout Files On-Demand či omezit využití šířky pásma v síti OneDrive klientem. Všechny politiky, které je možné nastavit ve OneDrive klientovi najdete zde.

Závěrem...

V tomto článku jsem ukázal možnost automatického mapování OneDrive pro firmy na klientech pomocí Active Directory, její synchronizace do Azure AD a Group Policy Objects. Pokud máte například čistě cloudovou verzi Active Directory, tedy Azure AD, pro takovouto konfiguraci můžete využít Microsoft Intune. Na tento způsob mapování a nastavení se podíváme někdy příště...

- Jan Hajek, TheNetw.org s.r.o.

Dalším zlomovým rokem v oblasti služeb Office 365 bude symetrické datum 2020. V tomto roce bude v Office 365 ukončena podpora starších verzí klientských sad Microsoft Office, na které se v této době již nebude vztahovat technická podpora.

Když se uživatel připojuje k online službám za pomoci starší verze sady Office, nemůže využít všechny možnosti celé platformy. Příkladem může být nedostupnost online příloh z OneDrive úložiště v aplikaci Outlook. Chybějící automatické ukládání a verzování souborů ve Wordu, Excelu a PowerPointu. Synchronizace seznamu používaných dokumentů a další příjemná usnadnění každodenní práce. Zkušenost uživatele z používání online služeb tak pokulhává a stejně tak bezpečnost. Nové verze podporují například ověřování druhým faktorem a jsou pro ně poskytovány nejen bezpečnostní, ale i funkční aktualizace, které dokáží plně využít online prostředí.

Z tohoto důvodu bude od 13. října 2020 vyžadováno používat pro služby Office 365 sady Office, které jsou:

• Předplatnými Office 365 ProPlus na aktuálně podporovaných sestaveních
• Předplatnými Office 365 Business na aktuálně podporovaných sestaveních
• Klasické licence, sady a verze Office, které jsou kryty hlavní technickou podporou (takzvaný mainstream support)

Tato změna se týká pouze firemních online služeb Office 365 (Enterprise, Business), nikoliv služeb pro domácí koncové zákazníky. Nijak se také nemění životný cyklus podpory samotných sad Office, nebo jejich podpory pro použití s lokálními servery Exchange, Skype for Business či SharePoint a jejich cyklu podpory.

Tato změna byla v Office 365 oznámena v souladu s podmínkami služeb a to tři roky před samotnou platností této změny. Firemní IT oddělení tak mohou snadněji naplánovat případnou výměnu starších verzí Office na klientských stanicích.

Prakticky tak po roce 2020 budou podporovány především sady pořízené z online předplatného a sada Office 2019, na kterou se můžeme těšit na konci roku 2018. Sadě Office 2016 totiž končí hlavnická technická podpora (mainstream support) právě 13. října 2020, rozšířená (extended support) pak dobíhá do roku 2025.

Více informací hledejte u servisního partnera služeb Office 365 nebo v záznamu Ignite prezentace BRK2005: Roadmap for Office 365 client requirements and service connectivity.

- Petr Vlk (KPCS CZ, WUG)

1 月 3 日 (水) (日本時間 1 月 4 日 (木)) より順次 Internet Explorer / Microsoft Edge の累積セキュリティ更新プログラムを公開しています。
緊急性の高い内容が OS 側の更新プログラムに含まれていたため、Internet Explorer や Microsoft Edge 向けの更新もタイミングを合わせての公開となっています。

2018 年 1 月のセキュリティ更新プログラム (月例)

====================================
■ Internet Explorer 累積更新の詳細情報
====================================
この更新プログラムの詳細については、以下の公開情報をご確認ください。

Cumulative security update for Internet Explorer: January 3, 2018
(日本語版) Internet Explorer 用の累積的なセキュリティ更新プログラム2018 年 1 月 3 日

====================================
■ IE の更新プログラムを含む各 OS のロールアップの公開情報
====================================
各 OS のロールアップに関する修正や変更点に関しましては、以下の公開情報よりご確認いただくことが出来ます。

Windows 7, Windows Server 2008 R2
Windows Server 2012
Windows 8.1, Windows Server 2012 R2
Windows 10 (Version 1507 (LTSB))
Windows 10 (Version 1607 - Anniversary Update), Windows Server 2016
Windows 10 (Version 1703 - Creators Update)
Windows 10 (Version 1709 - Fall Creators Update), Windows Server 2016 (1709)

====================================
■更新プログラムのダウンロード
====================================
各環境向けの Internet Explorer / Microsoft Edge の更新を含むアップデートは、Microsoft Update カタログよりダウンロードできます。

Internet Explorer の累積的なセキュリティ更新プログラム
セキュリティ マンスリー品質ロールアップ (Windows 7, Windows Server 2008 R2)
セキュリティ マンスリー品質ロールアップ (Windows Server 2012)
セキュリティ マンスリー品質ロールアップ (Windows 8.1, Windows Server 2012 R2)
Windows 10 (Version 1507 (LTSB))
Windows 10 (Version 1607 - Anniversary Update), Windows Server 2016
Windows 10 (Version 1703 - Creators Update)
Windows 10 (Version 1709 - Fall Creators Update), Windows Server 2016 (1709)

※ 1507 は LTSB 向けです。
※ Windows 10 Version 1507 および Version 1511 はそれぞれ下記のとおりサポートが終了しています。安全にご利用いただくためにも v1607 以降への移行をご検討ください。

Windows 10 Version 1507 の CB/CBB のサービス終了
CB と CBB で Windows 10 Version 1511 のサービス終了 (2017 年 7 月 27 日)

====================================
■バージョン情報
====================================
更新プログラムを適用すると、Internet Explorer 11 の更新バージョンは以下のようになります。
- 各 OS 共通 : 11.0.50 (KB4056568)

Internet Explorer ならびに Microsoft Edge をより安全にご利用いただくため、できるだけ早期に今月公開のセキュリティ更新プログラムを適用くださいますようお願いいたします。

In a world where we are increasingly encouraged to be "life long learners", it is common place for employees to continue to study and up-skill themselves during their employment. For teachers this is no different, as not only are they generally subject area experts with a need to be proficient in pedagogical principles, there are a myriad of other skills they must also keep across such as ICT!

To make this easier, Microsoft has recently revamped the Microsoft Certified Educator Exam (MCE) which enables educators to demonstrate that they are able to incorporate the 21st Century Learning Design (21st CLD) skills into learning activities using Microsoft tools for education. The core of this certification is based around the 21CLD and Innovative Teaching & Learning Research which provides a set of rubrics for educators to identify and implement learning opportunities for students to build 21st century skills.

The course and certification assesses a teachers ability to:

• Facilitate student collaboration
• Facilitate skilled communication
• Facilitate self-regulation
• Facilitate real-world problem solving and innovation
• Facilitate student use of Information and Communication Tools (ICT)
• Use ICT to be an effective educator

Resources To Prepare For The MCE Exam:

To assist schools and teachers to prepare for the exam, Microsoft have provided a number of easy to access resources such as:

• 21st Century Learning Design (21CLD) Online Course
• 21CLD OneNote - an indepth resource for teachers.
• MCE Study Guide

You will note that these sources are being delivered on the Microsoft Education Community site and offer up points and badges for completion of the courses. I've blogged about this previously explaining how schools can use this portal for professional development and measuring the progress / completion by teachers through the use of points and badges. This is now extended with teachers able to complete the MCE Exam and having great evidence of ongoing professional development and qualifications that could be used as reference material in future job applications and promotions.

Resources For Schools:

There are a number of resources available to promote the MCE programme to teachers:

• MCE Digital Kit - this includes the following:
  • Full size classroom poster
  • MCE Datasheet
  • Exam Objectives
  • Links to MCE website
• Costs and how to register for the exam
• More information from Certiport on assessment and course overview

My POV - Why This Matters:

Being a "life long learner" is a truism almost as tired as being a "collaborative learner" and yet both remain fundamental skills and attitudes sought after by employers. When talking about the skills that Microsoft NZ look for in employees when hiring, Public Sector Director Jeff Healey said:

I know that when we hire people at Microsoft they’re some of the skills: do they have those critical thinking skills? Can you work in a team? Are they open to making mistakes and learning from those mistakes? They’re some of the valuable things that we’re looking for as an employer.

In late November 2017 the Ministry of Education published a summary showing that in PISA's OECD 2015 study New Zealand students excelled at collaborative problem solving:

Historically considered soft skills, these are more and more being seen as essential by employers who are competing in a globally connected and technology savvy world... Students with collaborative problem solving skills and competencies will be well placed to take advantage of the many opportunities they will be faced with in an evolving work environment, and an increasingly global digital world.

It is precisely these skills that the Microsoft Certified Educator qualification looks to develop and assess, meaning those teachers who pass the examination can demonstrably prove their abilities in this area and their proficiency in effectively teaching with technology. To that end, I can see schools implementing staff-wide assessment of teachers in programmes such as this. Given the preparation is in micro-credentialed, self-paced and online courses through the Microsoft Education Community portal, teachers can prepare themselves thoroughly before the examination.

Reading the more in-depth review of the PISA testing is instructive for New Zealand educational leaders as well, with some of the key findings highlighted as:

• New Zealand students performed very well in the collaborative problem solving assessment (with a mean score of 533, well above the OECD average of 500). Only Singapore, Japan, and Hong Kong China had significantly higher average results.
• New Zealand had one of the largest proportions of students that scored at the highest level of collaborative problem solving proficiency (only Singapore had a higher proportion).
• New Zealand students perform better in collaborative problem solving than expected given their performance in science, reading, and mathematics in PISA 2015.
• Girls outperformed boys in collaborative problem solving across the OECD by 29 points, and in New Zealand this difference was particularly large (41 points).
• Once performance in science, reading and mathematics was taken into account, there were no significant differences between the scores for students identifying as one ethnic grouping compared with those who do not identify with that group (e.g., Pākehā/non-Pākehā). In contrast, the difference between girls and boys remains large after accounting for performance in the three core subjects.

Some very interesting results evidenced in terms of gender performance with girls out-performing boys in collaboration, echoing some of the other trends in NCEA assessment in NZ. Again, I encourage you to review the entire document here.

This article details some of the more common error messages encountered when replicating on-premises Hyper-V virtual machines using Azure Site Recovery and explains in detail the troubleshooting steps to resolve them.

Enable protection failed

• Ensure your configuration adheres to support matrix (supported/not-supported configurations) and prerequisites recommended for Hyper-v to Azure.
• Ensure Hyper-V host prerequisites are met before enabling replication. If you are using VMM, then ensure its prerequisites are also met.
• Ensure Hyper-V Virtual Machine Management service is up and running.
• Check the logs listed in this article to understand the root cause of the issue.
• Ensure WMI is enabled and accessible:
  • Basic WMI Testing
  • WMI Troubleshooting
  • Troubleshooting problems with WMI scripts and WMI Services
• Ensure  Integration Service version is latest:
  • Check if your version of Integration Services is latest by following steps listed in this article
  • Follow steps listed in this article to keep Integration services on latest version

Initial replication stuck (or) Replication not progressing

This can happen for various reasons listed below. It is always a good practice to ensure that you are running on latest agent (visit this article  and check the instructions of latest rollup update):

• Check if the replication is Paused
  • Connect to the on-premises Hyper-V manager console, select the virtual machine, and see the replication health.
  • If replication health is Critical, right-click the virtual machine > Replication > View Replication Health.
  • If replication is paused, then click Resume Replication.
• Check if the Azure Site Recovery services are running. (Re)Start any service, which is not running and check if the problem still exists.
  • Hyper-V to Azure: On the Hyper-V server:
    • Virtual Machine Management service
    • Microsoft Azure Recovery Services Agent
    • Microsoft Azure Site Recovery Service
  • Hyper-V with VMM to Azure:
    • On Hyper-V host, ensure "Virtual Machine Management service" and "Microsoft Azure Recovery Services Agent" is running
    • On VMM server, ensure  "Microsoft Azure Site Recovery Service" is running
  • Ensure WMI Provider Host service is running on Hyper-V host.
• Check your network bandwidth availability
  • Check if there are bandwidth or throttling constrains in your configuration by following steps and recommendations listed in this article.
  • Run the profiler (steps) using Deployment Planner tool. Follow bandwidth recommendations, storage recommendations and aware of data churn limitations.
• Check connectivity between Hyper-V server to Azure: From Hyper V server, open the Task Manager (press Ctrl-Shift-Esc) -> Performance tab ->Open Resource Monitor-> Network tab. Check if cbengine.exe in ‘Processes with Network Activity’ is actively sending large volume (in Mbs) of data.
• Check if Hyper-V server can connect Azure Blob:   Select and check cbengine.exe to view the 'TCP Connections' to see if there is connectivity from Process server to Azure Storage blob URL
• High data churn on VM: 
  • Check if your VM is marked for resynchronization. One of the reasons this can happen, is if the HRL files reaches 50% of the available disk space. To investigate the source of churn follow steps listed in this article. If this turns out to be the issue, then provision more storage space for all VMs enabled for replication to Azure that are accounting for the HRL file growth.
  • Network bandwidth limitations can also impact replication. Follows steps listed under Check your network bandwidth availability section to ensure there is enough bandwidth to meet your requirements.
  • Ensure the replication is not paused. If the replication is suspended/paused, it does not stop writing the changes to the hrl file (which in turn can lead growth of HRL files reaching limit).
  • Choose the appropriate storage to match your churn scenario as listed in this article.

One of the coolest ‘features’ of inventory is the fact that it logs information to the database when it processes the files. Granted, I’m biased on this opinion because I helped make it happen. Unfortunately, I haven’t seen anyone talk about it yet so it’s either not as cool as I thought or people don’t really know about it. So, in hopes that it’s the latter, here’s a quick blog on it.

The "InventoryLog" table only exists on the primary sites, so if you’re in a hierarchy you’ll have to query the primary(ies) directly instead of querying the CAS. However, I do have a user voice to get it added to replication so if you find it useful go ahead and vote it up here!

If you look at the distinct “LogText” items on your server you’ll see the type of data that is being stored. Obviously, your records will be different than the following sample:

So, we could use this information to know how often a particular machine is having issues or to know how often the system is forcing resyncs, or to look for trends in these issues.

For example, about a year ago I created a report that grouped the records in this table by week and got counts of the issues to see if we could see what the biggest buckets were. I wrote the query to run on the CAS and use linked servers to the primaries so I could also group the records by primary site. Here’s what that looked like back then:

As you can see, I immediately picked up on the “Exceed MIF size limit. Discard” records. The numbers weren’t the highest but it’s a pretty straightforward issue so decided to look at that first. The first table shows the total of all sites for the last four weeks and the second table shows the counts by primary site for the last week – highlighting the cell that has the highest counts.

It was apparent that some sites were worse than others – so I ran a PowerShell script to check the "Max MIF Size" of all the sites. Here was the output:

Those values are in MB. And, unfortunately for us, we did not have a consistent size across all sites so the ones with the lowest values obviously were the problem sites. We can get some pretty big MIFs due to some of the noisy classes we collect – such as “Recently Used Apps”. So, we decided to increase our Max MIF Size on all sites to 50MB (to account for the largest file size we had received).

And then we monitored…obviously, by using the “InventoryLog” table:

Note: these pictures are taken from old status reports…hence my comments as well.

And, a couple weeks later:

I realize that was a very simple example, but a real-life example nonetheless.

For some of the issues you can find more details in the “LogDetail” column. For example:

In this case, we see that for the issue “Non-existent row. Resync” it collects the procedure which first hit the error. In this case, the procedure didn’t find a record for the machine/instance so it couldn’t do anything with the data. And to mitigate the risk that SCCM does not have all the data from the client, the server would request a resync from the client.

Other issues (items in the “LogText” column) may have a “LogDetail” that has the machine’s GUID, something else that helps (or doesn’t ), or you may need to look at “ServerReportVersion” and “ClientReportVersion” to get more info. For example, if you see a “LogText” of “Different major. Resync” that means that the version in the report (MIF) sent by the client was not the same as the one the Server was expecting. In this case it will have the client resync to make sure we are not out of sync with the client.

To actually see what the client sent and what the server expected for the major version you have to divide the value by 4294967296. If it were a different minor you’d have to get the mod of the value and the same value. That, or you could just use the view “vInventoryLog”.

SELECT  LogID -- Primary Key!

       ,MachineID

       ,LogTime AS [LogTimeUTC]

       ,CONVERT(int,ServerReportVersion/4294967296) AS [ServerMajor]

       ,ServerReportVersion%4294967296 AS [ServerMinor]

       ,CONVERT(varchar(5),CONVERT(int,ServerReportVersion/4294967296))+'.'+CONVERT(varchar(5),ServerReportVersion%4294967296) AS [ServerVersion]

       ,CONVERT(int,ClientReportVersion/4294967296) AS [ClientMajor]

       ,ClientReportVersion%4294967296 AS [ClientMinor]

       ,CONVERT(varchar(5),CONVERT(int,ClientReportVersion/4294967296))+'.'+CONVERT(varchar(5),ClientReportVersion%4294967296) AS [ClientVersion]

       ,LogText

       ,LogDetail

  FROM dbo.InventoryLog

 WHERE LogText = N'Different major. Resync';

Example output:

Hopefully now that you know about this log table you’ll be able to use it in your investigations. If you do, please share how it was helpful!

Hi there,

It's been a very long while since I have blogged something here and it's time to come back and continue sharing our field experiences with the IT community hoping to shed light for similar problems.

I was tasked to deal with a customer problem where the end users were reporting various problems like "cannot access the file server, getting authentication prompts" and the IT admins were also observing various problems like the server wasn't properly applying GPOs, Netlogon service complaining about DC access issues and etc. At times, they were even able to manually reproduce the issue by issuing a "telnet DC-IP 389" command from the affected server.

There might be a lot of reasons behind, so I decided to collect a number of logs while the issue was reproduced:

a) TCPIP ETL trace:

You can collect it with the below commands on a Windows client/server: (from an elevated command prompt)

netsh start trace capture=yes scenario=internetclient

<<repro>>

netsh trace stop

b) Network trace:

This could be collected in different ways like using the above command, Wireshark, Network Monitor, Message Analyzer,...

c) Handle outputs

This could be collected as follows:

Note: Handle tool could be downloaded from the following link: https://technet.microsoft.com/en-us/sysinternals/handle.aspx Handle v4.1

handle.exe -a -u >> %computername%_handledetails.txt

handle.exe -s >> %computername%_handlesummary.txt

ANALYSIS:

========

The logs were collected while doing a repro with telnet command on the server. After the logs were shared with us, I checked various things to understand why the outbound connection might be failing (by the way, the file server not being able to authenticate the incoming users was also a side effect of this issue since the file server wasn't able to verify the client credentials via Netlogon secure channel)

1) I first checked network traces, but there were no outgoing connection attempts (TCP SYNs sent to the target server) which means the issue is local to the server itself

2) Then I checked the TCPIP ETL trace and observed the root cause:

Note: You can open up the ETL file that is generated as a result of running netsh command in Network Monitor or Message Analyzer

[0]03E0.5214::01/04/18-15:07:37.5237622 [Microsoft-Windows-TCPIP/Diagnostic] TCP: endpoint (sockaddr=0.0.0.0) bind failed: port-acquisition status = The transport address could not be opened because all the available addresses are in use..

[0]58F0.4558::01/04/18-15:07:51.8242042 [Microsoft-Windows-TCPIP/Diagnostic] TCP: endpoint (sockaddr=0.0.0.0) bind failed: port-acquisition status = The transport address could not be opened because all the available addresses are in use..

[0]04D8.072C::01/04/18-15:07:52.0110322 [Microsoft-Windows-TCPIP/Diagnostic] TCP: endpoint (sockaddr=0.0.0.0) bind failed: port-acquisition status = The transport address could not be opened because all the available addresses are in use.. 1616260 [0]

...

Actually that clearly explained why the outbound connections were failing: PORT EXHAUSTION.

3) And the main reason behind the port failure was a socket leak caused by an outdated 3rd party AV software: (from handles.exe output)

Note: The process name was deliberately changed

92355 ABC.exe pid: 1148 NT AUTHORITYSYSTEM

92517   144: File  (---)   DeviceAfd

92519   148: File  (---)   DeviceAfd

92627   220: File  (---)   DeviceAfd

92629   224: File  (---)   DeviceAfd

92633   22C: File  (---)   DeviceAfd

92635   230: File  (---)   DeviceAfd

92689   29C: File  (---)   DeviceAfd

92701   2B4: File  (---)   DeviceAfd

92703   2B8: File  (---)   DeviceAfd

92705   2BC: File  (---)   DeviceAfd

92707   2C0: File  (---)   DeviceAfd

92743   308: File  (---)   DeviceAfd

92755   320: File  (---)   DeviceAfd

92761   32C: File  (---)   DeviceAfd

92767   338: File  (---)   DeviceAfd

92771   340: File  (---)   DeviceAfd

92773   344: File  (---)   DeviceAfd

92779   350: File  (---)   DeviceAfd

92881   420: File  (---)   DeviceAfd

92897   440: File  (---)   DeviceAfd

92899   444: File  (---)   DeviceAfd

92927   47C: File  (---)   DeviceAfd

92929   480: File  (---)   DeviceAfd

92933   488: File  (---)   DeviceAfd

92935   48C: File  (---)   DeviceAfd

92941   498: File  (---)   DeviceAfd

92977   4E0: File  (---)   DeviceAfd

92993   500: File  (---)   DeviceAfd

93053   578: File  (---)   DeviceAfd

93073   5A0: File  (---)   DeviceAfd

93075   5A4: File  (---)   DeviceAfd

93077   5A8: File  (---)   DeviceAfd

93079   5AC: File  (---)   DeviceAfd

93093   5C8: File  (---)   DeviceAfd

93113   5F0: File  (---)   DeviceAfd

93145   630: File  (---)   DeviceAfd

93165   658: File  (---)   DeviceAfd

93167   65C: File  (---)   DeviceAfd

93175   66C: File  (---)   DeviceAfd

93195   694: File  (---)   DeviceAfd

93199   69C: File  (---)   DeviceAfd

93217   6C0: File  (---)   DeviceAfd

93219   6C4: File  (---)   DeviceAfd

93227   6D4: File  (---)   DeviceAfd

93239   6EC: File  (---)   DeviceAfd

93249   700: File  (---)   DeviceAfd

93253   708: File  (---)   DeviceAfd

93265   720: File  (---)   DeviceAfd

93269   728: File  (---)   DeviceAfd

93271   72C: File  (---)   DeviceAfd

93273   730: File  (---)   DeviceAfd

93275   734: File  (---)   DeviceAfd

93277   738: File  (---)   DeviceAfd

93281   740: File  (---)   DeviceAfd

93283   744: File  (---)   DeviceAfd

93285   748: File  (---)   DeviceAfd

93297   760: File  (---)   DeviceAfd

93299   764: File  (---)   DeviceAfd

93301   768: File  (---)   DeviceAfd

93305   770: File  (---)   DeviceAfd

93307   774: File  (---)   DeviceAfd

93313   780: File  (---)   DeviceAfd

93317   788: File  (---)   DeviceAfd

93321   790: File  (---)   DeviceAfd

93323   794: File  (---)   DeviceAfd

93327   79C: File  (---)   DeviceAfd

93329   7A0: File  (---)   DeviceAfd

93331   7A4: File  (---)   DeviceAfd

93333   7A8: File  (---)   DeviceAfd

93335   7AC: File  (---)   DeviceAfd

93339   7B4: File  (---)   DeviceAfd

93343   7BC: File  (---)   DeviceAfd

93355   7D4: File  (---)   DeviceAfd

93357   7D8: File  (---)   DeviceAfd

93359   7DC: File  (---)   DeviceAfd

93361   7E0: File  (---)   DeviceAfd

93365   7E8: File  (---)   DeviceAfd

93373   7F8: File  (---)   DeviceAfd

93383   810: File  (---)   DeviceAfd

93389   81C: File  (---)   DeviceAfd

…

RESOLUTION:

===========

So we advised the customer to update the 3rd party AV software. Apart from that, you can take the following actions to avoid possible port leak issues:

a) Please make sure that Windows OS runs with latest rollups/security updates

b) Please make sure that all 3rd party softwares are up to date (including Firewall, AV, backup or any kind of software that might have to frequently establish outbound connections)

c) Finally you may consider extending the port range for busy servers which are supposed to establish many outbound connections very frequently. The following is the maximum range that you can set, but you may extend the range in phases instead of maxing out at the very beginning: (from an elevated command prompt)

netsh int ipv4 set dynamicport tcp start=1025 num=64500

netsh int ipv4 set dynamicport udp start=1025 num=64500

and you can decrease the TCPTimedWaitDelay registry key on the servers: (you may lower it to 30 seconds)

https://technet.microsoft.com/en-us/library/cc757512(v=ws.10).aspx TcpTimedWaitDelay

The TcpTimedWaitDelay value determines the length of time that a connection stays in the TIME_WAIT state when being closed. While a connection is in the TIME_WAIT state, the socket pair cannot be reused. This is also known as the 2MSL state because the value should be twice the maximum segment lifetime on the network. To adjust the TcpTimedWaitDelay settings, you have to modify/create the registry settings as listed below:

Note: This change requires a server reboot

Please note that the same techniques could be applied to virtually any Windows versions as of Windows 7/Windows 2008 R2 onwards easily.

Hope this helps

Thanks,

Murat

Some time ago I worked with an organization that had difficulties in receiving emails on a newly added address. The Organization used “Set-UnifiedGroup” cmdlet to successfully add a new alias to an existing Office 365 group, but external senders were receiving the following NDR: “550 5.4.1 [newaddress@contoso.com]: Recipient address rejected: Access denied” upon sending an email to the new address.

So, I've decided to write a script and help this organization.

Scenario:

• You want to add a new alias to an existing Office 365 Group.
• You want external senders to be able to send emails to the new alias.

Current limitations:

• It is not possible to add a new alias to an existing Office 365 Group in EAC.
• The new alias is not replicated to DBEB (resulting in a rejection if an email is sent to the new address).

Workaround:

• Use the Set-UnifiedGroup PowerShell cmdlet to add an alias to an existing Office 365 group (ex. Set-UnifiedGroup -Identity current_group_address@contoso.com -EmailAddresses: @{add="smtp:newaddress@contoso.com"}
• Force the replication in DBEB by changing the primary address in Exchange Online (ex. Set-UnifiedGroup -PrimarySmtpAddress newaddress@contoso.com)

DISCLAIMER: 

This application is a sample application. The sample is provided “as is” without warranty of any kind. Microsoft further disclaims all implied warranties including without limitation any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the samples remains with you. In no event shall Microsoft or its suppliers be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, data loss or other pecuniary loss arising out of the use of or inability to use the samples, even if Microsoft has been advised of the possibility of such damages. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

 Prerequisites:

• To be able to run the script you need to install on the computer the prerequisites described in the following article Connect to Office 365 PowerShell

Script logic:

• Before taking any actions, the script tries to do some basic verifications:
  • Checks if the Current Group Address really exists in Exchange Online
  • Checks if the Current Group Address is the primary address (as at the end we will set it back)
  • Checks the domain of the New Group Address
  • Checks if the New Group Address already exists in Exchange Online
  • Checks if the New Group Address already exists in Azure AD
• Adds the New Group Address to the Office 365 group
• Sets the New Group Address as primary address in order to replicate it in DBEB
• Reverts the primary address to Current Group Address

Script Sample:

#------------------------------------------------------------------------------
#
# Copyright © 2017 Microsoft Corporation.  All rights reserved.
#
# THIS CODE AND ANY ASSOCIATED INFORMATION ARE PROVIDED “AS IS” WITHOUT
# WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT
# LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS
# FOR A PARTICULAR PURPOSE. THE ENTIRE RISK OF USE, INABILITY TO USE, OR
# RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
#
#------------------------------------------------------------------------------
#
# PowerShell Source Code
#
# NAME:
#    Office365_add_alias.ps1
#
# VERSION:
#    1.0
#
#------------------------------------------------------------------------------
[CmdletBinding()]
param
(
[Parameter(Mandatory = $True, Position = 0)]
[ValidateNotNullOrEmpty()]
[string]$CurrentGroupAddress,

[Parameter(Mandatory = $True, Position = 1)]
[ValidateNotNullOrEmpty()]
[string]$NewGroupAddress
)

#region Set Up Variables
$Matcheduser = $Null
$Matchedgroup = $Null
$MatchedOldGroup = $Null
$Objid = $Null
$CheckDomain = $Null
$AllUsers = $Null
$AllGroups = $Null
$MatchedUnifiedOldGroup = $Null
$MatchedRecipient = $Null
$MatchedMSODS = $Null
$MatchedEXO = $Null
$UserMatchFound = $false
$GroupMatchFound = $false
$MSODSEmailAddress = $Null
$CounterEXO = 6
$CounterMSODS = 6
$CheckEXO = $Null
$CheckMSODS = $Null
#endregion

#region Connect to Office 365
try
{
# Connect to Azure AD
Write-Host "Please enter your Office 365 credentials" -ForeGroundColor Green
$O365Cred = Get-Credential
Import-Module MSOnline
Write-Host "`nConnecting to Azure AD..."
Connect-MsolService –Credential $O365Cred

# Connect to Exchange Online
Write-Host "`nConnecting to Exchange Online..."
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $O365Cred -Authentication "Basic" -AllowRedirection
Import-PSSession $O365Session -DisableNameChecking -AllowClobber | ft

}
catch
{
Write-Host "`nUnable to connect to Office 365`n" -Foregroundcolor Red
Read-Host “Press ENTER to exit...”
Exit
}
#endregion

#region Checking if the old address exists
Write-Host "Checking the address $CurrentGroupAddress in Exchange Online"
$MatchedUnifiedOldGroup = Get-UnifiedGroup -Identity $CurrentGroupAddress -ErrorAction SilentlyContinue | select Name, EmailAddresses
if ($MatchedUnifiedOldGroup -eq $Null)
{
Write-Host "`tI was not able to find $CurrentGroupAddress in Exchange Online `n"-Foregroundcolor Red
Read-Host “Press ENTER to exit...”
Exit
}
else
{
Write-Host "`tDone. The address $CurrentGroupAddress was found in Exchange Online`n" -Foregroundcolor Yellow
}
Write-Host "Checking the address $CurrentGroupAddress in Azure AD"
$MatchedOldGroup = Get-MsolGroup -All -SearchString $CurrentGroupAddress | select ObjectId,proxyAddresses
if ($MatchedOldGroup -eq $Null)
{
Write-Host "`tI was not able to find $CurrentGroupAddress. Are you sure this is the primary address of the group?`n"-Foregroundcolor Red
$Objid = (Get-UnifiedGroup $CurrentGroupAddress).ExternalDirectoryObjectId
$MSODSEmailAddress = Get-MsolGroup -ObjectId $objid |select EmailAddress
Write-Host "Based on Exchange Online info $($MSODSEmailAddress.EmailAddress) might be the primary address. Would you like me to use this address instead of $($CurrentGroupAddress)? (Default is No)" -Foregroundcolor Yellow
$Readhost = Read-Host "Enter your choice ( y / n ) "
Write-Host "`n"
Switch ($ReadHost)
{
Y {$CurrentGroupAddress = $MSODSEmailAddress.EmailAddress}
N {Read-Host “Press ENTER to exit...”;  Exit}
Default {Read-Host “Press ENTER to exit...”;  Exit}
}
}
else
{
Write-Host "`tDone. The address $CurrentGroupAddress was found `n" -Foregroundcolor Yellow
}
#endregion

#region Verify the new address
Write-Host "Checking if the address $NewGroupAddress is part of an accepted domain"
$CheckDomain = Get-AcceptedDomain -Identity ($NewGroupAddress.Split("@"))[1] -ErrorAction SilentlyContinue
If ($CheckDomain -eq $Null)
{
Write-Host "`tDomain does not exists or is not correct`n" -Foregroundcolor Red
Read-Host “Press ENTER to exit...”
Exit
}
else
{
Write-Host "`tDone. The domain was found `n" -Foregroundcolor Yellow
}
#endregion

#region Checking if new address exists in MSODS
Write-Host "Checking if any user in Azure AD contains $NewGroupAddress (this may take a while)..."
$AllUsers = Get-MsolUser –All | Select userPrincipalName,proxyAddresses
$AllGroups = Get-MsolGroup –All | Select ObjectId,proxyAddresses

#loop all users
ForEach ($User in $AllUsers)
{
#loop proxyAddresses
ForEach ($UPA in $User.ProxyAddresses)
{
If ($UPA –Match $NewGroupAddress)
{
$UserMatchFound = $True
$Matcheduser = $User
}
}

}
write-host "`tDone. `n" -Foregroundcolor Yellow
write-host "Checking if any group in Azure AD contains $NewGroupAddress (this may take a while)..."

#loop all groups
ForEach ($Group in $AllGroups)
{

#loop proxyAddresses
ForEach ($GPA in $Group.ProxyAddresses)
{
If ($GPA –Match $NewGroupAddress)
{
$GroupMatchFound = $True
$Matchedgroup = $Group
}
}

}
write-host "`tDone.`n" -Foregroundcolor Yellow

If ($UserMatchFound -or $GroupMatchFound)
{
$MatchedMSODS = $true
If ($UserMatchFound)
{
Write-Host "`nThe new address exists in Azure AD"
Write-Host "The user $($Matcheduser.userPrincipalName) contains the following addresses: $($Matcheduser.ProxyAddresses)`n" -Foregroundcolor Red
Read-Host “Press ENTER to exit...”
Exit
}
Else
{
Write-Host "`nThe new address exists in Azure AD"
Write-Host "`The group $($Matchedgroup.ObjectId) contains the following addresses: $($Matchedgroup.ProxyAddresses)`n" -Foregroundcolor Red
Read-Host “Press ENTER to exit...”
Exit
}
}
Else
{
write-host "`tDone. No user or group found in Azure AD`n" -Foregroundcolor Yellow
}

#endregion

#region Checking if new address exists in EXO
Write-Host "Checking the address $NewGroupAddress in Exchange Online "
$MatchedUnifiedGroup = Get-UnifiedGroup -Identity $NewGroupAddress -ErrorAction SilentlyContinue | select Name, EmailAddresses
$MatchedRecipient = Get-Recipient -Identity $NewGroupAddress -ErrorAction SilentlyContinue | select Name, EmailAddresses
if (($MatchedUnifiedGroup -ne $Null) -or ($MatchedRecipient -ne $Null))
{
$MatchedEXO = $true
If ($MatchedRecipient -ne $Null)
{
Write-Host "`tDone. receipint $($MatchedRecipient.name) contains the following addresses: $($MatchedRecipient.EmailAddresses) `n" -Foregroundcolor Yellow
}
Else
{
Write-Host "`tDone. Unified Group $($MatchedUnifiedGroup.Name) contains the following addresses: $($MatchedUnifiedGroup.EmailAddresses)  `n" -Foregroundcolor Yellow
}
Write-Host "The new address already exists`n" -Foregroundcolor Red
Read-Host “Press ENTER to exit...”
Exit
}
Else
{
Write-Host "`tDone. No user or group was found in Exchange Online`n" -Foregroundcolor Yellow
}
#endregion

#region Adding the new address
Write-Host "Finished all checks. Moving forward...`n" -Foregroundcolor Green
if (!$MatchedMSODS -and !$MatchedEXO)
{
$Objid = (Get-UnifiedGroup $CurrentGroupAddress).ExternalDirectoryObjectId
Write-Host "Adding $NewGroupAddress in Exchange Online"

# add the new address
Set-UnifiedGroup -Identity $CurrentGroupAddress -EmailAddresses: @{add="smtp:$NewGroupAddress"}

do
{
sleep 10
$CounterEXO--
$CheckEXO = Get-UnifiedGroup -Identity $NewGroupAddress
}
while (($CounterEXO -ge 0) -and ($CheckEXO -eq $Null))

if ($CheckEXO -eq $Null)
{
Write-Host "I was not able to add the new address`n" -Foregroundcolor Red
Read-Host “Press ENTER to exit...”
Exit
}
Else
{
Write-Host "`tDone.`n" -Foregroundcolor Yellow
}

Write-Host "Adding $NewGroupAddress in Azure AD"

# Changing the primary address to force the sync
Get-UnifiedGroup $CurrentGroupAddress | Set-UnifiedGroup -PrimarySmtpAddress $NewGroupAddress

do
{
sleep 10
$CounterMSODS--
$CheckMSODS = Get-MsolGroup -All -SearchString $NewGroupAddress | select emailaddress
Write-Host "`tPlease wait..."
}
while (($CounterMSODS -ge 0) -and ($CheckMSODS -eq $Null))

if ($CheckMSODS  -eq $Null)
{
Write-Host "I was not able to sync the new address`n" -Foregroundcolor Red
Read-Host “Press ENTER to exit...”
Exit
}
Else
{
Write-Host "`tDone.`n" -Foregroundcolor Yellow
}

# Changing back the primary address
Get-UnifiedGroup $NewGroupAddress | Set-UnifiedGroup -PrimarySmtpAddress $CurrentGroupAddress
Write-Host "`nAll Done! Wait 15 mins before doing a test!`n" -Foregroundcolor Yellow
Read-Host “Press ENTER to exit...”
Remove-PSSession $O365Session
}
#endregion

(この記事は 2017 年 11 月 6 日に Office 365 Blog に投稿された記事 Getting the best connectivity and performance in Office 365 の翻訳です。最新情報については、翻訳元の記事をご参照ください。)

従来のエンタープライズ ネットワークは、企業が運用するデータセンターでホストされているアプリケーションやデータにユーザーがアクセスできるようにすることを第一に設計されています。また、通信や Web 閲覧を行えるようにインターネット アクセスのゲートウェイとしても使用される場合があります。このモデルでは、ユーザーと企業が運用するデータセンターの間のネットワーク セキュリティは最小限であるうえに、ユーザーとインターネットの間のセキュリティ境界は広範で、ファイアウォール、ウイルス検索プログラム、データ損失防止、侵入検出デバイスなど、多数のネットワーク デバイスが含まれます。

ネットワーク セキュリティ スタックが大規模であるため、ブランチ オフィスのインターネット接続は、お客様のワイド エリア ネットワーク (WAN) を介して集中化およびバックホール接続されることが一般的です。このモデルは、ユーザーがオフィス内から、帯域幅が保証されている企業のオンプレミス アプリ (メールやドキュメント共有など) に安全にアクセスするうえで適していました。WAN 内のネットワーク セキュリティが最小限であるため、ネットワーク トラフィックが妨げられることもありません。

従来のエンタープライズ ネットワークによる WAN を介したインターネットへのトラフィックのバックホール

しかし、企業において Office 365 などの SaaS アプリの導入と使用が増加し、従業員の働く場所が多様化するにつれて、検査のためにトラフィックを中央の場所にバックホール接続するという従来の方法では、遅延が発生してエンドユーザー エクスペリエンスが低下するようになりました。お客様が運用する中央のデータセンターのエンタープライズ アプリケーションから Office 365 への移行に伴い、単純なインターネット通信や Web 閲覧および調査を行う場合と比較して、トラフィック パターン、パフォーマンス要件、エンドポイント セキュリティの違いを認識し、ネットワーク計画を変更する必要があります。

マイクロソフトのグローバル ネットワークは、世界最大級のネットワーク バックボーンであり、ネットワークの輻輳が最小限に抑えられた高帯域幅のリンクと、数千マイルにわたる私有のダーク ファイバー、データセンター間のマルチテラビット ネットワーク接続、世界中に広がるアプリケーションのフロント ドア サーバーから構成されています。このネットワーク上には、インターネットのパブリック ピアリングを行う相互接続用の拠点が 100 以上存在するため、すべてのユーザーが所在地を問わず、簡単にインターネットを使用してネットワークに接続し、Office 365、Azure、Xbox、Bing、Skype、Hotmail などのサービスにアクセスできます。

マイクロソフトは、ネットワーク、アプリケーションのフロント ドアの所在地、ISP とのパブリック ピアリング パートナーシップ、トラフィックのバックホール機能の強化に引き続き投資してまいります。これにより、ユーザーのネットワーク トラフィックはユーザーに非常に近い場所からマイクロソフトのグローバル ネットワークに送信され、そのトラフィックはマイクロソフトの負担により、ネットワーク内の高帯域幅回線を介してユーザーのデータが格納されている場所にバックホール接続されます。

マイクロソフトのグローバル ネットワーク (青い点は世界中の Office 365 のフロントエンド サーバーを表す)

マイクロソフトは、Office 365 の接続性とパフォーマンスを最適化するために、インターネットの使用とシンプルなネットワーク設計を推奨しています。ネットワーク設計の主な目標は、お客様のネットワークからマイクロソフトのグローバル ネットワークへの往復時間 (RTT) を短縮すると共に、ネットワーク トラフィックがヘアピン処理や特定の場所に集中化されていないことを確認することです。以下の Office 365 の接続原則を使用して、トラフィックを管理することで、Office 365 への接続時のパフォーマンスを最大限に向上できます。

Office 365 の URL と IP アドレス (aka.ms/O365IP)

SaaS アプリケーションである Office 365 には、Office 365 サービスのフロントエンド サーバーを表す URL と IP アドレスが多数あります。これらの URL と IP アドレスはエンドポイントと呼ばれ、お客様はこれらを使用して Office 365 への特定のネットワーク トラフィックを特定できます。

Office 365 のネットワーク トラフィックを一般的なインターネットへのネットワーク トラフィックと区別するためには、まず Office 365 のトラフィックを特定する必要があります。マイクロソフトは Office 365 のエンドポイントとこのデータの最適な使用方法に関するガイダンスを公開しています。Office 365 管理者は、スクリプトを使用してエンドポイントの詳細を取得し、境界ファイアウォールやその他のネットワーク デバイスに適用できます。これにより、Office 365 へのトラフィックを特定し、従業員が閲覧する一般的かつ不明なインターネット Web サイトへのネットワーク トラフィックとは異なる方法で適切に処理および管理できます。

ローカル インターネットからマイクロソフトのネットワークへの送信

エンタープライズ WAN の多くは、ネットワークからインターネットに送信する前に、ネットワーク トラフィックを処理するために中央の本社にバックホール接続するように設計されています。Office 365 は、世界中の多数のフロントエンド サーバーを含むマイクロソフトの大規模なグローバル ネットワーク上で稼動しているため、多くの場合、ユーザーの所在地の近くにネットワーク接続とフロントエンド サーバーが存在します。

ほとんどの場合、ユーザーの所在地に近い場所から Office 365 のネットワーク トラフィックをインターネットに送信してマイクロソフトのグローバル ネットワークに接続することにより、企業の WAN を介してデータをバックホール接続する場合と比較してパフォーマンスが向上します。また、多くの Office 365 アプリケーションは DNS 要求を使用してユーザーの所在地を特定します。ユーザーの DNS 参照がネットワーク送信と同じ場所で実行されない場合は、離れた場所の Office 365 のフロントエンド サーバーに接続される可能性があります。

ローカル インターネット送信およびローカル DNS 解決を提供することにより、Office 365 へのネットワーク トラフィックは、ユーザーに可能な限り近い場所からマイクロソフトのグローバル ネットワークと Office 365 のフロントエンド サーバーに接続できます。このように、マイクロソフトのグローバル ネットワークと Office 365 のフロントエンド サーバーへのネットワーク パスを短縮することで、Office 365 の接続性のパフォーマンスとエンドユーザー エクスペリエンスの向上が期待できます。

エンタープライズ ネットワークによる Office 365 へのインターネット トラフィックのヘアピン処理

マイクロソフトは、ユーザーと Office 365 のエンドポイントの距離を短縮し、遅延を削減してエンドユーザー エクスペリエンスを向上させるべく継続的に取り組んでいます。ユーザーを Office 365 に接続する場合、2 種類のネットワーク ルートのヘアピン処理が発生する可能性があります。これらのヘアピン処理が発生すると、ユーザーとマイクロソフトのグローバル ネットワーク間のネットワーク パスが大幅に延長されるため、ネットワーク遅延が増大し、Office 365 のパフォーマンスが低下します。

前述のように、2 つ目のヘアピン処理は、クラウドベースのネットワーク セキュリティ インフラストラクチャ デバイスが原因となります。ネットワーク デバイス ベンダーのホスティング拠点が限られていて、ユーザーを離れた場所の特定の拠点に接続する場合、ネットワーク トラフィックがユーザーの所在地から離れた場所のネットワーク デバイスを経由して、ユーザーの近くの Office 365 のフロントエンド サーバーに戻るというヘアピン ルートが生じる可能性があります。これを回避するためには、特定のホスティング拠点についてクラウドベースのネットワーク セキュリティ ベンダーに確認し、それによって生じるネットワーク パスが、マイクロソフトのグローバル ネットワーク上の Office 365 のエンドポイントへの直接ルートとは異なる可能性があることを批判的に捉える必要があります。

1 つ目のヘアピン処理は、ネットワーク出力とユーザーの DNS 参照が一致しないことが原因です。この場合、ユーザーは近くの Office 365 のフロントエンド サーバーに接続されますが、離れた場所にある本社の送信場所を経由することになります。これは、上記の原則で説明したように、ローカル送信とローカル DNS 解決によって回避できます。

Office 365 の追加のセキュリティのバイパス

不明なインターネット サイトへの一般的なインターネット Web 閲覧トラフィックには、多大なセキュリティ リスクが伴うため、大部分の企業はインターネットへの送信場所にネットワーク セキュリティ、監視、トラフィック評価テクノロジを実装しています。ネットワーク セキュリティ テクノロジには、プロキシ サーバー、インラインの SSL によるネットワーク トラフィックの中断および検査、ネットワーク レイヤベースのデータ損失防止などが含まれます。ネットワーク セキュリティ デバイス業界は、目覚ましい成長を遂げています。これらのデバイスはすべて、企業におけるインターネット接続のリスクを軽減するものですが、インターネット接続に必要なコストとリソースが増加し、ネットワーク接続のパフォーマンスが低下するというデメリットもあります。

すべての Office 365 サーバーはマイクロソフトのデータセンターでホストされており、マイクロソフトは、これらのサーバーとそのネットワーク エンドポイントに関連するデータセンターのセキュリティ、運用セキュリティ、リスクの軽減について積極的に情報を公開しています。これらのセキュリティの詳細については、Microsoft Trust Center をご覧ください。Office 365 には、その他にもネットワーク セキュリティのリスクを軽減する方法が多数あります。たとえば、データ損失防止、ウイルス対策、Multi-Factor Authentication、カスタマー ロックボックス、Advanced Threat Protection、Office 365 Threat Intelligence、Office 365 セキュリティ スコア、Exchange Online Protection、ネットワーク DDOS セキュリティ、その他多数のセキュリティ機能が組み込まれています。

企業のお客様は、Office 365 へのトラフィックに特化したこれらのリスク軽減方法を検討し、Office 365 の組み込みセキュリティ機能を使用することで、Office 365 として特定されたネットワーク トラフィックに干渉してパフォーマンスに影響を及ぼす高価なネットワーク レイヤベースのセキュリティ テクノロジの使用を減らすことをお勧めします。

Office 365 ネットワーク製品グループでは、Office 365 に接続する場合のネットワークの問題についてのご意見は、このブログのコメント欄までお寄せください。皆様からのご意見をお待ちしています。

• Office 365 の接続原則を拡張する Office 365 製品グループの動画:
  • 戦略: https://youtu.be/19a8s90HboQ (英語)
  • 計画: https://youtu.be/cJDpB59gk3M (英語)
  • 実装: https://youtu.be/lZwvitkvg6A (英語)

• Office 365 のネットワーク計画とパフォーマンスのチューニングに関するガイダンス: aka.ms/tune
• Office 365 の URL と IP アドレス: aka.ms/O365IP
• Office 365 の帯域幅要件の管理: aka.ms/O365networkconnectivity

※ 本情報の内容 (添付文書、リンク先などを含む) は、作成日時点でのものであり、予告なく変更される場合があります。

Автор статьи - Виталий Веденев.

Продолжаю рассматривать примеры реализации образовательных программ [1] средствами Microsoft Office 365 и, в частности, с помощью единого центра интеллектуальных коммуникаций Microsoft Teams [2] и сайтов SharePoint [3].

Что вы будете знать и уметь после прочтения этой статьи?

- Как создать информационно-образовательную среду (ИОС) средствами Microsoft Teams и сайтов SharePoint для реализации образовательных программ [1].

В статье [4] я разобрал, начиная с 2015 года, зависимость между срочностью в процессе обучения, размером аудитории и основными сервисами Office 365 в ходе одной из важнейшей составляющей учебного процесса -  коммуникациями с учетом новых тенденций.

Если вы в ходе организации электронного обучения в единой информационно-образовательной среде Office 365 сталкиваетесь со следующими ситуациями:

- базовый контент дисциплины (модуля) изучает много разнообразных по составу и уровню подготовки групп обучаемых;

- базовый контент обновляется сравнительно не часто;

- вы должны организовать межпредметные связи, повторение пройденного материала, в ходе обучения вам необходимо обратиться к многочисленным материалам других дисциплин;

- вам необходимо обеспечить адаптивность среды обучения;

- необходимо обеспечить одновременное обучение нескольких групп обучаемых;

- вам необходимо обеспечить гибкое администрирование учебными ресурсами, то в этом случае целесообразно за основу ИОС взять Microsoft Teams в сочетании с сайтами SharePoint.

Рассмотрим примеры организации ИОС на базе Microsoft Teams и сайтов SharePoint в отдельных сценариях.

Сценарий 1. Организация информационно-образовательной среды на базе Microsoft Teams и отдельных библиотек сайтов SharePoint

В состав образовательных программ можно включить онлайн-курс (электронный учебный курс), качество которого достигается разнообразием и возможностями сервисов и приложений Office 365: Microsoft Sway [5], OneNote, библиотек сайтов SharePoint [6].

Добавление библиотеки сайта SharePoint в канал Microsoft Teams позволяет обеспечить вариант изучения, повторения и т.п. большого объема учебного материала (электронного учебного комплекса – библиотеки сайта) с последующим обсуждением средствами Microsoft Teams, например, в ходе семинарского занятия [7].

Пояснения к схеме:

1. Организуем в группе Microsoft Teams (в примере «Группа-класс2») канал «Повторение».
2. В канал «Повторение» добавляем вкладку «SharePoint».
3. При добавлении вкладки есть возможность воспользоваться закладкой «Подходящие сайты» или, если вы не обнаружили подходящий сайт, то вам необходимо добавить ссылку на сайт (подготовить ссылку).
4. При добавлении ссылки на сайт (в примере «Охрана труда») появится название сайта и возможность нажать кнопку «Далее».
5. Появится окно «Выбор библиотеки документов». Выбираем нужную для целей обучения библиотеку документов сайта, нажимаем кнопку «Далее», и во вкладке канала «Повторение» появится содержимое библиотеки документов с учебным контентом.
6. Записываем пояснения к порядку изучения материалов библиотеки сайта в канале (во вкладке «Беседы») и позже назначаем любую форму контроля знаний [8] по итогам изучения материалов библиотеки сайта.

Сценарий 2. Организация информационно-образовательной среды на базе Microsoft Teams и сайта SharePoint

В состав образовательных программ можно включить онлайн-курс, построенный на основе учебных материалов библиотек, списков сайтов SharePoint [6] и содержимого различных веб-частей сайта.

Например, вы в ходе изучения современных сайтов SharePoint [9] решили создать на базе возможностей коммуникационного сайта специализированный сайт для целей обучения большого количества групп с добавлением специализированных веб-частей.

Пояснения к схеме:

1. Организуем в группе Microsoft Teams (в примере «Группа-класс2») канал «Обучение на сайте».
2. В канал добавляем вкладку «Веб-сайт».
3. При добавлении необходимо добавить ссылку на сайт (подготовить ссылку на сайт надо заранее).
4. После добавления ссылки на сайт необходимо нажать кнопку «Сохранить».
5. Сайт в канале-вкладке Microsoft Teams появится не сразу. Вам будет предоставлена возможность открыть сайт в браузере или потребуется перезагрузить вкладку. После ввода пароля для подтверждения прав доступа к сайту (администратору сайта SharePoint необходимо разрешить доступ группе к сайту) вы получите доступ к сайту во вкладке канала Microsoft Teams.
6. В беседах канала будет опубликована информация об этой вкладке (при размещении ссылки мы оставляем отметку «Опубликовать информацию об этой вкладке в канале») и здесь же можно разместить дополнительную информацию для более эффективного изучения учебных материалов сайта.
7. Добавление на сайт веб-части Yammer позволит наладить коммуникации всех участников учебного процесса (много групп, внешние пользователи: консультанты, родители, административные работники и т.п.).

Сценарий 3. Обеспечение учебно-познавательных действий обучаемых в среде Microsoft Teams

Педагог организовывает учебно-познавательные действия обучаемых по овладению изучаемым материалом, например, посредством выполнения заданий [10] или путем решения ситуационных задач [11].

Использованные источники:

1. Microsoft Office 365 в образовании. Примеры реализации образовательных программ https://blogs.technet.microsoft.com/tasush/2017/06/16/primery-realizacii-obrazovatelnyh-programm/
2. A new vision for intelligent communications in Office 365 https://blogs.office.com/en-us/2017/09/25/a-new-vision-for-intelligent-communications-in-office-365/
3. Microsoft Office 365 в образовании. Семейство сайтов SharePoint. Введение https://blogs.technet.microsoft.com/tasush/2015/05/06/microsoft-office-365-9/
4. Microsoft Office 365 в образовании. Современное обучение и Microsoft Teams. Новые тенденции https://vedenev.livejournal.com/25012.html
5. Microsoft Office 365 в образовании. Содержание образовательных программ и Microsoft Sway https://vedenev.livejournal.com/19936.html
6. Microsoft Office 365 в образовании. Использование библиотек и списков сайтов SharePoint. Обзор https://blogs.technet.microsoft.com/tasush/2015/05/24/microsoft-office-365-12/
7. Microsoft Office 365 в образовании. Технология проведения учебных занятий в чате Microsoft Teams. Примеры https://blogs.technet.microsoft.com/tasush/2017/04/14/tehnologija-provedenija-uchebnyh-zanjatij-v-chate-microsoft-teams-primery/
8. Microsoft Office 365 в образовании. Формы организации контроля знаний в Microsoft Teams https://blogs.technet.microsoft.com/tasush/2017/12/25/formy-organizacii-kontrolja-znanij-v-microsoft-teams/
9. Microsoft Office 365 в образовании. Веб-квест для педагогов. Коммуникационные сайты https://vedenev.livejournal.com/21581.html

• Microsoft Office 365 в образовании. Организация обучения, основанного на заданиях в Microsoft Teams с нововведениями. Часть 1 https://blogs.technet.microsoft.com/tasush/2017/12/13/organizacija-obuchenija-osnovannogo-na-zadanijah-v-microsoft-teams-s-novovvedenijami-1/
• Microsoft Office 365 в образовании. Организация решения ситуационных задач в Microsoft Teams. Часть 1. Роль – преподаватель https://vedenev.livejournal.com/20209.html

Интересная новинка. Видна сразу на Web Client.

P.S.
Changes in C/AL Behavior and Support in Microsoft Dynamics NAV 2018

Moving Private Branch Exchange (PBX) calling services to the cloud is now a common part of a digital transformation to Microsoft Office 365. Moving all calling services to the Microsoft Cloud often results in the partial or full removal of on-premises PBX equipment, a reduction in operational costs and far easier administration. Even with a desire to move completely to the cloud, there are organizations who require a local outbound call route in an unlikely event the Internet is unreachable. This blog contains information about a design option to meet this requirement.

At this point, you may wonder why not just use a cellular phone or take a Skype for Business softphone on a laptop down the street to a Wi-Fi hotspot where users can continue making calls? Why would an organization require a backup call route like this? The answer is that some organizations require that desk phones be available for anyone to use at any time to reach emergency services - regardless of the widespread availability of cellular services. To move forward with cloud calling and PBX services, a local backup route for outbound calling must be provided for organizations with these requirements.

To provide this type of local call resiliency, some AudioCodes Session Border Controllers (SBC) include a feature called One Voice Resiliency (OVR). When OVR is combined with AudioCodes VoIP desk phones, Skype for Business Online users will use the Microsoft Office 365 cloud as the primary call route for inbound/outbound calling. For the secondary, optional outbound failover call route, a local telephone analog line(s) or T1/E1 can be provisioned and connected to the SBC ports. Additionally, a SIP trunk may also be used as the backup outbound calling route (this would require Internet access to remain available). Also note that when using the OVR configuration all calls will be routed through the SBC - to Skype for Business Online under normal operations and then, as a secondary route, to the local PSTN provider during an Internet outage or a SIP Trunk provider (if the Internet is still available).

Configuration

The intent of this blog is to demonstrate the functionality of a secondary call route using the optional SIP trunk in the event communication is lost with cloud calling services. It is more likely you will want to include the use of an analog line as a backup call route in your design – I just happened to have a SIP Trunk in my lab and could make use of it for this example. Configuration of these services is available in the AudioCodes OVR with SIP Trunk guide as well as by engaging with AudioCodes and other Microsoft Certified Partners. To configure Audiocodes OVR to use local PSTN analog services, review the Audiocodes OVR with PSTN guide and/or contact a Microsoft Certified Partner.

Lab Design

Let's begin with a simple lab design.

Desk phone:

• In this lab, we will be using a single 450HD AudioCodes desk phone with firmware version UC_3.0.4.120.3 (Nov 2017).
• LAN IP Address: 192.168.1.170

Session Border Controller:

• In this lab, we will be using an M800 AudioCodes Session Border Controller with firmware version 7.20A.156.023 (Oct 2017).
• LAN IP: 192.168.1.201
• WAN IP: 71.166.43.xxx
• The M800 model used in the lab has a Cloud Connector Edition (CCE) unit installed, but it is not needed to provide OVR and not configured in this lab.

SIP Trunk Provider:

• The SIP Trunk used in this lab environment is provided by Intelepeer
• SIP Trunk Target IP Address is 68.68.xxx.x on TCP port 5060

Demonstration

With everything connected and configured, lets first review the phone and logs of an outbound call placed normally using the AudioCodes 450HD logged in as a Skype for Business Online user.

Example One: Normal Call Routing

1. The AudioCodes M800 SBC and 450HD phone are both configured to use the OVR feature. Both components have access to the Office 365 Skype for Business Online services. The phone display below is normal.

    

2. Below are the logs associated with an outbound call using Skype for Business Online services.

   Log Section One:

   Explanation: We can see below the outbound call being dialed to the +141062795xx number. The call is placed from the AudioCodes 450HD phone on IP address 192.168.1.170.

   INVITE sip:+141062795xx@cloudtenantid.onmicrosoft.com;user=phone SIP/2.0

   From: "pattif"<sip:pattif@cloudtenantid.onmicrosoft.com>;tag=0d6800e811;epid=00908f98058c

   To: <sip:+141062795xx@cloudtenantid.onmicrosoft.com;user=phone>

   Call-ID: 0010f92f0aa01a8c013c455013009570

   CSeq: 1 INVITE

   Via: SIP/2.0/TLS 192.168.1.170:5071;branch=z9hG4bK-e1-37153-1531eaea

   Max-Forwards: 70

   Supported: replaces,100rel,eventlist,timer,ms-bypass,ms-early-media,ms-dialog-route-set-update

   Allow: REGISTER, INVITE, ACK, BYE, REFER, NOTIFY, CANCEL, INFO, OPTIONS, PRACK, SUBSCRIBE, UPDATE,PUBLISH

   User-Agent: AUDC/3.0.4.120 AUDC-IPPhone-450HD_UC_3.0.4.120/3

   Ms-Conversation-Id: 21e209757e1ccd51

   Accept-Language: en-US

   ms-endpoint-location-data: NetworkScope;ms-media-location-type=internet

   ms-subnet: 192.168.1.0

   Contact: <sip:pattif@cloudtenantID.onmicrosoft.com;opaque=user:epid:8ZjnRr4oEVatUo4lmcgAFAAA;gruu>

   P-Preferred-Identity: "Patti Fernandez" <sip:pattif@cloudtenantID.onmicrosoft.com>,<tel:+144329062xx>

   ms-keep-alive: UAC;hop-hop=yes

   Session-Expires: 1800

   Min-SE: 90

   Authorization: TLS-DSK opaque="BA6F0958", qop="auth", realm="SIP Communications Service", targetname="BLU2A05FES07.infra.lync.com",crand="63920c06",cnum="21", response="B8B6C [Time:22-12@16:38:02]

    

   Log Section Two:

   Explanation: Below we see the same outbound call routing to Skype for Business Online at 52.112.67.16 on port 443. This IP address has a hostname of sippoolblu2a05.infra.lync.com and is just one of the many addresses that Skype for Business Online may use. This demonstrates that under normal connections, the phone is placing the call through the Skype for Business Online services.

   For a complete list of service IP addresses and hostnames that Office 365 uses periodically review addresses in this link (Expand to see the Skype for Business Online IP Addresses).

   ( sip_stack)( 43996) ---- Outgoing SIP Message to 52.112.67.16:443 from SIPInterface #1 (FE) TLS TO(#23) SocketID(481) ---- [Time:22-12@16:38:02]

   INVITE sip:+141062795xx@cloudtenantID.onmicrosoft.com;user=phone SIP/2.0

   Via: SIP/2.0/TLS 71.166.43.xxx:5061;alias;branch=z9hG4bKac1539607808

   Max-Forwards: 69

   From: "pattif" <sip:pattif@cloudtenantID.onmicrosoft.com>;tag=0d6800e811;epid=00908f98058c

   To: <sip:+141062795xx@cloudtenantID.onmicrosoft.com;user=phone>

   Call-ID: 0010f92f0aa01a8c013c455013009570

   CSeq: 1 INVITE

   Contact: <sip:pattif@cloudtenantID.onmicrosoft.com;opaque=user:epid:8ZjnRr4oEVatUo4lmcgAFAAA;gruu>

   Supported: eventlist,ms-bypass,ms-early-media,ms-dialog-route-set-update,100rel,timer,replaces,sdp-anat

   Allow: REGISTER, INVITE, ACK, BYE, REFER, NOTIFY, CANCEL, INFO, OPTIONS, PRACK, SUBSCRIBE, UPDATE,PUBLISH

   P-Preferred-Identity: "Patti Fernandez" <sip:pattif@cloudtenantID.onmicrosoft.com>,<tel:+144329062xx>

   Accept-Language: en-US

   Authorization: TLS-DSK opaque="BA6F0958", qop="auth", realm="SIP Communications Service", targetname="BLU2A05FES07.infra.lync.com",crand="63920c06",cnum="21", response="B8B6CACA32B6E352480BF51DF1130157E9294F21",version=4

   Session-Expires: 1800

   Min-SE: 90

   User-Agent: AUDC/3.0.4.120 AUDC-IPPhone-450HD_UC_3.0.4.120/3

   Content-Type: application/sdp

   Content-Length: 1537

   Ms-Conversation-Id: 21e209757e1ccd51

   ms-endpoint-locati [Time:22-12@16:38:02]

    

Example Two: Call Routing Using AudioCodes OVR and a SIP Trunk

• To simulate a loss of communication with Office 365 Skype for Business services, I created two firewall rules.
  • The first rule blocks the 450HD phone from reaching any Internet services.
  • The second rule blocks the SBC from communicating externally on port 443 effectively preventing it from reaching Skype for Business Online services to establish a call. The SBC can still communicate to the Internet on all other ports.

1. Within a minute of the firewall rules above being enabled, the phone will detect that is has lost communication with Skype for Business Online and enter into a Limited Service mode. The screen of the AudioCodes 450HD phone below now displays the warning of "Limited Service."

    

2. With the phone now operating in a limited service mode, I will make an outbound call to 410-627-95xx to demonstrate the new call flow.

   Log Section One:

   ( sip_stack)( 50249) ---- Incoming SIP Message from 192.168.1.170:45574 to SIPInterface #2 (UserPhones) TLS TO(#26) SocketID(478)

   INVITE sip:+141062795xx@cloudtenantid.onmicrosoft.com;user=phone SIP/2.0

   From: "pattif"<sip:pattif@cloudtenantid.onmicrosoft.com>;tag=005c006e2f;epid=00908f98058c

   To: <sip:+141062795xx@cloudtenantid.onmicrosoft.com;user=phone>

   Call-ID: 0010f94f0aa01a8c013c455013007eec

   CSeq: 1 INVITE

   Via: SIP/2.0/TLS 192.168.1.170:5071;branch=z9hG4bK-7b5-1e1d46-1923efa1

   Max-Forwards: 70

   Supported: replaces,100rel,eventlist,timer,ms-bypass,ms-early-media,ms-dialog-route-set-update

   Allow: REGISTER, INVITE, ACK, BYE, REFER, NOTIFY, CANCEL, INFO, OPTIONS, PRACK, SUBSCRIBE, UPDATE,PUBLISH

   User-Agent: AUDC/3.0.4.120 AUDC-IPPhone-450HD_UC_3.0.4.120/3

   Ms-Conversation-Id: de1851a2c41bd575

   Accept-Language: en-US

   ms-endpoint-location-data: NetworkScope;ms-media-location-type=intranet

   ms-subnet: 192.168.1.0

   Contact: <sip:pattif@cloudtenantid.onmicrosoft.com;opaque=user:epid:8ZjnRr4oEVatUo4lmcgAFAAA;gruu>

   P-Preferred-Identity: "Patti Fernandez" <sip:pattif@cloudtenantid.onmicrosoft.com>,<tel:+144329062xx>

   ms-keep-alive: UAC;hop-hop=yes

   Session-Expires: 1800

   Min-SE: 90

   Authorization: TLS-DSK opaque="BA6F0958", qop="auth", realm="SIP Communications Service", targetname="BLU2A05FES07.infra.lync.com",crand="d11ea4d4",cnum="46", response="E90 [Time:22-12@17:07:13]

   Log Section Two:

   Explanation: In the log below we can see the outbound call in the limited service mode now being routed to the IntelePeer SIP Trunk configured at 68.68.xxx.x on TCP port 5060.

   ( sip_stack)( 50498) ---- Outgoing SIP Message to 68.68.xxx.x:5060 from SIPInterface #3 (IntelepeerSIPTrunk) TCP TO(#289) SocketID(215) ---- [Time:22-12@17:07:13]

   INVITE sip:+141062795xx@68.68.xxx.x;user=phone SIP/2.0

   Via: SIP/2.0/TCP 71.166.43.xxx:5060;alias;branch=z9hG4bKac259820836

   Max-Forwards: 68

   From: "pattif" <sip:pattif@cloudtenantid.onmicrosoft.com>;tag=1c1771619637;epid=00908f98058c

   To: <sip:+141062795xx@68.68.1xx.x;user=phone>

   Call-ID: 1600361692212201717713@71.166.43.xxx

   CSeq: 1 INVITE

   Contact: <sip:FEU396-2-xxx-1@71.166.43.xxx:5060;transport=tcp;opaque=user:epid:8ZjnRr4oEVatUo4lmcgAFAAA;gruu>

   Supported: eventlist,ms-bypass,ms-early-media,ms-dialog-route-set-update,100rel,timer,replaces,sdp-anat

   Allow: REGISTER, INVITE, ACK, BYE, REFER, NOTIFY, CANCEL, INFO, OPTIONS, PRACK, SUBSCRIBE, UPDATE,PUBLISH

   Accept-Language: en-US

   Authorization: TLS-DSK opaque="BA6F0958", qop="auth", realm="SIP Communications Service", targetname="BLU2A05FES07.infra.lync.com",crand="d11ea4d4",cnum="46", response="E903DD69EC2000ED575DA61668C1D6B5BDE272D1",version=4

   Session-Expires: 1800

   Min-SE: 90

   User-Agent: M800B/v.7.20A.156.023

   P-Asserted-Identity: <tel:+144329062xx>

   Content-Type: application/sdp

   Content-Length: 312

   Ms-Conversation-Id: de1851a2c41bd575

   ms-endpoint-location-data: NetworkScope;ms-media-location-type=intranet

   ms-subnet: 192.168.1.0

   ms-keep-ali [Time:22-12@17:07:13]

    

Returning to Normal Operations

To demonstrate the failback capabilities of the configuration, I removed the two firewall rules above to enable all outbound connections from the SBC and phone. Within a minute, the phone display returned to normal. The user has not needed to take any action to failover to the limited service mode or back to normal operations.

Summary

My goal in writing this blog is to provide a design option for organizations with requirements for local call resiliency when planning a transition to Skype for Business Online. Proper planning, sizing, number of concurrent sessions, licenses, etc. need to be taken into consideration for this design. For more information about this design and equipment or for assistance with your design and implementation, please contact AudioCodes or another Microsoft Certified Partner.

For Microsoft Partners who would like additional information on this configuration or other architectural areas of Skype for Business Online, please also contact the Microsoft One Commercial Partner (OCP) organization.

The topic of this blog will deviate a bit from my past device focused blogs. I do appreciate all of the support and page hits from you my blog fans. I was speaking with a vendor of mine and he told me of a feature comparison chart that he found. It was so good that I reached out to the owner to re-blog it. Many thanks to Ted Estwan from Novus LLC for turning me on to this.

This is not a practice I would normally do, but I had such an issue finding it that I figured re-blogging it would be one of the better ways to spread the word on this.

However, in my own true form., I will also add additional information on Microsoft Teams.

So, that said, I would like for you all to meet Luca Vitali, he is a Microsoft MVP and UC blogger. The blog in particular that I am referencing today is https://lucavitali.wordpress.com/2017/10/01/sfb-teams-features-comparison-table/ . From his blog, you will find the link to this page for the Skype/Teams Feature comparison he built.

Here is a picture of it, but I recommend that you download it instead.

Listed below are some great Microsoft Teams resources. I know this one is short, but I wanted to get this information out to you - my ever faithful blogees….

http://aka.ms/skypeandteams

https://products.office.com/en-US/business/office-365-roadmap

http://aka.ms/successwithteams

Have a great day!

Scott

Para que todos arranquen 2018 con el pie digital correcto, el Council for Digital Good de adolescentes de Microsoft ofrece 15 piezas de orientación, diseñadas para hacer las interacciones en línea más seguras y saludables al enfatizar la resistencia, conciencia y civilidad digitales.

Armamos este impresionante grupo de jóvenes basados en los Estados Unidos como parte de un programa piloto lanzado en 2017. El consejo formado por 15 miembros sirve como una caja de resonancia para el trabajo de las políticas de seguridad en línea enfocadas en la juventud. El consejo se reunió en agosto de 2017 para una conferencia de dos días, y se reunirá más adelante en 2018. El verano pasado, cada joven creó un manifiesto para la vida en línea, y después regresó a casa a trabajar en tres tareas más: (1) una representación artística de los manifiestos individuales, (2) un manifiesto escrito consolidado desde el grupo completo, y (3) una representación visual del manifiesto en grupo.

Pensamos que el comienzo de este nuevo año era el momento adecuado para compartir las inspiradoras palabras del consejo.

Manifiesto en grupo de 15 puntos

Después de las reuniones, correos y redes sociales, cada joven selección alguna guía desde su manifiesto individual para que fuera instructivo y atractivo. “Nuestro (proceso) funcionó casi igual a una democracia,” dice Bronte, miembro del consejo de 17 años radicado Ohio, quien presentó el manifiesto del grupo en nombre del consejo. “Propusimos ideas sobre las ideas que tuvimos para el manifiesto, analizamos los detalles, y luego votamos por aquella que más nos gustó. Al final, todos nos divertimos al trabajar juntos. Aprendimos mucho de nosotros mismos, y supimos más acerca de un compañero que vive a varios estados de distancia.”

Aquí están las piezas individuales de guía por parte de cada miembro del consejo, las cuales agrupamos en tres categorías amplias: “habilidades, consejos y perspectivas.” Pueden encontrar el manifiesto del grupo completo y algo de contexto adicional de cada miembro del consejo en esta liga.

Habilidades: Algunas competencias importantes para la vida en línea

• Construir y reparar resiliencias para asegurar que los jóvenes puedan recuperarse de experiencias desagradables en línea.
• Pausar y pensar antes de enviar o publicar.
• Su perfil en línea los representa a USTEDES, así que asegúrense de presentarse de la mejor y verdadera manera posible.
• Sean escépticos y cuestionen las acciones e intenciones de otros.
• Inculquen morales y enseñen a los niños ética y educación en línea; les servirá tanto en línea como en la adultez.

Consejos – puntos adicionales que resaltan la necesidad de “habilidades” y “perspectiva”

• Esperen a tener 13 y cumplan los requerimientos de edad para usar redes sociales.
• Quítense la máscara y sean en línea como son en la vida real.
• Discrepen con respeto más que atacar de manera verbal.
• Su voz y reportes [a autoridades de confianza] importan, así que aprovechen los recursos tecnológicos de las empresas para reportar conductas y contenido ilegal u ofensivo.
• Utilicen el poder del internet para impulsar a otros.

Perspectivas – Pensamientos para mantener un saludable panorama en línea.

• Su pantalla es 2D mientras la vida real es en 3D – Lo que sucede en línea puede fallar, así que siempre consideren el contexto y otros factores.
• No sean prisioneros de sus celulares al dejar que las interacciones en línea controlen su vida.
• Las publicaciones los afectan a ustedes y a sus familias, así que recuerden, una vez que oprimieron ‘enviar’, no hay cómo deshacerlo.
• No, no obtendrán un iPhone gratis, si un trato suena demasiado bueno para ser verdad, es probable lo sea.
• Enfóquense en la vida que tienen y no dejen que la tecnología domine sus actividades diarias.

Los jóvenes han brindado unos buenos consejos para ayudar a todos a dirigir con seguridad, más productividad y mayor diversión sus vidas en línea. Al acercarnos al Safer Internet Day internacional el 6 de febrero, vamos a mostrarles a los jóvenes “momentos de Twitter” individuales, el manifiesto creativo por parte de todo el consejo, donde discutieron entre ellos sobre sus puntos recomendados de orientación. Estén pendientes en sus redes sociales en las próximas semanas.

Una visión y misión para el consejo

Además del manifiesto en grupo, los jóvenes fueron más allá de cumplir con sus tareas específicas y redactaron un documento de visión adicional, en el cual detallaron cómo ven sus roles individuales en el consejo, su misión como equipo y el impacto que quieren tener.

“Necesitamos una ‘revolución inspirada en jóvenes’ ya que no hay soluciones mágicas,” escribe el grupo. “Este es un problema global que requiere respuestas globales por parte de todos: padres, educadores, compañías tecnológicas y gobiernos. Como grupo inaugural, el consejo ha dedicado nuestro tiempo para apoyar en torno a los comportamientos saludables en línea.”

El documento tiene el propósito de decir cómo los jóvenes utilizarán las redes sociales y contactarán a los jóvenes de las comunidades para crear conciencia acerca de los problemas de seguridad en línea y brindar soporte para programas e iniciativas significativas. “Esto va, a su vez, a forzar a los administradores escolares, líderes de comunidades, gerentes o cualquiera con puestos de autoridad, a asegurar que las medidas de prevención sean tomadas. Apuntamos a ver una generación de jóvenes más empáticos… Después de que nuestro periodo termine, los futuros miembros del consejo construirán sobre lo que hemos logrado para crear un movimiento global duradero. Desde la totalidad del consejo, hasta el mundo entero, todos merecen y tienen el derecho a tener experiencias seguras en línea. (Pueden leer el documento completo sobre la visión del consejo aquí.)

Mirar hacia el futuro en 2018

En Microsoft, caracterizamos esos esfuerzos mientras que fomentamos la “civilidad digital” al promover interacciones más seguras y saludables en línea para todos. Nos hemos enfocado en hacer crecer un mundo en línea más amable, con mayor empatía y respetuoso, y en esta búsqueda, sabemos que hemos elegido algunos socios sobresalientes en este increíble grupo de jóvenes.

Esperamos la realización de nuestro próximo evento en persona con el consejo este verano. Hemos comenzado a planear un evento más público para discutir algunos problemas importantes de seguridad en línea, y vamos a pedirles a los jóvenes que compartan sus visiones con los creadores de leyes y políticas en conjunto con otros personajes de influencia, mientras nos reunimos en la capital de nuestra nación.

Mientras tanto, estamos en proceso de preparación de nuestro siguiente episodio de investigación para la civilidad digital, la cual será lanzada durante el Safer Internet Day 2018 el 6 de febrero. Como muchos de los resultados que anunciamos en 2017, hemos encuestado a jóvenes y adultos acerca de su exposición a una gama de riesgos y formas de abuso en línea. Este año, vamos a lanzar una investigación realizada en 23 países, más que los 14 del año pasado. También hemos agregado algunos riesgos más al estudio, y algunos de resultados son sorprendentes.

Hasta entonces, pueden seguir al Council for Digital Good en nuestra página de Facebook y a través de Twitter con el hashtag #CouncilforGood. Para aprender más acerca de la seguridad en línea a nivel general, pueden visitar nuestro sitio web y nuestra página de recursos; “dar like” en Facebook y seguirnos también en Twitter.

Problem: During a site collection export, we received the nebulous SQL Server error “String or binary data would be truncated.” Based off some research and experience in the past, this is normally caused by a URL somewhere in the site exceeding the 260 character limit. We queried the AllDocs table in the content database to check if the combination of the DirName and the LeafName exceeded the limit of 260 for the site collection in question. Our result came up empty.

Solution: A different site in the content database had a URL that was over the limit and it was causing issues when trying to export the original site. See below for the technical details for more information. Thanks to Paul Feaser for figuring this one out!

Technical Details: With our only trouble-shooting information being the generic error message, “String or binary data would be truncated”, we set up a SQL Server Profiler session to get more details while attempting to export the site collection again. SQL profiler showed us that the error was being generated while running the stored procedure, DeplAddWebDependencies. In order to do some testing, we made a copy-only SQL backup and restored it in our test environment. Running the exact same SQL procedure, it completed successfully which made the problem even more complex.

Since the error was still occurring in our production environment every time, the next step we took was to restore the same copy of the SQL database on the production environment. Our production environment has over 100+ sql databases with most databases containing many different site collections. The SQL Server itself is appropriately sized to handle the massive workload we are running. In the production environment, we were able to recreate the error every time on the restored database copy running the procedure DeplAddWebDependencies. The problem within the stored procedure was the fifth “Insert Into …Select” statement. When commenting out the “Insert Into” part of the statement, the select runs and interestingly returns zero records. So the question is how could an insert of zero records cause a data truncation error?

After further investigation, it turns out the issues was with a query hint that was being used in the select statement: OPTION (FORCE ORDER). The following screen capture shows the query hint along with the error.

This particular query hint tells the SQL Compiler to override its derived execution plan and join the tables in the order that they are listed. The select statement in production was taking a little over 2 seconds with the FORCE ORDER hint. Commenting out just the query hint resulted in an immediate response without the data truncation error. With this in mind, we were able to figure out that the issue was some records in a different site collection were greater than the 260 allowed for the full URL. Because SQL Server is executing parts of the query in parallel and then puts everything together in the end, SQL was actually bringing back all records from the AllDocs quicker than the WHERE clause was being evaluated. The records from the different site collection where causing the data truncation error. Since it is unsupported to modify SharePoint code, the fix was to have the owner of the different site collection fix the records that were greater than 260. As soon as the offending site collection URLs were reduced, the original site collection exported correctly.

REMINDER: AS detailed on the official Microsoft Lifecycle policy page, Dynamics AX 2009 SP1 will reach end of mainstream support April 10, 2018.

https://support.microsoft.com/en-us/help/4043450/products-reaching-end-of-support-for-2018

Extended support definition is found here: https://support.microsoft.com/en-us/help/14085

In May 2017, a Skype for Business Server 2015 Cumulative Update was released, enabling "Hybrid Modern Authentication" for Hybrid and On-Premises Skype for Business customers.

Modern Authentication allows customers to enable many modern security features, such as Azure Active Directory Conditional Access or multi-factor authentication. It also enables the Intune App Protection features for the Skype for Business iOS and Android apps.

Intune App Protection allows organizations to control Data Loss Prevention (DLP) settings for their Skype for Business users.

https://docs.microsoft.com/en-us/intune/app-protection-policy

If you target the Skype for Business app with App Protection policies and Modern Auth is not enabled, your App Protection policies will not apply successfully.

To enable Hybrid Modern Auth, use the steps outlined in the following guide:

https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Hybrid-Modern-Authentication-for-Skype-for-Business/ba-p/134751

Once all prerequisites have been met and all steps have been completed, your organization can target their Skype for Business DLP policies and provide another layer of security for your mobile users.

Problem Description

A new installation of SharePoint fails to provision a new farm due to a failure while creating the configuration database.

Example:

Here is the exception stack from the PSCDiagnostics log:

01/11/2018 13:37:00 10 ERR Exception: Microsoft.SharePoint.Upgrade.SPUpgradeException: One or more types failed to load. Please refer to the upgrade log for more details.
at Microsoft.SharePoint.Upgrade.SPActionSequence.LoadUpgradeActions()
at Microsoft.SharePoint.Upgrade.SPActionSequence.get_Actions()
at Microsoft.SharePoint.Upgrade.SPActionSequence.get_ActionsInternal()
at Microsoft.SharePoint.Upgrade.SPUtility.GetLatestTargetSchemaVersionBeforeMajorVersion(Type typeActionSequence, Int32 majorVer)
at Microsoft.SharePoint.Upgrade.SPSiteSequence.get_PreviousTargetSchemaVersion()
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.PopulateSequencesTable(StringBuilder sqlstr, Boolean siteSequence)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.ConstructSiteNeedsUpgradeQuery(Guid siteId)
at Microsoft.SharePoint.Upgrade.SPContentDatabaseSequence.GetSiteNeedsUpgrade(SPUpgradeSession session, SPContentDatabase database, Dictionary`2& dictSitesNeedUpgrade, Dictionary`2& dictSitesNeedFeatureUpgrade)
at Microsoft.SharePoint.Upgrade.SPContentDatabaseSequence.AddNextLevelObjects()
at Microsoft.SharePoint.Upgrade.SPHierarchyManager.Grow(SPTree`1 root, Boolean bRecursing, SPDelegateManager delegateManager)
at Microsoft.SharePoint.Upgrade.SPHierarchyManager.Grow(SPTree`1 root, SPDelegateManager delegateManager)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.NeedsUpgrade(Object o, Boolean bRecurse)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.ReflexiveNeedsUpgrade(Object o, Boolean bRecurse)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.NeedsUpgrade(Object o, Boolean bRecurse)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.ReflexiveNeedsUpgrade(Object o, Boolean bRecurse)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.NeedsUpgrade(Object o, Boolean bRecurse)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.ReflexiveNeedsUpgrade(Object o, Boolean bRecurse)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.NeedsUpgrade(Object o, Boolean bRecurse)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.ReflexiveNeedsUpgrade(Object o, Boolean bRecurse)
at Microsoft.SharePoint.Upgrade.SPUpgradeSession.NeedsUpgrade(Object o, Boolean bRecurse)
at Microsoft.SharePoint.Administration.SPServerProductInfo.DetectLocalUpgradeStatus()
at Microsoft.SharePoint.Administration.SPServerProductInfo.DetectLocalProductVersions(SPProductVersions prodVer)
at Microsoft.SharePoint.Administration.SPServerProductInfo.UpdateProductInfoInDatabase(Guid serverGuid)
at Microsoft.SharePoint.Administration.SPFarm.Join(Boolean skipRegisterAsDistributedCacheHost, Nullable`1 serverRole)
at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.CreateOrConnectConfigDb()
at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.Run()
at Microsoft.SharePoint.PostSetupConfiguration.TaskThread.ExecuteTask()

Cause

This issue can occur if you chose to download and install all the prerequisite software manually, namely in this case the "WCF Data Services 5.6 Tools". If you are experiencing the error, "One or more types failed to load" , while creating a new SharePoint Farm, it's most likely cause by the installer executable being in a "blocked" state while it was installed.

Example:

When executables are downloaded from the internet, they are put into a "blocked" state by to OS, to prevent users from running malicious code. However, in this case, if the installer was in a blocked state when the "WCF Data Services 5.6 Tools" were installed, the install will "succeed' but will not be installed properly.

Resolution

To resolve this issue:

1. Go to the properties of each prerequisite installer package that was downloaded manually and remove the block flag by selected "Unblock" and applying the changes.

Example:

Before:                                    After:

2. After the file has been unblocked, re-run the installer and choose the repair option.

3. Finally, re-run the SharePoint Configuration Wizard to successfully create a new Farm.

In Azure Security Center you can use the Events dashboard to see the security events (including Windows Firewall) collected over time:

The visualization of security events over time can be very useful for you to observe some patterns, and to have a snapshot of the environment. You can also use this information when performing an investigation, for example to understand for how long certain event is taking place on a particular system. While Security Center shows the most relevant security events, you can also customize and create your own notable event. Let’s say you have an application that uses UDP on port 58343, and you want to monitor this application for packets dropped. In this case you don’t want to raise alerts (if you wanted, you should create a custom alert), you just need to have historical data regarding the amount of dropped packets. To accomplish this task, click Add Notable Event, and type the information in the Add custom notable event page:

For the purpose of this example, I will call this notable event Packets Dropped to MyApp, and will add the following query in the Search Query field:

WindowsFirewall

| search "DROP"

| where DestinationIP == "192.168.1.47"

| where DestinationPort == "58343"

When you finish, click OK to create, and the dashboard will now show you custom notable event: