Microsoft Partner Network – Resell and or offer free trials for Office 365

This article is aimed at those who may be new to the Microsoft Partner Network and want to resell, or even just offer free trials of, Office 365. I've seen quite a bit of confusion around the internet, especially on TechNet, about how a partner gains the ability to resell and offer trials, so hopefully this article will clear it up and give the necessary steps to get going!

One thing I do want to raise, or warn about, is that someone who doesn't know Office 365 all that well, especially around the licensing options it offers, should refrain from trying to resell it or offer free trials on behalf of your organisation until they do. Office 365 is a beast and shouldn't be handed to someone who is just poking it with a stick! Only those who are knowledgeable should be offering Office 365. You can really hurt your organisation, and even the customers, if you start offering the wrong licenses.

For those who may not understand licensing, please refer to https://getlicensingready.com/. This portal is very good in providing you with the right tools to tackle Microsoft licensing. 

To begin, it's obvious that you'll need to be a Microsoft Partner Network organisation. On top of this you must have completed the competency exam/test and purchased a Microsoft Action Pack. If you haven't completed your competency exam/test, and consequently don't have a Microsoft Action Pack, you won't be able to resell Office 365. Why? Well, the organisation needs Office 365 in order to resell Office 365, and the only way to get it without having an Enterprise Agreement or using a reseller like Telstra (Australian customers only) is to be a holder of an Action Pack.

Complete those prerequisites before going on with this article.

Part 1: MOSPA

The first requirement for reselling Microsoft services is to be a member of the Microsoft Online Services Partner Agreement. The following steps should allow you to sign up and register for just that!

  1. First log into the Microsoft Partner Network and view your organisation's membership. From there head to "Requirements & Assets > Manage Competencies".
  2. At the bottom of the new page you'll be presented with a couple of options under the heading "Additional Programs". In order to sell Office 365 you must be enrolled in the "Microsoft Online Services Partner Agreement", otherwise known as MOSPA. So click on the "Status" link for that.
    [Image: mospa]
  3. Read carefully the agreement and sign up for it if you're happy to proceed. 
  4. Complete the relevant documentation around the tax and banking information. This varies from country to country so please make sure you follow the steps very carefully.
  5. Wait for the response email or notification from Microsoft that you have confirmed your billing information.


Part 2: Registering for Office 365

Get your Office 365 subscription as part of your MPN Action Pack by following the steps at https://support.microsoft.com/en-us/kb/3007588. There is no need for me to repeat the thorough instructions in that KB article here!


Part 3: Resell and offering free trials in Office 365

After completing parts 1 and 2 you're now ready to resell and offer free trials of Office 365! But you're probably thinking, how, right? You don't see any option in the Office 365 Administrator Portal to perform such a function! Well, to do this you need to use an account with "Global Administrator" rights on your Office 365 subscription and head to https://portal.office.com/partner/default.aspx. From here you're able to create the first trials or purchase orders by using the "Build your business" link on the left hand pane.

[Image: office365-partner]

Also of interest here is the "Request delegate admin permissions" option. This is for the situation where an existing customer of Office 365 may become a new client of your IT consultancy business. So in other words, you're asking to be able to make changes to their existing Office 365 subscription once you've been given the access.


Part 4: Using Microsoft marketing material (optional)

Personally I really like Microsoft's marketing material around Office 365 for Microsoft Partners. Not only is it just easier to use their advertising and not worry about designing it yourself, the adverts are very professional and do give your organisation that edge in my opinion against others who do it on their own and poorly… Telstra in Australia for example really fail to promote Office 365 for what it does and that's one of the biggest problems with people and organisations alike taking it on. If it doesn't make sense they'll stay away from it.

If you want potential customers to take up your free trial offers but don't want to have to send out a unique one each time, you can use the same trial in one shared advert. To do this, complete the following:

  1. In the Office 365 Partner Portal, create a free trial with the licenses etc. you want to offer.
  2. On the "Send" page copy the URL from the text area and keep it handy. You'll need it later on.
  3. Click Finish to complete the trial. Once you've done that you're actually finished with the Office 365 Partner Portal and can log out of it if you wish.
  4. Log into the Microsoft Partner Network again if you have previously logged out.
  5. Head to "Resources > Marketing > Overview".
  6. On the new page, select "Syndicated Marketing".
  7. Because in this situation we're offering free trials of Office 365 to our potential customers, select the "Office 365 with trial option".
  8. Select "Customize".
  9. Complete all the details on the customise page that you need for the invitation URL, then copy and paste the URL you grabbed in step 2.
  10. Click "Generate Code".
  11. Use the generated code as you please, either on your organisation's website, in a promotional HTML email or in any other advertising medium. When users click on that link and register for the free trial, they'll be using your organisation's offering and you'll be able to (if you selected it in step 1) control their subscription with delegated admin rights. Once the trial is over you can speak to the customer and hopefully, if the trial has gone well, get them onto Office 365 and secure the deal!

That's it for now. Any questions or queries please don't hesitate to ask!

TOGAF 9 – Quick guide

This is a rare blog post for me as I'm not usually one to reference how-to videos on YouTube, but I have recently been watching Craig's videos to give myself a good refresher on the methodology that is TOGAF. I invite others who may be studying towards TOGAF or need a refresher on the methodology to give these videos a try. Try to make sure you watch all of it through and take notes, especially around the 'Transition Planning' part of the TOGAF ADM cycle. That is where, most of the time, an IT Solutions Architect or Systems Engineer will spend his time.

On a bit of a side note, it's funny how many people I talk to today still feel that TOGAF, like ITIL and PRINCE2, is one of those fluffy certifications that no one really leverages. While to some extent this may be true (you never really use 100% of the three practices), it's still very handy to have and to deploy in your organisation or as part of a transition in IT infrastructure. For example, you can thank ITIL for Change Management, which is now a very common practice in the IT industry!



Remove disabled users from AD groups

I had an interesting request from a client today, in so far as they wanted AD to be cleaned out completely… Hrrm? Okay? So what do you mean by cleaned? *Insert joke about dcpromo demoting the domain*.

The response I got was –  "We want you to delete all the disabled AD accounts".

While I thought okay, that's possible I still had my questions. Why? What are these disabled accounts hurting? Why do they need to vanish off the face of the earth? 

It's an interesting topic to discuss around the industry as I'm personally not one to delete users, ever! Though I have worked with others who insist on deleting, or even moving disabled AD users into another OU. The latter is simply administrative overhead and something that is easily avoided by using an LDAP query that doesn't show them. Plus, if another administrator later enables them again and forgets to move them back to the appropriate OU, that account could be getting the wrong Group Policy settings!

Accounts that have been disabled for well beyond 10+ years, I believe, still have a place in your AD. Why? Well, that person could still return one day. Why not give them their old account again rather than worry about provisioning a new one? Sure, you can delete their mailbox, which is consuming space, and maybe delete the contents of their home share (not the actual folder though), but that account still belongs to someone… It still has an identity and a face that needs to be kept for historical and future purposes.

To give you an example, I had another client where the same user left and returned three times in as many weeks! Yikes, right! Well, no problem, I didn't have to go repeating the account provisioning process over and over.

Another reason not to go blowing your accounts away is how identity management is making massive inroads in our industry. For one example, Office 365 with one-way provisioning (DirSync or the coming WAAD) uses your AD as the authoritative source. When you start deleting accounts you're disjoining those objects in the synchronisation metaverse. Not a problem when you delete, but when a new account with the same old UPN comes back, it can be quite a pain.

So after a bit of back and forth with the client they finally came back to me with their reasoning… "I don't like seeing all the disabled members in ADUC/ADAC when I'm modifying group membership."

This particular client allows their line managers to manage group membership for their file shares and some distribution groups. This was possible thanks to some nifty AD delegation I set up for them a few months earlier.

So, no worries, I now know what they want me to do. They don't want the accounts to disappear, but they do want them isolated from all their old security groups. I supported this request as it's always good practice for any business to review users' group memberships, and there is no better time to do that than when a new user arrives or a user returns… "Okay Jimmy, what access do you actually need?"

So rather than go around and delete the same 100 or so accounts from 500 different security groups, I got onto PowerShell again. Scripting is seriously good for things like this!

WARNING: Do not use this script if you have placed all your users and groups, so to speak, in the original "Users" container (not OU) in a domain. Many Microsoft services can rely on disabled accounts in group membership for delegation etc., and running this script over those groups will pull them out. This script also doesn't log very well as it just spits the output to the console… So it will be difficult to go and add all the accounts back in, especially if dealing with a lot of users or groups.

Import-Module ActiveDirectory
# Every mail-enabled group under the groups OU (change -SearchBase to suit your environment)
foreach ($group in (Get-ADObject -Filter { (ObjectClass -eq "group") -and (mailNickname -like "*") } -SearchBase "ou=groups,ou=staff,ou=contoso,dc=contoso,dc=com")) {
  Write-Host $group.Name -ForegroundColor "green";
  foreach ($member in (Get-ADGroupMember -Identity $group)) {
    # Only user objects that live in the staff users OU; nested groups, computers and accounts elsewhere are left alone
    if ($member.objectClass -eq "user" -and ($member.distinguishedName.ToLower().Contains("ou=users,ou=staff"))) {
      $user = Get-ADUser -Identity $member.distinguishedName
      # Disabled accounts only; the removal is echoed to the console, which is the only record kept
      if ($user.enabled -eq $false) {
        Write-Host $user.Name
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
      }
    }
  }
}

There are some important aspects of this script you should take note of. These are:

  1. The –SearchBase parameter is where the AD groups you wish to clean are.
  2. The $member.distinguishedName.ToLower().Contains check is where your AD users are stored.
  3. The if ($user.enabled -eq $false) test is what makes sure the account is disabled. You could change this if statement, for example, if you wanted to remove all users with a particular office location, phone number or even last name!
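As an added example (not the post's own script), here is the same clean-up written to record every intended removal to a CSV before anything is changed, with a -WhatIf dry run and a matching restore function, which addresses the logging problem noted in the warning above. The OU paths, the log location and the function names are assumptions for illustration.

```powershell
# Added example, not the post's script. Removes disabled users from the groups under
# one OU, but logs every removal to a CSV first so the change can be reversed.
Import-Module ActiveDirectory

function Remove-DisabledGroupMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupSearchBase,  # OU holding the groups to clean (placeholder)
        [Parameter(Mandatory = $true)][string]$UserSearchBase,   # OU holding the user accounts (placeholder)
        [Parameter(Mandatory = $true)][string]$LogPath           # CSV written before any change
    )

    $log = New-Object System.Collections.Generic.List[object]

    # Pass 1: decide. Only disabled user objects whose DN sits under the user OU qualify;
    # nested groups, computers and service accounts kept elsewhere are left alone.
    foreach ($group in (Get-ADGroup -Filter * -SearchBase $GroupSearchBase)) {
        foreach ($member in (Get-ADGroupMember -Identity $group)) {
            if ($member.objectClass -ne 'user') { continue }
            if (-not $member.distinguishedName.EndsWith($UserSearchBase, 'OrdinalIgnoreCase')) { continue }

            $user = Get-ADUser -Identity $member.distinguishedName
            if ($user.Enabled) { continue }

            $log.Add([pscustomobject]@{
                Timestamp = (Get-Date).ToString('s')
                GroupDN   = $group.DistinguishedName
                UserDN    = $user.DistinguishedName
                User      = $user.SamAccountName
            })
        }
    }

    # The log is written before pass 2 (and also on a -WhatIf run, as the dry-run report),
    # so if the removals fail half-way the record of what was planned is already on disk.
    $log | Export-Csv -Path $LogPath -NoTypeInformation

    # Pass 2: act. -WhatIf on this function flows through to Remove-ADGroupMember.
    foreach ($entry in $log) {
        if ($PSCmdlet.ShouldProcess("$($entry.User) from $($entry.GroupDN)", 'Remove group member')) {
            Remove-ADGroupMember -Identity $entry.GroupDN -Members $entry.UserDN -Confirm:$false
        }
    }
    return $log.Count
}

function Restore-GroupMemberFromLog {
    # Re-adds every membership recorded by Remove-DisabledGroupMember.
    param([Parameter(Mandatory = $true)][string]$LogPath)
    foreach ($entry in (Import-Csv -Path $LogPath)) {
        Add-ADGroupMember -Identity $entry.GroupDN -Members $entry.UserDN
    }
}

# Dry run first (writes the CSV, removes nothing), then run again without -WhatIf:
# Remove-DisabledGroupMember -GroupSearchBase 'OU=Groups,OU=Staff,DC=contoso,DC=com' `
#     -UserSearchBase 'OU=Users,OU=Staff,DC=contoso,DC=com' -LogPath 'C:\Temp\removed-members.csv' -WhatIf
```

Splitting the work into a decide pass and an act pass is what makes the dry run meaningful: the CSV produced under -WhatIf is exactly the list that the real run will remove, so it can be reviewed by the client before anything changes.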

That's it for now, next blog post will be whenever I feel a need to put something up! 

Copy AD groups from one user to another

It seems that a lot of my posts recently have been around AD group membership and I guess that makes sense as for the past few weeks I have been mostly cleaning up a lot of the mistakes by other IT professionals for my new clients. Alas it's coming a long way with PowerShell.

This script is very simple but a goody. It copies the group memberships of one user and gives it to another. 

param(
  [parameter(Position=0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, mandatory=$true)][string]$SourceUser,
  # Must be Position=1: two parameters cannot share position 0, so the second positional argument would never bind
  [parameter(Position=1, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, mandatory=$true)][string]$DestinationUser
)

Import-Module ActiveDirectory;

# Errors (e.g. the destination is already a member of a group) are silenced for the duration of the copy
$originalErrAction = $ErrorActionPreference;
$ErrorActionPreference = "SilentlyContinue";

# MemberOf holds the distinguished names of the source user's groups
$groups = (Get-ADUser -Identity $SourceUser -Properties MemberOf).MemberOf;

foreach ($group in $groups) {
  Add-ADGroupMember -Identity $group -Members $DestinationUser;
}

$ErrorActionPreference = $originalErrAction;

Save this as Copy-ADGroups.ps1 or something similar and call it by running .\Copy-ADGroups.ps1 $SourceUser $DestinationUser, where each $value is replaced with the AD user identity accepted by Get-ADUser -Identity (sAMAccountName, distinguished name, objectGUID or SID), e.g. the sAMAccountName of "Trent Steenholdt".

Audit Active Directory quick and dirty. Find all administrators, disabled users and lastlogin (UTC)

I had the need today to do a quick audit of Active Directory and see where it was at for a client. Not just the norm like dcdiag.exe, repadmin and checking the Event Viewer to see if there were any issues, but also how many administrators there are, who is disabled (if anyone, as I had my doubts) and the last login for each user. PowerShell to the rescue.

# Load the module only if it isn't already loaded ($null, not $nul)
if ($null -eq (Get-Module -Name ActiveDirectory)) { Import-Module ActiveDirectory }

# Wrap each result in @() so += keeps working when a group has a single member
$admins = @(Get-ADGroupMember -Identity "Administrators" -Recursive)
$admins += @(Get-ADGroupMember -Identity "Domain Admins" -Recursive)
$admins += @(Get-ADGroupMember -Identity "Enterprise Admins" -Recursive)

Write-Host "Administrative accounts" -ForegroundColor Green
foreach ($admin in ($admins | Sort-Object -Property sAMAccountName -Unique)) { if ($admin.objectClass -eq "user") { Write-Host $admin.sAMAccountName } }


Write-Host "Disabled users" -ForegroundColor Green
foreach ($user in (Get-ADUser -Filter {Enabled -eq $false} | Sort-Object -Property sAMAccountName)) { Write-Host $user.sAMAccountName }

# I'd STRONGLY recommend using the -SearchBase parameter to reduce query load if at all possible
Write-Host "Last logon times (UTC)" -ForegroundColor Green
foreach ($user in (Get-ADUser -Filter * -Properties lastLogonTimestamp | Sort-Object -Property sAMAccountName)) {
  # lastLogonTimestamp is a FILETIME (Int64 ticks since 1601), so a plain [datetime] cast gives the wrong date
  if ($null -eq $user.lastLogonTimestamp) { $dt = '' } else { $dt = [DateTime]::FromFileTimeUtc($user.lastLogonTimestamp) }
  Write-Host ($user.sAMAccountName + "," + $dt)
}
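As an added example (not the post's script), the same three questions turned into a stale-account report that a reviewer can act on: which enabled accounts have not logged on within a threshold, which have never logged on, and which privileged accounts are stale or carry a non-expiring password. It converts lastLogonTimestamp from FILETIME properly. The domain DN, the 90-day threshold and the function name are assumptions.

```powershell
# Added example, not the post's script. Builds a stale-account report from AD.
# lastLogonTimestamp is a FILETIME (100 ns ticks since 1601-01-01 UTC) and is only
# replicated when it is more than roughly 14 days out of date, so read it as
# "last logon, give or take two weeks". Thresholds and OU are assumptions.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = 'DC=contoso,DC=com',   # placeholder domain
        [string[]]$PrivilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins')
    )

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

    # Collect privileged sAMAccountNames once (recursive, so nested group members count too)
    $privileged = @{}
    foreach ($g in $PrivilegedGroups) {
        foreach ($m in @(Get-ADGroupMember -Identity $g -Recursive)) {
            if ($m.objectClass -eq 'user') { $privileged[$m.SamAccountName] = $true }
        }
    }

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties lastLogonTimestamp, PasswordNeverExpires, whenCreated |
        ForEach-Object {
            # Proper FILETIME conversion; $null means the attribute has never been set
            $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } else { $null }
            $created = $_.whenCreated.ToUniversalTime()

            # An account is stale when it is enabled and either has a logon older than the
            # cutoff, or has never logged on and was created before the cutoff (new accounts get a grace period)
            $stale = $_.Enabled -and (
                ($null -ne $last -and $last -lt $cutoff) -or
                ($null -eq $last -and $created -lt $cutoff)
            )

            [pscustomobject]@{
                User                 = $_.SamAccountName
                Enabled              = $_.Enabled
                Privileged           = $privileged.ContainsKey($_.SamAccountName)
                LastLogonUtc         = $last
                NeverLoggedOn        = ($null -eq $last)
                Stale                = $stale
                PasswordNeverExpires = $_.PasswordNeverExpires
            }
        }
}

# The findings worth raising with the client: stale enabled accounts, and any privileged
# account that is stale or has a password that never expires.
$report = Get-StaleAccountReport -InactiveDays 90
$report | Where-Object { $_.Stale } | Sort-Object LastLogonUtc | Format-Table -AutoSize
$report | Where-Object { $_.Privileged -and ($_.Stale -or $_.PasswordNeverExpires) } | Format-Table -AutoSize
```

Keeping the report as objects rather than console text means it can be piped to Export-Csv for the client, or re-run with a different -InactiveDays without touching the logic.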

Rename all computers with a Powershell script

It's an activity that all of us will have done numerous times in the past and will do again in the future… rename a computer! But what happens when, say, the organisation you work for changes its workstation naming standard and wants all the workstations renamed straight away?! Well, a simple PowerShell script is your answer!

What you need:

  • RSAT Tools. In particular the Active Directory powershell module. Aka, "Import-Module ActiveDirectory"
  • Rights to rename these workstations assuming AD delegation is set up. It doesn't have to be Domain Admins
  • Permission to run the script from the business (Refer below note).
$organizationalunit = "OU=Computers,OU=Staff,DC=contoso,DC=com"
# -Filter is mandatory for Get-ADComputer; skip machines that already follow the new standard
$computers = Get-ADComputer -Filter * -SearchBase $organizationalunit | Where-Object { $_.Name -notlike "Contoso-*" }
$num = 0

foreach ($computer in $computers)
{
    # One new name per computer, counting upwards; {0:D4} pads to four digits (Contoso-0001, Contoso-0002, ...)
    $num++
    $newName = "Contoso-{0:D4}" -f $num
    # Skip over names already taken by computers that were renamed earlier
    while (Get-ADComputer -Filter "Name -eq '$newName'") {
        $num++
        $newName = "Contoso-{0:D4}" -f $num
    }
    # Rename-Computer wants the host name, not the AD object
    Rename-Computer -ComputerName $computer.Name -NewName $newName -Force -Restart
}

This PowerShell script will search the OU "OU=Computers,OU=Staff,DC=contoso,DC=com", get all the AD computers in that OU whose name isn't like "Contoso-*" and rename them "Contoso-0001" and upwards until all the computers are renamed. It's easy to change the 'Get-ADComputer' filter to get, say, only Windows XP machines; use:

		-Filter {OperatingSystem -Like "*XP*"}

Just to note: This script will restart the remote computers! So do this out of hours or when your organisation has approved the change. Removing the -Restart switch will cause authentication issues until the workstation is, of course, restarted.

Hope this helps with renaming all those computers!

Outlook RPC/HTTP impossible with Apache Reverse Proxy

The Apache vs. Microsoft RPC over HTTPS war!

For those who may be thinking of moving to an Apache reverse proxy, either because they're looking to replace the now discontinued Microsoft TMG (refer here) or because they're looking to secure their internal CAS/Mailbox servers: think again, Outlook RPC/HTTP simply doesn't work.

This week I was handballed a project (mid-way through) to move some Exchange services to Amazon for a client. While there was no problem with the internal Exchange hosts (just minor configuration issues with virtual directories etc.), the way they were trying to present Exchange to external users with Apache was 'broken'.

An overview of the Exchange environment in AWS

Troubleshooting was pretty easy… By reviewing the IIS logs on the Exchange 2010 CAS host (C:\inetpub\log\) I identified that there was some traffic, but not all the traffic you'd expect for RPC over HTTPS. It was starting a connection (HTTP 200 GETs), but not establishing it. Just to make sure that there wasn't an RPC issue where it couldn't talk to, say, Active Directory, I ran the "Test-OutlookConnectivity -Protocol HTTP" PowerShell cmdlet and it came back all "Success"… Hmmm, onto the Microsoft Remote Connectivity Analyzer to test Outlook Anywhere, and lo and behold we had an RPC time out (rpc_s_server_unavailable error (0x6ba)). So it's only external users that see this problem… So what sits between them and the client's Exchange hosts!

The Apache reverse proxy [mod_proxy] module was identified as 'manhandling' the traffic and dropping it like a hot potato! It was easy to see in the Apache logs (typically in /var/log/apache2/ on Linux) that the RPC_DATA_IN and RPC_DATA_OUT traffic that is channelled over HTTPS was being blocked by Apache. Poo!

So why is this happening? Well, in the opinion of Apache, Microsoft is not following the proper RFC standard when it comes to the HTTP protocol. Take a read of the 'bug report' here and see how it's been marked as invalid and therefore resolved with no change to the compiled module.

This is an incorrect use of the http protocol. Bad luck for Microsoft. 
-- Apache Team

So what now? What are the options? Well, there are a couple… some are okay, some are dirty and some I wouldn't touch with a 20 foot pole!

  1. Move to a hardware-based appliance like the Microsoft Exchange team is suggesting. They're not cheap and are overkill for a small client like the one I'm dealing with.
  2. You could spin up another reverse proxy server like Squid or HAProxy that is known to allow the RPC over HTTPS traffic through. This option is okay, but you're spinning up another server just for the Exchange reverse proxy, unless of course you move all your other applications and websites to the same service. Is your applications team ready for that type of migration? Do you have enough IPv4 addresses?!
  3. You could run up Squid on the same server (assuming the host is Linux). Squid could handle Exchange and then pass everything else to Apache! Pretty neat, but again you're managing two services that require patching etc. Hmmm, not ideal.
  4. You could just be lazy and compromise security by using NAT/PAT rules on your external firewall to an Exchange host that is internet facing (i.e. the ExternalURL is set on the virtual directories and Outlook Anywhere is enabled). I hate this, but I know of a major organisation in Australia doing just this with no security or monitoring of traffic!
  5. You could run up an older version of Apache that doesn't have the 'fix' for RPC over HTTPS. Any 2.0.x version is apparently able to allow the RPC traffic. Yuck! Running out-of-date Apache is just a disaster waiting to happen. Again, people seem to be falling back to this option.
  6. You could go open source and use something like [mod_proxy_msrpc]. I personally am not a fan of relying on the 'interwebs' for keeping my environment secure! Refer here for [mod_proxy_msrpc] if you're okay with this, of course.
  7. Give up… Stick with TMG if you're already on it, or tell the business it's not possible… Not possible.

Unfortunately for this client, the horse had already bolted and they were becoming a little impatient that things weren't working. Added to this, the client insisted I couldn't move away from the Apache server they had already built. They expected me to get Apache to work /sigh…. The solution I chose after a lot of thinking was option 3. I configured Squid to deal with Exchange and then let it pass the rest through to Apache for the non-Exchange reverse proxy needs. For reference, here is an example of the config I used:

# CONTOSO Squid Configuration - Trent Steenholdt 30/01/2014
# =======================================================

# Extensions for Exchange RPC over HTTPS
extension_methods RPC_IN_DATA RPC_OUT_DATA

# We listen on 123.123.123.123 This is the internet facing IP
https_port 123.123.123.123:443 accel cert=/LOCATIONOFCERT/contoso_com.crt key=/LOCATIONOFCERTKEY/contoso_com.key defaultsite=contoso.com vhost

# Apache is running locally.
# Exchange Server is 10.100.7.99 
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER cert=/LOCATIONOFCERT/otherSANcert_contoso_com.crt key=/LOCATIONOFCERTKEY/otherSANcert_contoso_com.key name=webServer
cache_peer 10.1.1.14 parent 443 0 proxy-only no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER cert=/LOCATIONOFCERT/SANcert_contoso_com.crt key=/LOCATIONOFCERTKEY/SANcert_contoso_com.key name=exchangeServer

# List of acceptable URLs to send to the Exchange server
acl exch_url url_regex -i contoso.com/exchange
acl exch_url url_regex -i contoso.com/exchweb
acl exch_url url_regex -i contoso.com/public
acl exch_url url_regex -i contoso.com/owa
acl exch_url url_regex -i contoso.com/ecp
acl exch_url url_regex -i contoso.com/microsoft-server-activesync
acl exch_url url_regex -i contoso.com/rpc
acl exch_url url_regex -i contoso.com/rpcwithcert
acl exch_url url_regex -i contoso.com/exadmin

# Send the Exchange URLs to the Exchange server
cache_peer_access exchangeServer allow exch_url

# Send everything else to the Apache
cache_peer_access webServer deny exch_url

# This is to protect Squid
never_direct allow exch_url

# Logging Configuration
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
cache_log none
cache_store_log none

access_log /SQUIDLOCATION/access.log squid

# Set the hostname so that we can see Squid in the path (Optional)
visible_hostname contoso.com/squid
deny_info TCP_RESET all

# ACL - required to allow
acl all src 0.0.0.0/0.0.0.0

# Allow everyone through, internal and external connections
http_access allow all
miss_access allow all
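Two settings in the config above are worth tightening before it faces the internet: sslflags=DONT_VERIFY_PEER means Squid never checks the Exchange or Apache certificate, so anything that can answer on the internal path can impersonate them, and http_access allow all with vhost routing means any Host header reaches the origin servers. As an added example (not the post's config), here are just those directives in their tightened form, using Squid 3.x cache_peer syntax of the same generation as the post's sslflags option; the CA file path, the pinned Exchange name and the domain are placeholders.

```conf
# Added example, not the post's configuration. Only the directives that change are shown;
# drop them into the config above in place of the originals.

# 1. Verify the origin certificates instead of DONT_VERIFY_PEER. sslcafile= is the CA that
#    issued the Exchange/Apache certificates (placeholder path); ssldomain= is the name the
#    peer certificate must carry (placeholder name), so a host that answers on 10.1.1.14 with
#    some other certificate is refused rather than silently trusted.
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslcafile=/LOCATIONOFCA/internal-ca.pem ssldomain=www.contoso.com cert=/LOCATIONOFCERT/otherSANcert_contoso_com.crt key=/LOCATIONOFCERTKEY/otherSANcert_contoso_com.key name=webServer
cache_peer 10.1.1.14 parent 443 0 proxy-only no-query no-digest originserver login=PASS front-end-https=on ssl sslcafile=/LOCATIONOFCA/internal-ca.pem ssldomain=mail.contoso.com cert=/LOCATIONOFCERT/SANcert_contoso_com.crt key=/LOCATIONOFCERTKEY/SANcert_contoso_com.key name=exchangeServer

# 2. Only serve the host names you actually publish. With "vhost" Squid routes on the Host
#    header, so "http_access allow all" forwards requests for any name to the origins.
#    (.contoso.com matches contoso.com and all its subdomains.)
acl published_hosts dstdomain .contoso.com
http_access allow published_hosts
http_access deny all
miss_access allow published_hosts
miss_access deny all
```

Squid checks http_access rules in order and stops at the first match, so the allow for the published names must come before the final deny; requests for any other Host value are answered with TCP_RESET because of the deny_info line already in the config.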

Cheers,

Trent