How to keep company data secure, in a ‘mobile first, cloud first’ environment












It’s a  Brave new world, a mobile first, cloud first world of technology. In that world there are many new ways of consuming data, on many new devices. Data security is of paramount importance to any user, IT Pro, Small Business or Enterprise, it is a universal requirement of making that data available.

The operating system, platform and delivery method of the data should not cause any increase in the risk to it. In short the corporate entity must have complete control over the access to, consumption of and removal of data in terms of users, devices and platforms at all time.









That’s a fairly big ask. It is also one of the primary barriers to adoption of cloud technologies and people centric IT (PC_IT).

What is Microsoft’s approach to this rather thorny issue then?

As you might imagine, Microsoft has a number of methods of achieving this end game. The adoption of these depends whether you are either fully cloud, hybrid or fully on-premises for your infrastructure and data requirements. One thing is for sure, they certainly have it covered.

For an on premises scenario with a number of BYOD and corporate issued smartphones and tablets, the solution involved a number of products including Windows Server 2012 R2, Windows Intune and System Center Configuration Manager (2012 R2). The elements of the Server platform that assist with this solution are Active Directory Domain Services (AD DS), Dynamic Access Control, Active Directory Rights Management Services (AD RMS), Active Directory Federation Services (ADFS) and the all new Web Application Proxy.

For a Microsoft Azure based solution, the new Enterprise Mobility Suite (EMS) is designed to cater for most of the same functionality. The EMS consists of Azure Active Directory Premium (for Hybrid identity management and Multi Factor authentication as well as other added functions), Windows Intune and Azure Rights Management Services.

The Hybrid cloud customer would be able to take advantage of all these products to manage their data.

As an additional portion of goodness, Windows Server 2012 R2 also comes with Workplace join and Work Folders.











If all of this isn’t enough security, Microsoft also has a scalable and robust Virtual Desktop Infrastructure solution for a whole number of different scenarios that can actually prevent the data leaving the corporate network at all, whilst still giving remote users the ability to enjoy a standard interface and experience. (These include Session Virtualisation, Desktop Virtualisation, both pooled and personal and with Microsoft App-v the ability to stream applications too.)

The final piece of the jigsaw is the new Azure RemoteApp which is currently in preview that now allows a cloud based solution for application virtualization. (RemoteApp is also available for your on premises Windows Servers too).

It is important to point out that the overall People-Centric IT vision is not restricted to data security and management but has a three-pronged approach to PCIT. That of Enabling end users, Unifying the environment and Protecting data. Take a look at the PCIT whitepaper here.

So assuming you have visited the links and read the whitepaper (which after all is why they are linked…), you now know the field but what about the practicalities and what scenarios are covered by this.

Gosh Ed, that’s 500 words where you have pretty much just listed solutions to data security in a whole bunch of scenarios. How do we use these and how do we choose what to use in what situation?

The rest of this post is dedicated to three examples of when to use these solutions. I will then go on to a more detailed technical explanation in a series of future posts dedicated to each solution.

So, Scenario 1.

An iPad user wants access to their corporate intranet and files and folders, some of which are business critical data files. What can we do to allow this access, but control the device and ensure the data is secured?

The iPad has the facility to download the profile settings and join a workplace environment without being domain joined formally. This would allow access to a company portal for access to websites and applications.













Using Windows Intune, an administrator can enforce polices for security and data wipe on the iOS device. Securing the data



For access to secure data or applications incompatible with iOS, then a Virtual desktop could be used (Microsoft VDI) or a Microsoft Azure VM to keep the data off the device and allow access to the application on an incompatible operating system.


Scenario 2

An  Android SmartPhone user wants access to work email and files and folders for work use.

Windows Intune will secure the data and allow remote wipe of the device and or the data if required. Policies may be applied by the administrator to ensure that the device has a password and that encryption is also enforced.


Scenario 3

A  Windows RT 8.1 Tablet user wants to use a non-domain joined Tablet for work access to email and applications as well as work folders for data.

The combination of Windows Server 2012 R2 and the EMS suite will allow the administrator to provide workplace join, work folders and software deployment as well as endpoint protection for the device. Additional polices may be applied with Windows Intune to enforce rules and security of the data and to remotely wipe the device / data if required.

In a ‘Mobile first, cloud first’ world of devices and data, security is always a concern but the solutions available from Microsoft allow complete control of data access, security, integrity and removal. Don’t forget of course EMS is powered by Microsoft Azure and you can control your Azure subscription with, yes you guessed it PowerShell!

Watch this space for the detailed technical solutions for the three scenarios above, with a special one for the Web Application Proxy all on it’s own. This ground breaking server role replaces the Active Directory Federation Services Proxy role and also does so much more!

Office 365 MCSA – 70-347 Study Guide

The Study of this exam content is causing me no end of difficulty. Because of this, I have adopted my usual policy of forcing the issue and have booked my exam for Wednesday 30th July at 1130 AM in Seattle. I will be attending the internal TechReady conference and will be sitting in on as many Office 365 sessions as I can.

But why am I having such difficulty with the study when I have used the component parts of the product suite for many years?

So why then does the conglomeration of these products cause me such a headache?

Well with the constant upgrading of the Microsoft Learning certification exams, the types of questions one is likely to be asked are no longer limited to multiple choice and drag and drop type solutions. Checkout the Active-Screen ,Hot-Area and Build Lists mini videos to see what you will face. The Microsoft learning Experiences page here is a great place to start if you are unfamiliar with taking Microsoft certification exams. (Note here that from September 4th this year, there will be two choices for booking and taking your exam. You can sit your exam either at a Prometric centre or coming back after a seven year break at a Pearson Vue centre. Old hands definitely have a favourite interface and experience. It is equally important to note that the actual exam experience is exactly the same wherever and however you take it.)

This change in the method of asking questions can mean that you are presented with a screen taken from several layers down into the administration of a product that you are not familiar with. Such as the screen below.



any idea which product and where that comes from?

Anyone familiar with these exams can tell you that guessing, really is a last resort. So to be proficient in all the above products takes time, effort and no little patience. The benefit of a cloud solution such as Office 365 is that  there is very little on-premises configuration and installation to do.

I have been madly using my free trial of Office 365 to navigate the products and set up SharePoint Online sites and all the other great features that Office 365 provides.

To do this I have been using a OneNote notebook where I can drag and drop all the cool TechNet links and articles and also run through the MVA course too.

If you haven’t already signed up tot he Microsoft Virtual Academy, you really should its quite simply awesome!

The Office 365 syllabus is not limited to the course linked above, a search for Office 365 brings  up four pages of course content. So pick the correct ones read the synopsis and section headers to make sure you are not wasting valuable study time.

No matter how many courses you take and jump starts you watch, there is absolutely no substitute for using the product – hands on time and testing / breaking / fixing the software.

As a trainer I had many certifications but if I hadn’t used the product in a live environment I was always very reluctant to stand up and teach it, after all IT is not really a hands-off job.

So to end this short study update here is a list of a few key resources I have found and am using for my 70-347 study.

Office 365 Identity and Authentication Poster

MOC 20346A (B version Released July 2014)

MOC 10968B

TechNet Office 365 for IT pro page (great jump off point)

Office 365 Fast Track site (exam covers planning and deployment)

PowerShell Cmdlets for Licensing users (It would be a Blogg( Ed) post without PowerShell now would it)

Also go to the Windows Store and download

Posterpedia and the Microsoft Training and Certification Guide

Several excellent and relevant resources in there as well as a roadmap for your certification needs.

Must dash – studying to do!

Office 365 MCSA – Halfway House

There are two certification examinations that make up the MCSA Office 365. The background, requirements and details are listed here and are partially shown in the graphic below.


In short, to certify you need to pass 70-346 and 70-347 (the 70 simply identifies the retail examination, there are other codes for Academic and Academy exams- the content is identical, as is the passing score).

One of the problems for Microsoft in producing an Office 365 qualification is that the product encompasses so much and is continually changing and updating (so the MCITP in Office 365 or the Office 365 for Small Business qualifications are not that old but the content is not relevant (in my opinion, for today)

Why am I telling you all this, well I wrote a blog post last month about Self-Study, relying on my past life as an MCT (Microsoft Certified Trainer). As a trainer I do advocate all manner of training methods, not least MOC (Microsoft Official Curriculum) and MOAC (Microsoft Official Academic Curriculum), indeed I have written them before now for Windows Server 2012 and for Windows 8. Classroom based training is one of the methods that works very well for thousands of delegates and students every year.

There are those, however, for whom the course is out of financial range or the time required away from work is too great. If that is the case for you, the reader, then this series of blog posts is definitely for you.

To recap, we have so far dealt with the theory of making time, finding resources and actually studying for technical exams. I also decided that since I hadn’t taken any Microsoft exams since March and that I had been exceptionally sub-optimal in the BETA versions of the Office 365 tests, that I would ‘put my money where my mouth is’ (For the reader, Sub-optimal relates to a score below 700 which is the score required to pass the exam. I don’t consider it a fail, especially when teaching young people and apprentices, ‘failure’ is such a hard concept to grasp since the modern schools system doesn’t really have competition or failure in its curriculum – wrongly in my opinion but that is an entirely different subject for a post all of its own).

So I set myself the target of passing the Office 365 MCSA before July (this year) and yes I do like a challenge. Unfortunately I was unable to book both exams within the time limit (I was not about to forego my holiday to the Glastonbury Festival or give my tickets to our editor Steven Mullaghan, much to his disappointment). The second exam will be ‘in July’ sometime.

I wasn’t left with much study time,my role as a Technical Evangelist keeps me on the move, on my toes and rather buy, to say the least. I posted my decision to retake within June on 2nd June and since then I have been on MVP Roadshows presenting on People-Centric IT, System Center 2012 R2 IT Camps, Planning for FY 15 (which starts next week), racing round Donington park grand prix circuit with the Microsoft Motorbike Club (proof below) and manning the Cloud World Forum stand at London Olympia.

bike1 (1 of 1)

In between these great events I have been carrying on with normal family life and preparing for a big year ahead in my role as a Freemason. So I haven’t had all that much time to devote to the exam (can you hear the beginnings of an excuse for being sub optimal?)


The purpose of my little story above is to explain that the time available significantly alters the methods I use to study. Given time, I may explore every avenue of the product and read books, use it in anger, go to the Microsoft Virtual Academy (MVA) and checkout the Jump Starts and other courses. I may even use my status as an MCT to access the MOC courseware library and download the Virtual Machines and the trainer materials and run the course for myself.

Sadly not enough time for those methods this time. Although I did use the MVA course designed to support this 346 test and the 347 one. An excellent resource of free technical training from highly skilled and technical Microsoft staff and partners. Whilst discussing the MVA, why not sign up for the UK initiative, MVA Hero a way of choosing your path for study and having a bit of fun at the same time. If this doesn’t appeal to you don’t worry the MVA search engine will find the course you want.

programmeherosSo with such limited time, having booked the first exam (I booked on 2nd June – so I had to take it! A good trick to stop you backing out – I don’t have £100 to waste on missed or sub optimal exams, for those in the know, MCT’s receive a 50% discount on vouchers for exams – another good reason to become one and Microsoft employees receive free vouchers, another great reason for applying to work here with such great people and resources, although you do have to report your results and the perceived peer pressure to be ‘optimal’ is huge, for me at least.)

I was left with about 6 days to go and in the middle was a really big weekend event that would need preparation and no chance to study for at least 3 of those days.

I took the last minute cramming approach and spent 14 hours on Sunday going through the MVA course and scouring TechNet articles for methods to remove licences from Office 365 using PowerShell, to how to deploy a redundant AD FS infrastructure. Trust me there were so many pointers in the course to areas to really work hard on that I was not short of ideas.

I had booked the exam for 0900 about 60 miles from home (not many seats available in Prometric test centres in Birmingham so its really great news that Pearson Vue have also recently been awarded the contract to provide tests from September 2014).

I set my alarm for 0400 and woke up at 0355 – I set to a last minute or last 3 hours of revision of the key topics. I followed the advice from my previous post. My technique is to copy the areas to be studied into a OneNote notebook and to create links to all areas for TechNet, MVA other blogs and pdf’s.

Remember the people that write the exams have to get the content and ideas from somewhere and when you have taken some exams you will quickly find which Microsoft approved resources are useful and which are not.

Final piece of advice – don’t get bogged down in too much trivia. Do run through wizards live to see what you can and cannot do at each stage to achieve something. As an example (not from my exam – as that would breach the NDA).

If you are looking at Exchange online, and want to work out how to track or manage malware detections in your email. There are several ways to do it but not all of them would answer the question, so read the question carefully.

In this example the exchange online protection section has a malware filter where settings and rules are created, it also has a quarantine section where the relevant message would be listed. But if you wanted to track malware received or sent over a period ranging between 7 days and 60 days then you would not use the Exchange management portal you would use the Office 365 admin portal and choose reports.  See below.



These are taken from the Office 365 portal and clearly show what is asked for but the question may ask specifically for Exchange Online – which may confuse you.


Clicking on the malware detections in received email would show the second screen where you can easily answer the question. None of this is available in Exchange Online.

I stress that this is not a question I have had or have seen. It is representative of the tricks and traps that such a complex product or suite of products can lead you in to.

The question itself (i.e. In your Exchange Online deployment you want to track malware in received email over the last 60 days and identify the recipient of the greatest quantity of malware) is fairly simple)

If you had not drilled down through all the available menus and sections you would NEVER come across this section, buried three levels down.

Oh and for thsoe of you who rightly noticed, I haven’t mentioned PowerShell much, the MSONLINE module is HUGE and the MSOL cmdlets appear very regularly in the study and test. (but you expected that didn’t you!)

So you have all been very patient. I took the exam yesterday. See below


All Microsoft exams require a passing score of 700, a maximum score is 1000. The theory is that once you reach 700, there is absolutely no difference between a score of 700 and 900 because the questions are different and the exam has a set number of types of question and in each area they all get marked and scored differently.

I have read the theory seen the video where Liberty Munson Microsoft’s  PRINCIPAL PSYCHOMETRICIAN, LeX Products explains this and I confess I absolutely do not understand this.

Suffice to say I was happy with the result and will now hope to give myself more time and try to produce a couple of posts mid study for the 70-347 exam.

The exam this week was all about setting up, and getting working with Office 365, security connections etc. The next exam is all about actually working with the products that make up Office 365 (Exchange Online, Sharepoint Online and Lync Online as well as OneDrive).

This is very definitely a greater challenge for me. Watch this space, i cannot commit to a date as I have an even busier July that I did June (I am off to Seattle for the internal version of TechEd called TechReady) and I also have to get ready for my next trip on the race track!

Don’t forget to ping me any questions you may have @edbaker1965 or leave a comment here.

Office 365 Administrative Roles

In Office 365 there are a number of roles available with a myriad of differing levels of access and permissions.

This link on the TechNet site is a huge help, both when deploying and when studying for an exam like I am (on Monday , no less), and these can be set at the users and groups / settings page on Office 365 Admin center page.


Short and sweet but worth remembering how to grant administrative privileges.

Remember those Examination objectives



Will feedback after the exam on Monday (and a full weekend of cramming)

Following up on the Self-Training Challenge – MCSA Office 365

A week or so ago I posted about Self-Training and I thought I would put my money where my mouth is.

On December 23rd last year (I remember the date clearly), I sat two Microsoft Office 365 Beta examinations. Beta examinations differ from the normal ones in their numbering and more significantly they are often a lot longer and have a whole load of questions that may never appear in the generally available versions. The final and most significant difference for me is that instead of seeing the result on screen and walking away with a score report, you simply get a thank you for sitting the examination printout, no result.

I have taken Beta examinations in many technologies and my record up until December was around 75-80% success. This pair of beauties was a very different experience. I usually walk out with a degree of confidence and some home. This time I absolutely knew I had failed both quite comfortably. The examinations in questions were 071-346.

071-346 beta

and 071-347.

071-347 beta

the 071 signifies a beta examination.

My assessment was correct in the examination results, I failed both with no possible suggestion of a mistake!

Shortly after I received the results, I joined Microsoft UK and the last 3 months have been somewhat of a blur of activity and learning but nothing that I could use towards a certification. presenting at conferences and demonstrating products is very different to using them int he field and I have long proclaimed that to know a product you have to deploy and use it either in a lab or production environment. (added to my shame is that I have had an Office 365 subscription since the beginning).

To cut a long story short and to prove I do know the product I have decided to retake these exams and claim my MCSA in office 365. Roles and responsibilities change all the time at Microsoft and one thing is for certain being proficient in Microsoft Cloud technologies will not be a hindrance!

So by the end of June i will retake these exams and keep you up to date with my studies and resources used.

So what do I have to learn. The Microsoft Learning website has a list of every examination and the required skills that will be tested.

For my next project they are here for 346 and here for 347

If you look carefully, there is a huge list of topics. Let’s take 70-346 as an example (got to start somewhere, right!)

My system is simple, copy the list to a OneNote document and from there create a number of links to resources I already have or resources I find that refer to those topics  OneNote allows me to embed audio, video, PowerPoint presentations etc. A large number of these links are likely to be from - a quick search provides a very large number of courses for Office.

So what exactly do I need to study in Office 365 for the first examination. I do have an advantage here. One of the reasons I take a Beta exam is that if I fail it I may have a better idea of where to concentrate my future studies. So when I use my OneNote resource library, I can remove some of the entries or send them green as I know that section.

Here’s an example of the 70-346 list of skills required.


Please note that this section of “Provision Office 365″ may have up to 15-20% of the total examination questions so spend your time wisely. It is also worth noting that this is not an exhaustive list and the forums on BornToLearn are full of complaints about this. Be aware that you can be asked any question about the product and related technology, these are not meant to be easy paper certifications. Microsoft examinations are now a tough and fair test (mostly! some howlers do slip through but are removed as soon as possible).

Also note that some of your research work has been done for you, the blue text at the bottom is linked through to TechNet articles on the correct areas to study.

So – watch this space – I will be posting about my experiences both in learning and in testing, although what can be revealed about the content of the test is limited to NOTHING AT ALL.

For a guide as to the type of question types you are likely to receive check out these short videos (checkout the section Exam Formats and Question Types), particularly this one, on the Best Answer type of question, I really do not like these! Finally, please, at all costs avoid Practice test sites that guarantee a pass, no one can do that! (without cheating) and cheating leads to some pretty career limiting punishments as well as having a certification that means nothing at all.

UPDATE – Exam booked Monday 23rd June 0900. (another good tip – book it in advance to get the best place as places are scarce and it also acts as incentive for me to make sure I study hard0

Wish me luck

Happy studying

IPAM – Part 3

IPAM Part 3 focuses on the integration of System Center Virtual Machine Manager (SCVMM) 2012 R2 into the IPAM managed environment.

What exactly does this mean?

IPAM covers the entire Microsoft DHCP and DNS environment and monitors, manages and audits the deployment. Prior to Windows Server 2012 this was only possible with Spreadsheets, pieces of paper or expensive 3rd party applications. With the release of Windows Server 2012, this became a whole lot easier but there were missing areas. One important part of this was the virtual networks created and managed within SCVMM.


Windows Server 2012 R2 now covers this gap within the IPAM client console. All provider and client network addresses and subnets are included.

This is all included in the box and requires no extra installation steps.

Client and Provider networks addresses. What are those?


System Center Virtual Machine Manager 2012 R2 allows for fully isolated network virtualisation using a protocol called NVGRE – Network Virtualisation Generic Routing Encapsulation. This technology is a topic own its own right and I will post about that another time. For now, if you want more detail try reading this post (be warned technical trauma ahead) NVGRE, a lighter way of looking at it is on the slide above. Each VM has a provider address and a customer address, allowing multi-tenant solutions with the same customer IP address on a network.

It’s easy to see why keeping a close eye on these IP address ranges, subnets and individual IP addresses is a good idea.

Once IPAM has been installed the integration plugin will automatically use Web Services Management (WS Man) to update the IPAM server with all the SCVMM virtual networking data.

Oh and it can also be managed using PowerShell. Here are the network Virtualisation cmdlets and Here are the IPAM Cmdlets

The IPAM client interface is then automatically populated with this data as shown below.


The client application is found in Server Manager within either Windows Server 2012 R2 or in the Server Manager withing the Remote Server Admin Tools (RSAT) which can be downloaded and installed on a Windows 8.1 machine. Be aware that RSAT is paired (i.e. Windows 7 and Windows Server 2008 R2, Windows 8 and and Windows Server 2012 etc.)

Network Virtualisation is a very complex topic, but utilising the IPAM tools to monitor this requires no extra skills or training. A major win!

Why not try them out now. Evaluate Windows Server 2012 R2 and Microsoft System Center 2012 R2 here along with a host of other Microsoft software.

The final part in this tour of IPAM will cover the remaining new features.

Self-Training – 101: How to get started and keep going.

Self-training 101: How to find the time and the motivation and what is available for the IT Professional.

Everybody has their own learning style, most fit into the three primary styles of Visual, Auditory or Kinaesthetic (tactile or learning by doing). These simply describe the way in which learning is most effective for you. To be able to train yourself in leading edge technology matters, a blend of all three is probably required.

I have been taking part in distance learning since 1992 when I started my Open University Degree course. There hasn’t been a time since then when I have been ‘resting’ from study. That does take a lot of self- discipline, motivation and no small measure of selfishness.

The title of this post implies that you can follow my approach and all will be well, that is not necessarily the case. Everyone is different, everyone has a different work routine, home life and family or hobby commitments. What I can do is explain how I approach my own self training and the path to certification which was the secondary purpose of all those years of study.

It would be great if using a particular product for years or being experienced in a role was a guarantee of knowing it to a deep level and to be able to prove to your employer and prospective employers that you were proficient in your trade. This is not the case. I am sure we all know many IT ‘Professionals’ who are not really worth that title and do not really know their stuff. For that reason certification is a really great idea.

So why do I self-study and what do I do to achieve the aims I set myself. More importantly what motivates me to keep going?

Going back to the Learning styles, I use a blend of all three, with regular access to the Microsoft Virtual Academy (MVA) a superb resource of FREE professional training. This includes a number of Jump Start courses which are traditionally held as live events by Microsoft Evangelists and members of the product teams, recorded and hosted for online streaming or downloads. The slide decks and associated supporting material are also available. This really is a rich repository of high quality training in all areas of Microsoft technology. As part of most courses in the MVA, there are short multiple choice quizzes to answer to ensure that learning has taken place.

So my No 1 tip is get on the MVA and start learning. There is currently a neat promotional game attached to the MVA, if you register here you can become an MVA superhero, by taking courses in six defined service or product tracks, you can enter for major or minor prizes and learn at the same time, enter here. For those with a competitive bent, each course earns points and there are league tables on a national and global scale. mvahero1

My area of specialism is Microsoft Infrastructure technologies so the TechNet Library is vital to my study. Recently Microsoft released the whole Server 2012 and Server 2012 R2 library as a single PDF file. Be warned it is a 126 MB big and contains nearly 9000 pages of technical information, but it is not as bad as it sounds since the first 370 pages are the contents table! I also rely on proper paper books when travelling, I never have got used to using a gadget for reading books, but I suppose I will eventually. I use a lot of Microsoft Press titles, they are available in print or as eBooks. Microsoft also offer a large range of FREE eBooks in current and emerging technologies. These are listed here and here. Finally on the TechNet front, there is an endless list of useful Blogs.

One of the reasons I have been studying quite so much over recent years is that I am a Microsoft Certified Trainer (MCT) and to be able to teach the Official Curriculum (MOC) and Official Academic Curriculum (MOAC) course for a product, Microsoft insist that you are certified in that product, which makes sense. One of the major benefits of being an MCT is that you gain access to all the courseware and Virtual Machine lab environments as well. This means that I am able to get hands on experience with all the products I am learning. Of course this requires some fairly powerful hardware, especially if you are studying Private Cloud and other Virtualisation courses. If you don’t have access to these courses and have not got a home lab environment but you would like hands on experience, then TechNet also provide online labs and demos for FREE. Check them out here.

I thoroughly recommend two additional Microsoft Learning Experience (LeX) resources.

The first is the Learning web site here which lists all official courses and certification exams as well as what is required for each one.



The other is the Born To Learn website here, this is another rich resource of learning and certification material with online forums and direct access to Microsoft’s learning Experience staff. b2l

The vast quantity of all this invaluable material should tell you one thing. No way can you read or consume it all. The best way of focussing your energy and attention is to create a useful study plan that takes into account your work life, family life as well as your general aims in terms of study or certification.

So how do you find time and more importantly how do you remain motivated to keep learning, keep on taking exams and courses? Your answer will be different to mine. It could be a new certification will lead to a new job or promotion in your current role, all good motivational stuff. The answer lies in WHY you want to study. When I was at school I had to study and hated it, I therefore did not do as well as I should or could have. When I decided I needed to and wanted to study later in life I found it all too easy to remain motivated, it was my choice, my idea and my time I was giving up to do it.

So what does my typical working / study week look like.

I am a Technical Evangelist working for Microsoft UK so I don’t have a typical week, which is a great aspect of the job. This does however mean that if I want to start a course of study I have to squeeze it in wherever I am. I also have to squeeze it in at strange times of the day. Until recently I was a regular early morning runner and was training for marathons, this meant a good couple of hours out and about. Now I am not doing that, I spend that time on study. I also spend time when my wife is out at Choir practice or other social events. In short I squeeze it in where I can. Invariably this is early morning or late night sessions in hotel rooms, on trains or at home.

Luckily my current role involves a great deal of hands on prep so I can develop the detailed knowledge every day. What I do need to improve at is management of that time. I tend to get side-tracked into the next bit of awesome technology. I was writing an IPAM blog post the other week and ended up playing with System Center VMM virtual networks and looking at Software defined networking. Off topic!

I probably haven’t helped much with motivation, which is entirely down to you the learner, little or no motivation will result in little or no effective study. But hopefully the tips below will help with making time and finding the right resources for self-study as an IT professional.

There are of course many Learning providers that offer both online and in class instructor led courses, if that is your preferred method of learning. There are also many approved online prep tests. But be sure they are approved and not just copies of answers. You can find the approved sites listed on the Microsoft Learning site, such as here for the MCSE Server Infrastructure.

If you take a look at the output from the Microsoft Skills dashboard tool which is based on research conducted with, you can see that there has been a considerable spike in demand for Jobs and roles where Windows Server 2012 certification would assist.


The above graph shows a 12 month period where the Y axis = No. of jobs and the  X axis = Technology-Role.

The data above shows that we have seen most of this spike for IT Professional roles, however demand for IT consultants with Windows Server 2012 skills have been steady.

The data certainly backs up my argument that getting trained is an essential part of normal IT pro life. (The data is skewed in my area of expertise (Windows Server), but as you can see the jobs and skills are out there to be learned and earned.

My final piece of advice is, if you want to stay in the IT industry, NEVER STOP LEARNING, if you do, it will leave you behind quicker than you can say OS/2 or IPv6.

Happy studying. And remember PowerShell is the Future!

IPAM – Part 2

So, what IS new in IPAM in Windows Server 2012 R2?

There is quite a long list here.

One of the big additions is that IPAM now supports RBAC – Role Based Access Control, this now enables you to customise access and operations permissions for users and groups of users with granular control of IPAM objects.

The second really big new feature, especially for a Virtualisation IT Pro is the ability to manage the Virtualisation Address Space. So in addition to your physical device IP address space IPAM now manages the IP space created and managed by System Center Virtual Machine Manager (SCVMM.)

Other cool new facilities include additional DHCP server management capabilities, IPAM also now supports a full SQL Server database rather than just the WID (Windows Internal Database).

The final two bonus items are that

  1.  When you upgrade a Windows Server 2012 IPAM deployment to Windows Server 2012 R2, all current data is migrated for you.
  2. PowerShell support is now greatly enhanced. Improving automation, extensibility and integration. (Regular Blogg(Ed) readers will know this excites me greatly as PowerShell is the future.)

First things first then, let’s assume I have an IPAM deployment as described in Part 1, and I have upgraded my infrastructure to Windows Server 2012 R2 and have deployed System Center 2012 R2 VMM. How do I take advantage of the new goodness?

I would recommend reading my fellow Microsoft Evangelist Simon May’s blog article on installation of IPAM HERE , there are some tricky GPO and other IPAM provisioning gotchas.

I am going to split the series into three with this post covering the RBAC, post 2 being the SCVMM integration and post 3 being the rest!

RBAC has been around for many years and most vendors are slowly integrating full granular control directly into their products.  The initial release of IPAM did have a cut down version limiting administrators and users access based on five different security groups (similar to roles).

  • IPAM Users: Members of this group can view all information in server discovery, IP address space, and server management. They can view IPAM and DHCP server operational events, but cannot view IP address tracking information.
  • IPAM MSM Administrators: IPAM multi-server management (MSM) administrators have IPAM Users privileges and can perform IPAM common management tasks and server management tasks.
  • IPAM ASM Administrators: IPAM address space management (ASM) administrators have IPAM Users privileges and can perform IPAM common management tasks and IP address space tasks.
  • IPAM IP Audit Administrators: Members of this group have IPAM Users privileges and can perform IPAM common management tasks and can view IP address tracking information.
  • IPAM Administrators: IPAM Administrators have the privileges to view all IPAM data and perform all IPAM tasks.

Now whilst this was a good idea to ensure some separation of responsibilities and duties, it was not granular enough to be described as proper RBAC.

RBAC requires three components to be fully functional.

Roles, Access scopes and Access Policies. These are described below

A Role is simply a collection of IPAM operations. A role can be associated with a user or a group (best practice is by group rather than individuals). This association is carried out suing an access policy. IPAM now provides 8 built in administrator roles but more can be created to cater for all your own requirements.

An Access Scope defines the objects that a user has access to. The default scope is Global, meaning that all objects in IPAM are covered. Any new scopes are subsets of this. An organisation may choose to assign scopes by geography or function. In the case of the Global scope, a user or group would have access to all objects that the assigned role allows.

Access Policies match up an Access Scope and a Role to assign a user or group the necessary permissions. As an example a user who has the Role of IP Block administrator and the scope of UK/Eire would have permissions to edit and delete IP Address blocks but only in the area under the scope of UK/Eire. That user would not be granted permission to edit IP Address blocks in the USA.

The table below shows the default roles and scope.

Type Name Description
Role DNS record administrator Manages DNS resource records
Role IP address record administrator Manages IP addresses but not IP address spaces, ranges, blocks, or subnets.
Role IPAM administrator Manages all settings and objects in IPAM
Role IPAM ASM administrator Completely manages IP addresses
Role IPAM DHCP administrator Completely manages DHCP servers
Role IPAM DHCP reservations administrator Manages DHCP reservations
Role IPAM DHCP scope administrator Manages DHCP scopes
Role IPAM MSM administrator Completely manages DHCP and DNS servers
Access scope Global By default, all objects in IPAM are included in the global access scope. All additional scopes that are configured are subsets of the global access scope.

Lets walk through a quick creation of a role, scope and policy.

Below is the IPAM client console with the new Access Control pane selected. You can see the Role, Access Scopes and Access Policies settings available for selection on the left hand side. Each section shows the roles / details so that all can be seen at a glance.



Below are shown smaller images (click for full size) of the Scope and Policies sections.















By Right Clicking the role title, you can create a new role as shown below
















It is a simple matter of selecting the IPAM operations you want the role to be able to perform. The next step is to right click the Access scope title and add a new scope. (This will automatically become a sub scope of the Global access scope)
















Having created the Role and the scope, the next step is to connect them within an Access policy, simply right click on the Access policies title and create a new policy


This dialog allows the user to select a policy name and then to match any of the roles to any of the scopes in the IPAM database. So one policy can control more than one role and one scope.

Don,t forget you still have access to the five local security groups on the IPAM server to control a user or administrators access to the console and its tasks.

In the next post I shall cover the newly added Virtualisation IP Address space features.

Meanwhile if you haven’t tried Windows Server 2012 R2 and IPAM, evaluate it now – HERE!

PowerShell Version 5.0 Preview

I know, PowerShell Version 4.0 has only just landed with us as part of Windows Management Framework 4 and Windows Server 2012 R2 BUT the preview of WMF 5 and PowerShell 5.0 is here already.

So a very quick run through of what is new is in order, I think.

Well – since the Future IS PowerShell, it’s no surprise that a number of new features and functionality are included. Check it out by downloading here

The key new functionality includes updates to PowerShell and the Integrate Scripting Environment as well as Desired State Configuration.

The two I want to concentrate on here though are Network Switch CmdLets and OneGet.

Don’t forget though that if you do install the preview it is not Generally released or supported so the usual caveats apply about not using it in production etc.

Network Switch Cmdlets

      The Network Switch Cmdlets enable you to do switch, VLAN and basic Layer 2 network switch port configuration to Windows Server 2012 R2 Logo certified Network switches.
      Using these cmdlets you can do:
      • Global switch configuration, such as:
        • Setting host name
        • Setting switch banner
        • Persist configuration
        • Enable or disable feature
      • VLAN configuration:
        • Create or remove VLAN
        • Enable or disable VLAN
        • Enumerate VLAN
        • Set friendly name to a VLAN
      • Layer 2 port configuration:
        • Enumerate ports
        • Enable or disable ports
        • Set port modes and properties
        • Add or associate VLAN to Trunk or Access on the port

Available CmdLets are shown below


Being a preview, the help available is limited for now and attempting to update it results in errors.


      OneGet is a new way to discover and install software packages from around the web. With OneGet, you can:

      • Manage a list of software repositories in which packages can be searched, acquired, and installed
      • Search and filter your repositories to find the packages you need
      • Seamlessly install and uninstall packages from one or more repositories with a single PowerShell command

OneGet CmdLets available are shown below.


again, help is limited but as an example.

Simply entering Find-package results in a huge list of available software products that can be fetch and installed.

Be aware that changing the default script execution policy will be required.

Set-ExecutionPolicy RemoteSigned

will be sufficient.

so to fetch and install zoomit (the SysInternals indeispensible tool) is a simple matter of

Fetch-Package zoomit | Install-Package

This results in the following screens


This shows the warning prior to installation


Installation of the application package


Success of the installation

Only a preview but I can’t wait for this to become Generally Available. The potential for being able to control your Network Switches in conjunction with your System Center Virtual Machine Manager is huge!

Deployment of software through this method may not be the future for an enterprise deployment BUT its a seriously fast way of installing applications without as many of the usual multiple steps.




Convert all your VMWare VMs to Hyper-V – FREE

You could be forgiven for thinking that the 8th April 2014 is only really going to be remembered for the End of Support for Windows XP after almost 15 years of service. Time will tell, but I would venture that a large number of Virtualisation IT Pros are still rubbing their hands with glee at the release of the Microsoft Virtual Machine Converter 2.0 (MVMC) and since the future is PowerShell, they will also be salivating with anticipation at using the Migration Automation Toolkit (MAT) released to support the MVMC 2.0. What is it? Why is it such good news? And who will use it?

MVMC 2.0 and MAT


First and fairly importantly MVMC 2.0 is a completely free toolkit to assist an IT Pro in converting VMWare virtual machines into Hyper-V Virtual Machines and yes also into Microsoft Azure Virtual Machines. The MAT is a PowerShell-based set of scripts and utilities to automate this process over a number of hosts and platforms.

If you are not a VMWare customer or do not use VMWare Virtual Machines and don’t need to know how to convert them and don’t think you will ever need to, then you can stop reading,

‘this is not the blog post you are looking for.’

Otherwise – read on….

Over recent years Hyper-V has, for many good reasons been eating into the installed base of VMWare virtualisation customers. With the advent of this tool, the process of conversion to Hyper-V is dramatically simplified. If you are unsure of the value of such toolkits, it is possible to download the Windows Server 2012 R2 operating system (evaluation) install the Hyper-V role (free) and the MVMC 2.0 and MAT (free) and prepare a test migration to prove it will be fast, efficient and trouble-free to migrate all of your Virtual Machines from VMWare to the Azure or Hyper-V platforms.

 Should you be using Linux as the basis for your VM guest estate, then your final solution will require absolutely no licence fees for Microsoft products. Especially if you choose to use the Microsoft Hyper-V server as your final host (free)

All sound too good to be true, well it’s not, below I explain what MVMC 2.0 and MAT can do for you.  

The installation pre-requisites are


Windows Server 2008 R2 SP1 or above (I just installed it on Windows 8.1 (update 1) the full list is below

Supported Operating Systems

Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2

Before you install Microsoft Virtual Machine Converter (MVMC), you must install the following software on the computer on which you want to run MVMC:

  • Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1 operating systems
  • Microsoft .NET Framework 3.5 and .NET Framework 4 if you install MVMC on Windows Server 2008 R2 SP1
  • Microsoft .NET Framework 4.5 if you install MVMC on Windows Server 2012 [A1] or Windows 8.
    Note Although MVMC installs on all of these versions, using the Windows PowerShell cmdlets that are released as part of MVMC requires Windows PowerShell Runtime 3.0, as the cmdlets function only on Windows Server 2012 [A2] and above or Windows 8.
  • Visual C++® Redistributable for Visual Studio® 2012 Update 1


1. The Microsoft Virtual Machine Converter (MVMC)
3. SQL Express or any other SQL Server Editions
4. A Windows account with rights to execute MVMC locally
5. A Windows account with rights to schedule tasks on remote systems and run MVMC (if using remotes)

MVMC is a wizard driven conversion tool but also works with the System Center automation engine provided in Orchestrator 2012 R2. And can be invoked from the PowerShell command line.

The major new features in MVMC 2.0 are listed below:

  • Converts virtual disks that are attached to a VMware virtual machine to virtual hard disks (VHDs) that can be uploaded to Windows Azure.
  • Provides native Windows PowerShell capability that enables scripting and integration into IT automation workflows. (Completely new, previously MVMC had its own command line interface).
  • Supports conversion of Linux-based guest operating systems.
  • Supports conversion of offline virtual machines.
  • Supports the new virtual hard disk format (VHDX).
  • Supports conversion of virtual machines from VMware vSphere 5.5, VMware vSphere 5.1, and VMware vSphere 4.1 hosts Hyper-V virtual machines.
  • Supports Windows Server® 2012 R2, Windows Server® 2012, and Windows® 8 as guest operating systems that you can select for conversion.

MVMC 2.0 standard features include:

  • Convert and deploy virtual machines from VMware hosts to Hyper-V hosts on Windows Server® 2012 and 2012 R2 or Windows Server 2008 R2 SP1
  • Convert VMware virtual machines, virtual disks, and configurations for memory, virtual processor, and other virtual computing resources from the source to Hyper-V.
  • Add virtual network interface cards (NICs) to the converted virtual machine on Hyper-V.
  • Support conversion of virtual machines from VMware vSphere 5.5, VMware vSphere 5.0, and VMware vSphere 4.1 hosts to Hyper-V.
  • Wizard-driven GUI, which simplifies performing virtual machine conversions.
  • Uninstalls VMware Tools before online conversion only, provides a clean way to migrate VMware-based virtual machines to Hyper-V.
  • Support Windows Server and Linux guest operating system conversion.
  • PowerShell capability for offline conversions of VMDK Disks to Hyper-V .vhd disks

Finally to install MVMC 2.0 – the account in use must be a local administrator on the machine.

The MVMC installation files can be obtained here and consist of an msi setup file that installs the wizard, an admin guide document and a cmdlets document.

MAT is simply collection of PowerShell scripts that will automate conversions using MVMC 2.0 and it is back ended by a SQL instance (SQL Express will work). You can use it to convert several machines at once, on a single server – or scale it out and execute conversions on many servers at the same time.


Although MVMC 2.0 can convert VMWare VM’s to Microsoft Azure, this has not currently been implemented in MAT, so this product is scoped to on-premises conversion only, for the time being.

Most of the MAT changes are minor revisions but it does ship with an example script which demonstrates how a migration can be controlled using a single PowerShell script and PowerShell workflows. In short this demonstration or example script can move all running VM’s from a VMWare host to a Hyper-V host.

Since I aim to keep all my posts close to 1000 words – I will cover more detail in another post – especially the use of PowerShell Workflows and the architecture of MAT.