Loss of SCCM 2007 / FEP 2010 Policies

February 22nd, 2012


If you run into the issue that I did after enabling FEP 2010 in SCCM 2007, where you lose access to the policies screen after building them, here is the simple solution to correct the issue.

• Make sure that your SCCM is SP2 and R3 first.

• Re-download KB2271736 from here – http://hotfixv4.microsoft.com/SCCM%202007/sp2/SCCM2007_SP2_KB2271736_ENU/4.0.6487.2156/free/417750_ENU_i386_zip.exe

• Rename the microsoft.configurationmanagement.managementprovider.dll located under \Program Files (x86)\Microsoft Configuration Manager Console\AdminUI\BIN\ to “microsoft.configurationmanagement.managementprovider.old”

• Reboot the SCCM server

• Reinstall the KB2271736 hotfix, ensuring it installs successfully.

• Relaunch the SCCM console

• Voilà, you are back up and running in the policies screen.

Sam Westfall, PEI


Microsoft Lync and Microsoft Exchange 2010 UM integration

February 21st, 2012

There are a lot of other resources out there that will tell you how to integrate Exchange UM with Microsoft Lync. This blog isn’t going to cover this aspect. It is covering another issue, transferring calls from a UM Auto-attendant to another extension, say a Subscriber Access number. Here is the scenario:

Client has limited amounts of DIDs, so all users use the tel:+1xxxyyyzzzz;ext=aaaa format. They have a single DID that is going to be used for an auto-attendant. They still want a Subscriber Access number, but to have it as an extension versus a DID. The extension used for the Subscriber Access number is +2999. I could not use the format above as it is 21 characters and Exchange 2010 UM has a limit of 20 characters (figures). When you call into the AA, you press “8” or say “Subscriber Access” to be transferred. The transfers would fail to the Subscriber Access number. Transfers to users (entering extensions and/or saying their name) worked every time, but transfers to Subscriber Access failed. Here’s why:

Exchange 2007 UM

First let’s cover the “old” days of OCS R2 and/or Lync integration with Exchange 2007 UM. In the past you had to have your dial-plans match exactly or the integration would fail. Example would be Lync dial-plan of “Test123.local.com”. The dial-plan you create on Exchange would need to be exactly the same “Test123.local.com” or the integration would fail. This is because when a call would come into Exchange 2007 and the call was being transferred to a user and/or another number, it would append the “Test123.local.com” to the “phone-context=” in the INVITE. Lync would see this and handle the call appropriately.

Exchange 2010 UM

With Exchange 2010 the above Exchange 2007 rules no longer apply. You no longer need the dial-plans in Lync and Exchange to match in order for the UM integration to function properly. Why? Well, Microsoft changed the way the calls are transferred. Instead of appending the “phone-context=” with the dial-plan name, it sends the calls with “phone-context=user-default@domainname.com”. This is a great change, but there is a caveat.

Caveat

The problem with the above is when the INVITE is sent using the default dial-plan, Lync matches the Global dial-plan. Some people configure the Global dial-plan, others like more personalized or easily identifiable dial-plans. So they leave the default configuration of the Global dial-plan. If you are using E.164, then this isn’t a problem as the default normalization rule prefixes a “+” to the numbers coming in. Everything and everyone is happy. In this particular installation, this wouldn’t work as the call coming in wasn’t matching the default rules and Lync was giving errors in the translation logging that it found a matching number, but it was in a different dial-plan, and the transfer would fail.

Resolution

To make the transfers work, I needed to modify the normalization rules of the Global dial-plan to match the incoming “2999” number and normalize it to “+2999”. This worked. I know I could have given a bogus E.164 (+15555552999) number instead of using a 4-digit extension, but we didn’t for other reasons.

Emilio Rivera, PEI
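
The resolution described in the post above, written out for the Lync Server Management Shell as an added example (not the author's own commands): it adds an anchored rule to the Global dial-plan and tests the plan before and after. The rule name 'SubscriberAccess', the helper function and the two near-miss test numbers are assumptions made for illustration.

```powershell
# Added example for the Lync Server Management Shell (not the author's commands).
# The rule name 'SubscriberAccess' and the helper function are hypothetical.

# Show how the Global dial plan currently translates a set of dialed numbers.
function Show-GlobalTranslation {
    param([string[]]$Numbers)
    $plan = Get-CsDialPlan -Identity Global      # re-read so new rules are included
    foreach ($n in $Numbers) {
        $result = $plan | Test-CsDialPlan -DialedNumber $n
        New-Object PSObject -Property @{
            Dialed     = $n
            Translated = $result.TranslatedNumber
            Rule       = $result.MatchingRule
        }
    }
}

# 2999 is the extension from the post; the other two are constructed
# near-misses that the new rule must not rewrite.
$testNumbers = '2999', '12999', '29990'

# Before the change.
Show-GlobalTranslation $testNumbers | Format-Table Dialed, Translated, Rule -AutoSize

# Add a rule to the Global dial plan. The pattern is anchored (^...$) so it
# matches exactly "2999" and nothing longer; single quotes keep $1 literal.
New-CsVoiceNormalizationRule -Parent Global -Name 'SubscriberAccess' `
    -Description 'Exchange UM Subscriber Access extension' `
    -Pattern '^(2999)$' -Translation '+$1' -Priority 0

# After the change: check that 2999 now translates and the near-misses do not.
Show-GlobalTranslation $testNumbers | Format-Table Dialed, Translated, Rule -AutoSize
```

Because the rule lives in the Global dial-plan, it applies to every call that falls through to that plan, which is why the pattern is kept as narrow as possible.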



 

Microsoft Lync A/V Authentication Issue

February 20th, 2012


In one of our most recent Lync implementations we ran into some issues of long post-dial-delay (PDD) on internal, external (Federated or Edge) and PSTN calls. The PDD was in the range of 8-10 seconds consistently. After troubleshooting, tracing packets, and pulling logs we found the issue. The issue was between the A/V Authentication service (living on the Edge server on an internal DMZ) and the Front End and Mediation servers (collocated). One of the required ports for TURN/STUN was not being allowed. All other ports were allowed, but port 443 was not specifically allowed. So – if you are experiencing long PDD delays on inbound and outbound calls, verify your firewall rules. The root cause of the issue was a typo in the access policy on the firewall. Fun experience and always a great way to remember to CHECK THE BASICS FIRST!

Emilio Rivera, PEI



Intune 2

February 17th, 2012

If you don’t currently have a Microsoft Enterprise agreement, or you can’t afford a System Center Configuration Manager server, perhaps you should pick up Microsoft’s Intune product.

For a minimal monthly cost per PC, this software offers a great deal of control & reporting to your existing environment. Did I mention that this product also offers a 30 day free trial for 25 systems, and a wealth of free documentation as well?

From simple Microsoft application deployment to remote assistance, Intune offers a great central management platform for smaller companies, or a good entry level product similar to SCCM. This product offers some great core functionality in the form of processing security fixes and other updates, alerting when things go awry, a view of per-PC software inventories, reporting, software deployments over internet connections, and other admin duties.

An overview can be found here – http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy.aspx#_try

Sam Westfall, PEI



TMG (Threat Management Gateway) and Windows Update Error 0x80072f8f

February 15th, 2012


You’ve just installed Microsoft Forefront Threat Management Gateway (TMG) and then head off to install Windows Updates to make sure everything is up to date, when you see the nasty red X and the indecipherable error code: 0x80072f8f.

Never fear, this is simply an indication that TMG, being a firewall, is blocking the Windows Update traffic. To resolve, you just need to tell Windows to use TMG as a proxy. From an elevated command prompt, run:

netsh winhttp set proxy localhost:8080

And then run Windows Update again.

Shane Skriletz, PEI



FBI Crack down on DNSChanger Malware, Six arrested in Estonia

February 15th, 2012


The DNSChanger Trojan quietly alters DNS settings on affected machines allowing the hijackers to redirect web traffic on affected hosts. It is said to still be present on an estimated 500,000 machines in the United States.

The FBI recently, in co-operation with Estonian authorities, arrested six men suspected of developing and managing the Trojan software. The arrests took place in co-ordination with seizure of the DNSChanger infrastructure.

The DNSChanger servers are being used as regular DNS resolvers for the time being to ensure working services to those infected. Infected computers should be moved to regular DNS servers before the FBI’s scheduled shutdown of the infrastructure on March 8th.

The FBI has produced a corresponding document explaining how to tell if you are infected and the actions you can take: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf.

Mitch Mahan, PEI
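
Since the Trojan works by altering DNS settings, one way to check a Windows machine is to compare its configured resolvers against the rogue address ranges. The following is an added PowerShell example, not part of the original post or the FBI document; the function names are hypothetical and the ranges are placeholders from the RFC 5737 documentation networks, to be replaced with the ranges the FBI document lists.

```powershell
# Added example. PLACEHOLDER ranges (RFC 5737 documentation networks):
# replace with the rogue DNS ranges listed in the FBI document.
$RogueRanges = @(
    @{ Start = '192.0.2.0';    End = '192.0.2.255' },
    @{ Start = '198.51.100.0'; End = '198.51.100.255' }
)

# Convert a dotted IPv4 address to a number; $null if it is not valid IPv4.
function ConvertTo-IPv4Number {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $null }
    $b = $ip.GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

# Report, for each resolver, whether it falls inside any listed range.
function Test-RogueResolver {
    param([string[]]$Resolvers, [object[]]$Ranges = $RogueRanges)
    foreach ($resolver in $Resolvers) {
        $n = ConvertTo-IPv4Number $resolver
        $hit = $false
        if ($null -ne $n) {
            foreach ($range in $Ranges) {
                $lo = ConvertTo-IPv4Number $range.Start
                $hi = ConvertTo-IPv4Number $range.End
                if ($n -ge $lo -and $n -le $hi) { $hit = $true; break }
            }
        }
        New-Object PSObject -Property @{ Resolver = $resolver; InRogueRange = $hit }
    }
}

# Constructed sample input; on a live machine collect the resolvers with:
#   Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
#       ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
$sample = '10.0.0.10', '192.0.2.53', '172.16.1.1'
Test-RogueResolver -Resolvers $sample | Format-Table Resolver, InRogueRange -AutoSize
```

A resolver reported as in range means the DNS settings need to be reset to known-good servers before the shutdown date mentioned above.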



Lync Mobility and Front-end services

February 15th, 2012


This is more of a PSA entry than anything else. It was recently brought to my attention that the supported topologies for Microsoft Lync have changed slightly.

When Microsoft Lync was first released, one of the great things was that we could co-locate the Mediation service on the Front-end. This makes a lot of sense in smaller organizations who may not have a lot of PSTN calls. A lot of times, we see people dual-home the front end server so that the mediation component will utilize its own NIC. What’s wrong with that you say? Well, nothing, until…

Lync Mobility. Microsoft updated the Topologies and Components for Mobility Technet article on 12/18/2012 to reflect the following statement (Note: it is the very last statement on the page):

“The Mobility Service is not supported on dual-homed Front End Servers that are collocated with the Mediation Server role.”

http://technet.microsoft.com/en-us/library/hh690037.aspx

After asking around, it seems that this is a bug with how Lync selects the IP address for RTC and that a fix will hopefully come in a future update. For now, if you want to have the Mediation service co-located on the Front-end server, you can only have a single NIC.

Adam Ball, PEI



Recommendations for Rookies – CRM Part II

February 13th, 2012


I know you’re excited for the second installment of Recommendations for Rookies. Again, I will focus on Microsoft Dynamics CRM. If you missed my first article focusing on customization, you can read it here.

Q: How can I make CRM more accessible?

A: Whether you have CRM Online or CRM On-Premise there are 3 ways to make it accessible to your users. The first is through the web client. This CRM has full functionality but if you have it hosted on an internal server, users may have issues with remote access. You will have to make sure you have the proper certificates to ensure it’s available externally. CRM also has a mobile client. There are several apps out there and honestly I don’t know which one is best. I tried a few but what really worked best for me was saving the web version of CRM as a bookmark on my phone. The great thing about this approach is within the CRM customization settings you can modify the mobile view of your forms and tables. The last way is through the CRM for Outlook add-in. I’ll go into more detail later, but with the add-in, your users won’t even have to leave their e-mail to create entries and search the database.

Q: Which is better the web version of CRM or the Outlook Add-in?

A: To each their own. I prefer using web access because that is the interface I used to do all the customizations and to familiarize myself with the program. The one thing I use the Outlook client for is to track e-mails, which seems obvious. The reason is, if you create an e-mail activity within the web client you must click “Send e-mail” in order to close the activity. I don’t necessarily want CRM sending those e-mails or I’m logging an incoming e-mail. One thing to look out for is the synchronization settings within Outlook. If you create a set of phone calls within the web client they will sync down to your Outlook tasks, which is fine, but then if you mark a phone call as “Canceled” in CRM, Outlook thinks the call is “Complete.” Then when they sync again the value in CRM overrides to “Complete.” We like to track the number of calls our account managers are making each week and this is no bueno as it skews the data.

Q: How long will it take to bring new users up to speed?

A: Well that really depends on a couple of factors. Have they ever used a CRM program before? How technically literate are they? How is CRM configured? How many access points do they have? What is your training process? And the list goes on… As a reference point, our CRM went live about 6 months ago and our sales team, who had to transfer from our old methods of tracking, is now entering data well and consistently using the tool. Not quite perfect yet, but getting there. Our newer hires are catching on as well. I’d say the timeline ranges anywhere from 1 to 4 months to really grasp the basics of creating and updating the data, and 4+ months to learn the more advanced features, like creating personal views, dashboards, goals, workflows and queries. The best way I’ve found to speed up the process is to really familiarize yourself with the system. Click every button you can and see where everything is. Also, during our training sessions, we had users bring their laptop and practice together.

Hope my recommendations help out my fellow rookies.

Heidi Christensen, PEI



Updating AntiVirus

February 13th, 2012


THE SCENARIO

Joe got a laptop several months ago. It came with a preinstalled trial version of antivirus software. Over the past few weeks, Joe has noticed that he can’t connect to the Internet consistently any more, and his machine is running incredibly slow. When he takes his laptop in for a checkup, he is shocked to learn that his machine has no current virus protection and is infested with viruses, worms, and spyware. What happened?

THE SYMPTOMS

  • You have poor or no connection to the Internet
  • Your computer is running very slowly
  • Your homepage in your browser is set to something else
  • Your files are corrupt

THE KNOWLEDGE

Antivirus software expires! Even though antivirus software may come with your computer, it is usually a trial version. It may work and be updated for a time (usually 60 days), but at the end of the trial period it expires. If you do not sign up and pay for a subscription, you will not receive updates. This leaves your computer vulnerable to attack.

Viruses, worms, and spyware constantly change. These malware are constantly being created and changed to bypass antivirus software. If your antivirus software is not up to date with the latest virus definitions, there is a good chance you will be infected.

If you are a home user, check with your IT staff on seeing if you can get a remote copy of your company’s AV program. If you are in a corporate environment, make sure you have a server that is up to date and licensed so it can push out the newest definition files.

Myke Schwartz, PEI



 

Flat Earth Blog

February 9th, 2012


This IT industry has been my home for over 35 years — I’ve seen a lot of change in that time!

In 1976, mainframe computers were giving up their dominance to smaller, faster, cheaper and infinitely more flexible mini-computers, and that loss of dominance rocked the mainframe world to its core. Ultimately mainframes went “bye bye.”

By 1980, the personal computer was becoming the “toy at home” that every IT professional tinkered with. Lacking software, connectivity and horsepower, these small systems didn’t seem to have “the right stuff” to displace anything, much less the now entrenched mini-computers; but, that changed too!

Through informal adoption, starting with actual owners and users bringing their “toys” to the office, and the new networking models from Banyan, Novell, IBM, DEC, the same improvements in size, speed, cost and flexibility led IT to value and then rely on PCs as the replacement for the dumb-terminal and much, much, more.

Same with Servers. Then the Internet. Yada, yada.

Now we stand at another radical (and pardon the hideously overused phrase) “paradigm shift.” — Tablets and SmartPhones.

I’m not unique in calling this new trend a game-changer. I’m jumping on the bandwagon for one particular purpose — My mid-market customers (small corporations, large privately held companies, and organizations) are typically underserved in getting guidance on how to take advantage of new trends, and often lag months or years in getting any strategy for the newest advances to help them leverage IT.

These same mid-market IT environs often have early adoption impacts of new technologies that provide potential for them to innovate for their businesses and get the greatest gains, I believe, from new IT trends.

The Flat Earth Blog is devoted to bringing Tablet/SmartPhone strategies and tactics of “how”, “why” and “when” to mid-market IT.

Stay tuned.

(Next week: “Flat Earth Vocabulary: Speaking the Same Lingo”)

Chris Krueger, PEI

