BDD 2007 overview

It’s been almost three years since I wrote a post about the Microsoft Solution Accelerator for Business Desktop Deployment (BDD) and since then it’s been updated twice – first with BDD v2.5 and now with BDD 2007 (the latest version of which is now known simply as Microsoft Deployment).

According to Microsoft:

The Solution Accelerator for Business Desktop Deployment (BDD) is best-practice guidance for desktop deployment. BDD is targeted at companies that want to reduce deployment time, effort, and cost by increasing the level of automation. It allows administrators to deploy desktops with Zero Touch and Lite Touch interaction at the target PCs. This solution also helps organizations move to a managed environment with standardized desktop images.

Effectively, BDD is a framework that brings together a variety of deployment tools with business logic in order to implement best practices.  In its simplest form, known as Lite Touch Installation (LTI), BDD allows administrators to create/capture operating system images, customise these and deploy them to other workstations.  This requires very little infrastructure and as such is suitable for small and mid-size businesses; however there is also a Zero Touch Installation (ZTI) option that integrates with Microsoft Systems Management Server (SMS) 2003 or System Center Configuration Manager (SCCM) 2007 for enterprises that have the required infrastructure in place.

Supported on Windows XP, Server 2003, Server 2003 R2 and Vista, BDD can be used to deploy Windows clients, together with applications (e.g. Office 2007) and customisations.  Available in both x86 and x64 editions (with both versions supporting installation of clients on either architecture), BDD 2007 is finally looking like a product, rather than a collection of tools glued together with scripts and HTML applications.  There are still a few strange interfaces, but the hub of BDD 2007 is the BDD Workbench – an MMC 3.0 snap-in.  Other requirements for BDD are Windows Script Host (WSH) 5.6 and it also makes use of various other tools that may be downloaded from within the BDD Workbench:

  • Windows Automated Installation Kit (WAIK).
  • Application Compatibility Toolkit (ACT) 5.0.
  • User State Migration Tool (USMT) 3.0.
  • MSXML 6.0.
  • Key Management Server (KMS) (and associated management pack).
  • Volume Activation Management Tool.
  • Office Migration Planning Manager.
  • Windows Vista Hardware Assessment

Screenshot of the BDD 2007 Workbench

After installation of BDD (supplied as Windows Installer .MSI file, together with a quick start guide and deployment tools overview – both of which are worth reading), the primary folders are held in %programfiles%\BDD 2007\ and consist of:

  • \BIN – BDD Workbench console and supporting files.
  • \Documentation – documentation.
  • \Downloads – storage for components downloaded by BDD 2007.
  • \ManagementPack – BDD management pack files.
  • \Samples – sample task sequence scripts.
  • \Scripts – scripts used by the BDD Workbench.
  • \Templates – master template files used for defaults in unattended Windows installations.
  • \Temporary – temporary storage space.

Other tools (e.g. the WAIK and ACT) add their own folders to the BDD file structure.

The installation also creates a \Distribution folder on the drive with the largest amount of free space (or at a custom location supplied during installation).  This contains the following subfolders, all of which except \Scripts and \Tools are empty at installation time:

  • \$OEM$ – files and folders to be copied to the destination computer during Windows Vista setup.
  • \Applications – any application files that are installed as part of deployment.
  • \Captures – images captured using ImageX.
  • \Control – storage of files used by the BDD execution engine.
  • \Operating Systems – any operating system files that are installed as part of deployment.
  • \Out-of-Box Drivers – driver files not delivered by default with Windows Vista.
  • \Packages – Windows Vista-compatible packages for installation with the operating system (security updates, language packs, service packs, etc.) in cabinet file (.CAB) or Windows Update (.MSU) format.
  • \Scripts – scripts used by the Lite Touch deployment engine.
  • \Tools – tools used by the deployment engine and the location of USMT source files.

Configuring BDD to deploy an operating system and applications consists of:

  1. Install BDD.
  2. Update/install additional components (e.g. WAIK, USMT) from within the BDD Workbench.
  3. Add one or more operating systems to the distribution share from within the BDD Workbench.  This could be a full set of source files, a custom image (.WIM) file (i.e. an image captured from a reference computer) or an image from a Windows Deployment Services server.  This operation can either copy the installation or move it from another location.
  4. Add any applications to the master image from within the BDD Workbench – applications can be moved/copied to the distribution share or existing locations may be referenced via a UNC path.  Specify any application settings (e.g. command line switches for a silent installation, or a working directory).
  5. Add any additional device drivers that are required within the master image, using the BDD Workbench.  The BDD tools look for .INF files, scanning all subfolders of the specified directory.
  6. Add any additional packages, such as operating system updates and language packs, using the BDD Workbench.
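A share that has been populated through the steps above is worth a sanity check before builds are deployed from it, because everything under \Packages and \Out-of-Box Drivers ends up inside the image and everything under \$OEM$ is copied to every destination computer. The following script is an added example, not part of BDD or of the original post: it checks that the subfolders listed earlier exist, scans \Out-of-Box Drivers recursively for .INF files in the same way the Workbench does, lists anything under \Packages that is not a .CAB or .MSU, and flags executable content under \$OEM$ for review. The sample share it builds in a temporary directory is constructed for the demonstration; the set of extensions flagged under \$OEM$ is an assumption.

```python
"""Inventory a BDD 2007 Distribution share before it is used for deployment.

Added example, not part of BDD or the original post. Builds a constructed
sample share so that it runs offline; point inventory_share() at a real share
(for example the UNC path of \\\\server\\Distribution$) for actual use.
"""
import os
import tempfile

# Subfolders BDD 2007 creates under \Distribution (as listed in the post).
EXPECTED_SUBFOLDERS = [
    "$OEM$", "Applications", "Captures", "Control", "Operating Systems",
    "Out-of-Box Drivers", "Packages", "Scripts", "Tools",
]
PACKAGE_EXTENSIONS = {".cab", ".msu"}
# Extensions worth a second look under $OEM$ (assumption; adjust to taste).
OEM_REVIEW_EXTENSIONS = {".exe", ".dll", ".vbs", ".cmd", ".bat"}


def _files_under(root):
    """Yield every file path below root, recursively."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def _matching(root, subfolder, keep):
    """Relative paths of files under root/subfolder for which keep(path) is true."""
    folder = os.path.join(root, subfolder)
    if not os.path.isdir(folder):
        return []
    return sorted(os.path.relpath(p, root) for p in _files_under(folder) if keep(p))


def inventory_share(root):
    """Return a report dict describing the distribution share at root."""
    return {
        "missing_subfolders": [f for f in EXPECTED_SUBFOLDERS
                               if not os.path.isdir(os.path.join(root, f))],
        # .INF files found by a recursive scan, as the Workbench does for drivers.
        "driver_infs": _matching(root, "Out-of-Box Drivers",
                                 lambda p: p.lower().endswith(".inf")),
        # Files under \Packages that the deployment engine will not treat as packages.
        "non_package_files": _matching(
            root, "Packages",
            lambda p: os.path.splitext(p)[1].lower() not in PACKAGE_EXTENSIONS),
        # Executable content under $OEM$ is copied to every deployed machine.
        "oem_review": _matching(
            root, "$OEM$",
            lambda p: os.path.splitext(p)[1].lower() in OEM_REVIEW_EXTENSIONS),
    }


def build_sample_share():
    """Create a constructed sample share in a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="bdd_distribution_")
    for sub in EXPECTED_SUBFOLDERS:
        if sub != "Captures":  # deliberately omitted to exercise the check
            os.makedirs(os.path.join(root, sub))
    sample_files = [  # constructed file names, not real drivers or updates
        "Out-of-Box Drivers/nic/vendor/e1000.inf",
        "Out-of-Box Drivers/nic/vendor/e1000.sys",
        "Out-of-Box Drivers/audio/hdaudio.INF",
        "Packages/KB-PLACEHOLDER.msu",
        "Packages/langpack.cab",
        "Packages/readme.txt",
        "$OEM$/$1/Tools/helper.exe",
        "$OEM$/$1/wallpaper.bmp",
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    for key, value in inventory_share(build_sample_share()).items():
        print(key, value)
```

Run as-is it reports the missing \Captures folder, two .INF files, the stray readme.txt under \Packages and helper.exe under \$OEM$; on a real share the same report is a quick way to spot content that was dropped in by hand rather than through the Workbench.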

Once the master image is established, it’s necessary to define one or more builds.  Each build has an identifier (which must not contain spaces) as well as a name and a number of associated comments.  The build defines an operating system, along with key details such as product keys and the Administrator password and, once created, the build properties can be amended to customise settings, optionally launching the Windows System Image Manager to edit the unattend.xml file that controls the Vista installation.

Finally, the deployment point must be configured:

  • Builds may be deployed using the local BDD distribution point (shared as \\%computername%\Distribution$), a separate share on the local or a remote computer, as a .ISO image for use on removable media (DVD, USB flash drive, etc.), or via SMS 2003/SCCM 2007 (which facilitates ZTI installations).  Note that SMS 2003 requires the SMS 2003 Operating System Deployment (OSD) Feature Pack whereas SCCM has OSD functionality built into the product.
  • Various options exist to control the user experience during deployment (e.g. the selection of other applications during installation).
  • It may be necessary to create/update the Windows pre-installation environment (WinPE) images that are used to connect to a deployment point.  The resulting .WIM files (found on the distribution point in a \Boot folder) can be added to a Windows Deployment Services (WDS) server as a bootable PXE image for bare-metal deployment whereas the .ISO file equivalents can be mounted in a virtual machine or booted from removable media.  During the creation of these images, tasks are logged in %temp%\DeployUpdates_x86.log.  Generic images are generic_x86.wim and generic_x86.iso.

At this stage, BDD is ready to deploy builds to workstations; however there are some additional capabilities:

  • It is possible to define a SQL Server database to store details of deployed computers.
  • Images may be captured using BDD deployment points such that there is no requirement to separately run SysPrep or ImageX.  The Windows Deployment Wizard (invoked from the Windows PE images created earlier) automatically runs both of these utilities in order to prepare and capture an image.

Now is the time to start planning for Windows Server 2008

I recently attended a presentation at which the CA (formerly Computer Associates) Director of Strategic Alliances, Dan Woolley, spoke about how CA is supporting Windows Server 2008.

CA is not a company that I associate with bringing products to market quickly and I understand why companies are often reticent to invest in research and development in order to support new operating system releases.  Hardware and software vendors want to see customer demand before they invest – just look at the debacle with Windows Vista driver support! There are those that blame Microsoft for a lack of device support in Windows Vista but they worked with vendors for years (literally) before product launch and even now, a full year later, many items of hardware and software have issues because they have not been updated. That’s not Microsoft’s fault but a lack of foresight from others.

It’s true that some minor releases are probably not worth the effort, but supporting a new version of Windows, or a new version of a major server product like Exchange Server or SQL Server should be a no-brainer.  Shouldn’t it?

It’s the same with 64-bit driver support (although Microsoft is partly to blame there, as their own 64-bit products seem to lag behind the 32-bit counterparts – hopefully that will change with the "Longhorn" wave of products).

Dan Woolley’s presentation outlined the way that CA views new product releases and, whilst his view was that they are ready when the customers are ready, from my perspective it felt like a company justifying why they wait to provide new product versions.

He made the point that CIOs expect infrastructure to be extensible, stable, flexible and predictable (they abhor change as the impact of change on thousands of customers, users, and servers is difficult to understand) and how they:

  • Deliver services to facilitate corporate business (so require a stable infrastructure platform).
  • Work to maximise IT investments.

That may be true but Woolley didn’t consider the cost of running on legacy systems.  Last year I was working with a major accounting firm that was desperate to move away from NT because the extended support costs were too high (let alone the security risks of running on an operating system for which no new patches are being developed).  As recently as 2005, I worked with a major retailer whose back office systems in around 2000 outlets are running on Windows NT 3.51 and whose point of sale system depends on FoxPro for MS-DOS!  Their view is that it works and that wholesale replacement of the infrastructure is expensive.  The problem was that they were struggling to obtain spare parts for legacy hardware and modern hardware didn’t support the old software.  They were literally running on borrowed time (and still are, to the best of my knowledge).

CA’s view is that, when it comes to product deployment, there are five types of organisation:

  • Innovators – investigating new products in the period before they are launched, e.g. Microsoft’s Technology Adoption Programme (TAP) customers.
  • Early adopters – who work with new products from the moment they are launched up to around about the 9 month point.
  • General adoption – product deployment between 9 months and 4 years.
  • Late adopters – deploying products towards the end of their mainstream support (these organisations are probably running Windows 2000 and are only now looking at a move to Windows Server 2003).
  • Laggards – the type of customers that I described earlier.

Looking at the majority of that group, there are a number of deployment themes:

  • Inquiring (pre-launch).
  • Interest and testing (post-launch).
  • Budgeting (~4 months after launch)
  • Prototyping and pilots (~1 year after launch).
  • Deployment (~18 months after launch)
  • Replacement/upgrade programmes (~5 years after launch – co-incidentally at the end of Microsoft’s mainstream support phase)
  • Migration (7+ years after launch – onto another platform altogether).

What is interesting though is that there are also two distinct curves for product deployment:

  • Sold licenses.
  • Deployed enterprise licenses.

This is probably because of the way that project financing works.  I know from bitter experience that it’s often better to buy what I need up front and deploy later because if I wait until the moment that I need some more licenses, the budget will not be forthcoming.  It seems that I’m not alone in this.

CA view their primary market as the customers on a general/late adoption timescale.  That sounds to me like a company trying to justify why its products are always late to market.  Windows Server 2008 will launch early next year and serious partners need to be there with products to work with the new operating system right from the launch – innovators expect a few problems along the way but when I’m trying to convince customers to be early adopters I don’t want to be held back by non-existent management agents, backup clients, etc.

CA’s view supports the "wait for service pack 1" mentality but then Woolley closed his presentation by stating that CA builds on Microsoft platforms because they consider them to be extensible, stable, flexible and predictable and because they will allow the delivery of service to facilitate corporate business imperatives and maximise IT investments.  He stated that CA has been working with Microsoft on Windows Server 2008 architecture reviews, design previews, TAPs and logo testing but if they are truly supportive of Microsoft’s new server operating system, then why do they consider their primary market as not being ready for another year?

Once upon a time hardware led software but in today’s environment business is supported by software and the hardware is just something on which to run the software.  In today’s environment we have to consider a services model.  Microsoft’s move towards regular monthly patches supports this (they are certainly less focused on service packs with the last service pack for Windows XP – the client operating system with the largest installed base – having shipped over three years ago).

Windows Server 2008 is built on shared code with Windows Vista so the early hiccups and device adoption should already have been ironed out.  That means that Windows Server 2008 should not be viewed as "too new", "too disruptive" (it will actually ship at service pack 1 level) and, all being well, the adoption curve may be quicker than some think.

First post from Windows Live Writer

I have a strange relationship with Microsoft’s Windows Live services.  To some extent, I have the same issue with Google in that sometimes I find them really useful but then I get uncomfortable with storing all of my information "in the cloud", rather than on a server that I control (and don’t get me started on the data that the UK Government stores on me…).

Well, for once, Microsoft seems to have the right idea.  It may all be based around shoring up their traditional cash cows of Windows and Office, but instead of saying "forget the desktop… switch to the webtop", they are developing applications that bridge the gap between desktop and web (as are Google with Google Gears).

A few months back I wrote about blogging from within Microsoft Office and this is my first post using Windows Live Writer.  Although I’ve only been using it for a few minutes I’m impressed – and this is why:

  • Firstly, although the installer told me about the other Windows Live applications that I might like to try, it didn’t force them on me.
  • Secondly, it was perfectly happy to accept that I don’t use Windows Live Spaces for blogging.
  • Thirdly, it was able to detect the settings for my WordPress site without me supplying any more than a URL, username and password – and then the advanced settings were quite happy with the idea that I publish images via FTP rather than storing them in the WordPress database.
  • It also downloaded the stylesheet that I use, so as I write this (offline), I can see what the post will look like when I publish (there are options to view unstyled, with the layout that I use on the site, preview the post on the site, or view the code).  I can also see that it’s also using valid XHTML.

For the last few years, I’ve been writing on the train using Windows Notepad or gedit, then coming home and finishing the post with weblinks and additional information.

Now I can streamline the process with Windows Live Writer (including setting categories and a publishing date) so that the rework when I get home should be fairly minimal.

Links

Windows Live Writer team blog

25 million people caught up in UK Government data security fiasco

I’m treading carefully here to avoid political comment but, for those who haven’t seen tonight’s news, a UK Government department has lost the personal details for 25 million people including names, dates of birth, national insurance/child benefit numbers and bank details. On a CD. In the post.

So, I’d like to thank HM Revenue and Customs for making such a monumental **** up with my family’s personal information. In this day and age, I find it amazing that two government departments have to transfer data between one another on CD (isn’t that why they have a Government Secure Intranet?) but to send that in the internal mail (unregistered) is amazingly inept (and, according to tonight’s BBC News, against Government guidelines). Furthermore, the news report I heard said that the passwords protecting the data could be cracked in seconds, so I’m interpreting that as a statement that the data wasn’t even encrypted.

What makes it so galling is that the information was being transferred to the National Audit Office. Surely they can be trusted to access the Revenue’s systems directly without needing a database extract on CD? And why did it take nearly 3 weeks for someone to report that the data was missing?

Fair enough, names and dates of birth are public information and bank details are not exactly top secret (my bank has told me it’s not something to be too concerned about) but it puts my own attempts to maintain data security into perspective. If the Government can’t keep my identity safe, who can?

Anybody who is concerned about the implications of this data breach should check out the HMRC and APACS information on the data loss.

A clear virtualisation licensing and support statement from Microsoft

I’ve commented before about the licensing implications for Windows Server in a virtual infrastructure but yesterday, I was at a Microsoft partner event during which Microsoft UK’s Clive Watson gave an extremely clear explanation of Microsoft’s position and I thought that it was worth repeating here:

  • The current version of Windows Server (Windows Server 2003 R2) is licensed by association (not installation). This means that, regardless of whether the operating system is actually installed or not, a purchased operating system license can be associated with a device. In practice I can run any operating system I like on a server and, if I associate a legally purchased copy of Windows Server 2003 R2 with it, then I’m licensed to run Windows Server 2003 R2 on it.
  • Each Windows Server 2003 R2 Enterprise Edition license also allows up to four virtual copies of Windows Server 2003 R2 – so if I associate a Windows Server 2003 R2 Enterprise Edition license with a server, I can run any virtualisation product on the server and I am licensed for 4 virtual machines (VMs) running Windows Server 2003 R2.
  • Multiple licenses can be associated with a device, so if I associate two Windows Server 2003 R2 Enterprise Edition licenses with a server then I can run 8 Windows Server 2003 R2 virtual machines, 3 licenses allows 12 VMs, etc.
  • There is a point after which it becomes more cost-effective to use Windows Server 2003 R2 Datacenter Edition, which is licensed per physical CPU. This allows unlimited virtual instances of Windows Server 2003 R2 to be run. Datacenter Edition used to be available exclusively from OEMs but that is no longer the case.
  • There are also grandfathering rights, so the Windows Server 2003 R2 licenses can be used for previous versions of Windows Server, as long as they are still supported (i.e. back to Windows 2000, which is currently in its extended support phase). For client operating systems (i.e. Windows 2000 Professional, XP and Vista) and operating system versions that are out of support (e.g. Windows NT), a separate non-OEM license must be owned in order for a virtual machine to be legally licensed. For volume license customers, there are arrangements to allow upgrade from an OEM copy of Windows and there is also the Vista Enterprise Centralised Desktop (VECD) programme for customers who are looking at running a virtual desktop infrastructure.
  • Only active VMs need to be licensed – so an unlimited number of virtual machines can be held in a library for activation on a host server (subject to the limits on the number of running VMs at any one time).

The long and short of it is that I can run VMware ESX Server, Citrix XenSource or any other virtualisation product and by associating one or more Windows Server 2003 R2 Enterprise/Datacenter Edition licenses with the physical server(s), I am licensed for a number of active (and unlimited inactive) Windows Server 2003 R2/Server 2003/2000 Server virtual machines. A licensing calculator is also available.

With regards to support, the situation is less clear. Microsoft’s common engineering criteria ensure that all products since 2005 have shipped with support for Microsoft Virtual Server 2005 and this has now been updated to include Hyper-V. There are a few exceptions to this (products that are in the process of being retired and products with hardware requirements that cannot be met through virtualisation). Microsoft knowledge base article 897615 discusses the support policy for Microsoft software running in non-Microsoft hardware virtualisation environments and, crucially, says that:

Microsoft does not test or support Microsoft software running in conjunction with non-Microsoft hardware virtualization software

Effectively, Microsoft will use commercially reasonable endeavours where a customer has a Microsoft support agreement but may require an issue to be replicated on physical hardware (or using Microsoft virtualisation).

One more point that’s worth mentioning – Microsoft doesn’t just support its own operating systems in a virtual environment – Microsoft knowledge base article 867572 lists the supported guest and host OSs including Red Hat Enterprise Linux and Novell SUSE Linux Enterprise Server – and Microsoft are keen to stress that support is end-to-end (i.e. Microsoft applications, any supported operating system and the Microsoft virtualisation product) with agreements in place to back off Linux operating system support to XenSource/Novell where required with Microsoft remaining the primary point of contact.

Windows Live OneCare 2.0… proof readers required?

Overnight, I received an e-mail from the Windows Live OneCare team announcing the end of the OneCare 2.0 beta. That’s good news (OneCare is not exactly inexpensive and new features would be welcome) but then I read a bit more closely:

[…] Beta to Close at End of December 2007
We wanted to give you an advance notice that the (v2.0) beta will be closing at the end of February […] To thank you for your participation, we’re extending a special introductory offer […] at 39.95 AUD for a year[…]

[Emphasis added by the author]

Let’s just hope that the beta testing was better than the proof reading and mail merge on the communications. I have a .co.uk e-mail address and I haven’t lived in Australia for six years. At least when I click on the link the special price is £14.99 (i.e. pounds sterling).

Using an iPhone for e-mail with Exchange Server

Whilst I’m not trying to suggest that the Apple iPhone is intended for business users (I’d suggest that it’s more of a consumer device and that businesses are wedded to their Blackberries or, more sensibly in my opinion, Windows Mobile devices) it does seem to me that there’s been a lot of talk about how it can’t work with Microsoft Exchange Server – either blaming Apple for not supporting the defacto standard server for corporate e-mail or Microsoft for not being open enough. Well, I’d like to set the record straight – the iPhone does work with Exchange Server (and doesn’t even need the latest version).

My mail server is running Microsoft Exchange Server 2003 SP2 and has nothing unusual about its configuration. I have a relatively small number of users on the server, so have a single server for secure Outlook Web Access (OWA, via HTTPS) and Outlook Mobile Access (OMA, via HTTP) and mailbox access (MAPI-RPC for Outlook, IMAP for Apple Mail, WebDAV via OWA for Entourage). I have also enabled HTTP-RPC access (as described by Daniel Petri and Justin Fielding) so that I can use a full Outlook client from outside the firewall.

It’s the IMAP access that’s the critical component of the connection as, whichever configuration is employed, the iPhone uses IMAP for communication with Exchange Server and so two configuration items must be in place:

  • The server must have the IMAP service started.
  • The user’s mailbox must be enabled for IMAP access.

Many organisations will not allow IMAP access to servers, either due to the load that POP/IMAP access places on the server or for reasons of security (IMAP can be secured using SSL, as I have done – Eriq Neale has written a step by step guide on how to do this for Windows Small Business Server 2003 and the process is identical for Exchange Server 2003).

In addition, firewalls must allow access to the Exchange server on the appropriate TCP ports – IMAP defaults to port 143; however secure IMAP uses TCP port 993. SMTP access will also be required (typically on TCP port 25 or 587). You can confirm that the ports are open using telnet servername portnumber.

Screenshot: using telnet to test port access for IMAP and SMTP

Note that even if the connection between the iPhone and Exchange Server is secure, there are no real device access controls (or remote wipe capabilities) for an iPhone. Eriq Neale also makes the point that e-mail is generally transmitted across the Internet in the clear and so is not a secure method of communication; however it is worth protecting login credentials (if nothing else) by securing the IMAP connection with SSL.
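The telnet check above only tells you that a port answers; it does not tell you whether a login on that port would travel in the clear, which is the point of the SSL caveat. The following script is an added example, not part of the original post or of Exchange: it connects to the ports listed earlier, reads the server greeting and, on the plaintext ports, asks the server whether STARTTLS is offered, then turns the results into findings. Hostnames are placeholders, and the fake IMAP responder is constructed so the script can be run offline; it stands in for an Exchange IMAP service and is not Exchange code.

```python
"""Check the IMAP/SMTP ports an iPhone needs and whether they offer TLS.

Added example, not part of the original post. Replace the fake responder
used in __main__ with the real server name for actual use.
"""
import socket
import ssl
import threading

# Ports named in the post: plaintext IMAP, IMAP over SSL, SMTP, SMTP submission.
PORTS = {143: "imap", 993: "imaps", 25: "smtp", 587: "smtp"}


def parse_imap_greeting(line):
    """True if line is an IMAP server greeting (* OK or * PREAUTH)."""
    return line.startswith("* OK") or line.startswith("* PREAUTH")


def parse_smtp_banner(line):
    """True if line is an SMTP 220 service-ready banner."""
    return line.startswith("220")


def starttls_offered(reply):
    """True if STARTTLS appears in an IMAP CAPABILITY or SMTP EHLO reply."""
    return "STARTTLS" in reply.upper()


def _read_until(sock, done):
    """Read CRLF-terminated lines until done(line) is true or the peer closes."""
    buf, lines = b"", []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return lines
        buf += chunk
        while b"\r\n" in buf:
            raw, buf = buf.split(b"\r\n", 1)
            lines.append(raw.decode("ascii", "replace"))
            if done(lines[-1]):
                return lines


def _smtp_final(line):  # "250 ..." ends a reply, "250-..." continues it
    return len(line) > 3 and line[3] == " "


def probe(host, port, protocol=None, timeout=5.0):
    """Connect to host:port; report reachability, greeting and TLS posture.

    'tls' is 'implicit' (IMAPS), 'starttls', 'none', or None if not determined.
    """
    protocol = protocol or PORTS[port]
    result = {"port": port, "protocol": protocol, "reachable": False,
              "greeting_ok": False, "tls": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return result
    result["reachable"] = True
    try:
        if protocol == "imaps":
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            result["tls"] = "implicit"
        if protocol == "smtp":
            result["greeting_ok"] = parse_smtp_banner(_read_until(sock, _smtp_final)[0])
            sock.sendall(b"EHLO probe.example\r\n")
            reply = _read_until(sock, _smtp_final)
            result["tls"] = "starttls" if starttls_offered("\n".join(reply)) else "none"
            sock.sendall(b"QUIT\r\n")
        else:
            result["greeting_ok"] = parse_imap_greeting(_read_until(sock, lambda _l: True)[0])
            if protocol == "imap":
                sock.sendall(b"a1 CAPABILITY\r\n")
                reply = _read_until(sock, lambda l: l.startswith("a1 "))
                result["tls"] = "starttls" if starttls_offered("\n".join(reply)) else "none"
            sock.sendall(b"a2 LOGOUT\r\n")
    except (OSError, ssl.SSLError, IndexError):
        pass  # leave whatever was established; unknown fields stay False/None
    finally:
        sock.close()
    return result


def assess(results):
    """Turn probe results into findings a mail administrator would act on."""
    notes = []
    for r in results:
        tag = "port %d (%s)" % (r["port"], r["protocol"])
        if not r["reachable"]:
            notes.append(tag + ": not reachable (closed or filtered)")
        elif not r["greeting_ok"]:
            notes.append(tag + ": reachable but no valid greeting; check the service")
        elif r["tls"] == "none":
            notes.append(tag + ": plaintext without STARTTLS; logins would cross the network in the clear")
        else:
            notes.append(tag + ": TLS available (%s)" % r["tls"])
    return notes


def start_fake_imap_server(offer_starttls=False):
    """Constructed stand-in for an IMAP listener on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    caps = "IMAP4rev1 AUTH=NTLM" + (" STARTTLS" if offer_starttls else "")

    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            conn.sendall(b"* OK IMAP4rev1 server ready\r\n")
            while True:
                data = conn.recv(1024)
                if not data or b"LOGOUT" in data:
                    break
                if b"CAPABILITY" in data:
                    conn.sendall(("* CAPABILITY %s\r\na1 OK done\r\n" % caps).encode())
            conn.sendall(b"* BYE\r\na2 OK\r\n")
        except OSError:
            pass
        finally:
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration; for a real check use probe("servername.domainname.tld", 993) etc.
    port = start_fake_imap_server(offer_starttls=False)
    for note in assess([probe("127.0.0.1", port, protocol="imap")]):
        print(note)
```

For a real server, call probe for each port in PORTS and pass the list to assess; a reachable port 143 that reports "plaintext without STARTTLS" is the configuration the SSL advice above is warning about, and the fix is either to close 143 at the firewall or to make sure the device is set to port 993 with SSL on, as in the settings below.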

Interestingly, the iPhone has two mail account setup options that could work with Exchange Server and experiences on the ‘net seem to be varied. IMAP should work for any IMAP server; however there is also an Exchange option, which didn’t seem to work for me until I had HTTP-RPC access properly configured on the server. That fits with the iPhone Topic article on connecting the iPhone to Exchange, which indicates that both OWA (WebDAV) and HTTP-RPC are required (these would not be necessary for pure IMAP access).

The final settings on my iPhone are:

Settings – Mail – Accounts – accountname

Exchange Account Information
  Name: displayname
  Address: username@domainname.tld
  Description: e.g. Work e-mail

Incoming Mail Server
  Host Name: servername.domainname.tld
  User Name: username
  Password: password

Outgoing Mail Server
  Host Name: servername.domainname.tld
  User Name: username
  Password: password

Advanced – Mailbox Behaviors
  Drafts Mailbox: Drafts
  Sent Mailbox: Sent Items
  Deleted Mailbox: Deleted Items

Advanced – Deleted Messages
  Remove: Never

Advanced – Incoming Settings
  Use SSL: On
  Authentication: NTLM
  IMAP Path Prefix:
  Server Port: 993

Advanced – Outgoing Settings
  Use SSL: On
  Authentication: NTLM
  Server Port: 25

(Advanced settings were auto-configured.)

A few more points worth noting:

Hyper-V is the new name for Windows Server Virtualization

Last week I was in Redmond, at a Windows Server 2008 technical conference. Not a word was said about Windows Server 2008 product packaging (except that I think one speaker may have said that the details for the various SKUs were still being worked on). Well, it’s amazing how things can change in a few days, as one of the big announcements at this week’s TechEd IT Forum 2007 in Barcelona is the Windows Server 2008 product pricing, packaging and licensing. I don’t normally cover “news” here – there are others who do a much better job of that than I would – but I am interested in the new Hyper-V announcement.

Hyper-V is the new name for the product codenamed Viridian, also known as Windows Server Virtualization, and expected to ship within 180 days of Windows Server 2008. Interestingly, as well as the SKUs that were expected for web, standard, enterprise, datacenter and Itanium editions of Windows Server 2008, there will be versions of Windows Server 2008 standard, enterprise and datacenter editions without the Hyper-V technology (Hyper-V will only be available for x64 versions of Windows Server 2008) as well as a separate SKU for Hyper-V priced at just $28.

$28 sounds remarkably low – why not just make it free (and greatly simplify the product model)? In any case, this places Hyper-V in a great position to compete on price with Citrix Xen Server or VMware ESX Server 3i (it should be noted that I have yet to see pricing announced for VMware Server 3i) – I’ve already written that I think Hyper-V has the potential to compete on technical merit (something that its predecessor, Virtual Server 2005 R2, couldn’t).

At the same time, Microsoft announced a Windows Server Virtualisation validation programme – designed to validate Windows Server with virtualisation software and enable Microsoft to offer co-operative technical support to customers running Windows Server on validated, non-Windows server virtualisation software platforms (such as Xen) as well as virtualisation solution accelerators and general availability of System Center Virtual Machine Manager 2007.

Whilst VNU are reporting that VMware are “unfazed” by the Microsoft Hyper-V announcement, I have absolutely no doubt that Microsoft is serious about making a name for itself in the x86/x64 server virtualisation market.

The great iPhone insurance swindle

A few days ago, I wrote about my purchase of the latest consumer gadget – the Apple iPhone.

Unlike many others, I didn’t queue and the transaction was smooth but I was concerned that I was mis-sold insurance for the device. The conversation went something like this (I didn’t record the exact words at the time – but I wish I had):

O2 sales representative – let’s call her Emma (because, according to my sales receipt, that was her name): “Would you like any insurance for your iPhone? It’s only £7.50 a month and covers you for theft, accidental loss or damage not covered by the warranty but it’s only available at the time of purchase – not afterwards – so you would need to take it out now.”

Me: “No thanks – I know I’d be committed to the contract but even so that that’s a lot of money over 18 months. I’ll take the risk of another £269 to replace the iPhone.”

Emma: “Are you sure, because it wouldn’t be £269 – it’s more like £600 for a new iPhone from O2?”

Me: “How can that be – the handset isn’t subsidised, so I should only need to pay for a new handset at the normal retail price?”

Emma: “We don’t make the rules… that’s Apple.”

I subsequently agreed to buy the insurance, after checking that I could cancel at any time.

Yesterday, I asked about insurance in a Carphone Warehouse store and was given a similar response. I also asked in an Apple Store and was told that they thought it was just the cost of a new iPhone but that I’d need to check with O2.

Hmm… I smell a rat here. Especially when the O2 website says that:

“[…]insurance must be purchased within 28 days of activating your iPhone account with O2.”

So, not at the time of purchase then.

It got even worse when I read a PC Pro article about iPhone first impressions, from which I quote:

[in respect of] “O2 pushing £7.50/month insurance, to cover the situation that in the case of a lost iPhone, O2 will require the unlucky punter to buy a new phone and undertake a second contract”

[…]

We checked with O2 this morning and, unbelievably, this is true. If you lose your iPhone without insurance, then you will have to splash out on a new handset, and take out a new contract, paying two monthly tariffs at once. Now that is a costly mistake.

UPDATE

O2 has changed tack this morning, and is now claiming that customers won’t have to pay for two contracts at once, but they will have to source an iPhone on their own.

Now, the exact wording in the terms of service (under “Ending the agreement”) is:

“8.3 If this Agreement is ended during the Minimum Period, you may be required to pay us the monthly subscription charges up to the end of that Minimum Period. This does not apply if you end the Agreement for the reasons in paragraph 8.4 or if you purchase a new iPhone from us, but in this case you agree that a new Minimum Period will apply.

8.4 You may end this Agreement by giving us written notice if:

(a) we break this Agreement in any material way and we do not correct the situation within 7 days of receipt of your written request;

(b) we go into liquidation or a Receiver is appointed over our assets; or

(c) we increase charges for calls, messages or data that form part of your inclusive allowance or your Line Rental Charges, or change this Agreement to your significant disadvantage, in accordance with paragraph 9.2 of the General Terms, provided you give us a minimum of 30 days’ written notice (and provided you notify us within one month of our telling you about the changes). This does not apply where the increase or change relates solely to Additional Services in which case you may cancel, or stop using, that Additional Service.”

[Emphasis added by the author for clarity]

I’m no lawyer (so please don’t interpret anything written here as legal advice) but that sounds like I can just buy a new iPhone (from O2) and connect it to the account, whereupon a new 18-month contract will start but, crucially, there is no mention of the price of the replacement.

After spending much of the day responding on the Apple discussion forums (and not having received a response to my online query via the O2 website), I called O2’s customer service department on 08705860860. After a 20 minute discussion, I got confirmation that:

  1. A replacement handset would be available at the current recommended retail price of the iPhone.
  2. The original contract would be ended if a new iPhone was purchased; however a new 18 month contract period would commence.

The exact text of the response I received from O2 was:

“Hello Mark,

As per our discussion today. If you were to purchase a replacement handset you would pay the Recommended Retail Price for the replacement (as of the 13/11/07 it is £269, this price is subject to change). However, please be assure that you will only have to pay the same price as any new customer and would not be required to pay a premium due to the lose [sic].

The only concession you would need to make is that your contract would have to start again from the time of purchasing the replacement please see terms and conditions (relevant section follows).

“8.3 If this Agreement is ended during the Minimum Period, you may be required to pay us the monthly subscription charges up to the end of that Minimum Period. This does not apply if you end the Agreement for the reasons in paragraph 8.4 or if you purchase a new iPhone from us, but in this case you agree that a new Minimum Period will apply.”

[…]

Kind regards and enjoy your I-phone [sic],

[Name removed to protect the O2 employee’s privacy]
O2 Customer Service.”

That sounds perfectly fair to me, so why are the iPhone retailers pushing insurance on people who probably don’t need it? Sure, £269 is a lot to stump up if you lose your phone but it’s a big difference from the £600 that I was quoted for a new handset and £135 is not a small amount for insurance that I probably don’t need (chances are my household contents insurance covers me – albeit with a large excess). It seems to me that O2 are preying on consumers’ insecurities (and Carphone Warehouse seem to be even worse, based on the contents of an Apple forum thread).

I’m surprised that Apple would risk their strong brand dealing with companies that operate in this manner (I guess that’s what happens when you deal with the Devil – i.e. pretty much any telecommunications company) but I’m now seeking confirmation that my insurance has been cancelled without charge (I believe that UK law gives me 14 days to cool off from any insurance policy and I’ve yet to receive any written details of the cover) as well as a goodwill credit on my O2 account to cover me for the worry and inconvenience that this has caused. I’ll post an update if there’s any significant news on this…

Managing simultaneous access to resources from both internal and external DNS namespaces

When I originally set up my Active Directory, I used an internal DNS namespace, with a .local TLD (as was the advice at the time – no longer recommended). Essentially, my external domains are managed by my hosting providers and I manage the internal namespace. Simple.

Then I set up a few Internet-facing resources at home. I decided to create a secondary forest using a subdomain of my main external DNS namespace so that:

  • domain.local was the AD-integrated DNS for internal (private) resources.
  • domain.tld was managed by my hosting provider for external resources.
  • subdomain.domain.tld was the AD-integrated DNS for Internet-facing resources under my control.

I also added a forwarding rule on the DNS server to send requests for subdomain.domain.tld to the authoritative DNS server for the domain (under my control) but to send requests for domain.tld and all other domains to the ISP’s DNS servers.

That worked well but, because my mail server is known by two different names internally and externally (mailserver.domain.tld for external access and mailserver.subdomain.domain.tld for internal access) and these actually resolve to the same physical server, I get certificate errors when using the internal name (the server’s certificate doesn’t match that name). Furthermore, I’m unable to access the server from inside my firewall using the external name, because mailserver.domain.tld actually resolves to the public IP address of my router, from where IP filtering and NAT port-forwarding rules forward the packets to the mail server – and those rules only apply to traffic arriving from the Internet.

I needed mail clients to work with the same server name (mailserver.domain.tld) whether they were accessing the server on the internal or external networks, so I made some changes:

  1. My hosting provider sent me a copy of the DNS zone file for domain.tld and I imported this to my internal DNS server, so the zone is now hosted locally as well as at the provider.
  2. Next, I deleted the forwarding rule for domain.tld (leaving the one for subdomain.domain.tld in place); with the zone hosted locally, queries for it are answered directly rather than forwarded to the ISP.
  3. Then, I edited the entries for the servers that needed to be accessed with the same name internally and externally so that, instead of resolving to the external IP address of my router, they resolved to the actual IP address of the server (which is in an RFC 1918 private range).
  4. Finally, nslookup helped me to confirm that the addresses were resolving correctly on the internal and external networks – effectively getting one set of results on the Internet from my hosting provider and another set on the internal network from my DNS server.
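As an added example (this is not the author’s own script or setup), the following Python does steps 1 to 4 offline: it takes a copy of the public zone as a hosting provider might export it, rewrites the A records for the hosts that must resolve to internal addresses, adds any internal-only hosts that have no public record, and then performs the checks that nslookup was used for by hand: that nothing in the internal view still points at the router’s public address, and that nothing in the public view carries an RFC 1918 address. The zone contents, host names and IP addresses are constructed for the example (RFC 5737 documentation ranges on the public side), not values from the post.

```python
"""Split-horizon DNS helper: build the internal view of a public zone.

Added example, not the author's own script. The zone text, host names and
addresses below are constructed for illustration (RFC 5737 documentation
ranges for the public side, RFC 1918 for the internal side).
"""
import ipaddress
import re

# Constructed sample: a cut-down BIND-style export of domain.tld as a
# hosting provider might supply it. mailserver points at the router's
# public address, where NAT forwards the traffic to the real server.
PUBLIC_ZONE = """\
$ORIGIN domain.tld.
$TTL 3600
@           IN  SOA   ns1.hoster.example. hostmaster.domain.tld. (
                      2007111301 7200 900 1209600 3600 )
@           IN  NS    ns1.hoster.example.
@           IN  NS    ns2.hoster.example.
@           IN  A     198.51.100.10
www         IN  A     198.51.100.10
mailserver  IN  A     203.0.113.7
@           IN  MX    10 mailserver.domain.tld.
"""

ROUTER_PUBLIC_IP = "203.0.113.7"  # assumption: the router's WAN address

# Assumption: hosts that must resolve to their real address inside the
# firewall. 'intranet' has no public record at all and is internal-only.
INTERNAL_HOSTS = {"mailserver": "192.168.1.25", "intranet": "192.168.1.30"}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches one-line A records: "<owner> [ttl] [IN] A <address>".
A_RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$")


def parse_a_records(zone_text):
    """Return {owner: address} for every A record in a BIND-style zone."""
    records = {}
    for line in zone_text.splitlines():
        m = A_RECORD_RE.match(line)
        if m:
            records[m.group(1)] = m.group(2)
    return records


def build_internal_zone(zone_text, internal_hosts):
    """Copy the public zone, replacing the A records of internal_hosts with
    their RFC 1918 addresses. Every other line (SOA, NS, MX, records for
    hosts that really live at the provider) is kept exactly as published."""
    out, rewritten = [], set()
    for line in zone_text.splitlines():
        m = A_RECORD_RE.match(line)
        if m and m.group(1) in internal_hosts:
            owner = m.group(1)
            line = f"{owner:<11} IN  A     {internal_hosts[owner]}"
            rewritten.add(owner)
        out.append(line)
    # Internal-only hosts have no public record to rewrite, so append them.
    for owner in sorted(set(internal_hosts) - rewritten):
        out.append(f"{owner:<11} IN  A     {internal_hosts[owner]}")
    return "\n".join(out) + "\n"


def records_pointing_at(zone_text, address):
    """Owners still resolving to `address`. Run against the internal zone
    with the router's public IP, this must come back empty."""
    return sorted(o for o, a in parse_a_records(zone_text).items() if a == address)


def rfc1918_records(zone_text):
    """Owners with RFC 1918 addresses. Run against the public zone this must
    come back empty, or internal addresses are leaking to the Internet."""
    return sorted(o for o, a in parse_a_records(zone_text).items()
                  if any(ipaddress.ip_address(a) in net for net in RFC1918))


def compare_views(internal_zone, public_zone):
    """The split-horizon diff nslookup was used for by hand: owners whose
    answer differs between the two views, as (internal, public) pairs."""
    internal, public = parse_a_records(internal_zone), parse_a_records(public_zone)
    return {o: (internal.get(o), public.get(o))
            for o in sorted(set(internal) | set(public))
            if internal.get(o) != public.get(o)}


if __name__ == "__main__":
    internal_zone = build_internal_zone(PUBLIC_ZONE, INTERNAL_HOSTS)
    print(internal_zone)
    print("still at router:", records_pointing_at(internal_zone, ROUTER_PUBLIC_IP))
    print("leaked internal:", rfc1918_records(PUBLIC_ZONE))
    for owner, (inside, outside) in compare_views(internal_zone, PUBLIC_ZONE).items():
        print(f"{owner}: internal={inside} public={outside}")
```

The two check functions are the ones worth keeping around: `records_pointing_at` catches a host that was forgotten in step 3 (it would still be sent to the router from inside the firewall), and `rfc1918_records` run against whatever the hosting provider actually serves catches the reverse mistake of publishing the internal copy externally.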

The new setup looks like this (note that the IP addresses have been changed to protect the innocent):

[Diagram: Managing internal and external DNS lookups to the same resource]

Now I can seamlessly access my mail server using the same DNS name (mailserver.domain.tld) from wherever I roam to.

Two things to watch with this approach: the internal copy of domain.tld is now a separate zone, so any record my hosting provider adds or changes has to be mirrored by hand or internal clients will never see it; and the internal zone must only ever be served (and zone transfers only ever allowed) to the internal network, otherwise the RFC 1918 addresses in it leak to the Internet.