School of the future A Microsoft Education Cloud Infrastructure reference architecture

Post on 22-May-2020


Page 1: A Microsoft Education Cloud Infrastructure reference ...azurecdn.cdngeek.net/files/012172_d7_Schools_Infrastructure_White... · consuming Microsoft Azure services, which provide the


Contents

Preface 3

Introduction 4

Overview 5

The design 9

Design description 13

Partner solutions 33

Moving to the design – key transition scenarios 35

Kit list 39

Resources & links 42

Glossary 43

Financials 44


Preface

The following document is a Microsoft published whitepaper with the aim of providing high level design guidance as a blueprint for a school’s network infrastructure. The design uses currently available Microsoft technologies and is specifically intended to focus on cloud technologies and solutions delivered as a service. Many of the components are modular so they can be deployed, tested and commissioned in a controlled way to minimise the impact on the current environment.

This blueprint should be seen as current best practice for deploying Microsoft technologies in an educational environment and provides a route to take advantage of these technologies in a transition phase.

The design looks to meet the current requirements for a school to deliver a well-rounded educational environment for its staff and students.

This document should not be seen as a step-by-step manual for installation, but instead as an overview with specifics where appropriate. Links to technical documentation online are provided for further reading.

Whilst every effort has been made to cater for all eventualities and education contexts, the design will not be perfect for all scenarios and will require some adjustments. We recommend that advice should be taken from an accredited Microsoft education partner as part of any proposed solution deployment.

The document is aimed at a mainly technical audience who are responsible for the design and installation of education-based IT infrastructures. This includes, but is not limited to:

▪ Chief Technology Officers & Network Managers
▪ IT technicians & IT support teams
▪ Solution Architects

A number of specific design assumptions have been made to enable the design to cater for as many institutions as possible. The intent is to provide a solution which can be deployed now but is also aspirational for the future.

Design Assumptions
▪ Adequate Internet Bandwidth
▪ Device Agnostic for the devices connected to the design
▪ Today’s educational requirements for learning
▪ Day-to-day running of a school requirements


Introduction

Historically the IT infrastructure in schools has evolved around requirements to logically group and manage users and machines, typically around a local ‘domain’ in networking terminology. The services such as file storage, email, printing and applications are provided over a network by servers within the school. The actual user devices are sometimes managed and configured by solutions also running on more servers in the network. And the better managed systems have some form of back-up solution for the data and servers within the school. As ever increasing volumes of data and media are stored in email and file stores, more storage is purchased and bolted on to the network.

The infrastructure in today’s schools has usually evolved organically over time, and tends not to be optimised to take advantage of new opportunities enabled by the evolution of cloud services. There are many factors to this evolution. As the availability of high quality internet connections becomes more pervasive, new ways of delivering teaching and learning experiences become possible. At the same time personal computer devices are available at ever decreasing cost, enabling more ubiquitous use across the curriculum or even one-to-one scenarios with assigned devices.

It is the combination of devices and cloud services that enables the scenarios we see becoming the expected normal. Today’s pupils expect to be able to access and work on their assignments and project work from their device of choice – phone, tablet or laptop, wherever they happen to be. Flipped learning pedagogies encourage pupils to read, listen or watch course material prior to the actual classroom based learning activities.

The aim of this whitepaper is to outline a design or foundation which can realise and maximise the benefits offered to transform the teaching and learning environment with modern cloud services.


Overview

Microsoft’s vision for the school of the future is based on our overall vision to ‘Empower every Student and Teacher on the planet to achieve more’ in a world where technology is seen as cloud first, mobile first for the delivery of IT services. This is a model where the majority of staff and students are tech savvy and want to consume their IT services in much the same way they use consumer services today.


In this new landscape users will range from cloud connected service users through to the traditional full rich client experience, back office staff who are using line of business applications or those who are power users of Excel spreadsheets or other productivity tools such as graphic design and music.

The challenge in this model is to have a single set of services that cater to this broad range of requirements from low touch to rich experience and enabling different ways of working rather than forcing staff and students to work in a particular way often driven by the limitations set by the IT estate.

It is also important to the delivery of this vision that the tools and services deployed integrate tightly and natively, making interoperability a function of the toolset and not of the IT department’s ability to stitch often complex tools and applications together with custom solutions. This approach releases valuable IT staff time and knowledge to add value to the overall effectiveness of IT within schools.

Microsoft sees this integration starting with the device and working through the layers of services, all held together with a common identity model using Azure Active Directory.

Keeping these tools and services within the Microsoft product stack ensures this tight integration and a consistent end user experience.

Figure (diagram): Microsoft Cloud-based classroom. Service layers shown: Login; Content & Classroom (Sway); Productivity & Collaboration; 3rd Party Services; Apps Management; Class Rosters. Identity and roster flow: Students and Teachers from AD/LDAP and the SIS, fed into the cloud by Azure AD Connect and School Data Sync. Device models: 1:1 | Shared Cart | BYOD, At School or On the Go. Deployment: 11-click MDM enrollment; USB, on-premises, or over-the-air updates; 1st or 3rd party management provided by an ecosystem of management solutions.


There are a number of aspirational design goals for an initial delivery of cloud solutions; however, the main one is to maximise the use of O365, which is free, and then use native Microsoft Azure services where possible. The benefit of using native services is that the built-in resiliency and interoperability of the Microsoft platforms are included, such as redundant hardware, fault domains, upgrade domains, and redundant storage. This means that when consuming Microsoft Cloud services, in many cases no additional effort is needed to add resiliency to meet uptime requirements, as it is already there in the platform.

The introduction of public cloud introduces the concept of provisioning services with predefined SLAs and performance metrics rather than specifically building servers to host workloads. The cloud model impacts the depth and breadth of skills required within the in house IT teams as you push more of the management of the IT service back onto Microsoft to manage.

Source: Microsoft

Figure (diagram): who manages each layer of the stack in Traditional IT, IaaS, PaaS and SaaS. “You manage” means the school; “Delivered as a service” means Microsoft.

| Layer | Traditional IT | IaaS | PaaS | SaaS |
|---|---|---|---|---|
| Applications | You manage | You manage | You manage | Delivered as a service |
| Data | You manage | You manage | You manage | Delivered as a service |
| Runtime | You manage | You manage | Delivered as a service | Delivered as a service |
| Middleware | You manage | You manage | Delivered as a service | Delivered as a service |
| O/S | You manage | You manage | Delivered as a service | Delivered as a service |
| Virtualization | You manage | Delivered as a service | Delivered as a service | Delivered as a service |
| Servers | You manage | Delivered as a service | Delivered as a service | Delivered as a service |
| Storage | You manage | Delivered as a service | Delivered as a service | Delivered as a service |
| Networking | You manage | Delivered as a service | Delivered as a service | Delivered as a service |


This change enables in house IT staff to move up the value chain and spend more time working on improvements and strategic initiatives rather than on regular maintenance tasks. In the diagram above we show that as you move from the left side of traditional on premises hosting to the Software as a Service (SaaS) layer on the right, Microsoft takes more responsibility for the environment. The first step of any move to cloud is to assess and correctly fit the services in the current estate into the appropriate Infrastructure, Platform or Software as a service layer in the cloud. The optimal outcome for an initial cloud migration is likely a hybrid environment with workloads both on premise and in the cloud.

In order to get the maximum benefit when consuming Microsoft Azure services, applications should be moved as far up the cloud service models as is technically and economically feasible. The preferred order of cloud service models for consuming Microsoft Azure services, from the greatest benefit in terms of resiliency and management downwards, is:

1. SaaS (Software as a Service)
2. PaaS (Platform as a Service)
3. IaaS (Infrastructure as a Service)
4. Hybrid
5. On Premise

The table below shows how the Microsoft technologies in this document align functionally to the IT estate.

| Function | Microsoft Technology |
|---|---|
| Identity and Access Management | Azure Active Directory (Part of EMS Suite); Active Directory Domain Services |
| Desktop, Device and Server Management | Windows 10; Intune (Desktop and MDM); WSUS; Azure IaaS |
| Security and Networking | Azure Operational Insights; Microsoft Advanced Threat Analytics; Windows Server; Exchange Online Protection (O365) |
| Data Protection and Recovery | Azure Backup; Volume Shadow Copy; Azure Site Recovery |
| IT and Management | Microsoft Parature; Operational Insights; Azure Automation; Intune |
| Security | Azure Rights Management; Operational Insights; Microsoft Advanced Threat Analytics |


The design

The design 10

End User Experience 12
Students 12
Faculty 12
Back Office staff 12


The design

Figure (diagram): The design. Labelled areas are the School on Premise Network, Microsoft Azure (Azure subscription, Virtual Network, Azure Gateway Subnet DMZ, Azure Services) and Office 365, with ExpressRoute and a Carrier Circuit to the Internet joining them. Components shown: Management, Azure load balancer, Scheduler, DHCP, Primary Firewall, ADFS Proxy, Remote Desktop Services Gateway, Print Server and Printers, Active Directory, Hyper-V Host 1, StorSimple Storage (Azure), Virtual machine, Autoscaling, Traffic Manager, RemoteApp, Azure Automation, Backup Service, Monitoring, Root Certificate Authority, Azure MFA Server, Active Directory Federation Services, Azure Directory Sync, Database Servers, Web Servers, Application Servers, File Server, and Azure Active Directory fed by Directory Synchronisation.


The objective of this design is to provide an environment where staff and students can access the majority of their IT based services whether on site or remotely from a device of their choosing.

Depending on the number of migrated services, the on premise environment will reduce significantly. Based on the size of the school and the number of computers in use, this environment will likely be a single physical server running Hyper-V. Although this single on premise server presents a single point of failure, this blueprint is not leaving any mission critical workloads on premise. If your chosen interim or end state design keeps some critical workloads on premise, then multiple servers may be desired. These workloads can be protected with Azure Site Recovery if required.

On premise services will be limited to networking services like DHCP and DNS and Domain services. Some management tools will remain such as server patch management and operating system deployment. Printing will also remain.

The on premise environment will connect to Azure via either a site to site VPN for smaller schools or via express route for larger ones. Much of the connectivity to services like Office 365 is direct over the internet simplifying the wide area network topology significantly.

It is not yet possible to remove on premise Active Directory entirely, as there is a need to domain join servers and some staff workstations. There is also a need to provide service accounts for things like Hyper-V clusters. This on premise Active Directory will be stretched into Azure onto IaaS virtual machines, effectively creating a new AD site and allowing virtual machines in Azure to interact with the domain via a local instance.

Active Directory will be connected to Azure AD using a server, hosted in Azure, running AAD Connect. We highly recommend using Azure AD Premium to enable password write back and self-service password reset to reduce the number of password related tickets into the service desk.

Messaging services will move from on premise or hosted email servers to Office 365 Exchange Online where mailboxes for staff and students will be homed each with 50GB of storage.

SharePoint Online/OneDrive is the preferred destination for student and staff personal drives, department drives and other file storage requirements. SharePoint also provides powerful search capability and is accessible from devices both on and remote to the school network.

Instant Messaging and PSTN communication services will be provided by Skype for Business. Skype can also be used for webinars and online classes.

Application hosting and database services will be provided by Azure IaaS virtual machines. Where possible connectivity to the application should be via the internet to allow access remotely. If this is not possible this connectivity will be over the wide area connection to Azure. Remote access, if required, is provided by the Azure RemoteApp service.

Server backups will be carried out using Azure Backup which also supports SQL server natively. If the school has a requirement for DR for some services that remain on premise, this can be achieved using Azure Site Recovery.

PC, Mac and mobile endpoint management as well as software deployment and patching will sit with Intune.


End User Experience

Students

This Blueprint assumes, in the majority of cases, students will use Windows 10 devices which are cloud joined to Azure Active Directory. Older Windows desktop operating systems are supported in this design but the end user experience will vary.

Staff and students sign in with their Azure AD credentials and access their VLE, email and documents via a browser session, possibly navigating the different services via a dashboard style landing page hosted in SharePoint online. In order to support a shared device model in classrooms, students will use the Office 365 web app version of Office to create and edit work. Students are licensed for the full version of Office 2016 Pro Plus which can be deployed to these desktops if the preference is to provide a full desktop office experience. Other learning based applications should be delivered via a browser interface wherever possible ensuring that no data is persistent on the device. The device is registered and managed with Intune.

All the technology in this blueprint is available to older versions of the Windows desktop operating system but the ability to cloud join devices to Azure AD is unique to Windows 10.

For students doing courses that require access to the full Office Pro Plus suite this can be deployed on a per machine basis into the classrooms that require it. An added benefit is that students who have a full Office ProPlus license applied can install the desktop version of the product on a PC at home.

Apple Mac based courses like Media and Music can domain join the OSX operating system which allows staff and students to log in to the Mac with on premise AD credentials. Mac users can access email and other Microsoft cloud based services from the Mac browser.

Faculty

Like the standard student approach, Faculty devices are cloud joined Windows 10 with their data predominantly in SharePoint online document libraries. Faculty will have full Office Pro Plus installed and Outlook will be the primary mail client.

Faculty-facing applications should be web based as far as this is possible or deployed via RemoteApp if a rich client is required.

Back Office staff

Given the nature of the back office team and the applications they consume it is likely these staff members will remain on domain joined devices with applications deployed locally much as they are now. For these members of staff, Email and file services will still be provided from Office 365 as well as the intranet. Their devices will still be managed with Intune.


Design description

Azure Subscriptions and Office 365 tenancies 14
Office 365 Tenancy 14
Azure subscriptions 15

The Cloud Data Centre 16

Network and Connectivity 16
Overview 16
Azure VNets 17
Connectivity 18

AD and Identity solutions 19
Directory Services Overview 19
On Premise Windows Server Active Directory 20
Azure AD Cloud Identity 21

Servers, Storage & Files 21

Backup and Disaster recovery 22

Application services 24
The anatomy of an Azure VM 25

Management and Tools 26
IT System tools 26

Learning systems 27
Office365 27
Email 28
Documents 28
Archive 30

Data and BI 31

Telephony 32
Office 365 E5 Voice capabilities 32


Azure Subscriptions and Office 365 tenancies

One of the early challenges with the transition to Microsoft public cloud services is to understand the relationships between Office 365 tenancies and Azure subscriptions. What are they, how do they fit together and what should you look out for?

Office 365 Tenancy

An Office 365 tenancy is basically an instance of Exchange Server, SharePoint server and Skype linked to an identity that is provided by Azure AD. Each Office 365 tenancy has a unique name globally which is often referred to as the vanity name. This name is given an .onmicrosoft.com DNS namespace suffix.

When you register for Office 365 you select a prefix of your choosing ending up with a vanity name like MySchool.onmicrosoft.com

Behind the scenes an Azure subscription has been created and an Azure Active Directory object has been setup in it with the MySchool.onmicrosoft.com namespace.

Once created you can add additional public namespaces to the tenant like .yourschool.sch.uk. These need to be validated by adding some content into your public DNS records.

The majority of the identity management can be performed through the Office 365 management portal unless you wish to enable some advanced features of Azure AD Premium where you will be redirected to the Azure portal.

You only need one tenancy; there is little to no value in creating multiple, as all licensing, permissions and management are performed against a single tenant. In fact, by design, Office 365 tenants are logically separated to ensure the data sovereignty of each customer.


Azure subscriptions

Azure subscriptions are a little more complex.

Ideally you will procure Azure as a pre-commit as part of your school Campus agreement. In this model you manage your Azure subscriptions through the Enterprise Agreement portal.

There are administrative layers within the Azure structure that need to be understood although in practice most schools will end up with a relatively simple structure.

The top of the tree is your agreement.

The agreement can contain departments. You really only need one of these in most cases as only complex global enterprises require a division at this level. For IT departments centrally managing IT services for a group of schools this level may be used to separate each institution.

Within the department there is an account. This is the login that has complete global admin rights for everything below this point. Ideally this should be a service account from within your active directory like [email protected]

An account can create one or many subscriptions. In practice most schools will have a single subscription for production services. Other subscriptions could be created for specific use cases like one off research projects.

Within the subscription you build your Virtual network and other services.

The final piece of the Azure management entities is the resource group. A resource group is a logical grouping of Azure assets that share the same lifecycle like an application or service.

Role-based access can be granted at the resource group level to user objects via built-in pre-configured roles, from reader to owner. This allows you to delegate some tasks to areas of the school. The MIS/SIS team could, for example, get access to some application servers or even be allowed to reboot machines.

Resource Groups are also used as billing boundaries so we can ensure all objects are assigned to the correct department or cost centre.

Each object can only belong to one Resource Group.

Figure (Azure Architecture Diagram v1.0, Dot Net solutions): the Azure EA hierarchy. Azure EA → Dept (IT) → Account (Azure Admin) → Subscriptions (Core IT Prod, Core IT Dev, Core IT Test, Project A Dev, Project A Prod, Project C, Project D) → Resource Groups within each subscription.


The Cloud Data Centre

It is correct and proper to consider your Azure subscription as a virtual cloud data centre or server room for your IT.

When you think of it this way you will consider all of the elements you need to provide good, robust IT services and ensure you design and build them into your environment.

The questions you need to consider are:

▪ How do I want my network layout to look?
▪ What is my backup requirement?
▪ How am I going to monitor and remotely manage my server estate?

When doing the design for your specific needs there is an order in which to approach things, based on how the Azure elements relate to each other:

1. Connectivity
2. Networks
3. AD/Identity
4. Backup/Monitoring/Management
5. Workloads
6. Migration

You also need to consider what services you host today that will be replaced or supplemented by Office 365. Exchange email, file services, staff and student intranet and some elements of your VLE can be provided by Office 365 services.

The next section of this document will look in more detail at these elements and provide you guidance on how best to proceed.

Network and Connectivity

Overview

One of the primary considerations with the consumption of public cloud services is the connectivity to the providers’ environment.

As more and more critical systems are moved into the cloud the dependence on this connectivity becomes more pronounced.

Connectivity needs to consider the following elements:

▪ Client access to cloud based services like Office 365
▪ Client access to back end services like applications and printing
▪ Interfaces between systems
▪ Remote access to services

Connectivity to Microsoft public cloud services can be achieved in a number of ways including over the internet, using site-to-site VPNs or with a direct connection using a circuit from a provider and Microsoft ExpressRoute service in Azure. Schools have an added benefit of receiving free egress from the Azure Data centres thus making costs more predictable.

This school of the future architecture is based on a large number of services being available over the internet to allow for ease of access from off site and from any device. The principle here is that the majority of staff and students will access the majority of services without the need for special software or device configuration to support this connection.

Figure (diagram): three ways of connecting to Microsoft Azure. (1) ExpressRoute via a network service provider: the connection from the WAN is provided by the Network Service Provider and Azure becomes another site on the customer’s WAN (Customer Site 1, Customer Site 2, WAN, Microsoft Azure). (2) ExpressRoute via an exchange provider: peer at an ExpressRoute location, an Exchange Provider facility (Customer Site, ExpressRoute partner location, Microsoft Azure). (3) IPsec VPN over the internet: connect via an encrypted link over the public internet (Customer Site, Public internet, Microsoft Azure).


Special consideration is needed around the speed and resilience of internet connectivity as much more load will be placed on existing connectivity services once the transition to the cloud is undertaken.

Azure VNets

For a group of machines that will communicate with each other in Azure, a virtual network (VNet) is required. A VNet is a resource within a subscription. Each Subscription can have multiple VNets. A VNet cannot see inside another VNet without a VPN connection or via exposed internet ports (endpoints) to connecting services.

Within a virtual network there can be one or more subnets which can provide security boundaries between subnets and for grouping machines with similar roles.

For the majority of School and College environments it is recommended a single VNet is created in Azure. The division into subnets is mainly for ease of management and to apply Network Security Group policies between zones.

To create a VNet you will need to know the IP address space that the VNet can assign. The subnets are groups of IP address ranges within the full VNet address space.

A VNet is part of a Resource Group, within a region and has an address space. This address space can be used to create multiple subnets which can each use a subset of the VNet address space.

These Azure networking items nest in this way.

In its most basic form a VNet will look like this, where 10.0.0.0/18 is the address space and the subnets are smaller portions of this. The /18 option gives us a theoretical total of 16384 IP addresses. Azure may reserve some IPs for itself within each subnet. Our first subnet starts with 10.0.0.0 and we have used /28 to allow us to use 16 IP addresses from 10.0.0.0 to 10.0.0.15, and so on for the other subnets.

Within each of these subnets we can place virtual machines that relate to specific roles. The subnets are also used to allocate Azure Internal Load Balancer Addresses.

This VNet can be connected back to the in house network via an IPSEC tunnel using an approved and supported firewall or connected to an ExpressRoute circuit.

Figure 2. An example of a basic Azure virtual network. The diagram shows a single logical network: the Address Space (the superset of addresses to be used; routing is configured here; the gateway or connection point back to base sits at this level; labelled as equating to Layer 1/Layer 2) broken down logically into Subnets (labelled as equating to Layer 3), at which level an ACL can be applied.

Virtual Network Address Spaces

| Address space | Starting IP | CIDR (address count) | Usable address range |
|---|---|---|---|
| 10.0.0.0/18 | 10.0.0.0 | /18 (16384) | 10.0.0.0 - 10.0.63.255 |

Subnets

| Subnet | Starting IP | CIDR (address count) | Usable address range |
|---|---|---|---|
| DMZ | 10.0.0.0 | /28 (16) | 10.0.0.0 - 10.0.0.15 |
| AD | 10.0.0.16 | /28 (16) | 10.0.0.16 - 10.0.0.31 |
| ADFS | 10.0.0.32 | /28 (32) | 10.0.0.32 - 10.0.0.63 |
| Application | 10.0.0.64 | /28 (64) | 10.0.0.64 - 10.0.0.127 |
| Database | 10.0.0.128 | /28 (64) | 10.0.0.128 - 10.0.0.191 |
| Web | 10.0.0.192 | /26 (64) | 10.0.0.192 - 10.0.0.255 |
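A plan like the one above is easy to mistype, so it is worth checking before it is built. The checker below is an added example, not code from the whitepaper: it takes the document’s own address space and subnets, derives each subnet’s CIDR from its first and last address rather than trusting a hand-typed prefix, and verifies that every subnet is aligned, lies inside the VNet address space and does not overlap another. It also reports the usable host count, which is the subnet size minus the 5 addresses Azure reserves in every subnet. It uses only Python’s standard ipaddress module.

```python
"""Sanity-check an Azure VNet address plan (added example, not from the whitepaper)."""
import ipaddress
from dataclasses import dataclass

# Azure reserves 5 addresses in every subnet: network address, default gateway,
# two addresses for Azure DNS, and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5


@dataclass(frozen=True)
class SubnetPlan:
    name: str
    first: str  # first address as written in the plan
    last: str   # last address as written in the plan

    def network(self) -> ipaddress.IPv4Network:
        """Derive the CIDR block from the first/last addresses.

        A 10.0.0.32-10.0.0.63 range is a /27 whatever the plan's CIDR column
        says, so the block is computed from the range, not copied from it.
        Raises ValueError if the size is not a power of two or the first
        address is not aligned to that size.
        """
        first = ipaddress.IPv4Address(self.first)
        last = ipaddress.IPv4Address(self.last)
        size = int(last) - int(first) + 1
        if size <= 0 or size & (size - 1):
            raise ValueError(f"{self.name}: {size} addresses is not a power of two")
        prefix = 32 - size.bit_length() + 1
        # strict=True (the default) rejects a misaligned first address
        return ipaddress.IPv4Network((int(first), prefix))


# Constructed from the whitepaper's Figure 2 table: 10.0.0.0/18 with six subnets.
ADDRESS_SPACE = ipaddress.IPv4Network("10.0.0.0/18")
PLAN = [
    SubnetPlan("DMZ", "10.0.0.0", "10.0.0.15"),
    SubnetPlan("AD", "10.0.0.16", "10.0.0.31"),
    SubnetPlan("ADFS", "10.0.0.32", "10.0.0.63"),
    SubnetPlan("Application", "10.0.0.64", "10.0.0.127"),
    SubnetPlan("Database", "10.0.0.128", "10.0.0.191"),
    SubnetPlan("Web", "10.0.0.192", "10.0.0.255"),
]


def validate_plan(space, plan):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    accepted = []  # (name, network) pairs already checked, for overlap detection
    for sp in plan:
        try:
            net = sp.network()
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if not net.subnet_of(space):
            problems.append(f"{sp.name}: {net} is outside the address space {space}")
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{sp.name}: {net} overlaps {other_name} {other}")
        accepted.append((sp.name, net))
    return problems


def plan_summary(plan):
    """Map subnet name -> (CIDR, total addresses, hosts usable after Azure's reservation)."""
    summary = {}
    for sp in plan:
        net = sp.network()
        usable = net.num_addresses - AZURE_RESERVED_PER_SUBNET
        summary[sp.name] = (str(net), net.num_addresses, usable)
    return summary


def free_space(space, plan):
    """Blocks of the address space not assigned to any subnet, largest first."""
    remaining = [space]
    for net in (sp.network() for sp in plan):
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                carved.extend(block.address_exclude(net))  # yields the leftover blocks
            else:
                carved.append(block)
        remaining = carved
    return sorted(remaining, key=lambda n: n.num_addresses, reverse=True)


if __name__ == "__main__":
    for name, (cidr, total, usable) in plan_summary(PLAN).items():
        print(f"{name:<12} {cidr:<16} {total:>4} addresses, {usable:>3} usable")
    print("problems:", validate_plan(ADDRESS_SPACE, PLAN) or "none")
    print("largest free block:", free_space(ADDRESS_SPACE, PLAN)[0])
```

Running it against the table shows that only the first 256 addresses of the /18 are allocated, leaving 10.0.32.0/19 as the largest free block for later subnets.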


Figure 3. Standard Azure VNet with VPN Connectivity to one Site (diagram; its components are listed after the Connectivity text below).

Figure 4. ExpressRoute Exchange Provider (diagram): Customer Site connected to an ExpressRoute Partner (Exchange Provider) and on to Azure over private and secure connectivity of up to 10Gb/sec, with the public internet shown alongside.

Figure 5. ExpressRoute Network Service Provider (diagram): Site 1 and Site 2 on the customer WAN connected through an ExpressRoute Partner (Network Service Provider) to Azure over private and secure connectivity of up to 10Gb/sec, with the public internet shown alongside.

Connectivity

S2S VPN

Once the VNet is configured in Azure you have the ability to create a gateway. This gateway provides a termination point for a site to site (S2S) VPN connection from your school or college. Once this connection is in place you can route network traffic to servers in Azure. Figure 3 shows a logical example of the components of this setup.

When you create the gateway you need to choose if Static or Dynamic routing is used. Unless you are totally sure your device supports dynamic routing AND you have a requirement to join multiple VNets together then choose Static.

ExpressRoute

Azure ExpressRoute enables you to create private connections between Azure datacentres and infrastructure that’s in your server room. ExpressRoute connections do not go over the public Internet, and offer more reliability, faster speeds, lower latencies and higher security than typical connections over the Internet. In some cases, using ExpressRoute connections to transfer data between on-premises and Azure can also yield significant cost benefits.

With ExpressRoute, you can establish connections to Azure at an ExpressRoute location (Exchange Provider facility) as shown above or directly connect to Azure from your existing WAN network (such as the Virgin MPLS cloud) provided by a network service provider as shown in Figure 5.

Figure 3 (diagram): Production subscription containing the Production VNET Prod_01 (X.X.X.0/18, Region = N EUR, Primary VNET) with DMZ, Firewall IN, Infra resource group and App/DB subnets (Finance, BI, Marketing, CRM, AD), a Prod storage account and Azure storage. An Azure VPN static gateway (IPv4 Internet IP) connects over an Internet VPN tunnel to a static-routing-capable VPN device (IPv4 Internet IP) behind the enterprise firewall in the Customer Data Centre, whose network IP address ranges are X.X.X.0/18 and X.X.X/24…


As many schools and colleges are in single geographic locations, the exchange provider route is the most likely candidate for connectivity.

Exchange provider is a point to point solution where a dedicated circuit is run to a Microsoft point of presence (POP). The connection is terminated on equipment provided as part of this circuit which in turn will be connected to Azure via a physical port at the POP.

Exchange provider is more costly to provision but is cheaper to run. It also requires a location to host the termination point Customer Premise Equipment (CPE) at the POP which may require the purchasing of rack space at the POP.

Service provider is an option for organisations with existing MPLS interconnectivity between sites as this mode presents Azure VNets as a node on an MPLS network.

It is recommended you consult with your current circuit provider and see what arrangements they may already have for connectivity into Azure via ExpressRoute. Microsoft can also refer partners to assist with this connectivity if required.

AD and Identity solutions

We have already briefly touched on Azure AD in the section on Azure and Office 365 structure. It cannot be stressed enough how important this service is to everything else in the Microsoft public cloud, as the identity of your staff and students is the foundation of all other services.

Directory Services Overview

To be clear up front, when we refer to on premise Active Directory (AD) we are referring to Windows Server AD hosted on a Windows operating system with the full domain services installed. The tools for managing this are the familiar AD Sites and Services, Users and Computers and so on. Instances of domain controllers can also be hosted on virtual machines in Azure, and are required in order to provide robust services to virtual machines in Azure that need the domain.

When we refer to Azure AD we are specifically talking about the Azure AD service and not your AD which may be running on VMs inside your subscriptions.

We will not be discussing best practice for the deployment of on premise domain services into your organisation; there are many guides available on this topic from Microsoft and others. We will start our discussion on this topic with the assumption that you have a domain, some domain controllers, and all of your user and computer accounts are using this domain to authenticate.

We will also assume you are a single forest, single domain environment. Multiple domain environments do not pose much difficulty as long as they are in the same forest. Multiple Forest environments will present some unique challenges and will need some specialist consultancy to either collapse into a single forest or to configure the sync tools in a custom way to support this model.

Diagram: on premise Active Directory and HR systems (via SQL (ODBC), LDAP v3 and Web Services (SOAP, JAVA, REST)) feed Microsoft Identity Manager, which in turn feeds Microsoft Azure Active Directory, "Your Directory on the cloud".


On Premise Windows Server Active Directory

On premise Windows Server AD will be used in a hybrid deployment for this iteration of the blueprint, as for the time being you need to be able to continue to provide some services from here.

The solution to create this hybrid between the two directories is simple, powerful and elegant. Microsoft has a service called Azure AD Connect, which was formerly known as AD Sync and DirSync in its previous iterations. Under the hood this is a simplified version of Forefront Identity Manager (FIM) designed specifically to link on premise AD to Azure AD. If you purchase Azure AD Premium licenses you also get access to the new Microsoft Identity Manager (MIM) product to extend your identity management capability if required. This tool would, for example, allow you to automatically provision staff AD accounts out of the HR system and student accounts out of the MIS/SIS.

When you create your VNets in Azure, the IP address range you choose should become the basis for your site subnet in AD sites and services. Create the new site in AD and give it the subnet range you specified in the Azure VNet.

The next step is to create the first DC in Azure. A single standard A2 Azure virtual machine should be the first server you build in Azure. You should add a 50GB data drive to this VM with host cache disabled.

Figure 6. Add a Virtual machine in the Azure Portal (Marketplace: New > Virtual Machines > Windows Server 2012 R2 Datacenter)

Figure 7. Add a disk to an existing Azure Virtual Machine (Disks blade: Attach new data disk with Storage Container vhds, Size (GB) 50, Host caching None)


Once built, you will need to manually point the DNS server settings to an on premise DC then you can promote this server to be a domain controller.

NOTE: You MUST place the NTDS database files on the 50GB drive you created. Do not leave this defaulted to the system drive and don’t point this to the D:\ drive by mistake as this is the temporary drive of the VM and the data is not persistent between reboots.

Once this server is promoted you need to edit the Azure VNet settings to point to this server for DNS so all other servers in Azure will use this one for Domain and DNS information.

Before you connect your domain to Office 365 you must run a tool called IDFix across your environment. This will discover any issues with objects in the domain that may cause a sync to fail. Address these issues.

You need to ensure the User Principal Name (UPN) for the accounts in your on premise domain matches the domain namespace information in Azure AD. For example, if your internal domain was internal.myschool.local, a user account in this domain would have a UPN of [email protected]. This is not a routable email namespace, so you will have to add the UPN suffix yourschool.sch.uk to AD and change all your staff and student accounts to this new UPN suffix. Ideally this suffix is the same as your email address namespace. In fact, it is best to ensure that your email address, your UPN and your SIP address for IM, presence and voice are all aligned.

The final preparation step is to enable sync in the user section of the Office 365 management portal.

Now that you have a healthy AD instance in Azure and have enabled sync in Office 365, you need to build a small VM (an A1 will do), domain join it, and download and install Azure AD Connect. Configure it with a service account on your domain and an admin account in Office 365 and let it do a full synchronisation.

All users, groups and distribution lists will be replicated into Azure AD. All user and computer administration still needs to be carried out in the on premise AD in this architecture. Systems that were using on premise AD for authentication will continue to work as normal.
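The AD preparation steps above (the AD site and subnet for the Azure VNet, the routable UPN suffix and the UPN rewrite) as an added PowerShell example; this is not the whitepaper's or Microsoft's own script. It assumes the VNet range 10.0.0.0/18 from the subnet plan and the internal.myschool.local / yourschool.sch.uk names from the text; the site name and OU path are hypothetical.

```powershell
# Added example, not from the whitepaper. Prepares on premise AD for the Azure DC
# and for Azure AD Connect. Requires the ActiveDirectory RSAT module and a domain
# admin session. Supports -WhatIf so every change can be previewed first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AzureSiteName  = 'Azure-NorthEurope',            # hypothetical site name
    [string]$AzureVNetRange = '10.0.0.0/18',                  # VNet range from the subnet plan
    [string]$OldUpnSuffix   = 'internal.myschool.local',      # non-routable suffix from the text
    [string]$NewUpnSuffix   = 'yourschool.sch.uk',            # routable suffix from the text
    [string]$SearchBase     = 'OU=Users,DC=internal,DC=myschool,DC=local' # hypothetical OU
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. AD site and subnet matching the Azure VNet so Azure-hosted DCs and members
#    get the correct site affinity (the text: base the site subnet on the VNet range).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$AzureSiteName'")) {
    if ($PSCmdlet.ShouldProcess($AzureSiteName, 'Create AD replication site')) {
        New-ADReplicationSite -Name $AzureSiteName
    }
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$AzureVNetRange'")) {
    if ($PSCmdlet.ShouldProcess($AzureVNetRange, "Map subnet to site $AzureSiteName")) {
        New-ADReplicationSubnet -Name $AzureVNetRange -Site $AzureSiteName
    }
}

# 2. Register the routable UPN suffix at forest level (idempotent).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewUpnSuffix) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $NewUpnSuffix")) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewUpnSuffix }
    }
}

# 3. Rewrite user UPNs from the non-routable suffix to the routable one, keeping the
#    existing user part, and report accounts whose mail attribute does not match the
#    new UPN (the text recommends email address, UPN and SIP address be aligned).
$misaligned = @()
$users = @(Get-ADUser -Filter "UserPrincipalName -like '*@$OldUpnSuffix'" `
                      -SearchBase $SearchBase -Properties mail, userPrincipalName)
foreach ($u in $users) {
    $userPart = $u.UserPrincipalName.Split('@')[0]
    $newUpn   = '{0}@{1}' -f $userPart, $NewUpnSuffix
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
    if ($u.mail -and ($u.mail -ne $newUpn)) {
        $misaligned += [pscustomobject]@{ Account = $u.SamAccountName; Mail = $u.mail; NewUpn = $newUpn }
    }
}

Write-Host ("{0} user(s) processed, {1} with a mail attribute that does not match the new UPN" -f $users.Count, $misaligned.Count)
$misaligned | Format-Table -AutoSize
```

Run it with -WhatIf first to preview the changes, and still run IDFix afterwards: this script only handles the UPN suffix, not the other object problems IDFix reports.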

Azure AD Cloud Identity

Your staff and students now have access to a powerful identity model which can be used to authenticate against a large number of SaaS tools as well as Office 365, Intune and even Windows 10 devices that are cloud AD joined.

As this blueprint has students and faculty primarily authenticating against Azure AD for most services it is important to configure this service for password write back to on premise AD and to turn on self-service password reset to allow them to manage their own accounts and passwords without needing to contact the service desk.

Servers, Storage & Files

In this section we are giving some high level guidance on the on premise environment. This section is not prescriptive, as many organisations will have existing equipment that is still fit for use in this role.

Small Environment

Small environments are up to 100 client devices. In this scenario the on premise hosting requirements are very small. We would see you needing to cater for this in the following way:

▪ 1 Physical server – Hyper-V, DNS and Domain Controller

▪ VM 1 – Domain Controller, DNS, DHCP, File and print

Mid-Size

Mid-size organisations have 100 to 500 devices.

▪ 1 Physical server – Hyper-V, DNS and Domain Controller

▪ 1 Physical Server – Hyper-V

▪ VM 1 – Domain Controller, DNS, DHCP

▪ VM 2 – Domain Controller, DNS, DHCP

▪ VM 3 – File and Print

▪ VM 4 – MDT/WDS (for image deployment)

Large Environment

Large environments are over 500 devices.

▪ 2 Physical Servers – Hyper-V

▪ 1 Physical Server – Domain Controller, DNS

▪ VM 1 – Domain Controller, DNS

▪ VM 2 – Domain Controller, DNS

▪ VM 3 – DHCP

▪ VM 4 – File

▪ VM 5 – Print

▪ VM 6 – MDT/WDS (for image deployment)


Backup and Disaster recovery

The benefit of running the bulk of IT services out of the Microsoft public cloud environment is the lack of dependency on the local site to access these services.

From a disaster recovery perspective this solves a number of key issues as any problem with the site or access to the site does not have an immediate impact on students and staff getting access to the tools and services they need.

In order to provide data integrity and to protect against system outages it is still advisable to carry out regular backups of key servers.

Microsoft Azure storage is a highly available and robust storage service so you are not protecting yourself from a loss of data in Azure itself. The backup will almost entirely focus on data contained in servers and databases.

In this blueprint most of the day to day document type data will be in OneDrive and as such this is protected by Microsoft as part of the core service. Documents deleted from OneDrive can be recovered by end users for a time and administrators for up to 120 days after deletion.

The remaining data will be files on file servers for the Media and Art students and other data stored in applications which needs to be preserved.

Azure backup is the service we are using for this design blueprint.

You start deploying this service by creating a new Backup Vault in Azure.

Once completed you can navigate to the dashboard for the service in the Azure portal to get access to the backup agent to deploy to servers and to set policy, backup times and retention.

Diagram: Azure Backup of an Azure virtual machine. The VM agent and backup extension on the VM snapshot the OS disk and data disks 1 to N (the resource disk is also shown) and the data is transferred to the Azure Backup service. Screenshot: New > Recovery Services > Backup Vault > Quick Create, with Name MySchool and Region North Europe.


You can have multiple policies if you like but each server can only have one policy applied.

Disaster Recovery

Schools may have applications and services which require shorter recovery times. For these applications this blueprint recommends the use of the Azure Site Recovery (ASR) tool, which is a Disaster Recovery as a Service (DRaaS) offering hosted natively on the Microsoft Azure platform, to provide a warm DR standby of the servers hosting these applications.

ASR will allow for the automation of the orderly recovery of services in the event of a site outage at either the primary data centre or any of the primary Azure Production environments.

Applications can be brought up in an orchestrated fashion to help restore service quickly, even for complex multi-tier workloads.

Disaster recovery plans can be created in the Microsoft Azure management portal, where they are stored. The disaster recovery plans can be as simple or as advanced as the requirements demand, including the execution of custom Windows PowerShell scripts and Azure Automation Runbooks and pauses for manual interventions.

Schools can test disaster recovery plans as required without disrupting the services at the primary location.


Screenshot: backup policy details (schedule and retention range) for the policy BackupRDMDaily, policy type Azure Virtual Machines, backup frequency Daily at 04:00 Local Time (UTC). Retention: daily backups retained for 180 day(s); weekly backups taken on Sunday at 04:00 retained for 104 week(s); monthly backups taken on the First Sunday (or day 1) at 04:00 retained for 60 month(s); yearly backups taken in January on the First Sunday (or January 1) at 04:00 retained for 10 year(s).


Application services

The heart of every school is the suite of applications used to administer and operate the organisation, from MIS/SIS systems to the school's VLE and even the applications that run cashless vending and entry barriers.

Most application architectures are based on one of two models: a two tier model, where the database services reside remotely on a server and the software clients connect directly to this database, or a three tier model with an application server in the middle, where the client is either a web interface or a rich client that connects to the application tier to function.

There are a number of ways to deploy these applications out of the cloud and remove the hosting burden from the on premise environment.

Recall the IaaS/PaaS/SaaS diagram from earlier in this document (reproduced on the right).

The further to the right you go on this scale the less administrative effort is required to host and maintain the applications.

In an ideal world you would consume all of your key applications as SaaS products, leaving all the hosting, maintenance, patching, backups etc. with the vendor. Many of the applications you use today will have a vendor who has a SaaS product in that functional space, but this may require you to migrate away from some of the applications you currently have.

The next option to consider would be to move your current applications to virtual machines hosted in Azure.

It is technically possible to move a VM from an on premise Hypervisor to Azure. It is often better however to rebuild and reinstall the application and only move the data. This second option allows for a fresh operating system build with no legacy drivers and tools and a clean installation of the application.

It is important to note at this point that only Windows Server 2008 R2 or newer are the currently supported Windows server versions in Azure. If you have applications running on Windows Server 2003 or 2008 you will need to reinstall these on newer servers in Azure. This may require an upgrade to the application if the version you are running on is not supported on the newer OS.

Before you begin this work you need to work out what virtual machines you need in Azure and how to build them. It is really important to plan this before you begin building. Although Azure is a very flexible environment, it is possible to build things poorly if you rush into it. Microsoft provides tools to make this transition easier. The MAPS tool (Microsoft Assessment and Planning Toolkit) is a good example of these tools. MAPS is free and is installed on a server in your organisation, where it runs a scan to give you an inventory, assessment and reporting tool to assist in these migrations. MAPS can be found here: https://www.microsoft.com/en-gb/download/details.aspx?id=7826

Diagram: the IaaS/PaaS/SaaS responsibility model, showing for each layer whether you manage it or it is delivered as a service.

Layer | Traditional IT | IaaS | PaaS | SaaS
Applications | You manage | You manage | You manage | Delivered as a service
Data | You manage | You manage | You manage | Delivered as a service
Runtime | You manage | You manage | Delivered as a service | Delivered as a service
Middleware | You manage | You manage | Delivered as a service | Delivered as a service
O/S | You manage | You manage | Delivered as a service | Delivered as a service
Virtualization | You manage | Delivered as a service | Delivered as a service | Delivered as a service
Servers | You manage | Delivered as a service | Delivered as a service | Delivered as a service
Storage | You manage | Delivered as a service | Delivered as a service | Delivered as a service
Networking | You manage | Delivered as a service | Delivered as a service | Delivered as a service


The anatomy of an Azure VM

Azure has lots of different components that you may not be familiar with. They matter most to large scale enterprises and less so to smaller deployments, but you still need to know what they are.

The basic settings include the name of the VM which has to be unique and the username and password for the local administrator account on the server.

The first Azure specific component is known as a resource group. You can have as many or as few as you like, there is no right answer for this one but for neatness and ease of management we would suggest you have a resource group for each service. i.e. AD, Print, File, HR Application, MIS/SIS… and so on.

To correctly size a VM you need to work out how many CPUs and how much memory it ideally needs to work. The A series servers are hosted on AMD CPUs and the D series on newer Intel CPUs.

The size of the VM also impacts the number of disks you can attach. We will speak about disks more shortly. Choose an appropriate VM size and move on to the configuration page.

This page introduces a number of concepts we will expand on.

Storage accounts

These come in two types, Standard and Premium. Standard will work for the majority of scenarios. The real key to understanding storage accounts is to consider them in terms of IOPS.

Each storage account can handle around 8000 IOPS. Each file (i.e. virtual disk) can handle around 500 IOPS.

It is important then to add multiple disks to virtual machines that require performance off the storage. The Microsoft MAPS tool can help assess current IOPS requirements.

As a rule, never install anything on the C: (System) drive, leave this for the OS. The Temp D: drive is for the page file AND GETS DELETED ON REBOOT. Don’t install or put any persistent data like logs etc. on this drive. Always add an additional disk or two for the workload you are installing. In Windows Server 2008 R2 you can RAID these disks in software. In 2012 R2 and 2016 you use storage pools.

For smaller schools a single storage account for the whole environment will suffice. More can be created over time if required. The account itself is free; you only pay for the consumed storage.
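The disk guidance above (keep the OS on C:, never store persistent data on the temporary D:, stripe several data disks for IOPS using a storage pool on Windows Server 2012 R2/2016) as an added PowerShell example run inside the Azure VM; it is not the whitepaper's own script. The pool and volume names and the E: drive letter are hypothetical.

```powershell
# Added example, not from the whitepaper. Builds one persistent data volume across all
# attached Azure data disks with Storage Spaces (Windows Server 2012 R2 / 2016).
# Run in an elevated PowerShell session on the VM after the data disks are attached.
param(
    [string]$PoolName    = 'DataPool',  # hypothetical
    [string]$VolumeLabel = 'Data',      # hypothetical
    [char]  $DriveLetter = 'E'          # hypothetical; C: is the OS disk, D: is the temporary disk
)

# Guard against the two drives the text warns about: C: (system) and D: (temporary,
# wiped on reboot). Persistent data, logs and the NTDS database must not land there.
if ($DriveLetter -in @('C', 'D')) {
    throw "Refusing to place persistent data on ${DriveLetter}: (OS or temporary disk)"
}

# Only uninitialised disks are poolable, which naturally excludes the OS and temp disks.
$poolable = @(Get-PhysicalDisk -CanPool $true)
if ($poolable.Count -eq 0) {
    throw 'No attached data disks are available to pool; attach data disks in the portal first.'
}
Write-Host ("Pooling {0} disk(s): {1}" -f $poolable.Count, ($poolable.FriendlyName -join ', '))

# One pool over all data disks. A Simple (striped) layout with one column per disk
# spreads IO across every disk, which is the point of adding several disks when each
# Azure standard disk is capped at roughly 500 IOPS.
$subsystem = Get-StorageSubSystem -FriendlyName '*Storage Spaces*'
New-StoragePool -FriendlyName $PoolName `
                -StorageSubSystemUniqueId $subsystem.UniqueId `
                -PhysicalDisks $poolable | Out-Null

$vdisk = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName "$PoolName-vd" `
                         -ResiliencySettingName Simple -ProvisioningType Fixed `
                         -NumberOfColumns $poolable.Count -UseMaximumSize

# Initialise, partition and format the new virtual disk as a single NTFS volume.
$vdisk | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter $DriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $VolumeLabel -Confirm:$false | Out-Null

# Show the result so the size and label can be checked before installing anything on it.
Get-Volume -DriveLetter $DriveLetter |
    Select-Object DriveLetter, FileSystemLabel, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } }
```

For the first Azure domain controller, point the NTDS database, log and SYSVOL paths at this volume during promotion, not at C: or D:.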

The Public IP address and DNS name are the internet facing element of your virtual machines and can provide a software load balancer if you have multiple servers providing the same role. Multiple VMs can be mapped to the same DNS name, and once provisioned the firewall access controls can be managed through the End Point settings in the portal.

Screenshot: the Create virtual machine wizard for Windows Server 2012 R2 Datacenter. 1 Basics: Name, User name, Password, Subscription (Pay-As-You-Go), Resource group, Location (North Europe). 2 Size: choose virtual machine size. 3 Settings (optional features): Storage with Disk type (Standard or Premium (SSD)) and Storage account; Network with Virtual network, Subnet (default (10.0.0.0/24)), Public IP address and Network security group; Availability set (None); Monitoring with Diagnostics (Disabled/Enabled) and Diagnostics storage account. 4 Summary.


In the example above, the two servers AZNE-DNS-DC03 and AZNE-DNS-DC04 are in the resource group AZNE-DNS-DCNE and share the public DNS name azne-dns-dcne.cloudapp.net and IP address of 191.235.136.49.

Once you have worked out the type, size and storage for each server, you can provision these and join them to the domain. Applications can be installed on Azure VMs just as you would install them on premise. The Azure VM will appear in the domain and in DNS just like normal servers and can be connected to in the same way.

Management and Tools

IT System tools

Server Monitoring

This blueprint recommends that the core monitoring function for server end points be provided by Azure Operational Insights. Operational Insights is a software-as-a-service (SaaS) solution hosted out of Microsoft Azure which allows support staff to collect, store and analyse log data from Windows Servers.

This log data is then viewed through any number of Solution Packs which will allow the estate to be monitored and problems identified.

Solution Packs exist today to provide the following features:

▪ Proactive smart alerts

▪ Security Log Collection

▪ Comprehensive operations dashboards, and reporting

▪ Breach and Threat detection

▪ Malware detection and Software update status

▪ Monitoring of OS Resources (CPU, disk, memory, network) for Windows, Linux systems

▪ Detect potential configuration issues or deviations from identified best practices.

▪ Forecast resource utilization trends

▪ Monitor Software, Windows Services, Registry Keys, Group Policy and File changes

▪ Identify storage bottlenecks

▪ Universal log collection and analysis

Patch Management

Server patching will be centrally managed by using Windows Server Update Services (WSUS) hosted in Microsoft Azure. For organisations running SCCM, this can also be deployed in Azure for this purpose.

For best practice, patching policies require a good reboot schedule. In order to automate the reboot process, technicians can use GPO, Scheduled Tasks and a mixture of PowerShell, VBScript and batch scripts.

▪ GPO is used to propagate the script.

▪ Task Scheduler is used to schedule the reboot.

▪ A script is used to apply the reboot with defined parameters to show that this was a scheduled reboot for Windows Updates.

This service will only be for the patching of servers. End user desktop patching will be managed through Intune.
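The scheduled update reboot described above (GPO-distributed script, Task Scheduler trigger, reboot with defined parameters) as an added PowerShell example; it is not the whitepaper's own script. The task name, the Sunday 04:00 schedule and the script path are hypothetical; the script only reboots when Windows reports an update reboot as pending.

```powershell
# Added example, not from the whitepaper. Writes the reboot script to disk and registers
# a weekly scheduled task that runs it as SYSTEM. Run once per server as an administrator
# (or wrap it in the GPO startup script that distributes $ScriptPath).
param(
    [string]$TaskName   = 'Scheduled-Update-Reboot',           # hypothetical
    [string]$ScriptPath = 'C:\Scripts\Reboot-IfPending.ps1',  # hypothetical, distributed by GPO
    [string]$Day        = 'Sunday',                            # hypothetical maintenance window
    [string]$Time       = '04:00'
)

# The reboot script itself, embedded here so the example is self-contained.
$rebootScript = @'
# Reboot only if Windows Update or Component Based Servicing has flagged a pending reboot.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
if (-not $pending) {
    exit 0   # nothing to do this week
}
# /d p:2:17 records a planned reboot, major reason 2 (Operating System), minor 17 (Hot fix),
# and /c adds the comment; both land in the System log shutdown event so the reboot is
# clearly attributable to patching rather than to a crash or an interactive user.
shutdown.exe /r /t 60 /d p:2:17 /c "Scheduled reboot for Windows Updates"
'@

New-Item -ItemType Directory -Path (Split-Path -Parent $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $rebootScript -Encoding ASCII

# Task Scheduler side: weekly trigger, run as SYSTEM with highest privileges, and a short
# execution limit so a hung script cannot sit there past the maintenance window.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $Day -At $Time
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the task is registered and ready.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```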

Anti-Virus/Anti-Malware

Intune provides a license for Windows Endpoint Protection for end user devices. Servers in Azure can be provisioned with the Microsoft anti-virus client at build time.

Devices

For end user device management, the blueprint recommends the use of Microsoft Intune. Intune can be used as a Mobile Device Management (MDM) tool as well as a mobile application management tool, and is equally efficient at managing Windows desktop devices alongside mobile phones and tablets.

Screenshot: the Virtual Machines blade listing AZNE-DNS-AAD01, AZNE-DNS-DC03 and AZNE-DNS-DC04. Essentials for the domain controller: Resource group AZNE-DNS-DCNE, Status Running, Location North Europe, Subscription name Pay-As-You-Go, Operating System Windows, Size Standard A2 (2 Cores, 3.5GB memory), Virtual IP Address 191.235.136.49, DNS name azne-dns-dcne.cloudapp.net.


As we suggested earlier, student and faculty desktops are to be deployed so that they are not domain joined to the local domain but are joined to the Azure AD instance associated with your Office 365 tenant.

Once joined to the cloud domain the way to manage the Windows 10 device in terms of patching, application deployment and device policy is through Intune.

Learning systems

Office 365

The heart of the day to day environment for staff and students will be provided by Office 365.

Office 365 is an ever growing and evolving suite of products that can generally be thought of as a collaboration and communication tool suite.

The blueprint also calls for EMS licensing for staff, which will provide all the features of Azure Active Directory Premium for single sign on, self-service password reset and password write back to the on premise domain. This will allow staff and students to interact almost exclusively with the Office 365 portal to access most of their work.

The key elements of Office 365 are: ▪ Exchange Online – This is a hosted and managed Exchange messaging platform providing email, calendars, contacts and unified messaging services to your organisation

▪ SharePoint online – This is a hosted and managed SharePoint environment which provides Intranet (web portals), document management (Document Libraries), personal drives (OneDrive for Business), Search and Office Web Apps

▪ Skype for Business – This service provides instant messaging, voice and video conferencing and presence information

▪ Yammer – This provides an enterprise wide social networking and newsfeed service.

Office 365 uses the same corporate identity service we have already discussed. Once issued a license in the Office 365 portal, staff and students log in to Office 365 using their email address and password from the domain to access services.

Access to applications can be presented through a school branded and personalised application portal.

Screenshot: the Azure AD access panel (My Apps) for a Contoso test user, showing the configured applications (Office 365 Exchange Online, Outlook Web App, Box, Concur, DocuSign, Insightly, Microsoft Bing Ads, Salesforce, SAP Business ByDesign, ServiceNow, Skype, Twitter, Yammer), the profile page with Change Password and Additional Security Verification, and the "Sign in with your organizational account" page, including the mobile view.


Email

For the majority of schools, we would anticipate giving all staff and students a functioning email address and inbox.

Once accounts have been synchronised from the Windows domain into Office 365 they can have a license applied. The application of a license that includes Exchange Online will create a mailbox for the user.

These mailboxes can be reached from the internet via the Outlook web application (OWA) or via mobile phones. Faculty and support staff will have access to a full version of the Office desktop suite and will therefore have Outlook installed on their devices.

For schools with existing email environments, either on premise or hosted elsewhere, there are a number of supported migration approaches to move existing email services into Office 365. For on premise Exchange Server the hybrid approach gives the best end user experience and the most control over migrations. Ideally this is a project for the summer break: you could plan and design in May, do remediation work on your Exchange and Active Directory and set up the cloud identity in June, then build the hybrid and migrate mail in July. New students for September could be provisioned directly into Office 365.

Documents

The new default for documents is to place them in OneDrive or a SharePoint document library. OneDrive will be used as a replacement for staff and student home drives, and SharePoint document libraries can replace traditional departmental file shares. You will need to maintain a smaller file share presence for Media students to use for large video, music and image files, but everything else can and should be in one of these locations.

One of the challenges of moving from traditional file shares to a web based file system is the impact to the end user experience.

OneDrive document libraries can be accessed in a number of ways. In a web based model, staff and students would locate or create work through the OneDrive web portal. This work can be created or edited in the Office Web App, the mobile app or the full Office client.

This approach is the best way to tackle the many to one nature of devices to students. If you deploy Office 2016, this model works well as the integration with this version of Office with OneDrive is mature with document history roaming between devices and also with the ability to locate and save documents direct into OneDrive from office applications.

This approach is not currently supported in many non-Microsoft products so alternatives for these are required for now.

You may wish to supplement your current file services with OneDrive to make use of the accessibility and mobility features of this product while maintaining traditional file shares for products that don't support saving direct to the cloud. There are also a number of third party products that can be used to sync file shares with OneDrive libraries, which could be deployed as an interim solution.

For staff, and as an alternative for students, the OneDrive client software can be deployed to end user devices. This software allows a sync of the library to be set up on the local device. This works well in a one to one device model and gives access to an offline copy of the files in the cloud.

The subject of a correct information architecture and taxonomy for where data goes is a complex one and will potentially be very different for different organisations.

This architecture needs to take into account both a logical structure for data but also a simple model for permissions. Ideally permissions would be granted or denied high up in the structure and to groups rather than individuals.

SharePoint has a logical hierarchy of services that need to be understood before you start building things.


SharePoint Function | Administrative level | Can do…
SharePoint Farm | Farm Administrator (Office 365 Global Administrator Role) | Global access; environment wide settings; create site collections/sites; delegate site collection rights; set quotas on site collections
Site Collection | Site Collection Admin | Site collection specific configuration; create sites; administer permissions
Site | Site Admin | Site configuration; site permissions
Library (or other Web Part) | Site Admin |
Document (or other object) | Site Admin/User | Object permissions


The taxonomy figure shows an example of a SharePoint taxonomy. Yours may be different.

Permissions should be applied at the site collection level. In the example, students enrolled in courses in the Business and Technology department would have read rights to the site collection, which would be inherited by the site and sub site.

Write permissions could be granted, if required, to a document library in a sub site.

Students would not be granted read permissions to the Finance site collection so this would not appear in their navigation or search results.

Departmental sites could grant read access to all staff and read/write to department members. Sensitive areas like HR and the executive team would be strictly controlled with access granted by exception to key members.

All permissions in SharePoint online should be granted to Office 365 groups that are synchronised with the domain.
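The permission design above (grant at the site collection, to groups, let rights inherit downwards, and break inheritance only where a library needs write access) as an added illustration written for this page: a small Python model, not SharePoint's own API, that resolves the effective level a user's groups hold at each node of the page's example taxonomy. The group names ("BT Students", "All Staff", "Finance Staff") and the two levels "Read" and "Contribute" are constructed for the example.

```python
"""Model of the permission design described above. Added illustration written
for this page; a model of the design, not SharePoint's own API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Permission levels used by the design, weakest to strongest (constructed).
LEVELS = {"Read": 1, "Contribute": 2}


@dataclass
class Node:
    """A site collection, site, sub site or library in the taxonomy."""
    name: str
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    # group -> level. None means "inherit from parent" (SharePoint's default);
    # a site collection root always carries its own dict.
    unique: Optional[Dict[str, str]] = None

    def add(self, name: str) -> "Node":
        child = Node(name, parent=self)
        self.children.append(child)
        return child

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"


def effective_grants(node: Node) -> Dict[str, str]:
    """Walk upwards until a node with its own permissions is found."""
    while node.unique is None:
        if node.parent is None:
            raise ValueError(f"{node.name} has neither permissions nor a parent")
        node = node.parent
    return node.unique


def grant(node: Node, group: str, level: str) -> None:
    """Give a group a level here. Below the site collection this breaks
    inheritance: inherited grants are copied, then extended, mirroring
    SharePoint's 'stop inheriting permissions' step."""
    if node.unique is None:
        node.unique = dict(effective_grants(node)) if node.parent else {}
    current = node.unique.get(group)
    if current is None or LEVELS[level] > LEVELS[current]:
        node.unique[group] = level


def effective_level(node: Node, groups: List[str]) -> Optional[str]:
    """Strongest level any of the user's groups holds at this node, or None."""
    best = None
    for group, level in effective_grants(node).items():
        if group in groups and (best is None or LEVELS[level] > LEVELS[best]):
            best = level
    return best


def index(roots: List[Node]) -> Dict[str, Node]:
    """Map every slash separated path in the taxonomy to its node."""
    out: Dict[str, Node] = {}
    stack = list(roots)
    while stack:
        node = stack.pop()
        out[node.path()] = node
        stack.extend(node.children)
    return out


def navigation(roots: List[Node], groups: List[str]) -> List[str]:
    """Paths the user can read, i.e. what navigation and search would show."""
    return sorted(p for p, n in index(roots).items() if effective_level(n, groups))


def build_example() -> List[Node]:
    """The page's example taxonomy; group names are constructed for the model."""
    bt = Node("Business and Technology", unique={})   # site collection
    grant(bt, "BT Students", "Read")         # read, at the top, to a group
    grant(bt, "All Staff", "Read")
    grant(bt, "BT Staff", "Contribute")      # department members read/write
    studies = bt.add("Business Studies")     # site
    class_1a = studies.add("Class 1A")       # sub site
    class_1a.add("Reference Material")       # library, inherits Read
    grant(class_1a.add("Homework"), "BT Students", "Contribute")  # write only here
    studies.add("Class 1B")
    finance = Node("Finance", unique={})     # no student grant at all
    grant(finance, "Finance Staff", "Contribute")
    grant(finance, "Executive Team", "Read")
    return [bt, finance]
```

Running `navigation(build_example(), ["BT Students"])` lists only the Business and Technology paths; Finance never appears because no group a student belongs to was granted anything there.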

Versioning can also be enabled on document libraries to ensure a mechanism to roll back to previous versions of a document. This feature is on by default and set to retain the last 10 versions of a document. The number of versions retained can be configured.

Archive

Many schools have a requirement to archive student data for a period of time after the student has left. Schools should have a policy in place that notifies students of how long this will be retained and the process to access this data if they need it.

As Office 365 has no direct cost for data this is an ideal place to retain an archive of a student’s digital work.

Once a student leaves, the AD account can be disabled but the content of the student’s OneDrive can be retained for as long as needed. Removing the Exchange Online licence from the student will remove their mailbox while maintaining an active OneDrive presence.

If versioning is enabled, this archive will also contain the version history of documents alongside the final version.

[Figure: example SharePoint taxonomy. Intranet; Dept/Faculty (Site Collection): Business and Technology, Finance, IT, Portals; Site: Business Studies; Sub Sites: Class 1A, Class 1B; Libraries: Reference Material, Homework, Department Library]


Data and BI

Microsoft Power BI is a collection of online services and features that enables you to find and visualise data and share this within your organisation. It can be used as a powerful tool to aid teachers and school leaders in making data informed decisions.

The new version of Power BI, PowerBI.com, is an online service where you can quickly create dashboards, share reports, and directly connect to (and incorporate) data from key systems into charts and reports. The toolset also introduces the Power BI Desktop, a dedicated report authoring tool that enables you to transform data, create powerful reports and visualisations, and easily publish to Power BI. This extends to all your mobile devices, too.

To author reports and visualisations, you need at least a basic grasp of Power Pivot from Excel. You can connect Power BI to a number of data sources and build complex data models quite quickly.

It is more than likely that you already have reports in place within the MIS/SIS system, so the introduction of Power BI into the mix will be a phase 2 task. We would recommend starting with the free version of the tool and getting the MIS/SIS team to start creating reports by integrating with offline data sources for some key systems. Once the use of the tool is more established you can license it and integrate it with live data to do real time reporting.

For a guided learning experience for Power BI please follow this link: https://powerbi.microsoft.com/en-us/guided-learning/powerbi-learning-0-0-what-is-power-bi

This link below provides some Power BI samples and use cases: https://powerbi.microsoft.com/en-us/documentation/powerbi-sample-datasets/


Telephony

During 2016 new telephony features have rolled out for Office 365 customers. These include a set of options for telephony voice services such as conferencing and PSTN calling. The specific availability of individual features will vary by country; please refer to the Office 365 education website for the latest rollout details. The full set of these features is available in the US now and the majority of features are available in the UK from May 2016 onwards, with voice integration arriving in the UK in July 2016.

The new telephony features form a major part of the new E5 Office 365 plan, as well as being available as individual add-ons.

Office 365 E5 Voice capabilities

When available in your region, Office 365 E5 plans can include, amongst other things, the following voice capabilities:

PSTN Conferencing
▪ Use a tolled dial-in number to join meetings from any device
▪ Dial-out to bring participants into the meeting

Cloud PBX
▪ Office 365 as the central location to manage users for communications, email and content
▪ Eliminate separate PBX systems and transition to the cloud

PSTN Calling
▪ Subscribe to calling plans from Office 365
▪ Use existing phone numbers or get new ones

Skype Meeting Broadcast
▪ Reach up to 10,000 attendees for very large meetings
▪ Attendees join from virtually any browser and device

The feature set more specifically will be:
▪ End user call handling (hold, transfer, voicemail)
▪ Team Calling
▪ Support of IP desk phones
▪ Meeting dial in/dial out
▪ Phone number assignment
▪ Inbound/outbound calling

We suggest that at the point of upgrading telephony systems in your organisation you look to move to this service as an alternative.


Partner solutions

Hardware – servers 34

Learning systems 34


One of the strengths of the Microsoft eco-system is the rich choice of partner solutions which can either fit into the overall design and add additional value, or replace and augment existing components. The following is a selection of these; it is not exhaustive but provides an overview.

Hardware – servers

In this whitepaper we have referred to some scenarios that may still require on-premises hardware. A range of new hardware solutions has been developed by partners to fit these requirements: smaller, energy efficient form factors that can provide the required on-premises services. Examples include:
▪ Hewlett Packard Enterprise (HPE) have developed a range of ProLiant Easy Connect Hybrid solutions. These use virtualisation and cloud management software from a company called Zynstra
▪ Dell and 4ward offer Cloud-in-a-box solutions powered by Dell PowerEdge VRTX
▪ Stone offer Unity solutions that include hybrid options with specially designed hardware options to provide local services as required.

Learning systems

The Office 365 platform has been customised by many schools and partners. With Microsoft Classroom launching in 2016, another option to customise Office 365 in your school becomes available. As you plan your adoption of Office 365 in the classroom, it may be useful to refer to some of the partner solutions built on Office 365:
▪ Learning Possibilities – LP+365
▪ BFC Networks – Cloud Classroom
▪ Ruler – ClassNotebook
▪ Axis12 – Teacher Dashboard 365
▪ Avantador – Skooler
▪ eLearningForce – LMS365


Moving to the design – key transition scenarios

Scenario 1 – No cloud services, Significant Migration to cloud 36

Scenario 2 – Office365 and some SaaS Apps, Significant Migration to cloud 37

Scenario 3 – No Cloud. Hybrid cloud point solutions 38


This section of the document will cover different start and end states to give a view of how you would approach the implementation of the blueprint.

Scenario 1 – No cloud services, Significant Migration to cloud

For schools with no cloud usage at all the best place to start is with Office 365 and setting up messaging and cloud identity services in Exchange Online.

In order to deliver this service, you should create a small Azure footprint and place a domain controller and your AD Connect server in here.

Setting this up will build all the core capability out for other workloads but is very low impact to end users and allows you to get familiar with the cloud services in a low risk way.

This approach keeps much of the environment as is but will allow you to remove your dependency on an on premise Exchange server and get you up and running in the cloud in a modest way.

Once complete the next workloads to consider would be to move key file services to OneDrive and to start to move some of your intranet functions to SharePoint online.

Application hosting is the next step of this journey followed by the school web site.

The logical order of events for an organisation in this position is as follows.

Task | Workload | Outcome
1 | Identity | The ability to authenticate to Office 365 and other SaaS applications with a corporate ID using on premise AD credentials
2 | Connectivity | The ability to connect to Azure based services across a private link.
3 | Messaging | The provision of email services out of Exchange Online and the ability to decommission on premise email servers.
4 | OneDrive/Portals | The ability to consolidate the environment that staff and students use to access services and applications. The ability to provide access and the ability to edit documents remotely to staff and students.
5 | Azure DC Build | The ability to host applications and services out of Azure in a supportable and managed way.
6 | SaaS SSO | Identity integration. Remove the need to maintain separate user and password information on externally hosted services.
7 | Remote Management and monitoring | The ability to provide a single management and monitoring service across the environment.
8 | Backup | The ability to cloud backup all back end services and remove the dependency on tape and off site storage solutions.
9 | Extend Windows Domain | Provide Domain Authentication to servers and services placed in Azure.
10 | Application Migration | Applications and services hosted out of the Azure subscription. The decommissioning of on premise servers.
11 | Intune | The ability to manage Windows end points and mobile devices and to apply policy and deploy applications.
12 | Windows 10 | An updated desktop estate with the ability to cloud domain join.
13 | Reporting | A single reporting interface allowing staff to run real time queries against data held in disparate systems.
14 | Telephony | The ability to host all voice services from the internet and to provide a true unified communications toolset to staff. The decommissioning of legacy on premise PBX solutions.


Scenario 2 – Office365 and some SaaS Apps, Significant Migration to cloud

If you have started your journey to the cloud by deploying Office 365 then you will have deployed cloud identity and probably messaging already.

If you are not using Azure at this stage the first workload to deploy here would be the infrastructure that supports your Office 365 deployment.

If you are using ADFS, this can be deployed here as well as the AD Connect service. We would recommend decommissioning ADFS as part of this transformation work and moving to cloud managed accounts.

There is a quick win for organisations in this space in using cloud identity for authentication to existing SaaS applications. In parallel to this, the focus for organisations in this space will be to look at moving applications into Azure for hosting.

As you are already in Office 365 the order of events for organisations in this scenario is:

Task | Workload | Outcome
1 | OneDrive/Portals | The ability to consolidate the environment that staff and students use to access services and applications. The ability to provide access and the ability to edit documents remotely to staff and students.
2 | Azure DC Build | The ability to host applications and services out of Azure in a supportable and managed way.
3 | SaaS SSO | Identity integration. Remove the need to maintain separate user and password information on externally hosted services.
4 | Remote Management and monitoring | The ability to provide a single management and monitoring service across the environment.
5 | Backup | The ability to cloud backup all back end services and remove the dependency on tape and off site storage solutions.
6 | Extend Windows Domain | Provide Domain Authentication to servers and services placed in Azure.
7 | Application Migration | Applications and services hosted out of the Azure subscription. The decommissioning of on premise servers.
8 | Intune | The ability to manage Windows end points and mobile devices and to apply policy and deploy applications.
9 | Windows 10 | An updated desktop estate with the ability to cloud domain join.
10 | Reporting | A single reporting interface allowing staff to run real time queries against data held in disparate systems.
11 | Telephony | The ability to host all voice services from the internet and to provide a true unified communications toolset to staff. The decommissioning of legacy on premise PBX solutions.


Scenario 3 – No Cloud. Hybrid cloud point solutions

In this scenario you have little to no cloud services deployed and are not in a position to undertake a large scale work programme to migrate services in.

As with Scenario 1, for schools with no cloud usage at all the best place to start is with Office 365 and setting up messaging and cloud identity services in Exchange Online.

In order to deliver this service, you should create a small Azure footprint and place a domain controller and your AD Connect server in here.

Setting this up will build all the core capability out for other workloads but is very low impact to end users and allows you to get familiar with the cloud services in a low risk way.

This approach keeps much of the environment as is but will allow you to remove your dependency on an on premise Exchange server and get you up and running in the cloud in a modest way.

The core initial workloads are:

Task | Workload | Outcome
1 | Identity | The ability to authenticate to Office 365 and other SaaS applications with a corporate ID using on premise AD credentials
2 | Connectivity | The ability to connect to Azure based services across a private link.

Once these are established you can run the following projects to deploy discrete services on your own schedule. These can be run in any order based on your priorities.

Task | Workload | Outcome
1 | OneDrive/Portals | The ability to consolidate the environment that staff and students use to access services and applications. The ability to provide access and the ability to edit documents remotely to staff and students.
2 | SaaS SSO | Identity integration. Remove the need to maintain separate user and password information on externally hosted services.
3 | Intune | The ability to manage Windows end points and mobile devices and to apply policy and deploy applications.
4 | Windows 10 | An updated desktop estate with the ability to cloud domain join.
5 | Reporting | A single reporting interface allowing staff to run real time queries against data held in disparate systems.
6 | Telephony | The ability to host all voice services from the internet and to provide a true unified communications toolset to staff. The decommissioning of legacy on premise PBX solutions.
7 | Azure DC Build | The ability to host applications and services out of Azure in a supportable and managed way.
  | Extend Windows Domain | Provide Domain Authentication to servers and services placed in Azure.
  | Application Migration | Applications and services hosted out of the Azure subscription. The decommissioning of on premise servers.
8 | Backup | The ability to cloud backup all back end services and remove the dependency on tape and off site storage solutions.


Kit list

The following kit list is based on a school of 1,000 students and 150 staff. Each member of staff has a dedicated workstation/laptop. This standard school has 10 servers and 350 school managed workstations over and above the staff devices.


The servers are:
▪ On Premise Hyper V host
▪ On Premise domain controller
▪ On Premise File Server (for large Media and IT)
▪ On Premise Operating System Deployment (Windows Deployment Server/Microsoft Deployment Toolkit)
▪ On Premise Print Server
▪ Azure IaaS Domain controller
▪ Azure IaaS Application Server x 3 (e.g. SIMS, registry, finance, HR)
▪ Azure IaaS SQL server

The school has 200GB of data in SQL databases and 2 TB of storage in the form of files and media.

Service | Delivered with | Price | Number | Total
On Premise Server | HPE ProLiant ML110 Generation9 (Gen9) or equivalent (776935-B21): 1 x 8 Core Proc (E5-2640v3), 32 GB RAM; 2 x SFF HDD (mirror for system and swap); 3 x SFF HDD (RAID 5 for VM disks) | £2,500 | 1 | £2,500
Server Operating System (Physical Server) | Windows Server 2012 R2 Standard | £35 | 2 | £70
On Premise Virtual Machines x 4 | License included in above | | |
Cloud Authentication and SSO (Staff) | EMS – Active Directory Premium (Staff) | £13.20 | 150 | £1,980
Email Mailbox (Staff) | Office 365 Education | Free | |
Office (Staff) | As above | Free | |
Cloud Storage (Staff) | As above | Free | |
Online Meetings (Staff) | As above | Free | |
Voicemail (Staff) | As above | Free | |
Telephony (Skype) | Delivered with E5 | £69.36 | 150 | £10,404
Cloud Authentication and SSO (Students) | Azure Active Directory Premium (Students) | £1.68 | 1,200 | £2,016
Email Mailbox (Students) | Office 365 Education | Free | |
Cloud Storage (Students) | As above | Free | |
Office (Students) | Office 365 Education E3 for Students | Free | |
Staff Device management and patching | Intune | Included with Staff licence of EMS | 150 |


Service | Delivered with | Price | Number | Total
Student device management and patching | Intune | Included with Staff licence of EMS | |
Wan connectivity | 100 MB/s Express Route | | | £744
Network | Azure VNet | | 1 | £180
Cloud Domain Controller | Azure A3 VM | | 1 | £840
Cloud SQL Server | Azure D4 VM with SQL Standard | | 1 | £2,802
Cloud Application Server 1 | Azure A3 VM | | 1 | £840
Cloud Application Server 2 | Azure A3 VM | | 1 | £840
Cloud Application Server 3 | Azure A3 VM | | 1 | £840
Cloud File Server | Azure A3 VM | | 1 | £840
Web Site | Azure Shared App Service D1 | | 1 | £72
Public DNS | Azure DNS (1 DNS Zone) | | 1 | £4
Backup | Azure Backup | | 10 instances | £660
Storage (VM, Data and Backup) | Azure Standard Storage | | 8TB | £1,440
High Performance Storage for SQL | Azure Premium Storage | | 1 P20 | £240
Application Publishing (Staff) | Azure RemoteApp | £96.72 | 150 | £14,520
Client OS (Staff) | Windows 10 Professional | | 150 |
Client OS (Student) | Windows 10 Professional | | 350 |


Resources & links

Office 365

Service Descriptions https://technet.microsoft.com/library/jj819284.aspx

Exchange Online https://products.office.com/en-gb/exchange/exchange-online

SharePoint Online https://products.office.com/en-us/sharepoint/sharepoint-online-collaboration-software

Skype For Business https://products.office.com/en-gb/skype-for-business/

Plans https://products.office.com/en-gb/academic/office-365-education-plan

Azure

Virtual Machines https://azure.microsoft.com/en-us/services/virtual-machines/

ExpressRoute https://azure.microsoft.com/en-us/services/expressroute/

Azure Active Directory https://azure.microsoft.com/en-us/services/active-directory/

Azure Storage https://azure.microsoft.com/en-us/services/storage/

Azure Backup https://azure.microsoft.com/en-us/services/backup/

Azure Site Recovery https://azure.microsoft.com/en-us/services/site-recovery/

Operational Insights https://azure.microsoft.com/en-us/services/log-analytics/

Intune https://www.microsoft.com/en-gb/server-cloud/products/microsoft-intune/overview.aspx

Power BI https://powerbi.microsoft.com/en-us/guided-learning/powerbi-learning-0-0-what-is-power-bi

Power BI samples https://powerbi.microsoft.com/en-us/documentation/powerbi-sample-datasets/


Glossary

EMS Enterprise Management Suite. A licensing model to get Azure Active Directory Premium, Intune, Azure Rights Management and Advanced Threat Analytics.

GPO Group Policy Object. An Active Directory function to enforce policy on users, end user devices and servers.

IaaS Infrastructure as a Service. The hosting of virtual machines and related components in a public cloud service.

IPSEC Internet Protocol Security. The security protocol used to encrypt traffic in Virtual Private Network connections.

MDM/MAM Mobile Device Management/Mobile Application Management. The tools required to enforce policy and deploy applications to end user devices

MDT Microsoft Deployment Toolkit.

Microsoft Azure Microsoft’s public IaaS and PaaS cloud service.

MPLS Multiprotocol Label Switching.

Office 365 Microsoft’s end user productivity cloud service.

On Premise A term used to describe the elements of the IT infrastructure not in the cloud.

Pedagogies The method and practice of teaching.

PaaS Platform as a Service. A ‘serverless’ presentation of functional IT.

Productivity tools Software used in the creation of work product. Often a combination of desktop based tools like a word processor and spreadsheet tool along with back end services like search and workflow automation.

Rich client experience A software client deployed directly onto the end user device. Often more feature rich than a web based counterpart.

SaaS Software as a Service. The presentation of a complete application hosted and maintained by a vendor.

SCCM System Center Configuration Manager. The component of the System Center tool suite used to manage devices and software.

SIP Session Initiation Protocol. Used to support the connection and transmission of multimedia communications.

UPN User Principal Name. An Active Directory attribute of a user object. Used to map on premise user accounts to accounts in Windows Azure Active Directory.

VLE Virtual Learning Environment.

WDS Windows Deployment Server. A Windows service used to provide a network based image deployment tool for deploying desktop operating systems.

Workload A term to describe an application and or service.

WSUS Windows Server Update Services. A tool to manage patching of desktop and server operating systems from a central management point.


Financials

We have modelled the financials for an ‘average’ school as a demonstration of the impact of adopting the blueprint. This model makes a number of assumptions and must only be used as a guide; we have tried as far as possible to match the cloud features with an enterprise grade on premise solution. The on premise solution we have costed is based on a school spend for this type of environment but may not be typical for all schools. It should be noted that the cloud enables the infrastructure to be fully up to date with the latest feature set without the need to upgrade. There are also features of the cloud platform which are impossible to replicate on premise for a school budget. Each school has a unique set of licensing and hardware requirements that may materially impact the comparative total cost of ownership of this solution.

The school in the model has 150 faculty staff, 50 support staff and 1200 students. The school has 350 student end point devices and is hosting services on a three node virtualisation cluster with a SAN and on site backup.

The model assumes the school refreshes back end hardware every 5 years with a single, budgeted CAPEX spend and also pays for the effort to deploy these services into the environment. Licensing costs for services that could be superseded by the blueprint are also included.

Current costs include the technician effort to maintain the hardware and server installations and the power and air conditioning costs of running a large on premise IT estate.

This school will spend around £250K over 5 years on maintaining this environment. The cloud blueprint can deliver these core features for under £200K, and at the end of year 5 the environment will be up to date due to the evergreen nature of cloud services.


This document was created by a joint venture between the Microsoft UK Education cloud team and Dot Net Solutions, a Microsoft Cloud Services Gold Partner.