Still Using Azure Cloud Services (Classic) ? #Azure #ARM #ASM #Cloud #EOL #ESLZ #CAF #WAF

Azure Cloud Services (Classic) was a platform-as-a-service (PaaS) offering from Microsoft Azure that allowed developers to deploy, manage, and scale web applications and services in the cloud. However, Microsoft has announced that Azure Cloud Services (Classic) will reach its end-of-life (EOL) on September 1, 2023. In this blog post, I will provide an overview of Azure Cloud Services (Classic) and explain how to migrate your existing cloud services to the new Azure Resource Manager model.

Azure Cloud Service is a bit like an OS that is EOL, it is still running so why touch it, Well In PaaS someone else makes that choice for you. Preventing you for running Old unsecure apps. A quick query showed me this.

In 2014, Microsoft launched infrastructure as a service (IaaS) on Azure Resource Manager. We’ve been enhancing capabilities ever since. Because Azure Resource Manager now has full IaaS capabilities and other advancements, Microsoft deprecated the management of IaaS virtual machines (VMs) through Azure Service Manager (ASM) on February 28, 2020. This functionality will be fully retired on September 1, 2023. #hardstop

Today, about 90 percent of the IaaS VMs are using Azure Resource Manager. If you use IaaS resources through ASM, start planning your migration now. Complete it by September 1, 2023, to take advantage of Azure Resource Manager.

VMs created using the classic deployment model will follow the Modern Lifecycle Policy for retirement.

But many vendors or apps are still using the old Azure Classic and I must say it is interesting to see what projects are all exposed to the web, a couple of query’s of some apps and some high traffic pages like Cumberland Farms | Convenience Stores and Gas ( anyone can reach out if they need help on migration(shameless plugging)

  • As of February 28, 2020, customers who didn’t utilize IaaS VMs through ASM in the month of February 2020 can no longer create VMs (classic).
  • On September 1, 2023, customers will no longer be able to start IaaS VMs by using ASM. Any that are still running or allocated will be stopped and deallocated.
  • On September 1, 2023, subscriptions that are not migrated to Azure Resource Manager will be informed regarding timelines for deleting any remaining VMs (classic).

This retirement does not affect the following Azure services and functionality:

  • Storage accounts not used by VMs (classic)
  • Virtual networks not used by VMs (classic)
  • Other classic resources

Reference list of Azure domains

So have a good look at your Azure Resources and IF you do use Azure Classic Take Action now!.

Migrate Azure Classic (ASM) To Azure ARM (Azure Resource Manager) Cloud be easy or not, there is no onesize fits all but below I do some basic steps that get you started.

Before starting the migration process, it is important to have the following prerequisites in place:

  1. An Azure subscription with permissions to create and manage resources.
  2. A basic understanding of Azure ARM templates and deployment processes.
  3. Familiarity with the Azure Portal and PowerShell.
  4. Existing Azure Cloud Services (Classic) deployed and running.
  5. Make sure your network is not Classic.
  6. Make sure your storage account is not Classic.

Step-by-step guide:

  1. Create a new Azure Resource Group to contain the resources that will be created during the migration process.
  2. Review the existing Azure Cloud Services (Classic) deployed to identify the resources needed for the migration process.
  3. Export the configuration of each existing Azure Cloud Service (Classic) by running the following command in PowerShell
  4. Get-AzVM –ResourceGroupName <Name> | Export-AzVM
  5. Modify the configuration of each exported VM to work with ARM by replacing the cloud service name with the new resource group name.
  6. Convert each of the exported VMs to ARM templates by running the following command in PowerShell
  7. ConvertTo-AzureRMVMResource –ResourceId <Cloud Service Resource ID> –OutputFolder <Output Folder>
  8. Create a new ARM template to describe the new environment, including the new resource group, virtual network, and storage account.
  9. Modify the ARM template to include the exported VMs and the required configuration for each VM.
  10. Deploy the ARM template to create the new environment and VMs.
  11. Test the new environment to ensure that all VMs are running and that the application is working correctly.
  12. Redirect traffic from the old Azure Cloud Service (Classic) to the new ARM environment by updating the DNS configuration.
  13. Decommission the old Azure Cloud Service (Classic) and associated resources.


The Sample above shows some old AzureRM commands and are replaced by AZ commands. This shows also the methods as not only the Azure portal as resources but also the PowerShell modules needs to be updated!! Migrating from Azure Cloud Services (Classic) to Azure ARM can be a complex process, but it is essential for organizations to take advantage of the latest features and benefits of the Azure platform. By following the (sample) step-by-step guide outlined above, organizations can migrate their existing Azure Cloud Services (Classic) to the new ARM environment, ensuring that their applications and services continue to run smoothly and efficiently.

Also when migration Take a good look at your Azure Foundation does it still Fit is the Governance conform WAF / CAF Enterprise-Scale

Hope it was helpfull thanks for visiting my blog.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Http://

Azure a custom number of vCPUs use Virtual machines selector #Azure #MVPBuzz #Scale #Compute

Some database workloads like SQL Server require high memory, storage, and I/O bandwidth, but not a high number of cores. Many database workloads are not CPU-intensive. Azure offers pre-defined VM sizes with lower vCPU count which can help to reduce the cost of software licensing, while maintaining the same memory, storage, and I/O bandwidth.

The available vCPU count can be reduced to one half or one quarter of the original VM specification. These new VM sizes have a suffix that specifies the number of available vCPUs to make them easier for you to identify. There are no additional cores available that can be used by the VM.

For example, the Standard_E32s_v5 VM size comes with 32 vCPUs, 256 GiB RAM, 32 disks, and 80,000 IOPs or 2 GB/s of I/O bandwidth. The pre-defined Standard_E32-16s_v5 and Standard_E32-8s_v5 VM sizes comes with 16 and 8 active vCPUs respectively, while maintaining the memory, storage, and I/O bandwidth specifications of the Standard_E32s_v5.

The licensing fees charged for SQL Server are based on the avaialble vCPU count. Third party products should count the available vCPU which represents the max to be used and licensed. This results in a 50% to 75% increase in the ratio of the VM specs to available (billable) vCPUs. At this time, the VM pricing, which includes OS licensing, remains the same as the original size. 

Configure a custom number of vCPUs to reduce the number of vCPUs that are available to the virtual machine. This can help you save on vCPU software-based licensing costs. This may have performance and cost implications.

Try the Virtual machine selector to get the right Virtual machine. there are many option to pick the right VM size, at the end the main thing is you application needs to run optimal, and yes the finance department want to have minimal costs. finding the sweet spot is not always easy, do not start with a B type SKU as these are limited in CPU this is perfect if you already know it doesn’t need 90% CPU all the time.

There are many Azure sku types and all based on ACU keep a close look on ACU and cost vs performance, lower vm cost does not mean lower operation costs. try to install a large package on a B SKU and on a Standard_E2bds_v5 and size back if you can. Learn more about how Azure compute units (ACU) can help you compare compute performance across Azure SKUs.

See the link below for more about VM sizes

Microsoft Ignite 2022

As always you are waiting for some good events and #MSIgnite is a great event, this year 2022 is was hybrid, for me to limited to join in person, but as always great content is announced.

Special this year was I joined the Learn Live and I did a Session with Tomasso Groenendijk follow him on Twitter @tlagroenendijk

The session was about Design Azure Site Recovery, basic this is just the learn module from the microsoft learn But we made it a bit more interactive and added some real live experience in it. A big thanks To the Viewers as it was late and not a real topic that has many interests. So thanks and thanks for the rating and comments.

There is an on-demand option so you can watch it again or just leave me a note on twitter / linkedin or blog if you have a question.

Learn Live: Design your site recovery solution in Azure

Start with Cloud Adoption Framework enterprise-scale landing zones #CAF #Azure #Cloud #MVPBuzz

The Cloud Adoption Framework for Azure enterprise-scale landing zone architecture varies between customers. So there is no one size fits all but there is a lot in common that can be reused next time.

Often I hear Azure Enterprise-scale is not for me it is enterprise. Wrong anyone can use the CAF and Azure Enterprise-scale. as it is modular by design. But if you have just 1 VM there is still some usage that you could use say the management groups or monitoring ,RBAC.

Source :

The enterprise-scale approach to construct landing zones includes three sets of assets to support cloud teams:

  • Design guidelines: Guide to the critical decisions that drive the design of the Cloud Adoption Framework for Azure enterprise-scale landing zone.
  • Architecture: Conceptual reference architecture that demonstrates design areas and best practices.
  • Implementations: Azure Resource Manager template of the architecture to accelerate adoption.

But how do we start with this what to build Well Microsoft made this easy there is a accelerator that I will explain below.

With this solution accelerator you can setup the foundation in one process.

Often there is this error showing even if you are an Azure subscription owner

You don’t have authorization to perform action ‘Microsoft.Resources/deployments/validate/action’.

This can be fixed by adding the user account to the Owner role at Tenant root scope. This can only be done with powershell assign Owner role at Tenant root scope (“/”) as a User Access Administrator to current user
New-AzRoleAssignment -Scope ‘/’ -RoleDefinitionName ‘Owner’ -ObjectId “user objectID”

go to the user and grab the object ID

Now that everything is ready we can start.

Choose where the instance needs to land, pick the proper region for your azure resources. If your default is west europe then choose west europe here

As I did not want to deploy it in a dedicated subscription, I’ll pick my own. the prefix for the management groups is based on the text that is visible later.

The management groups holds the subscriptions and policys can be placed on the management groups.

Here are the options for the log analytics and the policys. to keep a good governance you need logging and policy’s in the Azure Microsoft defender for cloud you can see later the policys and the secure score.

At this time I don’t want to use the devops pipeline. but it is a great add on and you can start from there with the pipeline deployment

Now you need to choose the deployment go for a hub spoke or Azure virtual wan. Depending on your needs, personally I’m a big fan of Azure virtual wan so I’ll choose this. As optional resources can be added as:

  • DDoS Protection Standard
  • Azure Private DNS Zones for Azure PaaS services
  • VPN and ExpressRoute Gateways
  • Azure Firewall

With these options you may need to choose the right sku and a proper subnet and or zone redundancy.

I choose the standard sku, this is without the IDS and TLS inspection, best option is choose premium.

Always use a NSG on your network, never never never add a vm direct to the web.

In the Enterprise-scale it is best practice to use multiple subscriptions, see also the enterprise-scale layout

Now that the deployment is ready we can view de Azure virtual wan with the firewall.

The deployment of the resources are easy to find as the prefix is used on all the resources

Looking at the log analytics and de policys, always check this. maybe you need to adjust the workload and or add extra settings on the workload the make things compliant.

Overall the template is a great starter, and yes you need to configure a lot more than just the foundation, but this gives you a good understanding on what is needed and what to connect and play with the resources.

Go here for the github template of the enterprise scale

Look on my blog for how to configure the VPN and Azure firewall.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Upgrade – Install System Center Virtual Machine Manager 2022 #SCVMM #Azure #Hybrid #AzureArc #AzOps #Sysctr

System Center – Virtual Machine Manager (VMM) Is there for a long time, many used this as the primary tool for managing the virtual and physical environment, but now days Cloud is playing more and more a big role in the infrastructure, Tools are also switching with Azure Arc or with Windows Admin center you have some powerfull tools that can mange the infrastructure.

Hybrid management with Azure

Efficiently managing IT resources that are sprawled across various locations without slowing down developer innovation is a key challenge that IT leaders face today. Azure Arc enables you to seamlessly govern, manage, and secure Windows and Linux servers, Kubernetes clusters, and applications across on-premises, multiple clouds, and the edge from a single control plane.

I must say I see less and less Vmware and VMM as I move them all to Azure. but in the meantime many of you will still using this so here is a little guide on how to upgrade from VMM 2019 to VMM 2022.

Get started with System Center 2022

Make sure the following steps are taken, else you will see some errors, I tried to simulate that so that you can see the expected error message.

  1. Complete any jobs that are currently running in VMM. note that the jobs history is deleted during the upgrade.
  2. Close any connections to the VMM management server, including the VMM console and the VMM command shell.
  3. Close any other programs that are running on the VMM management server.
  4. Ensure that there are no pending restarts on VMM servers.
  5. Perform a full backup of the VMM database.
  6. If the current SQL Server database used Always On availability groups:
    • If the VMM database is included in the availability group, remove it in SQL Server Management Studio.
    • Initiate a failover to the computer that is running SQL Server, on which the VMM database is installed.
  7. If you’re running Operations Manager with VMM, disconnect the connection between VMM and Operations Manager server.

Uninstall the System Center VMM

  1. Go to Control Panel > Programs > Program and Features, select Virtual Machine Manager and click Uninstall.
  2. On the Uninstall wizard, select Remove Features, select both VMM management Server and VMM Console under the features to remove.
  3. On database options page, select Retain database.
  4. Review the summary and click Uninstall.

Remember if you have multiple consoles you need to upgrade these also.

Now that VMM is uninstalled we can proceed. Make sure the check box is checked RETAIN Database

Now we can start the setup again.

We do a full install Console and Management server.

As my VMM server was based on windows server 2016 see the netbios name, I upgraded the server to Windows server 2022 and with the SQL server 2019.

When selecting the Database make sure you use the correct name, If you don’t know the name you can see the name in de SQL server, the wrong Database name gives you the above error.

With the correct Database name.

The next step is upgrade the Database and install VMM

make sure you use the same library name as before.

make sure you take the upgrade steps that are needed in the article when needed.

Now that the VMM server is up and running we can use VMM again and the Database and the configuration is as before.

Hope it was helpfull thanks for visiting my blog.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Http://

Backup Azure Firewall with virtual wan #Azure #SDWAN #Backup #Runbook

Azure Backup can’t backup the Azure firewall directly additional steps need to be done before you can backup the Firewall rules. If you create all the rules with PowerShell or an ARM / bicep template then it is easy to add all the rules again, but often in time manual rules are changed or added. There for a good backup is needed of the rules to make sure the latest setup is been backuped.

Azure Firewall is a managed stateful network security service

Organizations can leverage Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.

Details about the Azure firewall can be found here on the microsoft doc site Azure Firewall documentation | Microsoft Docs

A setup in my testlab with some rules and keep in mind the current runbook works only if the Firewall , policys, and the storage account is in the same resource group. In this blog post I may use different naming across the screenshots, it is the method that you need and the things that can go wrong.


  • Automation account
  • Storage Account
  • Runbook

Overview of my demo lab empty shell with rules.

When you are in need to get quickly all the firewall rules and settings you can export the template in the policy manager. as below on my policy’s for the Azure Virtual Machines

Manual is the quick and easy when we want to do this automatically we need an automation account and some runbook that will create a full backup on a storage account, and the storage account can be backup-ed with Azure backup

First we need to setup an Automation Account

Now that the Automation Account is created we can configure it to our needs.

Go to the Automation account and in the Settings blade, under Account settings, create a “Run As” account. This provide the service principal access that will be used to auto-login.

adding the run-as account

This provide the service principal access that will be used to auto-login into the runbook.

The runbook is a PowerShell module and we need to confirm that we have access to network and resources modules. It is important to check if the AZ modules are there else the PowerShell script won’t run. But all you need is already available

The modules that we need are Az.Account, Az.Network, Az.Resources

As you can see all the Az modules are there with the +model from the menu you can add your own modules that you may need.

When running the PowerShell script it needs a storage location, A storage account will be used as storage, keep in mind that the storage account needs to be globally unique It can be also on a storage account that you already have for backup or management then that account can be used.

Create a blob storage account.

This can be done with PowerShell or manual

#Create new RG for the firewall backup

  • $location=”west europe”
  • $ResourceGroupName=”name”

#Create new RG for the firewall backup
New-AzResourceGroup -Name $ResourceGroupName -Location $Location

#Create new Storage account for the firewall backup
New-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $saname
-Location $location -SkuName Standard_LRS
-Kind BlobStorage

Now we save the account name and storagekey and we create a blobcontainer

Press on show keys to make the key visible

Now that the blob is created we create a folder in the blob, you can also do this in the runbook

Now that the Storage account is created we go back to our automation account created earlier and create a runbook, this runbook is used for backup all the firewall rules to the storage account.

create a runbook

just give it a name and choose powershell 5

We are using the Runbook that is on the github page

Select the just created runbook and copy the text into the runbook section Firewall/Runbook – Back Up Azure Firewall/Runbook.txt

Into the new created runbook and click save.

We need to test the runbook to see if it works.

Here we use the created resource group and storage account that we have created for this. you can also make this fixed in the runbook but this is better and also very handy if you want to backup more firewall policy’s

In my case I played to much, if if the folder already exist you will see an error in the test. Also I like to show what kind of errors you could get.

Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...
Container 'firewallbackup' already exists
Starting Azure Firewall current configuration export in json...
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup1' blob container space for storage...

CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission         : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess       : Off
LastModified       : 2/8/2022 11:33:12 AM +00:00
ContinuationToken  : 
Context            : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name               : firewallbackup1
Container 'firewallbackup1' created
Starting Azure Firewall current configuration export in json...

Second error that could be there

The running command stopped because the preference variable “ErrorActionPreference” or common parameter is set to Stop: The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 – HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

you probably need to change the storage key that is used, or change the access to that storage account .

But when it all run’s

Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...

CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission         : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess       : Off
LastModified       : 2/8/2022 1:05:04 PM +00:00
ContinuationToken  : 
Context            : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name               : firewallbackup
Container 'firewallbackup' created
Starting Azure Firewall current configuration export in json...

Submitting request to dump Azure Firewall configuration
Removing backups older than '7' days from blob: 'firewallbackup'
Azure Firewall current configuration back up completed.

Now that the testing is complete and working we can publish the runbook

Remember if you don’t publish the runbook it won’t work.

As you run the test runbook it will keep asking would you like to save etc when you want to switch to the schedule blade. just say no save. Our final step is to schedule the backup of the firewall

Create the schedule and the retention time

We create a new schedule

Noe we need to fill in all the parameters just as in the test


if you want to turn this off just click on the line on

Looking into the storage blob we see all the json files

With this json file you can redeploy the firewall rules or use it for a new deployment with a different name.

Hope it was helpfull thanks for visiting my blog.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Http://

How to Create a Windows server 2022 SOFS Cluster on a VM #sofs #ws2022 #winserv #hyperv #Azure #Windows11 #WiMVP

Building a test lab is always depending on the resource you have. Building a Lab in Azure is giving you unlimited resources and the method on building this on your own laptop. I will use the GUI as much as possible else with a powershell script there is no fun in writing the blog. I’ll use a Windows 11 OS for this blog.

For now this blog will demonstrate how to create a scale out fileserver on a windows server 2022 platform.

First we have two domain member servers ws2022 01 / 02 .

Installing the Cluster Roles on the server with powershell or the GUI

Get-WindowsFeature Failover-Clustering
install-WindowsFeature “FS-FileServer”,”Failover-Clustering”,”RSAT-Clustering” -IncludeAllSubFeature -IncludeManagementTools -ComputerName “ws2022-01.mvp.local”,”ws2022-02.mvp.local”
#Create cluster validation report
Test-Cluster -Node ws2022-01,ws2022-02
Start-sleep 8
New-Cluster -Name ws2022CL01 -Node ws2022-01,ws2022-02 -NoStorage -StaticAddress “”

Remember installing the fileserver may take a reboot, you can also do this at a later stage to avoid the extra reboot.

Now that the cluster is created we configure the cluster, Quorum and add storage to the Cluster.

Here is the difference between the local setup and an Azure setup or running on windows 11. Personally I run Windows server as desktop.

Adding storage to the VM is done in the hyper-v manager. If you run Server! If you run Windows 10 or 11 you will face the issue explained below

Make sure you use scsi disk and shared disks else the disks are unusable for the SOFS file cluster. First option is create 3 shared disks

Make sure you using a shared location to store the vhd files.

When using Windows server you can bypass the share location by using a filterdriver fltMC.exe attach svhdxflt I:\ this is not working on windows 11 it is part of the Failover Clustering feature and will only work on Windows Server!

fltmc.exe attach svhdxflt C:\

Attach failed with error: 0x801f0013
The system could not find the filter specified.

To by pass this you can use ISCSI on the VM’s and this can also work perfectly on Azure. As it is a test lab the performance maybe a bit less of the iscsi connection, but works just as good.

So for the shared disk I create 3 iscsi targets each disk is mounted to both VM’s with the build in iscsi initiator. make sure the disks are not formatted and online.

Checking our just created Cluster on ws2022, and make sure it you work on node 1 all the resources are also available on node 1 , not that the disks are sitting on node 2. you could also pause node 2 that way you make sure there are no resources running on that node.

Add disk if you want a normal file server, but we are building a SOFS with CA storage, as I don’t want to wait if the disk is failing over. as a file server is way different that a SOFS!

In this case we want to build a scale out file server so we are not adding the disk here but we going create a disk pool.

A new pool is created , next step is a virtual disk and a volume

When there are no disk available the cluster is not visible here.

a minimum of 3 disks are needed, and in you test lab it can be any size but bigger that 16Gb

creating the pool,

now that the pool is created, we create the disk

The new disk is created in the next step new virtual disk

as we only have 3 disks and two nodes we have limited of configuration options.

I go for a Mirror as this will max my performance, the more disk you have the more performance you will get and different type of disk can also give caching if needed, with modern hardware Gb/s speed is easy done.

I choose here 50Gb but it all depends on the need and disk size you have. I have 1,49TB but i want to create more disk later so i need some space. and I have zero workload here.

When completed we have a virtual disk and just need to create a volume. I did uncheck the box as adding the volume on a different method, same result but just showing you that the cluster is interacting with the file server components.

When created there is a checkbox checked for the blog I unchecked this. Now I have created a Pool With a disk and our last step is creating a volume on that vdisk.

Now that the pool,disk,volume is created we can create the SOFS, must say the SOFS can be created first and add the disk later. but I like to do this this way.

Create the Scale out file server

Make sure you choose Scale out file server, the default is file server.

This will also be your netbios name. Can be changed but better use the correct name. It will be a Distributed network name.

As our final step we add the file share and this share is on top of our CSV volume that we created on the disk pool.

Add a fileshare

Just pick quick

Make sure the disk is also on your connected node, if not then you will not see the cluster storage

Create a share name.

Make sure the checkbox is set on Continuous Availability

Make sure you set the access rights conform your needs.

Make sure you set the permissions right on the file share. and grant the cluster node access to the share.

Then there comes the fun part testing performance

As you can see there is a nice performance on my test lab machine on a 1 core VM.

See good perfromance on just to see how things are working or giving a good demo

Hope it was helpfull thanks for visiting my blog.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Http://

Free eBook – A SysAdmin’s Guide to Azure IaaS – Second Edition. #Altaro #Sysadmin #IaaS 

Free eBook – A SysAdmin’s Guide to Azure IaaS – Second Edition.

With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do

With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do you make the leap while maintaining security, manageability, and cost-control?

Whether you’re making new VMs directly in the cloud, have VMs in your own datacenter and are looking to migrate to Azure, or you’re looking to manage VMs with cloud-based tools regardless of where they live, The SysAdmin Guide to Azure Infrastructure as a Service (Iaas) will teach you to set up and maintain a high-performing Azure IaaS environment. 

Written by veteran IT consultant and trainer Paul Schnackenburg, Altaro’s free 100+ page second edition eBook covers how to create VMs, size them correctly, and manage storage, networking, and security, along with backup. You’ll also learn how to operate groups of VMs, deploy resources based on templates, manage security, and automate your infrastructure. There are also two new chapters on Automanage and Azure Arc to help you bring a lot of automation to IaaS, all lessening the burden on your time.

One thing that has changed significantly over the past couple of years is the shift towards making IaaS VMs more like PaaS services. VMs are great but they require a lot of maintenance and care, whereas all the business is really interested in are the applications and data that run inside of them. This explains the popularity of PaaS services such as managed Kubernetes (AKS) and Azure Functions (serverless).

If you’re new to the cloud (or have experience with Amazon Web Services and/or Google Cloud Platform but not Azure) this eBook will cover the basics as well as advanced skills. And given how fast things change in the cloud, it covers the why (as well as the how) so that as features and interfaces are updated, you’ll know how to proceed.

Make the cloud work for you – download your free copy today!

How to use Azure proximity placement groups #Azure #SAP #Latency

When moving to Azure or building new infrastructure workloads latency is important and where do I find the numbers of how do I configure it for the best and what is the difference between Azure Availability groups or Azure Availability zones or do I need Azure Site Recovery. Well as a Consultant IT depends.

Availability Sets

Availability Sets takes the virtual machine and configures multiple copies of it.  Each copy is isolated within a separate physical server, compute rack, storage units and network switches within a single datacentre within an Azure Region.

When you create your virtual machine you can specify the Availability Set, you can’t change it or move it in or out of an Availability Set after creation.  If you wanted to make changes you would need to start again and recreate the virtual machine.  Availability Sets only apply to virtual machines, they can’t be used for any other type of resource within Azure. So Local Datacenter redundancy.

Availability Zone

The next level of availability for your virtual machines within Azure is Availability Zones.  With Availability Zones utilized your acceptable downtime a month moves to less than 5 minutes as you’ve got a 99.99% SLA.With Availability Zones you are starting to use zone aware services. Your workload will be spread out across the different zones that make up an Azure region.  An Azure region is made up of multiple datacenters and each zone is made up of one or more datacenters.  Each datacenter is equipped with independent power, cooling and networking.

thumbnail image 1 captioned Availability Zone

You Can imaging when using this there could be some extra latency between the VM’s it all depends on the zone where you are deploying this but that can be tested .

In many Azure regions, the number of datacenters has grown. Azure datacenter latency could be tested here.

In the next setup I use a Azure VM both in west europe and we test the latency in the same region between vm’s. The tool I use is Latte

On the Server sender we placed the remote receiver IP

Here on the receiver we use the local vm IP and after the test the latency is shown. this is a common setup. If we want to improve this or to make sure that these numbers are not getting worse we need to change the setup.

516 Latency(usec)

When running SAP latency is important, Azure has an option that is called Proximity placement groups. An Azure proximity placement group is a logical construct. When a proximity placement group is defined, it’s bound to an Azure region and an Azure resource group.

A single Azure resource group can have multiple proximity placement groups assigned to it. But a proximity placement group can be assigned to only one Azure resource group.

Proximity placement groups offer co-location in the same data center. However, because proximity placement groups represent an additional deployment constraint, allocation failures can occur (for example, you may not be able to place your Azure Virtual Machines in the same proximity placement group.)

When you ask for the first virtual machine in the proximity placement group, the data center is automatically selected. In some cases, a second request for a different virtual machine SKU may fail since it does not exist in the data center already selected. In this case, an OverconstrainedAllocationRequest error will be returned. To troubleshoot, please check to see which virtual machines are available in the chosen region or zone using the Azure portal or APIs. If all of the desired SKUs are available, try changing the order in which you deploy them.

In the case of elastic deployments, which scale out, having a proximity placement group constraint on your deployment may result in a failure to satisfy the request.

Graphic for proximity placement groups

If you want to use availability zones together with placement groups, you need to make sure that the VMs in the placement group are also all in the same availability zone.

In this sample we gona make an Azure proximity placement group and place Two VM’s in it As an sample I also use a Azure Virtual desktop machine

How to create an Azure proximity placement group, In the azure portal type proxi and the Azure proximity placement group are there.

Select Create , add resource group and pick a name that fits your name convention

Add some tags and that is all or do this in powershell

$resourceGroup = "rg-proxim-demo-weu-01"
$location = "West Europe"
$ppgName = "ppg-avd-sap-01"
New-AzResourceGroup -Name $resourceGroup -Location $location
$ppg = New-AzProximityPlacementGroup `
   -Location $location `
   -Name $ppgName `
   -ResourceGroupName $resourceGroup `
   -ProximityPlacementGroupType Standard

Adding a VM to the new created Azure proximity placement group is selecting the configuration of the VM and add it to the VM. In my case I have an availability set added to my VM. So I must upgrade the entire Availability set to add the Azure proximity placement group

Now that we added the Azure proximity placement group to the VM we need to run the same test again.

Both machines are already in the same availability set that is now added with the Azure proximity placement group

testing from outside the avail from a B2 vm to a D2v3 sku

running this on a d4ds_4 as this is in the av set I need to choose what is in the limit of this set so bound to the VM sku

as you can see it really depends vm sku type what kind of latency you will get but basically it is lower when you are using Azure proximity placement groups

Interesting to see in the PowerShell commands from the Azure proximity placement groups there is also an ultra section, this is currently in preview but can give you even better results but keep in mind you can’t fix it with just one setting check your chain and fix that instead of fixing just one link.


Specifies the type of the proximity placement group. Possible values are: Standard or Ultra

$resourceGroup = “rg-proxim-demo-weu-02”
$location = “West Europe”
$ppgName = “ppg-avd-sapultra-02”
New-AzResourceGroup -Name $resourceGroup -Location $location
$ppg = New-AzProximityPlacementGroup -Location $location
-Name $ppgName -ResourceGroupName $resourceGroup
-ProximityPlacementGroupType Ultra

New-AzProximityPlacementGroup: The subscription is not registered for private preview of Ultra Proximity Placement Groups.

Think I need to do some research for this to add my subscription to this preview. Hope it was helpfull thanks for visiting my blog.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Http://

#Free #eBook – How to Get the Most Out of Windows Admin Center #Altaro #WAC #Hybrid

Free eBook – How to Get the Most Out of Windows Admin Center – Second Edition.

If you have experience with the Windows Admin Center, you might already have deduced it is a powerhouse of functionality making light of important server management tasks. If you’re just adding it to your system administrator toolbox, welcome to the wonder of Windows Admin Center!

With so much functionality, figuring out where to focus is key. Whether you’re just setting out with Windows Admin Center or wanting to realize its full potential, start with Altaro’s free 160+ page second edition eBook, How To Get The Most Of The Windows Admin Center.  

Written by Microsoft Cloud & Datacenter Management MVP Eric Siron, it covers the latest developments like the Control Azure Stack HCI, use of WinRM over HTTPs and integration with Azure Monitor, amongst others. It’s a comprehensive guide on everything from installation methods and security considerations to integrating Windows Admin Center into an existing environment. There is even a brief history lesson along with a comparison to alternatives so you should get a solid overview of Windows Admin Center, why chose it and how to work with it.  

An all-new server management experience when it was introduced, Windows Admin Center modernized administrative activities with a centralized HTML 5 web application. Just add servers, clusters, desktops, and Azure virtual machines into a personalized, persistent interface, and manage their roles, features, software, registry, PKI certificates, and more. And with Microsoft’s latest investment into the Windows Admin Center and new functionality, there is now even more server management power to work with.

Learn to simplify and optimize your server management tasks – Download your free eBook now!

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Http://

Problems on Joining Windows Server 2022 to a domain controller forest functional level is not supported #winserv #AD #Azure

This is the first post in the new layout, personally I think I will change it again as the text frame is to small, but let me know your thoughts

When migration machines to Azure or to a different OS You will often face all kinds of errors and issues. that you think why and that is an old message and didn’t I do this already. Well In the AD there is also dfsrmig.exe yes the DFS migration tool in the old days you had only FRS for the sysvol folder replication. But If you have still a FRS than you can’t join a Windows server 2022 domain controller. In the following steps I’ll show you how to do this. I had to build a server 2003 domain again(painfull)


Joining a Windows server domain controller to a old 2000 domain it will fail.


Windows functional level and domain level are on windows 2000.  We need to raise the DFL and the FFL .

Going to the new ADPrep and it fill be fixed, as I had a greenfield AD site some items maybe different in the production site.



Now that the DFL is 2008 we can go the the next phase.



Windows Server 2003 and 2003 R2 uses File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers. But Windows server 2008 and later are using Distributed File System (DFS) for the replication.  DFS is better than FRS.

The dfsrmig.exe tool is supported only on domain controllers which are running in the Windows Server 2008 domain functional level DFL. This is because SYSVOL migration from FRS replication to the DFS Replication service is possible only on domain controllers running in the Windows Server 2008 domain functional level.


In the overview you can see all the options that can be used in the dfsrmig tool.


dfsrmig.exe /GetGlobalState


Now we can see the levels of the domain, and we raise the level , keep in mind a reboot is needed it is not mentioned but you need a reboot of the domain controllers.


PS C:\Users\Administrator> dfsrmig.exe /GetGlobalState

Running the tool will give you the required information

The current domain functional level is not at least Windows Server 2008.
DFSRMig is only supported on at least Windows Server 2008 level domains.
PS C:\Users\Administrator> dfsrmig.exe /GetGlobalState

DFSR migration has not yet initialized. To start migration please
set global state to desired value.PS C:\Users\Administrator>

Global Migration States


‘START’ state


‘PREPARED’ state





In the 4 steps we gona transfer the FRS in DFS

dfsrmig.exe /setGlobalState 1


dfsrmig /getmigrationstate


When it is ready, we can check and go to the next step.


dfsrmig /setglobalstate 2


Type dfsrmig /getmigrationstate to confirm all domain controllers have reached redirected state. every step can be checked with the /getmigration state.



We can set the next step 3 dfsrmig /setglobalstate 3


After these steps we can check if all domain controllers are changed, remember this can take some time when you have multiple domain controllers and long replication schedules.

Checking the migration state is the best way to see if it has finished. dfsrmig /getmigrationstate to confirm all domain controllers have reached eliminated stateimage

Checking the proper state can be done with the sysvol share. This completes the migration.image

imageHere are the before and after status.


Also make sure in each domain controller FRS service is stopped and disabled.

Now it should all be good


Now the domain join should work.image

Got another error warning.

Verification of replica failed. The forest functional level is not supported

Let me get the Ad info get-adforestimage

As you can see the forest mode is still windows2000forest so we need to raise this. In domain and trust we can set this.

image image

Now that everything is fixed we can add a new Windows server 2022 domain controller to the existing domain. 


Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Http://

Website maintenance

During some events on the blog I need to redo some work. in the next x time this will be fixed.

Little update here, seems my WordPress theme was no longer supported, good time to start with a fresh setup. Still struggling on what to place or not.

let me know if you have suggestions if you find links that are not working place it in the comment and I will try to fix them as quick as I can.

During the website work I’ll point you out to my sponsors check out the products from Altato and

This SysAdmin Day, WIN with Hornet security

For SysAdmin Day  we launched an interesting contest that might interest your audience.

To participate one must sign up for a 30-day free sign up for free to 365 Threat Monitor and set up an account! 

What they can win?

  • Receive a guaranteed €20 Amazon voucher when they sign.
  • Get a chance to WIN one of our Grand Prizes.

If you are seeking a monitoring solution take a look at NiCE

Complex Environments Made Transparent

Intelligent monitoring, data correlation and visualization help you understand the status of any given system at any given point in time.

NiCE Monitoring Solutions enable pinpoint availability, performance and User Experience optimization for better business outcomes. They integrate into Micro Focus OBM, Microsoft SCOM and Microsoft Azure.

Vaak krijg je wel eens de vraag wat doe jij van werk, Oh IT… dus iets met computers eh.. ja maar IT is meer dan capslock uit zetten. #TrotsopIT #patching #MVPBuzz #security #cloudrocks

Soms start je de dag net als alle andere dagen, rustig met een bakkie koffie en je wandelt rusting naar kantoor, ploft neer aan je desk, klop je aan in je mail approved je sign (fido2) en doet je dingetje


Vaak krijg je wel eens de vraag wat doe jij van werk, Oh IT… dus iets met computers eh.. ja maar IT is meer dan capslock uit zetten zo dat jou password weer werkt. Er is een groep die een kei is in het opsporen en misbruiken van de kleine dingetjes die oh ja doe ik morgen wel en worden de volgende dag vergeten, en 4 jaar later druk er iemand op de knop, en de telefoon gaat je kan niet meer aan melden ? hoe zo weer je password vergeten. pfff capslock ?


Mmm ik ook niet reboot dan maar, niks, password reset, niks ondertussen zie je wel dat het data verkeer de afgelopen 5 dagen enorm is toegenomen, zie ook meldingen van c2wasb4m.dll , service accounts die gebruikt worden als login, kortom de omgeving wordt voor jou gepatched en geupdate met de laatste technologie, gelukkig heb je alle picobello in orde en is er niks aan de hand toch, eh virus scanner, updates,os versie, security, domain admin als service account, hardening van servers die direct aan het internet hangen, RDP poort gesloten etc. Er zijn van die dagen dan stap je weer in zo’n museum en het voelt als of je in ene aflevering zit van de gevaarlijkste wegen van de wereld. Er komt maar 1 ding in mij op Hoe dan ?


We gaan de noodrem gebruiken en gaan hunten, wat natuurlijk super cool is om te kijken hoe het zo mis is gegaan dat niks meer werkt. De een zijn D. de ander zijn brood zeg ik maar.En ja IT kost bakken met geld en waar 10 ITers zijn, zijn 11 oplossingen, Waarom is de email spam nog nooit gestopt ? , Oldtimers zijn mooi echter die moet je alleen op zondag gebruiken en niet meer dagelijks in de productie, dat is vragen om problemen, ja is snap dat piet al met pensioen is en zijn access app zo mooi werkt en allemaal ingewikkelde dingen doet waar niemand meer iets van af weet. Wat kost het als het hele bedrijf plat ligt door deze app ? wat kost een nieuwe app ? Denk niet dat je met een nieuwe app failliet gaat..lig je 2 weken stil als bedrijf wat zijn dan de kosten ?

Kijk een goed naar je omgeving en ontdek de weakspots en los het op, gebruik MFA/Fido2, gebruik een supported OS en zorg er voor dat je in control bent en nee de Cloud is niet gevaarlijk maar is wel toegankelijk voor iedereen net als jou eigen datacenter als de deur openstaat. De cloud is een bak met oneindig veel resources en je kan er super snel zaken mee testen en laten zien dat jou concept werkt en kosten kan besparen -pay per use- maar een 15 jaar oude app beschikbaar stellen aan de hele wereld is geen goed idee immers niet iedereen houdt van oldtimers, er zijn ook mensen die van schroot houden.


IT is zo veel meer dan "iets in computers" het is een super gevaarlijke baan, en het klagen en trage systemen nee het is echt geen pretje echt afzien als je "iets in computers" doet.


Het is toch super gaaf als je dagelijks met de nieuwste technologie kan werken en kan laten zien dat het ook anders kan, anderen kan helpen waar het totaal is mis gegaan of gewoon iemand uit de Community helpen met zijn vraagstuk #TrotsopIT zelfs in de cloud wordt de dag niet langer en dat is wel jammer.

Zorg er wel voor dat alles goed op slot zit en dat je niet in een museum zit, tenzij het een showcase is.




Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Http://

Hornet Security – FREE Webinar – What’s New in Windows Server 2022 #altaro #winserv #Windows

What’s New in Windows Server 2022

Every three years Windows unveils a new version of its massively widespread OS, Windows Server. But this time it feels different.

The rollout of Windows Server 2022 has felt strangely subdued compared to past iterations and it seems that this is part of Microsoft’s larger strategy to push admins towards a more cloud-hosted future. So, what does this mean for the future of system admins? How will your daily operations change because of this strategy shift?

Get the full lowdown on Windows Server 2022 and its implications for IT admins from expert Microsoft MVPs Andy Syrewicze and Paul Schnackenburg in this unmissable upcoming webinar from Altaro/Hornetsecurity on 13 October.


They will explain the full new feature set, security enhancements, editions and license comparisons, where Hyper-V Server has gone, where Azure Stack HCI fits into this discussion, and more!

The presenters will also be answering all your burning Windows Server 2022 questions so come prepared and make the most out of this event to prepare your organization for the next generation of IT workloads!

Save your seat now!

This Holiday Season, win with Hornetsecurity! #Hornetsecurity #M365 #win #Holiday

This Holiday Season, win with Hornetsecurity!

‘Tis the season to be caring – for your loved ones, for each other, and yes, even for your data and mailboxes. If you’re a Microsoft 365 administrator, celebrate with us. All you have to do is sign up for free to 365 Threat Monitor and set up your account!

How does it work?

  • Sign up to 365 Threat Monitor
  • Receive a guaranteed $10 Amazon voucher and a chance to win one of the Grand Prizes!
  • For every valid entry, we’ll make a $10 donation to One Laptop per Child

What are you waiting for? Sign up now!