Author Archive

Step By Step Troubleshooting Azure Arc-enabled servers with agent connection issues #Windows #WindowsServer #WinServ #Azure #AzureArc #Cloud   Leave a comment

Azure Arc-enabled servers enables you to manage your Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group. Now you can benefit from standard Azure constructs, such as Azure Policy and applying tags.

When running Azure Arc for some time and suddenly the response stopped you need to dig a bit deeper into the how things are working instead of just kicking off an MSI and the issue is still not fixed.

This is all test So it may look different in your site.just to say so.

Here I have my two servers managed by Arc

Azure Arc-enabled server

As you can see “Something went wrong while getting your resources. Please try again later.”

Azure Arc-enabled server

yes let me get more info about this as currently I know nothing about the error.

image

Azure Arc-enabled server

So It is all OK according to the Azure troubleshooter and still it doesn’t work

Let me click around and see if there is and error ( I could see the local event log of the server but that’s no fun Who uses this ? post some comments in the blog post) Eventlogs are extremely helpful on finding issues or hidden issue’s Often people for get to look at his and see the problem right there. and yes it needs to be fixed also. 

image

Will that be the issue ?  checking already running the latest version, so what is this error or did it go wrong when updating the agent, well I did skip patching for some time on these servers and upgraded these to Windows server 2022

Let me check the agent version,  well the latest version for now..

image

How is this Azure arc be configured anyway, there is no console other than in azure and an MSI with an agent,

let me check the configuration of this and see if I can find something there.

C:\ProgramData\GuestConfig

imageimage

Perfect lots of log files and a config let me check this all

image

time="2021-09-01T16:32:17+02:00" level=error msg="Could not acquire token from cert: FromAssertion(): http call(https://login.windows.net/-d391a79950b1/oauth2/v2.0/token)(POST) error: reply status code was 401:\n{\"error\":\"invalid_client\",\"error_description\":\"AADSTS700027: Client assertion contains an invalid signature. [Reason – The key used is expired., Thumbprint of key used by client: ‘C2FA453DD43C16E584868C1C762DC91EBEC63232’, Found key ‘Start=11/12/2019 15:45:00, End=02/10/2020 15:45:00’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘a16df9d0-f012-45ae-8a92-1d0ad72e045e’. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/].\\r\\nTrace ID: 932-2ba8-4098-813e-05a2900\\r\\nCorrelation ID: 66a070fe-6ae4-4a25-ad3f-\\r\\nTimestamp: 2021-09-01 14:32:07Z\",\"error_codes\":[700027],\"timestamp\":\"2021-09-01 14:32:07Z\",\"trace_id\":\"932e7194-2ba8-4098-813e-343df05a2900\",\"correlation_id\":\"-4a25-ad3f-160f98c9fd9e\",\"error_uri\":\"https://login.windows.net/error?code=700027\"}"

Seeing the Config and also see the issue here — Client assertion contains an invalid signature. [Reason – The key used is expired–

As I did not update the agent the certificate got expired make sense.

But the device has already the new agent So reconnect ? but how ?

Looking at the Config I see all the details how the agent is been registered and the resource group etc

C:\ProgramData\AzureConnectedMachineAgent\Config

agentconfig.json

{"subscriptionId":"f34","resourceGroup":"AzureBackupRG_westeurope_1","resourceName":"Hyperv1201","tenantId":"0b1","location":"westus2","vmId":"9659193c-f4d8-4a77-b8f9baad507ce9a9","certificateThumbprint":"c2fa453dd43c16e584868c1c762dc91ebec63232","clientId":"0-f012-45ae-8a92-1045e"}

Let me open powershell and maybe I got more details. and reactivate the Agent

With the azcmagent command you can get more details.

image

let me get all the logs

azcmagent logs

image

now we have all the logs in a zip file this could be handy for a next time.

Azure Arc-enabled server

As I reconfigure the agent with the following command

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect –resource-group "AzureBackupRG_westeurope_1" –tenant-id "your tenant id" –location "westus2" –subscription-id "errryh934" –verbose

With the reconnect we need to log in again and all goes well

imageimage

But in the logging there is suddenly another error

image

When looking here I see there is an Azure Policy that demands a TAG and this is currently not available on the resource group So I Can’t onboard my Azure Arc server.

Thought this was about an Agent that has an expired Certificate.

Azure Arc-enabled server

Seems there is a Azure policy that is blocking as the hyperv1201 has no tags set the mvpdc02 has only a tag set.

image

image

image

After a quick change I rerun the command line and it worked perfectly and it showed up in the console again.

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect –resource-group "MVPRSG-Azure-Arc" –tenant-id "3078684f-d143-440a-ae40-d391a79950b1" –location "West US 2" –subscription-id "df1e2f32-7adf-48f6-b969-f02376152934" –verbose

image

Starting client connection on: \\\\.\\pipe\\himds"
time="2021-09-01T17:12:53+02:00" level=debug msg="Awaiting status message from agent…"
time="2021-09-01T17:12:53+02:00" level=debug msg="Status Message received"

image

As I have a second machine with the same issue I removed the machine directly in the arc portal and rerun the registration as the agent was also already installed. (this would be the quick fix for this)

Azure Arc-enabled server

Perfect reconnecting and waiting for the Agent.

Azure Arc-enabled server

Now I can look at the Azure Arc Insights again.

Flickr Tags: Windows Server 2022,CloudOS

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

 

Posted September 2, 2021 by Robert Smit [MVP] in Azure

Tagged with ,

First hands-on Upgrading to Windows Server 2022 Domain Controller #Windows2022 #Windows2016 #winserv #CloudOS #WIMVP   1 comment

Windows Server 2022 is built on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: security, Azure hybrid integration and management, and application platform. Also, Windows Server 2022 Datacenter: Azure Edition helps you use the benefits of cloud to keep your VMs up to date while minimizing downtime.

https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022?WT.mc_id=AZ-MVP-4025011

As some of my Domain controllers are running on Server 2016 this is a great moment to upgrade them,Upgrading a domain controller is always tricky when you loos you AD, well I got a copy in Azure Winking smile

How ever Windows Server 2016 is supporting Rolling Upgrades Upgrading to Windows Server 2022 but this is only for a Cluster.

For other Servers you can upgrade your server or better reinstall. Bet you all choose for the Clean install. Well For a domain controller, it’s a quick process to redeploy but often there is ton’s of software on the DC that should not be there and makes it hard to loos the DC right ?

So my DC server 2016

image

Finding the FSMO roles

netdom query fsmo

image

You can’t upgrade the server when there is a FSMO role running on the server. Tested this and if failed So move the FSMO roles from your DC.

Yes I hear you you have only one DC well create a virtual second one and move the fsmo roles to that server upgrade and move the roles back and demote the Extra DC and you are back to a single DC.

my other DC is mvpdc22

image

I move the roles to my second DC

image

Quick and Smooth migration

Move-ADDirectoryServerOperationMasterRole -Identity “Your-DC” -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

I mounted the ISO to the DC (virtual CD disk)

image

YEs I want to make the product better.

image

Use your Product key or if you are on hyber-v you can use the AVMA key https://docs.microsoft.com/en-us/windows-server/get-started-19/vm-activation-19?WT.mc_id=AZ-MVP-4025011

The following AVMA keys can be used for Windows Server 2022:

Datacenter
W3GNR-8DDXR-2TFRP-H8P33-DV9BG

Standard
YDFWN-MJ9JR-3DYRK-FXXRW-78VHK

image

I still love my gui So I install the desktop experience

image

Read the entire EULA and I agree.

image

My domain Controller desktop (remember this is my lab) Don’t use your DC for any other things than using it for a DC.

I want to keep My files

image

Yes Install

image

Let the Setup running

imageimage

So in just 20 min my DC was upgraded to 2022 lot’s of new stuff is there but that’s all for a next blog post. Hope it was usefull and remember make sure you have a backup things my fail in your environment

https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022?WT.mc_id=AZ-MVP-4025011

Flickr Tags: Windows Server 2016,CloudOS

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

 

Posted August 24, 2021 by Robert Smit [MVP] in Windows Server 2022

Tagged with ,

Azure Firewall and starting with Azure Firewall Manager step away from Classic #Azure #Firewall #classic #policy #security #AVD   Leave a comment

In Azure there are multiple options to add a Firewall to your Azure landing zone. But the standard Azure firewall comes with an option Classic or firewall policy, and there is a good change that you already have an Azure firewall classic then you can migrate to a premium SKU see the link to get the process  https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011

image

Azure Firewall pricing

https://azure.microsoft.com/en-us/pricing/details/azure-firewall?WT.mc_id=AZ-MVP-4025011

Azure Firewall Standard

  • Stateful firewall as a service
  • Built-in high availability with unrestricted cloud scalability
  • Centralized network and application level connectivity policy
  • Threat intelligence-based filtering
  • Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways

Azure Firewall Premium (Public Preview)

  • Built-in TLS Inspection for customer’s selected encrypted applications
  • Ability to detect and block malicious traffic through advanced IDPS engine
  • Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
  • Web Categories provide enhanced content filtering capabilities
  • IDPS signatures and Web categories are fully managed and constantly updated

Initial I setup a Azure Firewall premium

image

Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some down-time.

image

As you can see there is an option standard or premium and use the Firewall policy or the Classic.  In premium there is no classic any more the only option is firewall policy.

image

Choosing the Premium and the option firewall management is gray out.

image

As I already have some Firewall policy’s I can already attach these to my new firewall, this is one of the great options, In the firewall manager you can create Firewall policy’s with out having a azure firewall running, you can already prepare the landing zone with all kind of rules .

Keep in mind that the firewall must be in the same resource group as your vnet.

image

image

Setting up a Azure Firewall with PowerShell is easy but you need to have the resources already in place

# Create the firewall
$Azfw = New-AzFirewall `
    -Name $FirewallName `
    -ResourceGroupName $rgNamevnet `
    -Location $Location `
    -VirtualNetworkName $VnetName `
    -PublicIpName $pip01 `
    -SkuTier Premium

Now that The Firewall I created We can see the policy’s attached in the Firewall manager.

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Firewall Manager can provide security management for two network architecture types:

Secured virtual hub

An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

Hub virtual network

This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.

Azure Firewall Premium Preview in the Azure portal | Microsoft Docs

So now that the firewall is in place and we already had an policy attached but you can change that real quick.

Go to the Firewall blade and her you can see the policy and change it directly

image

Or if you go to the firewall manager and select the virtual networks you can see a good overview of where and what is attached to the vnet

image

Remember the firewall need to be in the same resource group as your network, and there come’s also the hard part if you want to switch policy’s

image

Looking at the firewall policys from here you can add them to a hub or a vnet

image 

here you see an overview of the firewall policy’s

image

When associate a policy to a vnet or multiple vnets we got a good overview on what is available and what not.

image

Adding the Policy to a network,

image

The firewall manager blade with all the rules and options

image

You can  add rule collection groups and rule collections, In a rule collection group can hold multiple rule collections, I would advise you to build these collections as it is real handy if you want to change later some item or you want to export a collection and import them in a different collection group

Also new is the application rules here you can set web category’s that are allowed or denied.

image

using the application rules with the internet categories is still in preview but is a great addition for Azure virtual desktop #AVD

image

Setting up the web categories is easy selectable in the destination type. and then select one or multiple.

imageimage

Remember the naming if you want to find this later in your rules, keep it clean and neat

image

Keep in mind that when you are selecting multiple categories the naming field is also corresponding to that 

Removing the Firewall does not mean that you will loose the policy’s  or removing the policy and loose the firewall unless…

image

Keep in mind when you remove a policy and you will set the little checkbox the firewall will be removed. If it is added to multiple vnets you may have a failure on the firewall deletion as there is still a policy attached

Overall the firewall manager is a great step to a modern security management in Azure, there a multiple items that I could wish for in the Firewall manager like management of all the NSG’s who nice would that be and traffic logging etc one thing is clear Azure is getting better and better and true the more options we get the more complex items we are building, and that’s fine keeps me off the streets and my work is never gets boring

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

 

Posted June 28, 2021 by Robert Smit [MVP] in Azure

Tagged with ,

Altaro Webinar – Your 5 Most Critical M365 Vulnerabilities Revealed and How to Fix Them #Altaro #M365 #Webinar #security   Leave a comment

Webinar – Your 5 Most Critical M365 Vulnerabilities Revealed and How to Fix Them

Microsoft 365 is an incredibly powerful software suite for businesses, but it is becoming increasingly targeted by people trying to steal your data. The good news is that there are plenty of ways admins can fight back and safeguard their Microsoft 365 infrastructure against attack.

https://www.altaro.com/webinars/m365-vulnerabilities.php?LP=smit-sc-Article-webinar-m365-vulnerabilities-EN&Cat=SC&ALP=webinar-webinar-m365-vulnerabilities-smit-sc-article&utm_source=smit&utm_medium=sc&utm_campaign=webinar-m365-vulnerabilities&utm_content=Article

This free upcoming webinar, on June 23 and produced by Hornetsecurity/Altaro, features two enterprise security experts from the leading security consultancy Treusec – Security Team Leader Fabio Viggiani and Principal Cyber Security Advisor Hasain Alshakarti. They will explain the 5 most critical vulnerabilities in your M365 environment and what you can do to mitigate the risks they pose. To help attendees fully understand the situation, a series of live demonstrations will be performed to reveal the threats and their solutions covering:

· O365 Credential Phishing

· Insufficient or Incorrectly Configured MFA Settings

· Malicious Application Registrations

· External Forwarding and Business Email Compromise Attacks

· Insecure AD Synchronization in Hybrid Environments

This is truly an unmissable event for all Microsoft 365 admins!

The webinar will be presented live twice on June 23 to enable as many people as possible to join the event live and ask questions directly to the expert panel of presenters. It will be presented at 2pm CEST/8am EDT/5am PDT and 7pm CEST/1pm EDT/10am PDT.

Don’t miss out – Save your seat now!

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted June 14, 2021 by Robert Smit [MVP] in Altaro

Tagged with , ,

Step by Step Create a User P2S VPN using Azure Secured Virtual Hub and Azure Active Directory #SDWAN #Azure #Secure   Leave a comment

There are multiple ways on how to use a VPN and how to connect and use this. In this blog I use an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager.

When connecting to your Virtual Hub over the IKEv2 protocol, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication.

I will use the open VPN with Azure Active Directory authentication. Remember this is only supported on Windows 10 as you will need the Azure VPN client from the microsoft store.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

For giving the vpn application the proper permissions, you need to register the application to your Azure AD first.

below is the default URL that can be used to trigger the registration, use the proper rights to create an enterprise App in you Azure AD

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Sign in with the proper credentials

image

Using the wrong account will end up in

AADSTS50020: User account  from identity provider ‘live.com’ does not exist in tenant ‘Microsoft’ and cannot access the application ‘4b4′(Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

When Accepted the you will be redirected to the Azure portal.

image

In the Azure portal you can go to the Azure active directory and

Enterprise applications | All applications  and search for Azure VPN

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Now that the basics are in place, we can configure our Site to Site VPN profile the following information is needed.

Go to your Virtual Wan and select the user VPN configuration

imageimagehttps://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Create User VPN ##### I noticed during the writing of this blog post the screens may differ as the portal changed the layout#######

  • Configuration name – Enter the name you want to call your User VPN Configuration.
  • Tunnel type – Select OpenVPN.
  • Authentication method – Select Azure Active Directory.
  • Audience – Type in the Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
  • Issuerhttps://sts.windows.net/tenantID/
  • AAD Tenanthttps://login.microsoftonline.com/TenantID

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Select open VPN

go to the Azure Active Directory <> properties and grab the Tenant ID

image

image

Set the switch to yes and new fields will open.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

 

#the number is your tenant ID

image

Now that the VPN user profile is created we can configure the HUB

image

Now that the user vpn profile is created we can create the P2S VPN.  Select your hub

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Select the user VPN point to site VPN  select create

image

Creating a VPN gateway you need to select the just created User profile.  

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Select a proper IP subnet and if needed a DNS server for the workload into that network

Updating a hub can take 30 minutes or more.

image

Download User VPN profile as we need this on the Windows 10 client later.

Use the VPN profile to configure your clients.

  1. On the page for your Virtual WAN, click User VPN configurations.
  2. At the top of the page, click Download user VPN config.
  3. Once the file has finished creating, you can click the link to download it.
  4. Use the profile file to configure the VPN clients.

imageimage

To download the Azure VPN client on your windows 10 test device.

Use this link to download the Azure VPN Client.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011image

Open the VPN Client you can add a new VPN or import a Connection

image https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

For Importing the Connection we need the just downloaded zip file and extract this in the AzureVPN folder there is a XML that holds the vpn configuration.

image

image https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

 

If any thing goes wron with the import it is 99% your pbk file,

 

image

go to the following folder and delete the files – this will probably also remove your other vpn connections it you had any.

%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

C:\Users\admin\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState

imageimage

Now that the Import worked and you are ready to connect to the VPN in Azure.

image

  Use your Azure AD credentials or your FIDO2 key

imageimage

 

image

  Now we are fully connected to the Secure Virtual WAN in Azure

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

It can take some time to see your connection in the portal

image

Showing the above it all is easy to setup this but I already see the questions yes but I need to do this on 5000 Windows 10 devices.  

Microsoft Endpoint Management is your best friend.

Deploy VPN with Microsoft Endpoint Management 

We create a Custom Template and do not select the VPN option as this is not for uploading the XML

image

image

In our Custom settings we add the Following settings

  • Name: Enter a name for the configuration.
  • Description: Optional description.
  • OMA-URI: ./User/Vendor/MSFT/VPNv2/demo01_hub-weu/azurevpnconfig.xml (this information can be found in the azurevpnconfig.xml file in the tag Name).
  • Data type: String (XML file).

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Now that this is done we can create some assign ments and test this on the pilot group

image

 

As you can see there are a few steps involved and are linked together

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

 

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted May 24, 2021 by Robert Smit [MVP] in Azure

Tagged with ,

  • Twitter

  • RSS Azure and Microsoft Windows Server Blog

  • %d bloggers like this: