Azure and Microsoft Windows Insider Server Cloud Blog
Author: Robert Smit [MVP]
Robert Smit is Senior Technical Evangelist and is a current Microsoft MVP in Clustering as of 2009.
Robert has over 20 years experience in IT with experience in the educational, health-care and finance industries.
Robert’s past IT experience in the trenches of IT gives him the knowledge and insight that allows him to communicate effectively with IT professionals
who are trying to address real concerns around business continuity, disaster recovery and regulatory compliance issues. Robert holds the following certifications:
MCT - Microsoft Certified Trainer, MCTS - Windows Server Virtualization, MCSE, MCSA and MCPS. He is an active participant in the Microsoft newsgroup community and is currently focused on Hyper-V, Failover Clustering, SQL Server, Azure and all things related to Cloud Computing and Infrastructure Optimalization.
Follow Robert on Twitter @ClusterMVP
Or follow his blog https://robertsmit.wordpress.com
Linkedin Profile Http://nl.linkedin.com/in/robertsmit
Robert is also capable of transferring his knowledge to others which is a rare feature in the field of IT. He makes a point of not only solving issues but also of giving on the job training of his colleagues.
A customer says " Robert has been a big influence on our technical staff and I have to come to know him as a brilliant specialist concerning Microsoft Products. He was Capable with his in-depth knowledge of Microsoft products to troubleshoot problems and develop our infrastructure to a higher level. I would certainly hire him again in the future. "
Details of the Recommendation: "I have been coordinating with Robert implementing a very complex system. Although he was primarily a Microsoft infrastructure specialist; he was able to understand and debug .Net based complext Windows applications and websites. His input to improve performance of applications proved very helpful for the success of our project
System Center – Virtual Machine Manager (VMM) Is there for a long time, many used this as the primary tool for managing the virtual and physical environment, but now days Cloud is playing more and more a big role in the infrastructure, Tools are also switching with Azure Arc or with Windows Admin center you have some powerfull tools that can mange the infrastructure.
Hybrid management with Azure
Efficiently managing IT resources that are sprawled across various locations without slowing down developer innovation is a key challenge that IT leaders face today. Azure Arc enables you to seamlessly govern, manage, and secure Windows and Linux servers, Kubernetes clusters, and applications across on-premises, multiple clouds, and the edge from a single control plane.
I must say I see less and less Vmware and VMM as I move them all to Azure. but in the meantime many of you will still using this so here is a little guide on how to upgrade from VMM 2019 to VMM 2022.
Make sure the following steps are taken, else you will see some errors, I tried to simulate that so that you can see the expected error message.
Complete any jobs that are currently running in VMM. note that the jobs history is deleted during the upgrade.
Close any connections to the VMM management server, including the VMM console and the VMM command shell.
Close any other programs that are running on the VMM management server.
Ensure that there are no pending restarts on VMM servers.
Perform a full backup of the VMM database.
If the current SQL Server database used Always On availability groups:
If the VMM database is included in the availability group, remove it in SQL Server Management Studio.
Initiate a failover to the computer that is running SQL Server, on which the VMM database is installed.
If you’re running Operations Manager with VMM, disconnect the connection between VMM and Operations Manager server.
Uninstall the System Center VMM
Go to Control Panel > Programs > Program and Features, select Virtual Machine Manager and click Uninstall.
On the Uninstall wizard, select Remove Features, select both VMM management Server and VMM Console under the features to remove.
On database options page, select Retain database.
Review the summary and click Uninstall.
Remember if you have multiple consoles you need to upgrade these also.
Now that VMM is uninstalled we can proceed. Make sure the check box is checked RETAIN Database
Now we can start the setup again.
We do a full install Console and Management server.
As my VMM server was based on windows server 2016 see the netbios name, I upgraded the server to Windows server 2022 and with the SQL server 2019.
When selecting the Database make sure you use the correct name, If you don’t know the name you can see the name in de SQL server, the wrong Database name gives you the above error.
With the correct Database name.
The next step is upgrade the Database and install VMM
make sure you use the same library name as before.
make sure you take the upgrade steps that are needed in the article when needed.
Now that the VMM server is up and running we can use VMM again and the Database and the configuration is as before.
Azure Backup can’t backup the Azure firewall directly additional steps need to be done before you can backup the Firewall rules. If you create all the rules with PowerShell or an ARM / bicep template then it is easy to add all the rules again, but often in time manual rules are changed or added. There for a good backup is needed of the rules to make sure the latest setup is been backuped.
Azure Firewall is a managed stateful network security service
Organizations can leverage Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.
A setup in my testlab with some rules and keep in mind the current runbook works only if the Firewall , policys, and the storage account is in the same resource group. In this blog post I may use different naming across the screenshots, it is the method that you need and the things that can go wrong.
Requirements
Automation account
Storage Account
Runbook
Overview of my demo lab empty shell with rules.
When you are in need to get quickly all the firewall rules and settings you can export the template in the policy manager. as below on my policy’s for the Azure Virtual Machines
Manual is the quick and easy when we want to do this automatically we need an automation account and some runbook that will create a full backup on a storage account, and the storage account can be backup-ed with Azure backup
First we need to setup an Automation Account
Now that the Automation Account is created we can configure it to our needs.
Go to the Automation account and in the Settings blade, under Account settings, create a “Run As” account. This provide the service principal access that will be used to auto-login.
adding the run-as account
This provide the service principal access that will be used to auto-login into the runbook.
The runbook is a PowerShell module and we need to confirm that we have access to network and resources modules. It is important to check if the AZ modules are there else the PowerShell script won’t run. But all you need is already available
The modules that we need are Az.Account, Az.Network, Az.Resources
As you can see all the Az modules are there with the +model from the menu you can add your own modules that you may need.
When running the PowerShell script it needs a storage location, A storage account will be used as storage, keep in mind that the storage account needs to be globally unique It can be also on a storage account that you already have for backup or management then that account can be used.
Create a blob storage account.
This can be done with PowerShell or manual
#Create new RG for the firewall backup
$location=”west europe”
$ResourceGroupName=”name”
#Create new RG for the firewall backup New-AzResourceGroup -Name $ResourceGroupName -Location $Location
#Create new Storage account for the firewall backup New-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $saname -Location $location -SkuName Standard_LRS -Kind BlobStorage
Now we save the account name and storagekey and we create a blobcontainer
Press on show keys to make the key visible
Now that the blob is created we create a folder in the blob, you can also do this in the runbook
Now that the Storage account is created we go back to our automation account created earlier and create a runbook, this runbook is used for backup all the firewall rules to the storage account.
create a runbook
just give it a name and choose powershell 5
We are using the Runbook that is on the github page
Here we use the created resource group and storage account that we have created for this. you can also make this fixed in the runbook but this is better and also very handy if you want to backup more firewall policy’s
In my case I played to much, if if the folder already exist you will see an error in the test. Also I like to show what kind of errors you could get.
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...
Container 'firewallbackup' already exists
Starting Azure Firewall current configuration export in json...
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup1' blob container space for storage...
CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess : Off
LastModified : 2/8/2022 11:33:12 AM +00:00
ContinuationToken :
Context : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name : firewallbackup1
Container 'firewallbackup1' created
Starting Azure Firewall current configuration export in json...
Second error that could be there
Failed The running command stopped because the preference variable “ErrorActionPreference” or common parameter is set to Stop: The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 – HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
you probably need to change the storage key that is used, or change the access to that storage account .
But when it all run’s
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...
CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess : Off
LastModified : 2/8/2022 1:05:04 PM +00:00
ContinuationToken :
Context : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name : firewallbackup
Container 'firewallbackup' created
Starting Azure Firewall current configuration export in json...
Path
----
C:\Users\Client\Temp\AzureFirewall_MVPCentral202202081305.json
Submitting request to dump Azure Firewall configuration
Removing backups older than '7' days from blob: 'firewallbackup'
Azure Firewall current configuration back up completed.
Now that the testing is complete and working we can publish the runbook
Remember if you don’t publish the runbook it won’t work.
As you run the test runbook it will keep asking would you like to save etc when you want to switch to the schedule blade. just say no save. Our final step is to schedule the backup of the firewall
Create the schedule and the retention time
We create a new schedule
Noe we need to fill in all the parameters just as in the test
ok
if you want to turn this off just click on the line on
Looking into the storage blob we see all the json files
With this json file you can redeploy the firewall rules or use it for a new deployment with a different name.
Building a test lab is always depending on the resource you have. Building a Lab in Azure is giving you unlimited resources and the method on building this on your own laptop. I will use the GUI as much as possible else with a powershell script there is no fun in writing the blog. I’ll use a Windows 11 OS for this blog.
For now this blog will demonstrate how to create a scale out fileserver on a windows server 2022 platform.
First we have two domain member servers ws2022 01 / 02 .
Installing the Cluster Roles on the server with powershell or the GUI
Remember installing the fileserver may take a reboot, you can also do this at a later stage to avoid the extra reboot.
Now that the cluster is created we configure the cluster, Quorum and add storage to the Cluster.
Here is the difference between the local setup and an Azure setup or running on windows 11. Personally I run Windows server as desktop.
Adding storage to the VM is done in the hyper-v manager. If you run Server! If you run Windows 10 or 11 you will face the issue explained below
Make sure you use scsi disk and shared disks else the disks are unusable for the SOFS file cluster. First option is create 3 shared disks
Make sure you using a shared location to store the vhd files.
When using Windows server you can bypass the share location by using a filterdriver fltMC.exe attach svhdxflt I:\ this is not working on windows 11 it is part of the Failover Clustering feature and will only work on Windows Server!
fltmc.exe attach svhdxflt C:\
Attach failed with error: 0x801f0013 The system could not find the filter specified.
To by pass this you can use ISCSI on the VM’s and this can also work perfectly on Azure. As it is a test lab the performance maybe a bit less of the iscsi connection, but works just as good.
So for the shared disk I create 3 iscsi targets each disk is mounted to both VM’s with the build in iscsi initiator. make sure the disks are not formatted and online.
Checking our just created Cluster on ws2022, and make sure it you work on node 1 all the resources are also available on node 1 , not that the disks are sitting on node 2. you could also pause node 2 that way you make sure there are no resources running on that node.
Add disk if you want a normal file server, but we are building a SOFS with CA storage, as I don’t want to wait if the disk is failing over. as a file server is way different that a SOFS!
In this case we want to build a scale out file server so we are not adding the disk here but we going create a disk pool.
A new pool is created , next step is a virtual disk and a volume
When there are no disk available the cluster is not visible here.
a minimum of 3 disks are needed, and in you test lab it can be any size but bigger that 16Gb
creating the pool,
now that the pool is created, we create the disk
The new disk is created in the next step new virtual disk
as we only have 3 disks and two nodes we have limited of configuration options.
I go for a Mirror as this will max my performance, the more disk you have the more performance you will get and different type of disk can also give caching if needed, with modern hardware Gb/s speed is easy done.
I choose here 50Gb but it all depends on the need and disk size you have. I have 1,49TB but i want to create more disk later so i need some space. and I have zero workload here.
When completed we have a virtual disk and just need to create a volume. I did uncheck the box as adding the volume on a different method, same result but just showing you that the cluster is interacting with the file server components.
When created there is a checkbox checked for the blog I unchecked this. Now I have created a Pool With a disk and our last step is creating a volume on that vdisk.
Now that the pool,disk,volume is created we can create the SOFS, must say the SOFS can be created first and add the disk later. but I like to do this this way.
Create the Scale out file server
Make sure you choose Scale out file server, the default is file server.
This will also be your netbios name. Can be changed but better use the correct name. It will be a Distributed network name.
As our final step we add the file share and this share is on top of our CSV volume that we created on the disk pool.
Add a fileshare
Just pick quick
Make sure the disk is also on your connected node, if not then you will not see the cluster storage
Create a share name.
Make sure the checkbox is set on Continuous Availability
Make sure you set the access rights conform your needs.
Make sure you set the permissions right on the file share. and grant the cluster node access to the share.
Then there comes the fun part testing performance
As you can see there is a nice performance on my test lab machine on a 1 core VM.
See good perfromance on just to see how things are working or giving a good demo
Free eBook – A SysAdmin’s Guide to Azure IaaS – Second Edition.
With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do
With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do you make the leap while maintaining security, manageability, and cost-control?
Whether you’re making new VMs directly in the cloud, have VMs in your own datacenter and are looking to migrate to Azure, or you’re looking to manage VMs with cloud-based tools regardless of where they live, The SysAdmin Guide to Azure Infrastructure as a Service (Iaas) will teach you to set up and maintain a high-performing Azure IaaS environment.
Written by veteran IT consultant and trainer Paul Schnackenburg, Altaro’s free 100+ page second edition eBook covers how to create VMs, size them correctly, and manage storage, networking, and security, along with backup. You’ll also learn how to operate groups of VMs, deploy resources based on templates, manage security, and automate your infrastructure. There are also two new chapters on Automanage and Azure Arc to help you bring a lot of automation to IaaS, all lessening the burden on your time.
One thing that has changed significantly over the past couple of years is the shift towards making IaaS VMs more like PaaS services. VMs are great but they require a lot of maintenance and care, whereas all the business is really interested in are the applications and data that run inside of them. This explains the popularity of PaaS services such as managed Kubernetes (AKS) and Azure Functions (serverless).
If you’re new to the cloud (or have experience with Amazon Web Services and/or Google Cloud Platform but not Azure) this eBook will cover the basics as well as advanced skills. And given how fast things change in the cloud, it covers the why (as well as the how) so that as features and interfaces are updated, you’ll know how to proceed.
When moving to Azure or building new infrastructure workloads latency is important and where do I find the numbers of how do I configure it for the best and what is the difference between Azure Availability groups or Azure Availability zones or do I need Azure Site Recovery. Well as a Consultant IT depends.
Availability Sets
Availability Sets takes the virtual machine and configures multiple copies of it. Each copy is isolated within a separate physical server, compute rack, storage units and network switches within a single datacentre within an Azure Region.
When you create your virtual machine you can specify the Availability Set, you can’t change it or move it in or out of an Availability Set after creation. If you wanted to make changes you would need to start again and recreate the virtual machine. Availability Sets only apply to virtual machines, they can’t be used for any other type of resource within Azure. So Local Datacenter redundancy.
Availability Zone
The next level of availability for your virtual machines within Azure is Availability Zones. With Availability Zones utilized your acceptable downtime a month moves to less than 5 minutes as you’ve got a 99.99% SLA.With Availability Zones you are starting to use zone aware services. Your workload will be spread out across the different zones that make up an Azure region. An Azure region is made up of multiple datacenters and each zone is made up of one or more datacenters. Each datacenter is equipped with independent power, cooling and networking.
You Can imaging when using this there could be some extra latency between the VM’s it all depends on the zone where you are deploying this but that can be tested .
In the next setup I use a Azure VM both in west europe and we test the latency in the same region between vm’s. The tool I use is Latte
On the Server sender we placed the remote receiver IP
Here on the receiver we use the local vm IP and after the test the latency is shown. this is a common setup. If we want to improve this or to make sure that these numbers are not getting worse we need to change the setup.
516 Latency(usec)
When running SAP latency is important, Azure has an option that is called Proximity placement groups. An Azure proximity placement group is a logical construct. When a proximity placement group is defined, it’s bound to an Azure region and an Azure resource group.
A single Azure resource group can have multiple proximity placement groups assigned to it. But a proximity placement group can be assigned to only one Azure resource group.
Proximity placement groups offer co-location in the same data center. However, because proximity placement groups represent an additional deployment constraint, allocation failures can occur (for example, you may not be able to place your Azure Virtual Machines in the same proximity placement group.)
When you ask for the first virtual machine in the proximity placement group, the data center is automatically selected. In some cases, a second request for a different virtual machine SKU may fail since it does not exist in the data center already selected. In this case, an OverconstrainedAllocationRequest error will be returned. To troubleshoot, please check to see which virtual machines are available in the chosen region or zone using the Azure portal or APIs. If all of the desired SKUs are available, try changing the order in which you deploy them.
In the case of elastic deployments, which scale out, having a proximity placement group constraint on your deployment may result in a failure to satisfy the request.
If you want to use availability zones together with placement groups, you need to make sure that the VMs in the placement group are also all in the same availability zone.
In this sample we gona make an Azure proximity placement group and place Two VM’s in it As an sample I also use a Azure Virtual desktop machine
How to create an Azure proximity placement group, In the azure portal type proxi and the Azure proximity placement group are there.
Select Create , add resource group and pick a name that fits your name convention
Add some tags and that is all or do this in powershell
Adding a VM to the new created Azure proximity placement group is selecting the configuration of the VM and add it to the VM. In my case I have an availability set added to my VM. So I must upgrade the entire Availability set to add the Azure proximity placement group
Now that we added the Azure proximity placement group to the VM we need to run the same test again.
Both machines are already in the same availability set that is now added with the Azure proximity placement group
testing from outside the avail from a B2 vm to a D2v3 sku
running this on a d4ds_4 as this is in the av set I need to choose what is in the limit of this set so bound to the VM sku
as you can see it really depends vm sku type what kind of latency you will get but basically it is lower when you are using Azure proximity placement groups
Interesting to see in the PowerShell commands from the Azure proximity placement groups there is also an ultra section, this is currently in preview but can give you even better results but keep in mind you can’t fix it with just one setting check your chain and fix that instead of fixing just one link.
-ProximityPlacementGroupType
Specifies the type of the proximity placement group. Possible values are: Standard or Ultra
Free eBook – How to Get the Most Out of Windows Admin Center – Second Edition.
If you have experience with the Windows Admin Center, you might already have deduced it is a powerhouse of functionality making light of important server management tasks. If you’re just adding it to your system administrator toolbox, welcome to the wonder of Windows Admin Center!
With so much functionality, figuring out where to focus is key. Whether you’re just setting out with Windows Admin Center or wanting to realize its full potential, start with Altaro’s free 160+ page second edition eBook, How To Get The Most Of The Windows Admin Center.
Written by Microsoft Cloud & Datacenter Management MVP Eric Siron, it covers the latest developments like the Control Azure Stack HCI, use of WinRM over HTTPs and integration with Azure Monitor, amongst others. It’s a comprehensive guide on everything from installation methods and security considerations to integrating Windows Admin Center into an existing environment. There is even a brief history lesson along with a comparison to alternatives so you should get a solid overview of Windows Admin Center, why chose it and how to work with it.
An all-new server management experience when it was introduced, Windows Admin Center modernized administrative activities with a centralized HTML 5 web application. Just add servers, clusters, desktops, and Azure virtual machines into a personalized, persistent interface, and manage their roles, features, software, registry, PKI certificates, and more. And with Microsoft’s latest investment into the Windows Admin Center and new functionality, there is now even more server management power to work with.
This is the first post in the new layout, personally I think I will change it again as the text frame is to small, but let me know your thoughts
When migration machines to Azure or to a different OS You will often face all kinds of errors and issues. that you think why and that is an old message and didn’t I do this already. Well In the AD there is also dfsrmig.exe yes the DFS migration tool in the old days you had only FRS for the sysvol folder replication. But If you have still a FRS than you can’t join a Windows server 2022 domain controller. In the following steps I’ll show you how to do this. I had to build a server 2003 domain again(painfull)
Joining a Windows server domain controller to a old 2000 domain it will fail.
Windows functional level and domain level are on windows 2000. We need to raise the DFL and the FFL .
Going to the new ADPrep and it fill be fixed, as I had a greenfield AD site some items maybe different in the production site.
Now that the DFL is 2008 we can go the the next phase.
Windows Server 2003 and 2003 R2 uses File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers. But Windows server 2008 and later are using Distributed File System (DFS) for the replication. DFS is better than FRS.
The dfsrmig.exe tool is supported only on domain controllers which are running in the Windows Server 2008 domain functional level DFL. This is because SYSVOL migration from FRS replication to the DFS Replication service is possible only on domain controllers running in the Windows Server 2008 domain functional level.
In the overview you can see all the options that can be used in the dfsrmig tool.
dfsrmig.exe /GetGlobalState
Now we can see the levels of the domain, and we raise the level , keep in mind a reboot is needed it is not mentioned but you need a reboot of the domain controllers.
Running the tool will give you the required information
The current domain functional level is not at least Windows Server 2008.
DFSRMig is only supported on at least Windows Server 2008 level domains.
PS C:\Users\Administrator> dfsrmig.exe /GetGlobalState
DFSR migration has not yet initialized. To start migration please
set global state to desired value.PS C:\Users\Administrator>
Global Migration States
0
‘START’ state
1
‘PREPARED’ state
2
‘REDIRECTED’ state
3
‘ELIMINATED’ state
In the 4 steps we gona transfer the FRS in DFS
dfsrmig.exe /setGlobalState 1
dfsrmig /getmigrationstate
When it is ready, we can check and go to the next step.
dfsrmig /setglobalstate 2
Type dfsrmig /getmigrationstate to confirm all domain controllers have reached redirected state. every step can be checked with the /getmigration state.
We can set the next step 3 dfsrmig /setglobalstate 3
After these steps we can check if all domain controllers are changed, remember this can take some time when you have multiple domain controllers and long replication schedules.
Checking the migration state is the best way to see if it has finished. dfsrmig /getmigrationstate to confirm all domain controllers have reached eliminated state
Checking the proper state can be done with the sysvol share. This completes the migration.
Here are the before and after status.
Also make sure in each domain controller FRS service is stopped and disabled.
Now it should all be good
Now the domain join should work.
Got another error warning.
Verification of replica failed. The forest functional level is not supported
Let me get the Ad info get-adforest
As you can see the forest mode is still windows2000forest so we need to raise this. In domain and trust we can set this.
Now that everything is fixed we can add a new Windows server 2022 domain controller to the existing domain.
During some events on the blog I need to redo some work. in the next x time this will be fixed.
Little update here, seems my WordPress theme was no longer supported, good time to start with a fresh setup. Still struggling on what to place or not.
let me know if you have suggestions if you find links that are not working place it in the comment and I will try to fix them as quick as I can.
During the website work I’ll point you out to my sponsors check out the products from Altato and
This SysAdmin Day, WIN with Hornet security
For SysAdmin Day we launched an interesting contest that might interest your audience.
To participate one must sign up for a 30-day free sign up for free to 365 Threat Monitor and set up an account!
What they can win?
Receive a guaranteed €20 Amazon voucher when they sign.
Get a chance to WIN one of our Grand Prizes.
If you are seeking a monitoring solution take a look at NiCE
Complex Environments Made Transparent
Intelligent monitoring, data correlation and visualization help you understand the status of any given system at any given point in time.
NiCE Monitoring Solutions enable pinpoint availability, performance and User Experience optimization for better business outcomes. They integrate into Micro Focus OBM, Microsoft SCOM and Microsoft Azure.
Vaak krijg je wel eens de vraag wat doe jij van werk, Oh IT… dus iets met computers eh.. ja maar IT is meer dan capslock uit zetten zo dat jou password weer werkt. Er is een groep die een kei is in het opsporen en misbruiken van de kleine dingetjes die oh ja doe ik morgen wel en worden de volgende dag vergeten, en 4 jaar later druk er iemand op de knop, en de telefoon gaat je kan niet meer aan melden ? hoe zo weer je password vergeten. pfff capslock ?
Mmm ik ook niet reboot dan maar, niks, password reset, niks ondertussen zie je wel dat het data verkeer de afgelopen 5 dagen enorm is toegenomen, zie ook meldingen van c2wasb4m.dll , service accounts die gebruikt worden als login, kortom de omgeving wordt voor jou gepatched en geupdate met de laatste technologie, gelukkig heb je alle picobello in orde en is er niks aan de hand toch, eh virus scanner, updates,os versie, security, domain admin als service account, hardening van servers die direct aan het internet hangen, RDP poort gesloten etc. Er zijn van die dagen dan stap je weer in zo’n museum en het voelt als of je in ene aflevering zit van de gevaarlijkste wegen van de wereld. Er komt maar 1 ding in mij op Hoe dan ?
We gaan de noodrem gebruiken en gaan hunten, wat natuurlijk super cool is om te kijken hoe het zo mis is gegaan dat niks meer werkt. De een zijn D. de ander zijn brood zeg ik maar.En ja IT kost bakken met geld en waar 10 ITers zijn, zijn 11 oplossingen, Waarom is de email spam nog nooit gestopt ? , Oldtimers zijn mooi echter die moet je alleen op zondag gebruiken en niet meer dagelijks in de productie, dat is vragen om problemen, ja is snap dat piet al met pensioen is en zijn access app zo mooi werkt en allemaal ingewikkelde dingen doet waar niemand meer iets van af weet. Wat kost het als het hele bedrijf plat ligt door deze app ? wat kost een nieuwe app ? Denk niet dat je met een nieuwe app failliet gaat..lig je 2 weken stil als bedrijf wat zijn dan de kosten ?
Kijk een goed naar je omgeving en ontdek de weakspots en los het op, gebruik MFA/Fido2, gebruik een supported OS en zorg er voor dat je in control bent en nee de Cloud is niet gevaarlijk maar is wel toegankelijk voor iedereen net als jou eigen datacenter als de deur openstaat. De cloud is een bak met oneindig veel resources en je kan er super snel zaken mee testen en laten zien dat jou concept werkt en kosten kan besparen -pay per use- maar een 15 jaar oude app beschikbaar stellen aan de hele wereld is geen goed idee immers niet iedereen houdt van oldtimers, er zijn ook mensen die van schroot houden.
IT is zo veel meer dan "iets in computers" het is een super gevaarlijke baan, en het klagen en trage systemen nee het is echt geen pretje echt afzien als je "iets in computers" doet.
Het is toch super gaaf als je dagelijks met de nieuwste technologie kan werken en kan laten zien dat het ook anders kan, anderen kan helpen waar het totaal is mis gegaan of gewoon iemand uit de Community helpen met zijn vraagstuk #TrotsopIT zelfs in de cloud wordt de dag niet langer en dat is wel jammer.
Zorg er wel voor dat alles goed op slot zit en dat je niet in een museum zit, tenzij het een showcase is.
Every three years Windows unveils a new version of its massively widespread OS, Windows Server. But this time it feels different.
The rollout of Windows Server 2022 has felt strangely subdued compared to past iterations and it seems that this is part of Microsoft’s larger strategy to push admins towards a more cloud-hosted future. So, what does this mean for the future of system admins? How will your daily operations change because of this strategy shift?
Get the full lowdown on Windows Server 2022 and its implications for IT admins from expert Microsoft MVPs Andy Syrewicze and Paul Schnackenburg in this unmissable upcoming webinar from Altaro/Hornetsecurity on 13 October.
They will explain the full new feature set, security enhancements, editions and license comparisons, where Hyper-V Server has gone, where Azure Stack HCI fits into this discussion, and more!
The presenters will also be answering all your burning Windows Server 2022 questions so come prepared and make the most out of this event to prepare your organization for the next generation of IT workloads!
‘Tis the season to be caring – for your loved ones, for each other, and yes, even for your data and mailboxes. If you’re a Microsoft 365 administrator, celebrate with us. All you have to do is sign up for free to 365 Threat Monitor and set up your account!
How does it work?
Sign up to 365 Threat Monitor
Receive a guaranteed $10 Amazon voucher and a chance to win one of the Grand Prizes!
Azure Arc-enabled servers enables you to manage your Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group. Now you can benefit from standard Azure constructs, such as Azure Policy and applying tags.
When running Azure Arc for some time and suddenly the response stopped you need to dig a bit deeper into the how things are working instead of just kicking off an MSI and the issue is still not fixed.
This is all test So it may look different in your site.just to say so.
Here I have my two servers managed by Arc
As you can see “Something went wrong while getting your resources. Please try again later.”
yes let me get more info about this as currently I know nothing about the error.
So It is all OK according to the Azure troubleshooter and still it doesn’t work
Let me click around and see if there is and error ( I could see the local event log of the server but that’s no fun Who uses this ? post some comments in the blog post) Eventlogs are extremely helpful on finding issues or hidden issue’s Often people for get to look at his and see the problem right there. and yes it needs to be fixed also.
Will that be the issue ? checking already running the latest version, so what is this error or did it go wrong when updating the agent, well I did skip patching for some time on these servers and upgraded these to Windows server 2022
Let me check the agent version, well the latest version for now..
How is this Azure arc be configured anyway, there is no console other than in azure and an MSI with an agent,
let me check the configuration of this and see if I can find something there.
C:\ProgramData\GuestConfig
Perfect lots of log files and a config let me check this all
time="2021-09-01T16:32:17+02:00" level=error msg="Could not acquire token from cert: FromAssertion(): http call(https://login.windows.net/-d391a79950b1/oauth2/v2.0/token)(POST) error: reply status code was 401:\n{\"error\":\"invalid_client\",\"error_description\":\"AADSTS700027: Client assertion contains an invalid signature. [Reason – The key used is expired., Thumbprint of key used by client: ‘C2FA453DD43C16E584868C1C762DC91EBEC63232’, Found key ‘Start=11/12/2019 15:45:00, End=02/10/2020 15:45:00’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘a16df9d0-f012-45ae-8a92-1d0ad72e045e’. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/].\\r\\nTrace ID: 932-2ba8-4098-813e-05a2900\\r\\nCorrelation ID: 66a070fe-6ae4-4a25-ad3f-\\r\\nTimestamp: 2021-09-01 14:32:07Z\",\"error_codes\":[700027],\"timestamp\":\"2021-09-01 14:32:07Z\",\"trace_id\":\"932e7194-2ba8-4098-813e-343df05a2900\",\"correlation_id\":\"-4a25-ad3f-160f98c9fd9e\",\"error_uri\":\"https://login.windows.net/error?code=700027\"}"
Seeing the Config and also see the issue here — Client assertion contains an invalid signature. [Reason – The key used is expired–
As I did not update the agent the certificate got expired make sense.
But the device has already the new agent So reconnect ? but how ?
Looking at the Config I see all the details how the agent is been registered and the resource group etc
With the reconnect we need to log in again and all goes well
But in the logging there is suddenly another error
When looking here I see there is an Azure Policy that demands a TAG and this is currently not available on the resource group So I Can’t onboard my Azure Arc server.
Thought this was about an Agent that has an expired Certificate.
Seems there is a Azure policy that is blocking as the hyperv1201 has no tags set the mvpdc02 has only a tag set.
After a quick change I rerun the command line and it worked perfectly and it showed up in the console again.
Starting client connection on: \\\\.\\pipe\\himds" time="2021-09-01T17:12:53+02:00" level=debug msg="Awaiting status message from agent…" time="2021-09-01T17:12:53+02:00" level=debug msg="Status Message received"
As I have a second machine with the same issue I removed the machine directly in the arc portal and rerun the registration as the agent was also already installed. (this would be the quick fix for this)
Windows Server 2022 is built on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: security, Azure hybrid integration and management, and application platform. Also, Windows Server 2022 Datacenter: Azure Edition helps you use the benefits of cloud to keep your VMs up to date while minimizing downtime.
As some of my Domain controllers are running on Server 2016 this is a great moment to upgrade them,Upgrading a domain controller is always tricky when you loos you AD, well I got a copy in Azure
How ever Windows Server 2016 is supporting Rolling Upgrades Upgrading to Windows Server 2022 but this is only for a Cluster.
For other Servers you can upgrade your server or better reinstall. Bet you all choose for the Clean install. Well For a domain controller, it’s a quick process to redeploy but often there is ton’s of software on the DC that should not be there and makes it hard to loos the DC right ?
So my DC server 2016
Finding the FSMO roles
netdom query fsmo
You can’t upgrade the server when there is a FSMO role running on the server. Tested this and if failed So move the FSMO roles from your DC.
Yes I hear you you have only one DC well create a virtual second one and move the fsmo roles to that server upgrade and move the roles back and demote the Extra DC and you are back to a single DC.
The following AVMA keys can be used for Windows Server 2022:
Datacenter W3GNR-8DDXR-2TFRP-H8P33-DV9BG
Standard YDFWN-MJ9JR-3DYRK-FXXRW-78VHK
I still love my gui So I install the desktop experience
Read the entire EULA and I agree.
My domain Controller desktop (remember this is my lab) Don’t use your DC for any other things than using it for a DC.
I want to keep My files
Yes Install
Let the Setup running
So in just 20 min my DC was upgraded to 2022 lot’s of new stuff is there but that’s all for a next blog post. Hope it was usefull and remember make sure you have a backup things my fail in your environment
In Azure there are multiple options to add a Firewall to your Azure landing zone. But the standard Azure firewall comes with an option Classic or firewall policy, and there is a good change that you already have an Azure firewall classic then you can migrate to a premium SKU see the link to get the process https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011
Built-in high availability with unrestricted cloud scalability
Centralized network and application level connectivity policy
Threat intelligence-based filtering
Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways
Azure Firewall Premium (Public Preview)
Built-in TLS Inspection for customer’s selected encrypted applications
Ability to detect and block malicious traffic through advanced IDPS engine
Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
Web Categories provide enhanced content filtering capabilities
IDPS signatures and Web categories are fully managed and constantly updated
Initial I setup a Azure Firewall premium
Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some down-time.
As you can see there is an option standard or premium and use the Firewall policy or the Classic. In premium there is no classic any more the only option is firewall policy.
Choosing the Premium and the option firewall management is gray out.
As I already have some Firewall policy’s I can already attach these to my new firewall, this is one of the great options, In the firewall manager you can create Firewall policy’s with out having a azure firewall running, you can already prepare the landing zone with all kind of rules .
Keep in mind that the firewall must be in the same resource group as your vnet.
Setting up a Azure Firewall with PowerShell is easy but you need to have the resources already in place
Now that The Firewall I created We can see the policy’s attached in the Firewall manager.
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
Firewall Manager can provide security management for two network architecture types:
Secured virtual hub
An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.
Hub virtual network
This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.
So now that the firewall is in place and we already had an policy attached but you can change that real quick.
Go to the Firewall blade and her you can see the policy and change it directly
Or if you go to the firewall manager and select the virtual networks you can see a good overview of where and what is attached to the vnet
Remember the firewall need to be in the same resource group as your network, and there come’s also the hard part if you want to switch policy’s
Looking at the firewall policys from here you can add them to a hub or a vnet
here you see an overview of the firewall policy’s
When associate a policy to a vnet or multiple vnets we got a good overview on what is available and what not.
Adding the Policy to a network,
The firewall manager blade with all the rules and options
You can add rule collection groups and rule collections, In a rule collection group can hold multiple rule collections, I would advise you to build these collections as it is real handy if you want to change later some item or you want to export a collection and import them in a different collection group
Also new is the application rules here you can set web category’s that are allowed or denied.
using the application rules with the internet categories is still in preview but is a great addition for Azure virtual desktop #AVD
Setting up the web categories is easy selectable in the destination type. and then select one or multiple.
Remember the naming if you want to find this later in your rules, keep it clean and neat
Keep in mind that when you are selecting multiple categories the naming field is also corresponding to that
Removing the Firewall does not mean that you will loose the policy’s or removing the policy and loose the firewall unless…
Keep in mind when you remove a policy and you will set the little checkbox the firewall will be removed. If it is added to multiple vnets you may have a failure on the firewall deletion as there is still a policy attached
Overall the firewall manager is a great step to a modern security management in Azure, there a multiple items that I could wish for in the Firewall manager like management of all the NSG’s who nice would that be and traffic logging etc one thing is clear Azure is getting better and better and true the more options we get the more complex items we are building, and that’s fine keeps me off the streets and my work is never gets boring
Webinar – Your 5 Most Critical M365 Vulnerabilities Revealed and How to Fix Them
Microsoft 365 is an incredibly powerful software suite for businesses, but it is becoming increasingly targeted by people trying to steal your data. The good news is that there are plenty of ways admins can fight back and safeguard their Microsoft 365 infrastructure against attack.
This free upcoming webinar, on June 23 and produced by Hornetsecurity/Altaro, features two enterprise security experts from the leading security consultancy Treusec – Security Team Leader Fabio Viggiani and Principal Cyber Security Advisor Hasain Alshakarti. They will explain the 5 most critical vulnerabilities in your M365 environment and what you can do to mitigate the risks they pose. To help attendees fully understand the situation, a series of live demonstrations will be performed to reveal the threats and their solutions covering:
· O365 Credential Phishing
· Insufficient or Incorrectly Configured MFA Settings
· Malicious Application Registrations
· External Forwarding and Business Email Compromise Attacks
· Insecure AD Synchronization in Hybrid Environments
This is truly an unmissable event for all Microsoft 365 admins!
The webinar will be presented live twice on June 23 to enable as many people as possible to join the event live and ask questions directly to the expert panel of presenters. It will be presented at 2pm CEST/8am EDT/5am PDT and 7pm CEST/1pm EDT/10am PDT.
Robert Smit MVP Blog 