Azure and Microsoft Windows Insider Server Cloud Blog
Author: Robert Smit [MVP]
Robert Smit is Senior Technical Evangelist and is a current Microsoft MVP in Clustering as of 2009.
Robert has over 20 years experience in IT with experience in the educational, health-care and finance industries.
Robert’s past IT experience in the trenches of IT gives him the knowledge and insight that allows him to communicate effectively with IT professionals
who are trying to address real concerns around business continuity, disaster recovery and regulatory compliance issues. Robert holds the following certifications:
MCT - Microsoft Certified Trainer, MCTS - Windows Server Virtualization, MCSE, MCSA and MCPS. He is an active participant in the Microsoft newsgroup community and is currently focused on Hyper-V, Failover Clustering, SQL Server, Azure and all things related to Cloud Computing and Infrastructure Optimalization.
Follow Robert on Twitter @ClusterMVP
Or follow his blog https://robertsmit.wordpress.com
Linkedin Profile Http://nl.linkedin.com/in/robertsmit
Robert is also capable of transferring his knowledge to others which is a rare feature in the field of IT. He makes a point of not only solving issues but also of giving on the job training of his colleagues.
A customer says " Robert has been a big influence on our technical staff and I have to come to know him as a brilliant specialist concerning Microsoft Products. He was Capable with his in-depth knowledge of Microsoft products to troubleshoot problems and develop our infrastructure to a higher level. I would certainly hire him again in the future. "
Details of the Recommendation: "I have been coordinating with Robert implementing a very complex system. Although he was primarily a Microsoft infrastructure specialist; he was able to understand and debug .Net based complext Windows applications and websites. His input to improve performance of applications proved very helpful for the success of our project
Some database workloads like SQL Server require high memory, storage, and I/O bandwidth, but not a high number of cores. Many database workloads are not CPU-intensive. Azure offers pre-defined VM sizes with lower vCPU count which can help to reduce the cost of software licensing, while maintaining the same memory, storage, and I/O bandwidth.
The available vCPU count can be reduced to one half or one quarter of the original VM specification. These new VM sizes have a suffix that specifies the number of available vCPUs to make them easier for you to identify. There are no additional cores available that can be used by the VM.
For example, the Standard_E32s_v5 VM size comes with 32 vCPUs, 256 GiB RAM, 32 disks, and 80,000 IOPs or 2 GB/s of I/O bandwidth. The pre-defined Standard_E32-16s_v5 and Standard_E32-8s_v5 VM sizes comes with 16 and 8 active vCPUs respectively, while maintaining the memory, storage, and I/O bandwidth specifications of the Standard_E32s_v5.
The licensing fees charged for SQL Server are based on the avaialble vCPU count. Third party products should count the available vCPU which represents the max to be used and licensed. This results in a 50% to 75% increase in the ratio of the VM specs to available (billable) vCPUs. At this time, the VM pricing, which includes OS licensing, remains the same as the original size.
Configure a custom number of vCPUs to reduce the number of vCPUs that are available to the virtual machine. This can help you save on vCPU software-based licensing costs. This may have performance and cost implications.
Try the Virtual machine selector to get the right Virtual machine. there are many option to pick the right VM size, at the end the main thing is you application needs to run optimal, and yes the finance department want to have minimal costs. finding the sweet spot is not always easy, do not start with a B type SKU as these are limited in CPU this is perfect if you already know it doesn’t need 90% CPU all the time.
There are many Azure sku types and all based on ACU keep a close look on ACU and cost vs performance, lower vm cost does not mean lower operation costs. try to install a large package on a B SKU and on a Standard_E2bds_v5 and size back if you can. Learn more about how Azure compute units (ACU) can help you compare compute performance across Azure SKUs.
As always you are waiting for some good events and #MSIgnite is a great event, this year 2022 is was hybrid, for me to limited to join in person, but as always great content is announced.
Special this year was I joined the Learn Live and I did a Session with Tomasso Groenendijk follow him on Twitter @tlagroenendijk
The session was about Design Azure Site Recovery, basic this is just the learn module from the microsoft learn But we made it a bit more interactive and added some real live experience in it. A big thanks To the Viewers as it was late and not a real topic that has many interests. So thanks and thanks for the rating and comments.
There is an on-demand option so you can watch it again or just leave me a note on twitter / linkedin or blog if you have a question.
The Cloud Adoption Framework for Azure enterprise-scale landing zone architecture varies between customers. So there is no one size fits all but there is a lot in common that can be reused next time.
Often I hear Azure Enterprise-scale is not for me it is enterprise. Wrong anyone can use the CAF and Azure Enterprise-scale. as it is modular by design. But if you have just 1 VM there is still some usage that you could use say the management groups or monitoring ,RBAC.
The enterprise-scale approach to construct landing zones includes three sets of assets to support cloud teams:
Design guidelines: Guide to the critical decisions that drive the design of the Cloud Adoption Framework for Azure enterprise-scale landing zone.
Architecture: Conceptual reference architecture that demonstrates design areas and best practices.
Implementations: Azure Resource Manager template of the architecture to accelerate adoption.
But how do we start with this what to build Well Microsoft made this easy there is a accelerator that I will explain below.
With this solution accelerator you can setup the foundation in one process.
Often there is this error showing even if you are an Azure subscription owner
You don’t have authorization to perform action ‘Microsoft.Resources/deployments/validate/action’.
This can be fixed by adding the user account to the Owner role at Tenant root scope. This can only be done with powershell assign Owner role at Tenant root scope (“/”) as a User Access Administrator to current user New-AzRoleAssignment -Scope ‘/’ -RoleDefinitionName ‘Owner’ -ObjectId “user objectID”
go to the user and grab the object ID
Now that everything is ready we can start.
Choose where the instance needs to land, pick the proper region for your azure resources. If your default is west europe then choose west europe here
As I did not want to deploy it in a dedicated subscription, I’ll pick my own. the prefix for the management groups is based on the text that is visible later.
The management groups holds the subscriptions and policys can be placed on the management groups.
Here are the options for the log analytics and the policys. to keep a good governance you need logging and policy’s in the Azure Microsoft defender for cloud you can see later the policys and the secure score.
At this time I don’t want to use the devops pipeline. but it is a great add on and you can start from there with the pipeline deployment
Now you need to choose the deployment go for a hub spoke or Azure virtual wan. Depending on your needs, personally I’m a big fan of Azure virtual wan so I’ll choose this. As optional resources can be added as:
DDoS Protection Standard
Azure Private DNS Zones for Azure PaaS services
VPN and ExpressRoute Gateways
Azure Firewall
With these options you may need to choose the right sku and a proper subnet and or zone redundancy.
I choose the standard sku, this is without the IDS and TLS inspection, best option is choose premium.
Always use a NSG on your network, never never never add a vm direct to the web.
Now that the deployment is ready we can view de Azure virtual wan with the firewall.
The deployment of the resources are easy to find as the prefix is used on all the resources
Looking at the log analytics and de policys, always check this. maybe you need to adjust the workload and or add extra settings on the workload the make things compliant.
Overall the template is a great starter, and yes you need to configure a lot more than just the foundation, but this gives you a good understanding on what is needed and what to connect and play with the resources.
System Center – Virtual Machine Manager (VMM) Is there for a long time, many used this as the primary tool for managing the virtual and physical environment, but now days Cloud is playing more and more a big role in the infrastructure, Tools are also switching with Azure Arc or with Windows Admin center you have some powerfull tools that can mange the infrastructure.
Hybrid management with Azure
Efficiently managing IT resources that are sprawled across various locations without slowing down developer innovation is a key challenge that IT leaders face today. Azure Arc enables you to seamlessly govern, manage, and secure Windows and Linux servers, Kubernetes clusters, and applications across on-premises, multiple clouds, and the edge from a single control plane.
I must say I see less and less Vmware and VMM as I move them all to Azure. but in the meantime many of you will still using this so here is a little guide on how to upgrade from VMM 2019 to VMM 2022.
Make sure the following steps are taken, else you will see some errors, I tried to simulate that so that you can see the expected error message.
Complete any jobs that are currently running in VMM. note that the jobs history is deleted during the upgrade.
Close any connections to the VMM management server, including the VMM console and the VMM command shell.
Close any other programs that are running on the VMM management server.
Ensure that there are no pending restarts on VMM servers.
Perform a full backup of the VMM database.
If the current SQL Server database used Always On availability groups:
If the VMM database is included in the availability group, remove it in SQL Server Management Studio.
Initiate a failover to the computer that is running SQL Server, on which the VMM database is installed.
If you’re running Operations Manager with VMM, disconnect the connection between VMM and Operations Manager server.
Uninstall the System Center VMM
Go to Control Panel > Programs > Program and Features, select Virtual Machine Manager and click Uninstall.
On the Uninstall wizard, select Remove Features, select both VMM management Server and VMM Console under the features to remove.
On database options page, select Retain database.
Review the summary and click Uninstall.
Remember if you have multiple consoles you need to upgrade these also.
Now that VMM is uninstalled we can proceed. Make sure the check box is checked RETAIN Database
Now we can start the setup again.
We do a full install Console and Management server.
As my VMM server was based on windows server 2016 see the netbios name, I upgraded the server to Windows server 2022 and with the SQL server 2019.
When selecting the Database make sure you use the correct name, If you don’t know the name you can see the name in de SQL server, the wrong Database name gives you the above error.
With the correct Database name.
The next step is upgrade the Database and install VMM
make sure you use the same library name as before.
make sure you take the upgrade steps that are needed in the article when needed.
Now that the VMM server is up and running we can use VMM again and the Database and the configuration is as before.
Azure Backup can’t backup the Azure firewall directly additional steps need to be done before you can backup the Firewall rules. If you create all the rules with PowerShell or an ARM / bicep template then it is easy to add all the rules again, but often in time manual rules are changed or added. There for a good backup is needed of the rules to make sure the latest setup is been backuped.
Azure Firewall is a managed stateful network security service
Organizations can leverage Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.
A setup in my testlab with some rules and keep in mind the current runbook works only if the Firewall , policys, and the storage account is in the same resource group. In this blog post I may use different naming across the screenshots, it is the method that you need and the things that can go wrong.
Requirements
Automation account
Storage Account
Runbook
Overview of my demo lab empty shell with rules.
When you are in need to get quickly all the firewall rules and settings you can export the template in the policy manager. as below on my policy’s for the Azure Virtual Machines
Manual is the quick and easy when we want to do this automatically we need an automation account and some runbook that will create a full backup on a storage account, and the storage account can be backup-ed with Azure backup
First we need to setup an Automation Account
Now that the Automation Account is created we can configure it to our needs.
Go to the Automation account and in the Settings blade, under Account settings, create a “Run As” account. This provide the service principal access that will be used to auto-login.
adding the run-as account
This provide the service principal access that will be used to auto-login into the runbook.
The runbook is a PowerShell module and we need to confirm that we have access to network and resources modules. It is important to check if the AZ modules are there else the PowerShell script won’t run. But all you need is already available
The modules that we need are Az.Account, Az.Network, Az.Resources
As you can see all the Az modules are there with the +model from the menu you can add your own modules that you may need.
When running the PowerShell script it needs a storage location, A storage account will be used as storage, keep in mind that the storage account needs to be globally unique It can be also on a storage account that you already have for backup or management then that account can be used.
Create a blob storage account.
This can be done with PowerShell or manual
#Create new RG for the firewall backup
$location=”west europe”
$ResourceGroupName=”name”
#Create new RG for the firewall backup New-AzResourceGroup -Name $ResourceGroupName -Location $Location
#Create new Storage account for the firewall backup New-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $saname -Location $location -SkuName Standard_LRS -Kind BlobStorage
Now we save the account name and storagekey and we create a blobcontainer
Press on show keys to make the key visible
Now that the blob is created we create a folder in the blob, you can also do this in the runbook
Now that the Storage account is created we go back to our automation account created earlier and create a runbook, this runbook is used for backup all the firewall rules to the storage account.
create a runbook
just give it a name and choose powershell 5
We are using the Runbook that is on the github page
Here we use the created resource group and storage account that we have created for this. you can also make this fixed in the runbook but this is better and also very handy if you want to backup more firewall policy’s
In my case I played to much, if if the folder already exist you will see an error in the test. Also I like to show what kind of errors you could get.
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...
Container 'firewallbackup' already exists
Starting Azure Firewall current configuration export in json...
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup1' blob container space for storage...
CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess : Off
LastModified : 2/8/2022 11:33:12 AM +00:00
ContinuationToken :
Context : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name : firewallbackup1
Container 'firewallbackup1' created
Starting Azure Firewall current configuration export in json...
Second error that could be there
Failed The running command stopped because the preference variable “ErrorActionPreference” or common parameter is set to Stop: The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 – HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
you probably need to change the storage key that is used, or change the access to that storage account .
But when it all run’s
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...
CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess : Off
LastModified : 2/8/2022 1:05:04 PM +00:00
ContinuationToken :
Context : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name : firewallbackup
Container 'firewallbackup' created
Starting Azure Firewall current configuration export in json...
Path
----
C:\Users\Client\Temp\AzureFirewall_MVPCentral202202081305.json
Submitting request to dump Azure Firewall configuration
Removing backups older than '7' days from blob: 'firewallbackup'
Azure Firewall current configuration back up completed.
Now that the testing is complete and working we can publish the runbook
Remember if you don’t publish the runbook it won’t work.
As you run the test runbook it will keep asking would you like to save etc when you want to switch to the schedule blade. just say no save. Our final step is to schedule the backup of the firewall
Create the schedule and the retention time
We create a new schedule
Noe we need to fill in all the parameters just as in the test
ok
if you want to turn this off just click on the line on
Looking into the storage blob we see all the json files
With this json file you can redeploy the firewall rules or use it for a new deployment with a different name.
Building a test lab is always depending on the resource you have. Building a Lab in Azure is giving you unlimited resources and the method on building this on your own laptop. I will use the GUI as much as possible else with a powershell script there is no fun in writing the blog. I’ll use a Windows 11 OS for this blog.
For now this blog will demonstrate how to create a scale out fileserver on a windows server 2022 platform.
First we have two domain member servers ws2022 01 / 02 .
Installing the Cluster Roles on the server with powershell or the GUI
Remember installing the fileserver may take a reboot, you can also do this at a later stage to avoid the extra reboot.
Now that the cluster is created we configure the cluster, Quorum and add storage to the Cluster.
Here is the difference between the local setup and an Azure setup or running on windows 11. Personally I run Windows server as desktop.
Adding storage to the VM is done in the hyper-v manager. If you run Server! If you run Windows 10 or 11 you will face the issue explained below
Make sure you use scsi disk and shared disks else the disks are unusable for the SOFS file cluster. First option is create 3 shared disks
Make sure you using a shared location to store the vhd files.
When using Windows server you can bypass the share location by using a filterdriver fltMC.exe attach svhdxflt I:\ this is not working on windows 11 it is part of the Failover Clustering feature and will only work on Windows Server!
fltmc.exe attach svhdxflt C:\
Attach failed with error: 0x801f0013 The system could not find the filter specified.
To by pass this you can use ISCSI on the VM’s and this can also work perfectly on Azure. As it is a test lab the performance maybe a bit less of the iscsi connection, but works just as good.
So for the shared disk I create 3 iscsi targets each disk is mounted to both VM’s with the build in iscsi initiator. make sure the disks are not formatted and online.
Checking our just created Cluster on ws2022, and make sure it you work on node 1 all the resources are also available on node 1 , not that the disks are sitting on node 2. you could also pause node 2 that way you make sure there are no resources running on that node.
Add disk if you want a normal file server, but we are building a SOFS with CA storage, as I don’t want to wait if the disk is failing over. as a file server is way different that a SOFS!
In this case we want to build a scale out file server so we are not adding the disk here but we going create a disk pool.
A new pool is created , next step is a virtual disk and a volume
When there are no disk available the cluster is not visible here.
a minimum of 3 disks are needed, and in you test lab it can be any size but bigger that 16Gb
creating the pool,
now that the pool is created, we create the disk
The new disk is created in the next step new virtual disk
as we only have 3 disks and two nodes we have limited of configuration options.
I go for a Mirror as this will max my performance, the more disk you have the more performance you will get and different type of disk can also give caching if needed, with modern hardware Gb/s speed is easy done.
I choose here 50Gb but it all depends on the need and disk size you have. I have 1,49TB but i want to create more disk later so i need some space. and I have zero workload here.
When completed we have a virtual disk and just need to create a volume. I did uncheck the box as adding the volume on a different method, same result but just showing you that the cluster is interacting with the file server components.
When created there is a checkbox checked for the blog I unchecked this. Now I have created a Pool With a disk and our last step is creating a volume on that vdisk.
Now that the pool,disk,volume is created we can create the SOFS, must say the SOFS can be created first and add the disk later. but I like to do this this way.
Create the Scale out file server
Make sure you choose Scale out file server, the default is file server.
This will also be your netbios name. Can be changed but better use the correct name. It will be a Distributed network name.
As our final step we add the file share and this share is on top of our CSV volume that we created on the disk pool.
Add a fileshare
Just pick quick
Make sure the disk is also on your connected node, if not then you will not see the cluster storage
Create a share name.
Make sure the checkbox is set on Continuous Availability
Make sure you set the access rights conform your needs.
Make sure you set the permissions right on the file share. and grant the cluster node access to the share.
Then there comes the fun part testing performance
As you can see there is a nice performance on my test lab machine on a 1 core VM.
See good perfromance on just to see how things are working or giving a good demo
Free eBook – A SysAdmin’s Guide to Azure IaaS – Second Edition.
With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do
With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do you make the leap while maintaining security, manageability, and cost-control?
Whether you’re making new VMs directly in the cloud, have VMs in your own datacenter and are looking to migrate to Azure, or you’re looking to manage VMs with cloud-based tools regardless of where they live, The SysAdmin Guide to Azure Infrastructure as a Service (Iaas) will teach you to set up and maintain a high-performing Azure IaaS environment.
Written by veteran IT consultant and trainer Paul Schnackenburg, Altaro’s free 100+ page second edition eBook covers how to create VMs, size them correctly, and manage storage, networking, and security, along with backup. You’ll also learn how to operate groups of VMs, deploy resources based on templates, manage security, and automate your infrastructure. There are also two new chapters on Automanage and Azure Arc to help you bring a lot of automation to IaaS, all lessening the burden on your time.
One thing that has changed significantly over the past couple of years is the shift towards making IaaS VMs more like PaaS services. VMs are great but they require a lot of maintenance and care, whereas all the business is really interested in are the applications and data that run inside of them. This explains the popularity of PaaS services such as managed Kubernetes (AKS) and Azure Functions (serverless).
If you’re new to the cloud (or have experience with Amazon Web Services and/or Google Cloud Platform but not Azure) this eBook will cover the basics as well as advanced skills. And given how fast things change in the cloud, it covers the why (as well as the how) so that as features and interfaces are updated, you’ll know how to proceed.
When moving to Azure or building new infrastructure workloads latency is important and where do I find the numbers of how do I configure it for the best and what is the difference between Azure Availability groups or Azure Availability zones or do I need Azure Site Recovery. Well as a Consultant IT depends.
Availability Sets
Availability Sets takes the virtual machine and configures multiple copies of it. Each copy is isolated within a separate physical server, compute rack, storage units and network switches within a single datacentre within an Azure Region.
When you create your virtual machine you can specify the Availability Set, you can’t change it or move it in or out of an Availability Set after creation. If you wanted to make changes you would need to start again and recreate the virtual machine. Availability Sets only apply to virtual machines, they can’t be used for any other type of resource within Azure. So Local Datacenter redundancy.
Availability Zone
The next level of availability for your virtual machines within Azure is Availability Zones. With Availability Zones utilized your acceptable downtime a month moves to less than 5 minutes as you’ve got a 99.99% SLA.With Availability Zones you are starting to use zone aware services. Your workload will be spread out across the different zones that make up an Azure region. An Azure region is made up of multiple datacenters and each zone is made up of one or more datacenters. Each datacenter is equipped with independent power, cooling and networking.
You Can imaging when using this there could be some extra latency between the VM’s it all depends on the zone where you are deploying this but that can be tested .
In the next setup I use a Azure VM both in west europe and we test the latency in the same region between vm’s. The tool I use is Latte
On the Server sender we placed the remote receiver IP
Here on the receiver we use the local vm IP and after the test the latency is shown. this is a common setup. If we want to improve this or to make sure that these numbers are not getting worse we need to change the setup.
516 Latency(usec)
When running SAP latency is important, Azure has an option that is called Proximity placement groups. An Azure proximity placement group is a logical construct. When a proximity placement group is defined, it’s bound to an Azure region and an Azure resource group.
A single Azure resource group can have multiple proximity placement groups assigned to it. But a proximity placement group can be assigned to only one Azure resource group.
Proximity placement groups offer co-location in the same data center. However, because proximity placement groups represent an additional deployment constraint, allocation failures can occur (for example, you may not be able to place your Azure Virtual Machines in the same proximity placement group.)
When you ask for the first virtual machine in the proximity placement group, the data center is automatically selected. In some cases, a second request for a different virtual machine SKU may fail since it does not exist in the data center already selected. In this case, an OverconstrainedAllocationRequest error will be returned. To troubleshoot, please check to see which virtual machines are available in the chosen region or zone using the Azure portal or APIs. If all of the desired SKUs are available, try changing the order in which you deploy them.
In the case of elastic deployments, which scale out, having a proximity placement group constraint on your deployment may result in a failure to satisfy the request.
If you want to use availability zones together with placement groups, you need to make sure that the VMs in the placement group are also all in the same availability zone.
In this sample we gona make an Azure proximity placement group and place Two VM’s in it As an sample I also use a Azure Virtual desktop machine
How to create an Azure proximity placement group, In the azure portal type proxi and the Azure proximity placement group are there.
Select Create , add resource group and pick a name that fits your name convention
Add some tags and that is all or do this in powershell
Adding a VM to the new created Azure proximity placement group is selecting the configuration of the VM and add it to the VM. In my case I have an availability set added to my VM. So I must upgrade the entire Availability set to add the Azure proximity placement group
Now that we added the Azure proximity placement group to the VM we need to run the same test again.
Both machines are already in the same availability set that is now added with the Azure proximity placement group
testing from outside the avail from a B2 vm to a D2v3 sku
running this on a d4ds_4 as this is in the av set I need to choose what is in the limit of this set so bound to the VM sku
as you can see it really depends vm sku type what kind of latency you will get but basically it is lower when you are using Azure proximity placement groups
Interesting to see in the PowerShell commands from the Azure proximity placement groups there is also an ultra section, this is currently in preview but can give you even better results but keep in mind you can’t fix it with just one setting check your chain and fix that instead of fixing just one link.
-ProximityPlacementGroupType
Specifies the type of the proximity placement group. Possible values are: Standard or Ultra
Free eBook – How to Get the Most Out of Windows Admin Center – Second Edition.
If you have experience with the Windows Admin Center, you might already have deduced it is a powerhouse of functionality making light of important server management tasks. If you’re just adding it to your system administrator toolbox, welcome to the wonder of Windows Admin Center!
With so much functionality, figuring out where to focus is key. Whether you’re just setting out with Windows Admin Center or wanting to realize its full potential, start with Altaro’s free 160+ page second edition eBook, How To Get The Most Of The Windows Admin Center.
Written by Microsoft Cloud & Datacenter Management MVP Eric Siron, it covers the latest developments like the Control Azure Stack HCI, use of WinRM over HTTPs and integration with Azure Monitor, amongst others. It’s a comprehensive guide on everything from installation methods and security considerations to integrating Windows Admin Center into an existing environment. There is even a brief history lesson along with a comparison to alternatives so you should get a solid overview of Windows Admin Center, why chose it and how to work with it.
An all-new server management experience when it was introduced, Windows Admin Center modernized administrative activities with a centralized HTML 5 web application. Just add servers, clusters, desktops, and Azure virtual machines into a personalized, persistent interface, and manage their roles, features, software, registry, PKI certificates, and more. And with Microsoft’s latest investment into the Windows Admin Center and new functionality, there is now even more server management power to work with.
This is the first post in the new layout, personally I think I will change it again as the text frame is to small, but let me know your thoughts
When migration machines to Azure or to a different OS You will often face all kinds of errors and issues. that you think why and that is an old message and didn’t I do this already. Well In the AD there is also dfsrmig.exe yes the DFS migration tool in the old days you had only FRS for the sysvol folder replication. But If you have still a FRS than you can’t join a Windows server 2022 domain controller. In the following steps I’ll show you how to do this. I had to build a server 2003 domain again(painfull)
Joining a Windows server domain controller to a old 2000 domain it will fail.
Windows functional level and domain level are on windows 2000. We need to raise the DFL and the FFL .
Going to the new ADPrep and it fill be fixed, as I had a greenfield AD site some items maybe different in the production site.
Now that the DFL is 2008 we can go the the next phase.
Windows Server 2003 and 2003 R2 uses File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers. But Windows server 2008 and later are using Distributed File System (DFS) for the replication. DFS is better than FRS.
The dfsrmig.exe tool is supported only on domain controllers which are running in the Windows Server 2008 domain functional level DFL. This is because SYSVOL migration from FRS replication to the DFS Replication service is possible only on domain controllers running in the Windows Server 2008 domain functional level.
In the overview you can see all the options that can be used in the dfsrmig tool.
dfsrmig.exe /GetGlobalState
Now we can see the levels of the domain, and we raise the level , keep in mind a reboot is needed it is not mentioned but you need a reboot of the domain controllers.
Running the tool will give you the required information
The current domain functional level is not at least Windows Server 2008.
DFSRMig is only supported on at least Windows Server 2008 level domains.
PS C:\Users\Administrator> dfsrmig.exe /GetGlobalState
DFSR migration has not yet initialized. To start migration please
set global state to desired value.PS C:\Users\Administrator>
Global Migration States
0
‘START’ state
1
‘PREPARED’ state
2
‘REDIRECTED’ state
3
‘ELIMINATED’ state
In the 4 steps we gona transfer the FRS in DFS
dfsrmig.exe /setGlobalState 1
dfsrmig /getmigrationstate
When it is ready, we can check and go to the next step.
dfsrmig /setglobalstate 2
Type dfsrmig /getmigrationstate to confirm all domain controllers have reached redirected state. every step can be checked with the /getmigration state.
We can set the next step 3 dfsrmig /setglobalstate 3
After these steps we can check if all domain controllers are changed, remember this can take some time when you have multiple domain controllers and long replication schedules.
Checking the migration state is the best way to see if it has finished. dfsrmig /getmigrationstate to confirm all domain controllers have reached eliminated state
Checking the proper state can be done with the sysvol share. This completes the migration.
Here are the before and after status.
Also make sure in each domain controller FRS service is stopped and disabled.
Now it should all be good
Now the domain join should work.
Got another error warning.
Verification of replica failed. The forest functional level is not supported
Let me get the Ad info get-adforest
As you can see the forest mode is still windows2000forest so we need to raise this. In domain and trust we can set this.
Now that everything is fixed we can add a new Windows server 2022 domain controller to the existing domain.
During some events on the blog I need to redo some work. in the next x time this will be fixed.
Little update here, seems my WordPress theme was no longer supported, good time to start with a fresh setup. Still struggling on what to place or not.
let me know if you have suggestions if you find links that are not working place it in the comment and I will try to fix them as quick as I can.
During the website work I’ll point you out to my sponsors check out the products from Altato and
This SysAdmin Day, WIN with Hornet security
For SysAdmin Day we launched an interesting contest that might interest your audience.
To participate one must sign up for a 30-day free sign up for free to 365 Threat Monitor and set up an account!
What they can win?
Receive a guaranteed €20 Amazon voucher when they sign.
Get a chance to WIN one of our Grand Prizes.
If you are seeking a monitoring solution take a look at NiCE
Complex Environments Made Transparent
Intelligent monitoring, data correlation and visualization help you understand the status of any given system at any given point in time.
NiCE Monitoring Solutions enable pinpoint availability, performance and User Experience optimization for better business outcomes. They integrate into Micro Focus OBM, Microsoft SCOM and Microsoft Azure.
Vaak krijg je wel eens de vraag wat doe jij van werk, Oh IT… dus iets met computers eh.. ja maar IT is meer dan capslock uit zetten zo dat jou password weer werkt. Er is een groep die een kei is in het opsporen en misbruiken van de kleine dingetjes die oh ja doe ik morgen wel en worden de volgende dag vergeten, en 4 jaar later druk er iemand op de knop, en de telefoon gaat je kan niet meer aan melden ? hoe zo weer je password vergeten. pfff capslock ?
Mmm ik ook niet reboot dan maar, niks, password reset, niks ondertussen zie je wel dat het data verkeer de afgelopen 5 dagen enorm is toegenomen, zie ook meldingen van c2wasb4m.dll , service accounts die gebruikt worden als login, kortom de omgeving wordt voor jou gepatched en geupdate met de laatste technologie, gelukkig heb je alle picobello in orde en is er niks aan de hand toch, eh virus scanner, updates,os versie, security, domain admin als service account, hardening van servers die direct aan het internet hangen, RDP poort gesloten etc. Er zijn van die dagen dan stap je weer in zo’n museum en het voelt als of je in ene aflevering zit van de gevaarlijkste wegen van de wereld. Er komt maar 1 ding in mij op Hoe dan ?
We gaan de noodrem gebruiken en gaan hunten, wat natuurlijk super cool is om te kijken hoe het zo mis is gegaan dat niks meer werkt. De een zijn D. de ander zijn brood zeg ik maar.En ja IT kost bakken met geld en waar 10 ITers zijn, zijn 11 oplossingen, Waarom is de email spam nog nooit gestopt ? , Oldtimers zijn mooi echter die moet je alleen op zondag gebruiken en niet meer dagelijks in de productie, dat is vragen om problemen, ja is snap dat piet al met pensioen is en zijn access app zo mooi werkt en allemaal ingewikkelde dingen doet waar niemand meer iets van af weet. Wat kost het als het hele bedrijf plat ligt door deze app ? wat kost een nieuwe app ? Denk niet dat je met een nieuwe app failliet gaat..lig je 2 weken stil als bedrijf wat zijn dan de kosten ?
Kijk een goed naar je omgeving en ontdek de weakspots en los het op, gebruik MFA/Fido2, gebruik een supported OS en zorg er voor dat je in control bent en nee de Cloud is niet gevaarlijk maar is wel toegankelijk voor iedereen net als jou eigen datacenter als de deur openstaat. De cloud is een bak met oneindig veel resources en je kan er super snel zaken mee testen en laten zien dat jou concept werkt en kosten kan besparen -pay per use- maar een 15 jaar oude app beschikbaar stellen aan de hele wereld is geen goed idee immers niet iedereen houdt van oldtimers, er zijn ook mensen die van schroot houden.
IT is zo veel meer dan "iets in computers" het is een super gevaarlijke baan, en het klagen en trage systemen nee het is echt geen pretje echt afzien als je "iets in computers" doet.
Het is toch super gaaf als je dagelijks met de nieuwste technologie kan werken en kan laten zien dat het ook anders kan, anderen kan helpen waar het totaal is mis gegaan of gewoon iemand uit de Community helpen met zijn vraagstuk #TrotsopIT zelfs in de cloud wordt de dag niet langer en dat is wel jammer.
Zorg er wel voor dat alles goed op slot zit en dat je niet in een museum zit, tenzij het een showcase is.
Every three years Windows unveils a new version of its massively widespread OS, Windows Server. But this time it feels different.
The rollout of Windows Server 2022 has felt strangely subdued compared to past iterations and it seems that this is part of Microsoft’s larger strategy to push admins towards a more cloud-hosted future. So, what does this mean for the future of system admins? How will your daily operations change because of this strategy shift?
Get the full lowdown on Windows Server 2022 and its implications for IT admins from expert Microsoft MVPs Andy Syrewicze and Paul Schnackenburg in this unmissable upcoming webinar from Altaro/Hornetsecurity on 13 October.
They will explain the full new feature set, security enhancements, editions and license comparisons, where Hyper-V Server has gone, where Azure Stack HCI fits into this discussion, and more!
The presenters will also be answering all your burning Windows Server 2022 questions so come prepared and make the most out of this event to prepare your organization for the next generation of IT workloads!
‘Tis the season to be caring – for your loved ones, for each other, and yes, even for your data and mailboxes. If you’re a Microsoft 365 administrator, celebrate with us. All you have to do is sign up for free to 365 Threat Monitor and set up your account!
How does it work?
Sign up to 365 Threat Monitor
Receive a guaranteed $10 Amazon voucher and a chance to win one of the Grand Prizes!
Azure Arc-enabled servers enables you to manage your Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group. Now you can benefit from standard Azure constructs, such as Azure Policy and applying tags.
When running Azure Arc for some time and suddenly the response stopped you need to dig a bit deeper into the how things are working instead of just kicking off an MSI and the issue is still not fixed.
This is all test So it may look different in your site.just to say so.
Here I have my two servers managed by Arc
As you can see “Something went wrong while getting your resources. Please try again later.”
yes let me get more info about this as currently I know nothing about the error.
So It is all OK according to the Azure troubleshooter and still it doesn’t work
Let me click around and see if there is and error ( I could see the local event log of the server but that’s no fun Who uses this ? post some comments in the blog post) Eventlogs are extremely helpful on finding issues or hidden issue’s Often people for get to look at his and see the problem right there. and yes it needs to be fixed also.
Will that be the issue ? checking already running the latest version, so what is this error or did it go wrong when updating the agent, well I did skip patching for some time on these servers and upgraded these to Windows server 2022
Let me check the agent version, well the latest version for now..
How is this Azure arc be configured anyway, there is no console other than in azure and an MSI with an agent,
let me check the configuration of this and see if I can find something there.
C:\ProgramData\GuestConfig
Perfect lots of log files and a config let me check this all
time="2021-09-01T16:32:17+02:00" level=error msg="Could not acquire token from cert: FromAssertion(): http call(https://login.windows.net/-d391a79950b1/oauth2/v2.0/token)(POST) error: reply status code was 401:\n{\"error\":\"invalid_client\",\"error_description\":\"AADSTS700027: Client assertion contains an invalid signature. [Reason – The key used is expired., Thumbprint of key used by client: ‘C2FA453DD43C16E584868C1C762DC91EBEC63232’, Found key ‘Start=11/12/2019 15:45:00, End=02/10/2020 15:45:00’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘a16df9d0-f012-45ae-8a92-1d0ad72e045e’. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/].\\r\\nTrace ID: 932-2ba8-4098-813e-05a2900\\r\\nCorrelation ID: 66a070fe-6ae4-4a25-ad3f-\\r\\nTimestamp: 2021-09-01 14:32:07Z\",\"error_codes\":[700027],\"timestamp\":\"2021-09-01 14:32:07Z\",\"trace_id\":\"932e7194-2ba8-4098-813e-343df05a2900\",\"correlation_id\":\"-4a25-ad3f-160f98c9fd9e\",\"error_uri\":\"https://login.windows.net/error?code=700027\"}"
Seeing the Config and also see the issue here — Client assertion contains an invalid signature. [Reason – The key used is expired–
As I did not update the agent the certificate got expired make sense.
But the device has already the new agent So reconnect ? but how ?
Looking at the Config I see all the details how the agent is been registered and the resource group etc
With the reconnect we need to log in again and all goes well
But in the logging there is suddenly another error
When looking here I see there is an Azure Policy that demands a TAG and this is currently not available on the resource group So I Can’t onboard my Azure Arc server.
Thought this was about an Agent that has an expired Certificate.
Seems there is a Azure policy that is blocking as the hyperv1201 has no tags set the mvpdc02 has only a tag set.
After a quick change I rerun the command line and it worked perfectly and it showed up in the console again.
Starting client connection on: \\\\.\\pipe\\himds" time="2021-09-01T17:12:53+02:00" level=debug msg="Awaiting status message from agent…" time="2021-09-01T17:12:53+02:00" level=debug msg="Status Message received"
As I have a second machine with the same issue I removed the machine directly in the arc portal and rerun the registration as the agent was also already installed. (this would be the quick fix for this)
Robert Smit MVP Blog 