Start with Cloud Adoption Framework enterprise-scale landing zones #CAF #Azure #Cloud #MVPBuzz

The Cloud Adoption Framework for Azure enterprise-scale landing zone architecture varies between customers. So there is no one size fits all, but there is a lot in common that can be reused next time.

Often I hear: "Azure enterprise-scale is not for me, it is for enterprises." Wrong: anyone can use the CAF and Azure enterprise-scale, as it is modular by design. Even if you have just 1 VM, there are still parts you could use, say the management groups, monitoring or RBAC.

The enterprise-scale approach to construct landing zones includes three sets of assets to support cloud teams:

  • Design guidelines: Guide to the critical decisions that drive the design of the Cloud Adoption Framework for Azure enterprise-scale landing zone.
  • Architecture: Conceptual reference architecture that demonstrates design areas and best practices.
  • Implementations: Azure Resource Manager template of the architecture to accelerate adoption.

But how do we start with this, and what do we build? Microsoft made this easy: there is an accelerator, which I will explain below.

With this solution accelerator you can setup the foundation in one process.

Often this error is shown, even if you are an Azure subscription owner:

You don’t have authorization to perform action ‘Microsoft.Resources/deployments/validate/action’.

This can be fixed by adding the user account to the Owner role at tenant root scope. This can only be done with PowerShell: as a User Access Administrator, assign the Owner role at tenant root scope ("/") to the current user.

New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId "user objectID"

Go to the user and grab the object ID.
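
The same assignment as a time-boxed grant, as an added example that is not part of the original post: Owner at tenant root scope applies to every management group and subscription below it, so this sketch assigns it, lists who holds root-scope rights, and removes it again after the accelerator has run. It assumes a signed-in Az session held by a User Access Administrator at root scope and an Az.Resources version that supports `Get-AzADUser -SignedIn`.

```powershell
# Added example: time-boxed Owner at tenant root scope for the accelerator deployment.
# Assumes Connect-AzAccount has been run by an account that holds
# User Access Administrator at the root scope ("/").

$me = Get-AzADUser -SignedIn          # the signed-in user; $me.Id is the object ID

# 1. Grant Owner at "/" only if the assignment does not exist yet.
$atRoot = Get-AzRoleAssignment -Scope '/' -ObjectId $me.Id -RoleDefinitionName 'Owner' |
    Where-Object { $_.Scope -eq '/' }
if (-not $atRoot) {
    New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $me.Id | Out-Null
}

# 2. Run the enterprise-scale accelerator deployment from the portal now.
Read-Host 'Press Enter when the accelerator deployment has finished'

# 3. Review every principal holding Owner or User Access Administrator at "/".
Get-AzRoleAssignment -Scope '/' |
    Where-Object { $_.Scope -eq '/' -and
                   $_.RoleDefinitionName -in 'Owner', 'User Access Administrator' } |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName |
    Format-Table -AutoSize

# 4. Remove the root-scope Owner assignment once it is no longer needed.
Remove-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $me.Id
```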

Now that everything is ready we can start.

Choose where the instance needs to land and pick the proper region for your Azure resources. If your default is West Europe, then choose West Europe here.

As I did not want to deploy it in a dedicated subscription, I’ll pick my own. The prefix for the management groups is based on the text that is visible later.

The management groups hold the subscriptions, and policies can be placed on the management groups.

Here are the options for Log Analytics and the policies. To keep good governance you need logging and policies; later, in Microsoft Defender for Cloud, you can see the policies and the secure score.

At this time I don’t want to use the DevOps pipeline, but it is a great add-on and you can start from there with the pipeline deployment.

Now you need to choose the deployment: go for hub and spoke or Azure Virtual WAN, depending on your needs. Personally I’m a big fan of Azure Virtual WAN, so I’ll choose this. Optional resources can be added, such as:

  • DDoS Protection Standard
  • Azure Private DNS Zones for Azure PaaS services
  • VPN and ExpressRoute Gateways
  • Azure Firewall

With these options you may need to choose the right SKU, a proper subnet and/or zone redundancy.

I chose the Standard SKU; this is without IDS and TLS inspection. The best option is to choose Premium.

Always use an NSG on your network; never, never, never connect a VM directly to the web.

In enterprise-scale it is best practice to use multiple subscriptions; see also the enterprise-scale layout.

Now that the deployment is ready, we can view the Azure Virtual WAN with the firewall.

The deployed resources are easy to find, as the prefix is used on all the resources.

Look at Log Analytics and the policies; always check this. Maybe you need to adjust the workload and/or add extra settings on the workload to make things compliant.

Overall the template is a great starter. Yes, you need to configure a lot more than just the foundation, but this gives you a good understanding of what is needed and what to connect, and lets you play with the resources.

Go here for the github template of the enterprise scale

Look on my blog for how to configure the VPN and Azure firewall.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Upgrade – Install System Center Virtual Machine Manager 2022 #SCVMM #Azure #Hybrid #AzureArc #AzOps #Sysctr

System Center Virtual Machine Manager (VMM) has been around for a long time, and many have used it as the primary tool for managing the virtual and physical environment. Nowadays the cloud plays a bigger and bigger role in the infrastructure, and the tools are switching too: with Azure Arc or Windows Admin Center you have some powerful tools that can manage the infrastructure.

Hybrid management with Azure

Efficiently managing IT resources that are sprawled across various locations without slowing down developer innovation is a key challenge that IT leaders face today. Azure Arc enables you to seamlessly govern, manage, and secure Windows and Linux servers, Kubernetes clusters, and applications across on-premises, multiple clouds, and the edge from a single control plane.

I must say I see less and less VMware and VMM as I move them all to Azure. But in the meantime many of you will still be using this, so here is a little guide on how to upgrade from VMM 2019 to VMM 2022.

Get started with System Center 2022

Make sure the following steps are taken, or you will see some errors. I tried to simulate that so that you can see the expected error message.

  1. Complete any jobs that are currently running in VMM. Note that the job history is deleted during the upgrade.
  2. Close any connections to the VMM management server, including the VMM console and the VMM command shell.
  3. Close any other programs that are running on the VMM management server.
  4. Ensure that there are no pending restarts on VMM servers.
  5. Perform a full backup of the VMM database.
  6. If the current SQL Server database used Always On availability groups:
    • If the VMM database is included in the availability group, remove it in SQL Server Management Studio.
    • Initiate a failover to the computer that is running SQL Server, on which the VMM database is installed.
  7. If you’re running Operations Manager with VMM, disconnect the connection between VMM and Operations Manager server.

Uninstall the System Center VMM

  1. Go to Control Panel > Programs > Programs and Features, select Virtual Machine Manager and click Uninstall.
  2. On the Uninstall wizard, select Remove Features, select both VMM management Server and VMM Console under the features to remove.
  3. On database options page, select Retain database.
  4. Review the summary and click Uninstall.

Remember: if you have multiple consoles, you need to upgrade these as well.

Now that VMM is uninstalled we can proceed. Make sure the Retain database check box is checked.

Now we can start the setup again.

We do a full install: console and management server.

As my VMM server was based on Windows Server 2016 (see the NetBIOS name), I upgraded the server to Windows Server 2022 with SQL Server 2019.

When selecting the database, make sure you use the correct name. If you don’t know the name, you can look it up in SQL Server. The wrong database name gives you the above error.

With the correct database name.

The next step is to upgrade the database and install VMM.

Make sure you use the same library name as before.

Make sure you follow the upgrade steps in the article where they are needed.

Now that the VMM server is up and running, we can use VMM again, and the database and the configuration are as before.

Hope it was helpful. Thanks for visiting my blog.

How to Create a Windows server 2022 SOFS Cluster on a VM #sofs #ws2022 #winserv #hyperv #Azure #Windows11 #WiMVP

Building a test lab always depends on the resources you have. Building a lab in Azure gives you unlimited resources, and the same method applies when building this on your own laptop. I will use the GUI as much as possible; with just a PowerShell script there is no fun in writing the blog. I’ll use a Windows 11 OS for this blog.

For now this blog will demonstrate how to create a scale-out file server on a Windows Server 2022 platform.

First we have two domain member servers, ws2022-01 and ws2022-02.

Install the cluster roles on the servers with PowerShell or the GUI:

Get-WindowsFeature Failover-Clustering
# Install-WindowsFeature takes one computer name at a time, so loop over the nodes
foreach ($node in "ws2022-01.mvp.local","ws2022-02.mvp.local") {
    Install-WindowsFeature "FS-FileServer","Failover-Clustering","RSAT-Clustering" -IncludeAllSubFeature -IncludeManagementTools -ComputerName $node
}
# Create cluster validation report
Test-Cluster -Node ws2022-01,ws2022-02
Start-Sleep 8
# -StaticAddress is blank here; supply the cluster IP address for your subnet
New-Cluster -Name ws2022CL01 -Node ws2022-01,ws2022-02 -NoStorage -StaticAddress ""

Remember that installing the file server role may require a reboot. You can also do this at a later stage to avoid the extra reboot.

Now that the cluster is created, we configure the cluster and quorum and add storage to the cluster.

Here is the difference between the local setup and an Azure setup or running on Windows 11. Personally I run Windows Server as my desktop.

Adding storage to the VM is done in Hyper-V Manager, if you run Windows Server! If you run Windows 10 or 11 you will face the issue explained below.

Make sure you use SCSI disks and shared disks, otherwise the disks are unusable for the SOFS file cluster. The first option is to create 3 shared disks.

Make sure you are using a shared location to store the VHD files.

When using Windows Server you can bypass the shared location by using a filter driver: fltMC.exe attach svhdxflt I:\. This does not work on Windows 11; it is part of the Failover Clustering feature and will only work on Windows Server!

fltmc.exe attach svhdxflt C:\

Attach failed with error: 0x801f0013
The system could not find the filter specified.

To bypass this you can use iSCSI on the VMs, and this also works perfectly on Azure. As it is a test lab, the performance of the iSCSI connection may be a bit lower, but it works just as well.

So for the shared disks I create 3 iSCSI targets; each disk is mounted on both VMs with the built-in iSCSI initiator. Make sure the disks are not formatted and are online.

Check the just-created cluster on ws2022, and make sure that if you work on node 1, all the resources are also available on node 1, not that the disks are sitting on node 2. You could also pause node 2; that way you make sure there are no resources running on that node.

Add the disk here if you want a normal file server, but we are building a SOFS with CA storage, as I don’t want to wait while the disk is failing over. A file server is way different from a SOFS!

In this case we want to build a scale-out file server, so we are not adding the disk here; we are going to create a disk pool.

A new pool is created; the next step is a virtual disk and a volume.

When there are no disks available, the cluster is not visible here.

A minimum of 3 disks is needed, and in your test lab they can be any size, but bigger than 16 GB.

Creating the pool.

Now that the pool is created, we create the disk.

The new disk is created in the next step, New Virtual Disk.

As we only have 3 disks and two nodes, we have limited configuration options.

I go for a mirror, as this will max out my performance. The more disks you have, the more performance you will get, and different types of disk can also give caching if needed. With modern hardware, Gb/s speed is easily done.

I choose 50 GB here, but it all depends on the need and the disk size you have. I have 1,49 TB, but I want to create more disks later, so I need some space. And I have zero workload here.

When completed, we have a virtual disk and just need to create a volume. I unchecked the box, as I am adding the volume with a different method; same result, but it shows you that the cluster is interacting with the file server components.

When the disk is created there is a checkbox that is checked; for the blog I unchecked this. Now I have created a pool with a disk, and our last step is creating a volume on that vdisk.

Now that the pool, disk and volume are created, we can create the SOFS. I must say the SOFS can be created first and the disk added later, but I like to do it this way.

Create the Scale out file server

Make sure you choose Scale-Out File Server; the default is File Server.

This will also be your NetBIOS name. It can be changed, but it is better to use the correct name. It will be a distributed network name.

As our final step we add the file share and this share is on top of our CSV volume that we created on the disk pool.

Add a file share

Just pick Quick.

Make sure the disk is also on your connected node; if not, you will not see the cluster storage.

Create a share name.

Make sure the checkbox is set on Continuous Availability.

Make sure you set the access rights according to your needs.

Make sure you set the permissions right on the file share, and grant the cluster node access to the share.

Then comes the fun part: testing performance.

As you can see there is a nice performance on my test lab machine on a 1 core VM.

Good performance, just to see how things are working or to give a good demo.

Hope it was helpful. Thanks for visiting my blog.

Free eBook – A SysAdmin’s Guide to Azure IaaS – Second Edition. #Altaro #Sysadmin #IaaS 

With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do you make the leap while maintaining security, manageability, and cost-control?

Whether you’re making new VMs directly in the cloud, have VMs in your own datacenter and are looking to migrate to Azure, or you’re looking to manage VMs with cloud-based tools regardless of where they live, The SysAdmin Guide to Azure Infrastructure as a Service (Iaas) will teach you to set up and maintain a high-performing Azure IaaS environment. 

Written by veteran IT consultant and trainer Paul Schnackenburg, Altaro’s free 100+ page second edition eBook covers how to create VMs, size them correctly, and manage storage, networking, and security, along with backup. You’ll also learn how to operate groups of VMs, deploy resources based on templates, manage security, and automate your infrastructure. There are also two new chapters on Automanage and Azure Arc to help you bring a lot of automation to IaaS, all lessening the burden on your time.

One thing that has changed significantly over the past couple of years is the shift towards making IaaS VMs more like PaaS services. VMs are great but they require a lot of maintenance and care, whereas all the business is really interested in are the applications and data that run inside of them. This explains the popularity of PaaS services such as managed Kubernetes (AKS) and Azure Functions (serverless).

If you’re new to the cloud (or have experience with Amazon Web Services and/or Google Cloud Platform but not Azure) this eBook will cover the basics as well as advanced skills. And given how fast things change in the cloud, it covers the why (as well as the how) so that as features and interfaces are updated, you’ll know how to proceed.

Make the cloud work for you – download your free copy today!

How to use Azure proximity placement groups #Azure #SAP #Latency

When moving to Azure or building new infrastructure workloads, latency is important. Where do I find the numbers, how do I configure it for the best result, what is the difference between Azure Availability groups and Azure Availability Zones, and do I need Azure Site Recovery? Well, as a consultant: IT depends.

Availability Sets

Availability Sets takes the virtual machine and configures multiple copies of it.  Each copy is isolated within a separate physical server, compute rack, storage units and network switches within a single datacentre within an Azure Region.

When you create your virtual machine you can specify the Availability Set, you can’t change it or move it in or out of an Availability Set after creation.  If you wanted to make changes you would need to start again and recreate the virtual machine.  Availability Sets only apply to virtual machines, they can’t be used for any other type of resource within Azure. So Local Datacenter redundancy.

Availability Zone

The next level of availability for your virtual machines within Azure is Availability Zones.  With Availability Zones utilized your acceptable downtime a month moves to less than 5 minutes as you’ve got a 99.99% SLA. With Availability Zones you are starting to use zone aware services. Your workload will be spread out across the different zones that make up an Azure region.  An Azure region is made up of multiple datacenters and each zone is made up of one or more datacenters.  Each datacenter is equipped with independent power, cooling and networking.

Figure: Availability Zone

You can imagine that when using this there could be some extra latency between the VMs. It all depends on the zone where you are deploying, but that can be tested.

In many Azure regions, the number of datacenters has grown. Azure datacenter latency could be tested here.

In the next setup I use two Azure VMs, both in West Europe, and we test the latency between VMs in the same region. The tool I use is Latte.

On the sender server we entered the remote receiver IP.

Here on the receiver we use the local VM IP, and after the test the latency is shown. This is a common setup. If we want to improve this, or make sure that these numbers do not get worse, we need to change the setup.

516 Latency(usec)

When running SAP latency is important, Azure has an option that is called Proximity placement groups. An Azure proximity placement group is a logical construct. When a proximity placement group is defined, it’s bound to an Azure region and an Azure resource group.

A single Azure resource group can have multiple proximity placement groups assigned to it. But a proximity placement group can be assigned to only one Azure resource group.

Proximity placement groups offer co-location in the same data center. However, because proximity placement groups represent an additional deployment constraint, allocation failures can occur (for example, you may not be able to place your Azure Virtual Machines in the same proximity placement group.)

When you ask for the first virtual machine in the proximity placement group, the data center is automatically selected. In some cases, a second request for a different virtual machine SKU may fail since it does not exist in the data center already selected. In this case, an OverconstrainedAllocationRequest error will be returned. To troubleshoot, please check to see which virtual machines are available in the chosen region or zone using the Azure portal or APIs. If all of the desired SKUs are available, try changing the order in which you deploy them.

In the case of elastic deployments, which scale out, having a proximity placement group constraint on your deployment may result in a failure to satisfy the request.

Graphic for proximity placement groups

If you want to use availability zones together with placement groups, you need to make sure that the VMs in the placement group are also all in the same availability zone.

In this sample we are going to make an Azure proximity placement group and place two VMs in it. As a sample I also use an Azure Virtual Desktop machine.

How to create an Azure proximity placement group: in the Azure portal, type proxi and the Azure proximity placement groups are there.

Select Create, add a resource group and pick a name that fits your naming convention.

Add some tags and that is all. Or do this in PowerShell:

$resourceGroup = "rg-proxim-demo-weu-01"
$location = "West Europe"
$ppgName = "ppg-avd-sap-01"
New-AzResourceGroup -Name $resourceGroup -Location $location
$ppg = New-AzProximityPlacementGroup `
   -Location $location `
   -Name $ppgName `
   -ResourceGroupName $resourceGroup `
   -ProximityPlacementGroupType Standard

Adding a VM to the newly created Azure proximity placement group is done by selecting the configuration of the VM and adding the group there. In my case I have an availability set added to my VM, so I must upgrade the entire availability set to add the Azure proximity placement group.
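
The availability-set case described above, done in PowerShell, as an added example that is not part of the original post. The availability set name is hypothetical and is assumed to live in the same resource group as the proximity placement group created in the PowerShell block above.

```powershell
# Added example: move an existing availability set into a proximity placement group.
$resourceGroup = "rg-proxim-demo-weu-01"
$ppgName       = "ppg-avd-sap-01"
$avSetName     = "avset-demo-01"      # assumption: replace with your availability set

$avSet = Get-AzAvailabilitySet -ResourceGroupName $resourceGroup -Name $avSetName
$ppg   = Get-AzProximityPlacementGroup -ResourceGroupName $resourceGroup -Name $ppgName

# Every VM in the set has to be stopped (deallocated) before the set can be moved.
$vmNames = $avSet.VirtualMachinesReferences | ForEach-Object { ($_.Id -split '/')[-1] }
foreach ($vm in $vmNames) {
    Stop-AzVM -ResourceGroupName $resourceGroup -Name $vm -Force | Out-Null
}

# Attach the whole availability set to the proximity placement group.
Update-AzAvailabilitySet -AvailabilitySet $avSet -ProximityPlacementGroupId $ppg.Id

# Start the VMs again. An allocation failure at this point is the
# OverconstrainedAllocationRequest case: the SKU is not available in the
# datacenter that the placement group is pinned to.
foreach ($vm in $vmNames) {
    try {
        Start-AzVM -ResourceGroupName $resourceGroup -Name $vm -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Warning "Could not start $vm in ${ppgName}: $($_.Exception.Message)"
    }
}
```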

Now that we added the Azure proximity placement group to the VM we need to run the same test again.

Both machines are already in the same availability set, which is now added to the Azure proximity placement group.

Testing from outside the avail, from a B2 VM to a D2v3 SKU.

Running this on a d4ds_4: as this is in the availability set, I need to choose what is within the limits of this set, so I am bound to the VM SKU.

As you can see, it really depends on the VM SKU type what kind of latency you will get, but basically it is lower when you are using Azure proximity placement groups.

Interesting to see: in the PowerShell commands for Azure proximity placement groups there is also an Ultra option. This is currently in preview but can give you even better results. Keep in mind that you can’t fix it with just one setting: check your chain and fix that, instead of fixing just one link.


Specifies the type of the proximity placement group. Possible values are: Standard or Ultra

$resourceGroup = "rg-proxim-demo-weu-02"
$location = "West Europe"
$ppgName = "ppg-avd-sapultra-02"
New-AzResourceGroup -Name $resourceGroup -Location $location
# Backticks continue the command on the next line
$ppg = New-AzProximityPlacementGroup -Location $location `
   -Name $ppgName -ResourceGroupName $resourceGroup `
   -ProximityPlacementGroupType Ultra

New-AzProximityPlacementGroup: The subscription is not registered for private preview of Ultra Proximity Placement Groups.

I think I need to do some research on how to add my subscription to this preview. Hope it was helpful. Thanks for visiting my blog.

#Free #eBook – How to Get the Most Out of Windows Admin Center #Altaro #WAC #Hybrid

Free eBook – How to Get the Most Out of Windows Admin Center – Second Edition.

If you have experience with the Windows Admin Center, you might already have deduced it is a powerhouse of functionality making light of important server management tasks. If you’re just adding it to your system administrator toolbox, welcome to the wonder of Windows Admin Center!

With so much functionality, figuring out where to focus is key. Whether you’re just setting out with Windows Admin Center or wanting to realize its full potential, start with Altaro’s free 160+ page second edition eBook, How To Get The Most Of The Windows Admin Center.  

Written by Microsoft Cloud & Datacenter Management MVP Eric Siron, it covers the latest developments like the Control Azure Stack HCI, use of WinRM over HTTPS and integration with Azure Monitor, amongst others. It’s a comprehensive guide on everything from installation methods and security considerations to integrating Windows Admin Center into an existing environment. There is even a brief history lesson along with a comparison to alternatives so you should get a solid overview of Windows Admin Center, why to choose it and how to work with it.

An all-new server management experience when it was introduced, Windows Admin Center modernized administrative activities with a centralized HTML 5 web application. Just add servers, clusters, desktops, and Azure virtual machines into a personalized, persistent interface, and manage their roles, features, software, registry, PKI certificates, and more. And with Microsoft’s latest investment into the Windows Admin Center and new functionality, there is now even more server management power to work with.

Learn to simplify and optimize your server management tasks – Download your free eBook now!

Website maintenance

Due to some events on the blog I need to redo some work. In the next x time this will be fixed.

Little update here: it seems my WordPress theme was no longer supported, so it is a good time to start with a fresh setup. Still struggling with what to place or not.

Let me know if you have suggestions. If you find links that are not working, place them in the comments and I will try to fix them as quickly as I can.

During the website work I’ll point you to my sponsors: check out the products from Altaro and

This SysAdmin Day, WIN with Hornet security

For SysAdmin Day  we launched an interesting contest that might interest your audience.

To participate one must sign up for a 30-day free sign up for free to 365 Threat Monitor and set up an account! 

What they can win?

  • Receive a guaranteed €20 Amazon voucher when they sign.
  • Get a chance to WIN one of our Grand Prizes.

If you are seeking a monitoring solution take a look at NiCE

Complex Environments Made Transparent

Intelligent monitoring, data correlation and visualization help you understand the status of any given system at any given point in time.

NiCE Monitoring Solutions enable pinpoint availability, performance and User Experience optimization for better business outcomes. They integrate into Micro Focus OBM, Microsoft SCOM and Microsoft Azure.

This Holiday Season, win with Hornetsecurity! #Hornetsecurity #M365 #win #Holiday

This Holiday Season, win with Hornetsecurity!

‘Tis the season to be caring – for your loved ones, for each other, and yes, even for your data and mailboxes. If you’re a Microsoft 365 administrator, celebrate with us. All you have to do is sign up for free to 365 Threat Monitor and set up your account!

How does it work?

  • Sign up to 365 Threat Monitor
  • Receive a guaranteed $10 Amazon voucher and a chance to win one of the Grand Prizes!
  • For every valid entry, we’ll make a $10 donation to One Laptop per Child

What are you waiting for? Sign up now!

Effective March 31, 2021, the Azure portal will no longer support Internet Explorer 11. Start using the new Microsoft Edge for speed, security and privacy

Well, on every server or Windows device there is Internet Explorer, and when preparing some server workloads you may need a browser and may need to connect to Azure. Using an old browser is always a bad idea.

When setting up a new server, whatever version it is, I always remove the IE icon and install Microsoft Edge. This works fine and gives me a more secure feeling.

Opening the Azure portal with IE, you will see a warning about an unsupported browser.

With the option to download Edge directly.

The portal still opens in IE, but some functions do not work, for example anything that uses HTML5.

Official Download links for Microsoft Edge Stable Enterprise

I’m not 100% sure it’s final but anyone who wishes/wants can test it.

Microsoft Edge Stable Enterprise




Blocker Toolkit to disable automatic delivery of Microsoft Edge

So when you want to automate this, the following lines can be used to install Microsoft Edge quickly:

#Create temp folder
New-Item -Path 'C:\temp' -ItemType Directory -Force | Out-Null

#Install Edge
#The download URL is blank here; set -Uri to the Edge Enterprise MSI link
Invoke-WebRequest -Uri "" -OutFile 'C:\temp\MicrosoftEdgeEnterpriseX64.msi'
#Run the MSI through msiexec and wait for it to finish
Start-Process msiexec.exe -ArgumentList '/i C:\temp\MicrosoftEdgeEnterpriseX64.msi /quiet /norestart' -Wait

This will install Microsoft Edge. You can put this in a PowerShell script and in a GPO; that way all new servers will get Microsoft Edge.
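
The same unattended install with an integrity check before execution, as an added example that is not part of the original post: a script pushed by GPO runs with high privileges on every new server, so the downloaded MSI is only installed when its Authenticode signature is valid and issued to Microsoft. `$EdgeMsiUrl` is a placeholder because the download URL is not given on this page, and the log file path is an assumption.

```powershell
# Added example: download, verify the signature, then install Microsoft Edge.
$EdgeMsiUrl = '<Edge Enterprise MSI URL>'      # placeholder: not given on this page
$msiPath    = 'C:\temp\MicrosoftEdgeEnterpriseX64.msi'
$logPath    = 'C:\temp\edge-install.log'       # assumption: any writable path

# Only fetch the installer over TLS.
if ($EdgeMsiUrl -notmatch '^https://') {
    throw 'Refusing to download the installer over a non-HTTPS URL.'
}

New-Item -Path 'C:\temp' -ItemType Directory -Force | Out-Null
Invoke-WebRequest -Uri $EdgeMsiUrl -OutFile $msiPath -UseBasicParsing

# Check the Authenticode signature of the MSI before it is executed.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
$signedByMicrosoft = $sig.SignerCertificate -and
                     $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
if ($sig.Status -ne 'Valid' -or -not $signedByMicrosoft) {
    Remove-Item -Path $msiPath -Force
    throw "Signature check failed (status: $($sig.Status)); installer removed."
}

# Install silently and wait for the result; 3010 means success, reboot required.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$msiPath`" /quiet /norestart /l*v `"$logPath`"" `
    -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $logPath"
}
```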



Windows Server LTSC vNext Preview Build 20206 #SMB #WindowsServer #StorageSpacesDirect #WinServ #AzureHybrid

A new build of the Windows Server vNext Long-Term Servicing Channel (LTSC) release, build 20206, contains both the Desktop Experience and Server Core installation options for the Datacenter and Standard editions. There are a lot of under-the-hood improvements, like better security and performance capabilities in the SMB 3.1.1 protocol and extended migration options.

What is new :

  • File Services: SMB improvements
  • Storage Migration Services improvements
  • AFS Tiering support preview
  • Compress files copied over SMB with robocopy
  • SMB Direct + RDMA encryption

More in-depth on the improvements :

How to Download ?

Directly on the Windows Server Insider Preview download page.

Choose the LTSC ISO or VHDX, it’s a quick download and ready to start with.


It is great that there are 18 languages for the server OS, but personally I really hate this. Keep your server English: issues can easily be found and people can help you better. But this is totally my opinion.

Windows Server vNext Long-Term Servicing Channel Preview is available in ISO format in 18 languages, and in VHDX format in English only.

The following keys allow for unlimited activations:
Datacenter: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67

Windows Server vNext Semi-Annual Preview The Server Core Datacenter and Standard Editions are available in the 18 supported Server languages in ISO format and in VHDX format in English only.

The following keys allow for unlimited activations:
Standard: V6N4W-86M3X-J77X3-JF6XW-D9PRV
Datacenter: B69WH-PRNHK-BXVK3-P9XF7-XD84W

How to Download

Registered Insiders may navigate directly to the Windows Server Insider Preview download page.  See the Additional Downloads dropdown for Windows Admin Center and other supplemental apps and products. If you have not yet registered as an Insider, see GETTING STARTED WITH SERVER on the Windows Insiders for Business portal.

Want to learn more about Windows Server Hybrid and Windows Server on Azure IaaS VMs?

Manage hybrid workloads with Azure Arc

You will learn to describe Azure Arc, implement Azure Arc with on-premises server instances, deploy Azure policies with Azure Arc, and use role-based access control (RBAC) to restrict access to Log Analytics data.

After completing this module, you will be able to:

  • Describe Azure Arc.
  • Explain how to onboard on-premises Windows Server instances in Azure Arc.
  • Connect hybrid machines to Azure from the Azure portal.
  • Use Azure Arc to manage devices.
  • Restrict access using RBAC.

Check out the learning module here.

Implement scale and high availability with Windows Server VM

You’ll learn how to implement scaling for virtual machine scale sets and load-balanced VMs. You’ll also learn how to implement Azure Site Recovery.

After completing this module, you will be able to:

  • Describe virtual machine scale sets.
  • Implement scaling.
  • Implement load-balancing virtual machines.
  • Implement Azure Site Recovery.

Check out the learning module here.

Start with Azure

Start with Intune

Deploy Windows Admin Center High Availability running on a Windows Server 2019 Cluster #winserv #WAC #WindowsAdminCenter #AzureArc #Azure #Hybrid

The new tool Windows Admin Center is THE tool to use when managing your environment. You can install it on almost any server (not a domain controller), but even this server needs a reboot from time to time. Therefore we make Windows Admin Center highly available. When installed on a cluster, the tool gets better uptime and is there when you need it. The resources it uses are minimal.

Windows Admin Center is a new, locally-deployed, browser-based management tool set that lets you manage your Windows Servers with no Azure or cloud dependency. Windows Admin Center gives you full control over all aspects of your server infrastructure and is particularly useful for managing servers on private networks that are not connected to the Internet.

Windows Admin Center is the modern evolution of “in-box” management tools, like Server Manager and MMC. It complements System Center – it’s not a replacement.

First we take our cluster, in this case my test cluster, which runs all kinds of load.


Get the latest Windows Admin Center build.

Save this on the cluster node, and remember you can’t run Windows Admin Center with IE – Internet Explorer!

When checking this I saw that the Cluster team had already created a PowerShell script to make WAC HA, so there goes my blog.


Well, you can run the PowerShell scripts, but that’s no fun. But I understand if you are busy and/or you don’t want to know what is behind the script.


In this case I do it all manually; well, not all, as there are some good parts in the script.

First we need a certificate. I use a self-signed one, and yes, this needs to be changed every 90 days.

Fill in the variables

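$clientAccessPoint = "<client-access-point-name>"   # placeholder: the name of the Windows Admin Center cluster role
$tmpPassword = "Temppassword"   # only protects the exported PFX file; replace it with your own value
$certPath = "c:\temp\sme3.pfx"
Write-Output "Creating self signed certificate"
    $domain = (Get-WmiObject win32_computersystem).Domain
    $dnsName = $clientAccessPoint + "." + $domain
    # Self-signed certificate in the machine store, valid for three months
    $cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(3)
    $certPassword = ConvertTo-SecureString -String $tmpPassword -Force -AsPlainText
    $cert | Export-PfxCertificate -FilePath $certPath -Password $certPassword | Out-Null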



Import the Certificate

$cert.Import($certPath, $certPassword, 'DefaultKeySet')


Save the Thumbprint for later



Now we are installing Windows Admin Center. I use a preview, but get the latest version here


Don’t forget the trusted site checkbox.


Here is the thumbprint that is used in the certificate. Next is installing Windows Admin Center.


Now that Windows Admin Center is installed we are almost ready.

The next steps are stopping the service and setting it to manual, as the Failover Cluster Manager controls the run status.

Set-Service ServerManagementGateway -StartupType "manual"
Stop-Service ServerManagementGateway


Now that this is ready we need to think about the file location, as this is currently on the C drive.


And we don’t want to have two or more configurations, therefore we place this on the CSV volume.

Copy all the files into the CSV volume folder.


When this is done we adjust the service.



# $smePath, $certThumbprint (the thumbprint saved earlier), $portNumber, $clientAccessPoint, $staticAddress and $UxFolder must be set before running this
$registryPath = "HKLM:\Software\Microsoft\ServerManagementGateway\Ha"

    # New-ItemProperty fails when the key does not exist yet, so create it first
    if (-not (Test-Path $registryPath)) { New-Item -Path $registryPath -Force | Out-Null }
    New-ItemProperty -Path $registryPath -Name IsHaEnabled -Value "true" -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name StoragePath -Value $smePath -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name Thumbprint -Value $certThumbprint -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name Port -Value $portNumber -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name ClientAccessPoint -Value $clientAccessPoint -PropertyType String -Force | Out-Null
    # Store the static address list as one comma-separated string
    $staticAddressValue = $staticAddress -join ','
    New-ItemProperty -Path $registryPath -Name StaticAddress -Value $staticAddressValue -PropertyType String -Force | Out-Null
    New-ItemProperty -Path HKLM:\Software\Microsoft\ServerManagementGateway -Name InstallDir -Value $smePath -PropertyType String -Force | Out-Null
    New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ServerManagementGateway -Name ImagePath -Value "$smePath\sme.exe" -PropertyType String -Force | Out-Null

    #grant permissions to Network Service for the UX folder
    $Acl = Get-Acl $UxFolder
    $sID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($sID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    # Add the rule to the ACL object before writing it back; without this Set-Acl changes nothing
    $Acl.SetAccessRule($Ar)
    Set-Acl $UxFolder $Acl


After running this the path changed to the CSV location and the HA values are there




The Windows Admin Center HA values are there.
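A check of the HA values written above, added here as an example (it is not part of the original post or of Microsoft's HA scripts): it reads the Ha key on the local node and confirms that the service starts from the shared storage path and that the stored thumbprint belongs to a certificate that is present, unexpired and issued for the client access point. The function name and the 14-day warning threshold are assumptions.

```powershell
# Added example: validates the Windows Admin Center HA settings on the local node.
function Test-WacHaConfiguration {
    [CmdletBinding()]
    param(
        # Assumed threshold: report the certificate once it has this many days left or fewer.
        [int]$WarnDays = 14
    )
    $haKey    = 'HKLM:\Software\Microsoft\ServerManagementGateway\Ha'
    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\ServerManagementGateway'
    $findings = New-Object System.Collections.Generic.List[string]
    $daysLeft = $null

    if (-not (Test-Path $haKey)) {
        return [pscustomobject]@{
            Healthy             = $false
            CertificateDaysLeft = $null
            Findings            = @("HA key $haKey is missing on this node")
        }
    }
    $ha = Get-ItemProperty -Path $haKey
    if ($ha.IsHaEnabled -ne 'true') { $findings.Add('IsHaEnabled is not set to "true"') }

    # The service has to start from the shared CSV folder, not from the local C: install.
    $imagePath = [string](Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    if (-not $ha.StoragePath) {
        $findings.Add('StoragePath is empty')
    } elseif (-not $imagePath.Trim('"').StartsWith($ha.StoragePath, [StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("Service ImagePath '$imagePath' is not under StoragePath '$($ha.StoragePath)'")
    }

    # The stored thumbprint must resolve to a usable certificate in the machine store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $ha.Thumbprint } | Select-Object -First 1
    if (-not $cert) {
        $findings.Add("No certificate with thumbprint '$($ha.Thumbprint)' in LocalMachine\My")
    } else {
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        if ($daysLeft -lt 0) {
            $findings.Add("Certificate expired on $($cert.NotAfter)")
        } elseif ($daysLeft -le $WarnDays) {
            $findings.Add("Certificate expires in $daysLeft day(s)")
        }
        if (-not $cert.HasPrivateKey) { $findings.Add('Certificate has no private key on this node') }
        $dnsMatch = $cert.DnsNameList | Where-Object { $_.Unicode -like "$($ha.ClientAccessPoint).*" }
        if (-not $dnsMatch) { $findings.Add("No DNS name on the certificate matches '$($ha.ClientAccessPoint)'") }
    }

    [pscustomobject]@{
        Healthy             = ($findings.Count -eq 0)
        CertificateDaysLeft = $daysLeft
        Findings            = $findings.ToArray()
    }
}

Test-WacHaConfiguration | Format-List
```

Run it on every cluster node, since the registry values and the certificate are per node while the files on the CSV are shared.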

The last step on this cluster node is creating the cluster resource.

$registryPath2 = "SOFTWARE\Microsoft\ServerManagementGateway\Ha"
Add-ClusterGenericServiceRole -ServiceName ServerManagementGateway -Name $clientAccessPoint -CheckpointKey $registryPath2 -StaticAddress $staticAddress


Remember the HA cluster resource does not need the HKLM:\ prefix that the other variables use.


Now we have installed Windows Admin Center in the cluster. For all the other nodes in the cluster we need to do almost the same.

Or we could export the registry keys and add them on the nodes, as we already placed the files on the CSV and created a cluster resource.

None of the other nodes has a Windows Admin Center service. Using the registry keys works, but you will need a reboot. If we first create a fake service and then place the registry keys, no reboot is needed. Or just import the registry keys and reboot the node.

New-Service -Name ServerManagementGateway -DisplayName "Windows Admin Center" -BinaryPathName "C:\ClusterStorage\vdisk20\ux"

First regkey <>

Windows Registry Editor Version 5.00




Second Regkey <>

Windows Registry Editor Version 5.00

"DisplayName"="Windows Admin Center"
"ObjectName"="NT Authority\\NetworkService"
"Description"="Windows Admin Center"

With this in place all nodes can run Windows Admin Center in HA mode, but it will not run on IE, and that is the only default browser on the server. To test if it is working you will need Edge or Chrome.


As you can see it is not that simple to make things highly available. You can use the PowerShell scripts provided by Microsoft, but if you use these scripts you need to rename the MSI file if you are using the Insider Preview or any other build that is not named ServerManagementGateway.msi

WindowsAdminCenterPreview1808.msi rename to ServerManagementGateway.msi 

You can deploy Windows Admin Center in a failover cluster to provide high availability for your Windows Admin Center gateway service. The solution provided is an active-passive solution, where only one instance of Windows Admin Center is active. If one of the nodes in the cluster fails, Windows Admin Center gracefully fails over to another node, letting you continue managing the servers in your environment seamlessly.

High-availability deployment scripts from Windows Admin Center HA Setup Scripts zip file. Download the .zip file containing these scripts to your local machine and then copy the scripts as needed.



How to join Windows Server 2019 to the Azure AD #AAD #Winserv #WIMVP #AD #Hybrid #Azure

For some time it has been possible to join devices to Azure AD. Personally I know this was working for Windows 10, but Windows Server 2019? In this blog post I’ll show some ideas and thoughts. It would be nice if native Azure MFA would work to log on. Also, for some options your Azure AD needs to be at least P1.

Organizations can now utilize Azure Active Directory (AD) authentication for their Azure virtual machines (VMs) running Windows Server 2019 Datacenter edition or Windows 10 1809 and later. Using Azure AD to authenticate to VMs provides you with a way to centrally control and enforce policies. Tools like Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access allow you to control who can access a VM. This blog shows you how to create and configure a Windows Server 2019 VM to use Azure AD authentication, and how to remove the Azure AD join and switch back to an Active Directory domain join.

The following Windows distributions are currently supported during the preview of this feature:

  • Windows Server 2019 Datacenter
  • Windows 10 1809 and later

So the machine below is in a workgroup but Azure AD joined. On a server it is not visible in the UI that the machine is Azure AD joined.


In the configuration properties of an Azure VM we can set the following property: Login with AAD credentials. This is done during creation of the new VM; that way the VM is directly Azure AD joined.


I just deployed a new VM, and this VM is Azure AD joined. But what if you want to domain join this machine: can we do a hybrid domain join? In short: NO.


Remember, some options only work if you have a P1 or a P2 Azure AD license; here you can find the differences


Looking at the devices in Azure AD, we can see the server is Azure AD joined.


Giving access to the VM can be based on RBAC

Two RBAC roles are used to authorize VM login:

  • Virtual Machine Administrator Login: Users with this role assigned can log in to an Azure virtual machine with administrator privileges.
  • Virtual Machine User Login: Users with this role assigned can log in to an Azure virtual machine with regular user privileges.

To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual Machine User Login role. An Azure user with the Owner or Contributor role assigned for a VM does not automatically have privileges to log in to the VM over RDP. This is to provide audited separation between the set of people who control virtual machines and the set of people who can access virtual machines.

Select the VM, choose IAM, press Add and add a role assignment, just as you do with other workloads.



Or use the Azure CLI

$username=(az account show --query user.name --output tsv)

$vm=(az vm show --resource-group rsg-adjoin001 --name 2019vmadjoin --query id -o tsv)

az role assignment create --role "Virtual Machine Administrator Login" --assignee $username --scope $vm
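To review who ends up with RDP sign-in rights after assignments like the one above, here is an added example in Az PowerShell (not from the original post): it lists every assignment of the two login roles that applies to the VM and marks the ones inherited from a wider scope such as the resource group or subscription. The function name is an assumption; the resource group and VM names are the ones used above.

```powershell
# Added example: report who may sign in to an Azure AD joined VM, and from which scope.
function Get-VmLoginRoleAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VmName
    )
    # Only these two roles grant sign-in; Owner and Contributor on the VM do not.
    $loginRoles = 'Virtual Machine Administrator Login', 'Virtual Machine User Login'
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName -ErrorAction Stop

    # -Scope returns assignments made on the VM itself and the ones it inherits
    # from the resource group, subscription and management groups above it.
    Get-AzRoleAssignment -Scope $vm.Id |
        Where-Object { $loginRoles -contains $_.RoleDefinitionName } |
        ForEach-Object {
            $inherited = ($_.Scope -ne $vm.Id)
            $notes = @()
            if ($_.ObjectType -eq 'Group') { $notes += 'every member of the group can sign in' }
            if ($inherited) { $notes += 'also applies to other VMs under the same scope' }
            [pscustomobject]@{
                Role          = $_.RoleDefinitionName
                Principal     = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
                PrincipalType = $_.ObjectType
                AssignedAt    = $_.Scope
                Inherited     = $inherited
                Notes         = $notes -join '; '
            }
        } |
        Sort-Object Inherited, Role, Principal
}

Get-VmLoginRoleAssignment -ResourceGroupName 'rsg-adjoin001' -VmName '2019vmadjoin' |
    Format-Table Role, Principal, PrincipalType, Inherited, Notes -AutoSize
```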


But what if we want to do a domain join?

There is no hybrid domain join and no console unjoin. Redeploying would not be the best option, right?


With DSRegCmd /Leave we can unregister the VM from Azure AD.


Now back to the domain join: without a reboot we can join the VM directly to the classic Active Directory.


Remember a reboot is needed for this.


Now the VM is a normal AD-joined machine.

This option is still in preview, and after removing the Azure AD join it still shows that the VM is Azure AD joined; it seems there is no trigger to remove the AADLoginForWindows extension in the VM.

The hybrid join could be a great addition to make VMs connectable with Azure MFA. But for now we can assign policies and rules.



Migrate VHD Disks to Azure Disks – Direct-upload to Azure managed disks #Azure #Upload #Disk #Migrate #VHD #storage #MVPBuzz #WIMVP

When I saw this new option I thought, well, this could be interesting: prep some disks in advance and upload the disks later. It looks quicker than staging the VHD first. There are two ways you can bring an on-premises VHD to Azure as a managed disk:

  1. Stage the VHD into a storage account before converting it into a managed disk.
  2. Attach an empty managed disk to a virtual machine and do a copy.

Both these ways have a disadvantage. The first option requires an extra storage account to manage, while the second option has the extra cost of running a virtual machine. Direct-upload addresses both these issues and provides a simplified workflow by allowing the copy of an on-premises VHD directly as a managed disk. You can use it to upload to Standard HDD, Standard SSD, and Premium SSD managed disks of all the supported sizes. With this new option migration could speed up, and it seems less work.

Nowadays Microsoft wants to do a lot in the Azure CLI. Personally I like the Azure CLI for doing quick things, but for testing and building I like the PowerShell options. So in this blog post I show you how to upload your VHD to a managed Azure disk.

Starting this I noticed the weirdness of PowerShell: I did not have the proper options. It seems I was running an older version of the Azure Az module.

So when running new Azure options with PowerShell, make sure you run the latest version. This is not needed in the Azure CLI.

I had version 2.7.0 running and I needed 2.8.0. Do an uninstall of the old version

# Uninstall-AllModules is not a built-in cmdlet; the helper function has to be defined in the session first
Uninstall-AllModules -TargetModule Az -Version 2.7.0 -Force

Or if you have a lot of old versions running uninstall them all.

$versions = (Get-InstalledModule Az -AllVersions | Select-Object Version)
$versions[0..($versions.Length-2)]  | foreach { Uninstall-AllModules -TargetModule Az -Version ($_.Version) -Force }



And of course you can run this in the Azure CLI  with the following command

az disk create -n mydiskname1 -g disk1 -l westeurope --for-upload --upload-size-bytes 10737418752 --sku standard_lrs




But where is the fun in doing this, right?

For creating a managed disk in the GUI there are only a few steps, but then you need to add it to a virtual machine and copy over the data, which is time consuming.





Let’s create a PowerShell script that will pick the right disk size and upload the VHD to Azure as a managed disk.

First we need to see what size my VHD file is to make sure the disk has enough disk space.

$vhdSizeBytes = (Get-Item "I:\Hyperv-old\MVPMGTDC01\mvpdc0120161023143512.vhd").length


So I need a disk size of 136367309312

Our next step is to create a proper disk configuration, with placement in the correct region and resource group.


#Provide the Azure region where Managed Disk will be located.

$Location = "westeurope"

#Provide the name of your resource group where Managed Disks will be created.

$ResourceGroupName = "rsguploaddisk001"

#Provide the name of the Managed Disk

$DiskName = "mvpdc01-Disk01"

New-AzResourceGroup -Name $ResourceGroupName -Location $Location

$diskconfig = New-AzDiskConfig -SkuName 'Standard_LRS' -OsType 'Windows' -UploadSizeInBytes $vhdSizeBytes -Location $Location -CreateOption 'Upload'




Now that the configuration is set we can actually create a new disk.

New-AzDisk -ResourceGroupName $ResourceGroupName  -DiskName $DiskName -Disk $diskconfig


Now that the disk is created we can see this in the Azure portal also.



The details of the just created disk.


Comparing the disk configuration this is now empty and the Disk state is ReadyToUpload. 


At this point we don’t have access to the disk and we can’t upload the original disk to the Azure managed disk. Therefore we need to grant access to this disk. This is done for a time frame like 24 hours or shorter; it depends on the time that is needed for the upload.

The basic default is 24 hours = 86400 seconds, but when done we revoke the access.

$diskSas = Grant-AzDiskAccess -ResourceGroupName $ResourceGroupName -DiskName $DiskName -DurationInSecond 86400 -Access 'Write'


And in the Portal you can see the Ready status is changed to Active Upload.


When looking at the details of the disk in PowerShell we see the disk state of active upload.

$disk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName



Our next step is to copy the VHD to the Azure disk

AzCopy.exe copy "I:\Hyperv-old\MVPMGTDC01\mvpdc0120161023143512.vhd" $diskSas.AccessSAS --blob-type PageBlob

As I did not place any restrictions on the upload, it will use the full bandwidth of my Internet connection; this means a full 1Gbps connection.






Now that the Upload is completed we can revoke the access 

Revoke-AzDiskAccess -ResourceGroupName $ResourceGroupName -DiskName $DiskName
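The grant, upload and revoke steps above as one function, added here as an example (it is not the original post's script): the write SAS is requested for a caller-chosen lifetime and revoked in a finally block, so a failed or interrupted AzCopy run does not leave a valid SAS behind. A second function lists disks that are still open for upload. The function names, the 4-hour default and the 24-hour cap are assumptions.

```powershell
# Added example: upload a VHD with a short-lived write SAS that is always revoked.
function Copy-VhdToManagedDisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VhdPath,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$DiskName,
        # Assumed default of 4 hours; capped here at the 24 hours used in the post.
        [ValidateRange(300, 86400)][int]$SasSeconds = 14400
    )
    $vhd  = Get-Item -LiteralPath $VhdPath -ErrorAction Stop
    $disk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName -ErrorAction Stop

    # Refuse to hand out a SAS for a disk that was not prepared for this upload.
    if ($disk.DiskState -ne 'ReadyToUpload') {
        throw "Disk '$DiskName' is in state '$($disk.DiskState)', expected 'ReadyToUpload'."
    }
    if ($disk.CreationData.UploadSizeBytes -ne $vhd.Length) {
        throw "Disk expects $($disk.CreationData.UploadSizeBytes) bytes but the VHD is $($vhd.Length) bytes."
    }

    $sas = Grant-AzDiskAccess -ResourceGroupName $ResourceGroupName -DiskName $DiskName `
        -DurationInSecond $SasSeconds -Access 'Write' -ErrorAction Stop
    try {
        # The SAS URL is a bearer credential for the disk: hand it to AzCopy only, never log it.
        & AzCopy.exe copy $vhd.FullName $sas.AccessSAS --blob-type PageBlob | Out-Host
        if ($LASTEXITCODE -ne 0) { throw "AzCopy exited with code $LASTEXITCODE." }
    }
    finally {
        # Runs on success, on failure and on Ctrl+C, so the SAS never outlives the attempt.
        Revoke-AzDiskAccess -ResourceGroupName $ResourceGroupName -DiskName $DiskName | Out-Null
    }
    # Return the state after the revoke so the caller can confirm the result.
    (Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName).DiskState
}

# Disks in the current subscription that are waiting for an upload (ReadyToUpload)
# or have write access granted right now (ActiveUpload).
function Get-DiskWithOpenUpload {
    Get-AzDisk |
        Where-Object { $_.DiskState -in 'ReadyToUpload', 'ActiveUpload' } |
        Select-Object ResourceGroupName, Name, DiskState, TimeCreated
}
```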




As you can see the disk state is now unattached and we can create a VM with this disk.


The Disk type can’t be changed at this point but can be changed when the VM is deployed.


The machine is quickly built, and depending on the machine type you can change the disk type to SSD





Windows server 2019 Upgrade virtual machine version in Hyper-V #hyperv #winserv #hybrid

Why should I upgrade the virtual machine configuration version?


When you move or import a virtual machine to a computer that runs Hyper-V on Windows Server 2019, Windows Server 2016, or Windows 10, the virtual machine’s configuration isn’t automatically updated. This means that you can move the virtual machine back to a Hyper-V host that runs a previous version of Windows or Windows Server. But this also means that you can’t use some of the new virtual machine features until you manually update the configuration version. You can’t downgrade the virtual machine configuration version after you’ve upgraded it.

The virtual machine configuration version represents the compatibility of the virtual machine’s configuration, saved state, and snapshot files with the version of Hyper-V. When you update the configuration version, you change the file structure that is used to store the virtual machine’s configuration and the checkpoint files. You also update the configuration version to the latest version supported by that Hyper-V host. Upgraded virtual machines use a new configuration file format, which is designed to increase the efficiency of reading and writing virtual machine configuration data. The upgrade also reduces the potential for data corruption in the event of a storage failure.


With PowerShell we check what versions I have running

Get-VM * | Format-Table Name, Version


As you can see I have versions 5.0 – 9.0 running; time for some upgrading.

This VM has version 5 and I’m upgrading it to version 9.0, the Windows Server 2019 default.

Microsoft Windows 10 October 2018 Update/Server 2019 9.0     True

Update-VMVersion HYD-DC1 



Confirming and done.


If you want to upgrade all VMs, then use a *

Update-VMVersion *

Get-VMHostSupportedVersion -Default



Microsoft Windows 10 October 2018 Update/Server 2019 9.0     True

In the table below you can see the versions between the OS versions and LTSC and SAC.

Supported VM configuration versions for long-term servicing hosts

The following table lists the VM configuration versions that are supported on hosts running a long-term servicing version of Windows.

Hyper-V host Windows version 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0
Windows Server 2019
Windows 10 Enterprise LTSC 2019
Windows Server 2016
Windows 10 Enterprise 2016 LTSB
Windows 10 Enterprise 2015 LTSB
Windows Server 2012 R2
Windows 8.1

Supported VM configuration versions for semi-annual channel hosts

The following table lists the VM configuration versions for hosts running a currently supported semi-annual channel version of Windows.

Hyper-V host Windows version 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0
Windows 10 May 2019 Update (version 1903)
Windows Server, version 1903
Windows Server, version 1809
Windows 10 October 2018 Update (version 1809)
Windows Server, version 1803
Windows 10 April 2018 Update (version 1803)
Windows 10 Fall Creators Update (version 1709)
Windows 10 Creators Update (version 1703)
Windows 10 Anniversary Update (version 1607)





How to install Azure Portal app on Windows server 2019 #ws2019 #Azure #portal #winserv #Cloud #Hybrid

As Windows Server 2019 still holds Internet Explorer and no Edge Chromium or other browser, all initial internet contact is done with Internet Explorer. This can be annoying when you want to do something on the server and connect to Azure, and you first need to install another browser.

This is just a quick blog on the Azure portal app, as this could be handy on any machine without using the browser.

Or you can download the Azure portal app.

When opening the IE browser and go to

You will see this, the option to download the Application to manage the portal.


Agree to the terms and download.


The AzurePortalInstaller can also be deployed by SCCM or Intune if you want. It’s not only an application that can be used on older machines.


The setup is easy and you only need to log on.


Use your Azure credentials and you are good to go.





