Archive for the ‘Azure’ Tag

Step By Step Troubleshooting Azure Arc-enabled servers with agent connection issues #Windows #WindowsServer #WinServ #Azure #AzureArc #Cloud

Azure Arc-enabled servers lets you manage Windows and Linux physical servers and virtual machines hosted outside Azure, on your corporate network or at another cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a resource ID, which lets the machine be included in a resource group, so you can benefit from standard Azure constructs such as Azure Policy and tags.

When Azure Arc has been running for some time and the machine suddenly stops responding, you need to dig a bit deeper into how things actually work, instead of just re-running the MSI and finding that the issue is still not fixed.

This is all a test environment, so it may look different at your site.

Here I have my two servers managed by Arc. In the portal the Azure Arc overview only shows: "Something went wrong while getting your resources. Please try again later."

Let me get more information about this, as currently I know nothing about the error.

According to the Azure troubleshooter everything is OK, and still it doesn't work.

Let me click around and see if there is an error. (I could look at the local event log of the server, but that's no fun; who uses that? Post some comments on the blog post.) Event logs are extremely helpful for finding issues, including hidden ones; people often forget to look there and the problem is right in front of them. And yes, what they report needs to be fixed as well.

Is that the issue? The agent is already running the latest version, so what is this error? Did something go wrong when updating the agent? I did skip patching for some time on these servers and upgraded them to Windows Server 2022.

Let me check the agent version: it is the latest version for now.

How is Azure Arc configured anyway? There is no console other than the Azure portal, plus an MSI with an agent. Let me check the local configuration and see if I can find something there.

C:\ProgramData\GuestConfig

Perfect: lots of log files and a config. Let me check all of this.

time="2021-09-01T16:32:17+02:00" level=error msg="Could not acquire token from cert: FromAssertion(): http call(https://login.windows.net/-d391a79950b1/oauth2/v2.0/token)(POST) error: reply status code was 401:\n{\"error\":\"invalid_client\",\"error_description\":\"AADSTS700027: Client assertion contains an invalid signature. [Reason – The key used is expired., Thumbprint of key used by client: ‘C2FA453DD43C16E584868C1C762DC91EBEC63232’, Found key ‘Start=11/12/2019 15:45:00, End=02/10/2020 15:45:00’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘a16df9d0-f012-45ae-8a92-1d0ad72e045e’. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/].\\r\\nTrace ID: 932-2ba8-4098-813e-05a2900\\r\\nCorrelation ID: 66a070fe-6ae4-4a25-ad3f-\\r\\nTimestamp: 2021-09-01 14:32:07Z\",\"error_codes\":[700027],\"timestamp\":\"2021-09-01 14:32:07Z\",\"trace_id\":\"932e7194-2ba8-4098-813e-343df05a2900\",\"correlation_id\":\"-4a25-ad3f-160f98c9fd9e\",\"error_uri\":\"https://login.windows.net/error?code=700027\"}"

Looking at the log, the issue is right there: "Client assertion contains an invalid signature. [Reason - The key used is expired."

Since I did not update the agent, the certificate it uses to authenticate expired. Makes sense.

But the device already has the new agent, so I need to reconnect it. But how?

Looking at the config I can see all the details of how the agent is registered: the resource group, etc.

C:\ProgramData\AzureConnectedMachineAgent\Config

agentconfig.json

{"subscriptionId":"f34","resourceGroup":"AzureBackupRG_westeurope_1","resourceName":"Hyperv1201","tenantId":"0b1","location":"westus2","vmId":"9659193c-f4d8-4a77-b8f9baad507ce9a9","certificateThumbprint":"c2fa453dd43c16e584868c1c762dc91ebec63232","clientId":"0-f012-45ae-8a92-1045e"}

Let me open PowerShell; maybe I can get more details there and reactivate the agent.

With the azcmagent command you can get more details.

Let me get all the logs:

azcmagent logs

Now we have all the logs in a zip file; this could be handy for next time.

I reconfigured the agent with the following command:

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-group "AzureBackupRG_westeurope_1" --tenant-id "your tenant id" --location "westus2" --subscription-id "errryh934" --verbose

With the reconnect we need to log in again, and all goes well.

But in the logging there is suddenly another error.

Looking at it, there is an Azure Policy that demands a tag, and that tag is currently not present on the resource group, so I can't onboard my Azure Arc server.

I thought this was about an agent with an expired certificate.

So an Azure Policy is blocking the onboarding: hyperv1201 has no tags set, while mvpdc02 has only one tag set.

After a quick change I reran the command line; it worked perfectly and the server showed up in the console again.

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-group "MVPRSG-Azure-Arc" --tenant-id "3078684f-d143-440a-ae40-d391a79950b1" --location "West US 2" --subscription-id "df1e2f32-7adf-48f6-b969-f02376152934" --verbose


Starting client connection on: \\\\.\\pipe\\himds"
time="2021-09-01T17:12:53+02:00" level=debug msg="Awaiting status message from agent…"
time="2021-09-01T17:12:53+02:00" level=debug msg="Status Message received"


As I have a second machine with the same issue, I removed the machine directly in the Arc portal and reran the registration, since the agent was already installed. (This is the quick fix for this issue.)

Perfect: reconnecting and waiting for the agent.

Now I can look at Azure Arc Insights again.
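The steps above (find the expired certificate in the logs, see what tags the policy expects, drop the stale registration and reconnect), scripted as an added example; this is my code, not the post's or Microsoft's. It assumes the agent log folders named below (the post only shows C:\ProgramData\GuestConfig), and the subscription, tenant, resource group and tag values in the usage block are placeholders. The disconnect uses azcmagent's --force-local-only option because an expired certificate cannot authenticate a normal disconnect.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.ConnectedMachine
# Added example, not from the original post: diagnose an Arc agent whose
# certificate has expired, list the tags on the Arc machines already in the
# target resource group (the tag policy hit in the post), and re-onboard.
# Assumptions: the log folders, the placeholder IDs and the tag values are mine.

$AgentExe   = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"
$ConfigJson = "$env:ProgramData\AzureConnectedMachineAgent\Config\agentconfig.json"
$LogDirs    = @("$env:ProgramData\AzureConnectedMachineAgent\Log",   # assumed agent log folder
                "$env:ProgramData\GuestConfig")                       # folder shown in the post

function ConvertTo-TagString {
    param([hashtable]$Tags)
    # azcmagent expects --tags "key=value,key2=value2"
    if (-not $Tags -or $Tags.Count -eq 0) { return '' }
    ($Tags.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ','
}

function Get-ArcCertificateStatus {
    # Correlate the thumbprint the agent is configured with (agentconfig.json)
    # against AADSTS700027 "key used is expired" entries in the local logs.
    $config     = Get-Content -Path $ConfigJson -Raw | ConvertFrom-Json
    $configured = $config.certificateThumbprint.ToUpperInvariant()

    $expired = Get-ChildItem -Path $LogDirs -Recurse -Include *.log -ErrorAction SilentlyContinue |
        Select-String -Pattern 'AADSTS700027' |
        ForEach-Object {
            # The AAD error text names the thumbprint and the key's validity window
            $thumb  = [regex]::Match($_.Line, 'Thumbprint of key used by client: .?([0-9A-Fa-f]{40})').Groups[1].Value
            $window = [regex]::Match($_.Line, 'Start=([\d/ :]+), End=([\d/ :]+)')
            [pscustomobject]@{
                LogFile    = $_.Filename
                Thumbprint = $thumb.ToUpperInvariant()
                KeyStart   = $window.Groups[1].Value.Trim()
                KeyEnd     = $window.Groups[2].Value.Trim()
            }
        } | Sort-Object Thumbprint -Unique

    [pscustomobject]@{
        ResourceName         = $config.resourceName
        ResourceGroup        = $config.resourceGroup
        ConfiguredThumbprint = $configured
        ExpiredKeyLogged     = [bool]($expired | Where-Object Thumbprint -eq $configured)
        ExpiredKeys          = $expired
    }
}

function Get-ArcMachineTags {
    param([Parameter(Mandatory)][string]$ResourceGroup)
    # Tags on the Arc machines already in the resource group: a tag-demanding
    # policy will expect the same keys on the machine you are about to onboard.
    Get-AzResource -ResourceGroupName $ResourceGroup -ResourceType 'Microsoft.HybridCompute/machines' |
        Select-Object Name, @{ n = 'Tags'; e = { ConvertTo-TagString -Tags $_.Tags } }
}

function Repair-ArcConnection {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$Location,
        [string]$ResourceName,          # set this to also delete the stale Azure resource first
        [hashtable]$Tags = @{}
    )
    if ($ResourceName) {
        # Same effect as deleting the machine in the portal, as the post does for the second server
        Remove-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $ResourceName -ErrorAction SilentlyContinue
    }
    # An expired certificate cannot authenticate a normal disconnect, so only the
    # local registration is dropped here; Azure is not contacted.
    & $AgentExe disconnect --force-local-only

    $connectArgs = @('connect',
        '--subscription-id', $SubscriptionId, '--tenant-id', $TenantId,
        '--resource-group', $ResourceGroup, '--location', $Location, '--verbose')
    $tagString = ConvertTo-TagString -Tags $Tags
    if ($tagString) { $connectArgs += @('--tags', $tagString) }
    & $AgentExe @connectArgs                     # prompts for an interactive Azure login
    if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }
}

# Usage (placeholder values):
# Get-ArcCertificateStatus
# Get-ArcMachineTags -ResourceGroup 'MVPRSG-Azure-Arc'
# Repair-ArcConnection -SubscriptionId '<sub-id>' -TenantId '<tenant-id>' `
#     -ResourceGroup 'MVPRSG-Azure-Arc' -Location 'westus2' -Tags @{ Environment = 'Lab' }
```

Run Get-ArcCertificateStatus first: when ExpiredKeyLogged is true and the logged thumbprint equals the one in agentconfig.json, re-running the MSI will not help, because the local registration itself has to be replaced. Passing the expected tags on the connect call avoids the second error in the post, where a tag-enforcing policy refused the new resource.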


Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

 

Posted September 2, 2021 by Robert Smit [MVP] in Azure


First hands-on Upgrading to Windows Server 2022 Domain Controller #Windows2022 #Windows2016 #winserv #CloudOS #WIMVP

Windows Server 2022 is built on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: security, Azure hybrid integration and management, and application platform. Also, Windows Server 2022 Datacenter: Azure Edition helps you use the benefits of cloud to keep your VMs up to date while minimizing downtime.

https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022?WT.mc_id=AZ-MVP-4025011

As some of my domain controllers are running on Server 2016, this is a good moment to upgrade them. Upgrading a domain controller is always tricky, since you can lose your AD; well, I have a copy in Azure.

Windows Server 2016 does support rolling upgrades to Windows Server 2022, but only for a cluster.

For other servers you can upgrade in place or, better, reinstall. I bet you all choose the clean install. For a domain controller it is a quick process to redeploy, but often there are tons of software on the DC that should not be there, which makes it hard to lose the DC, right?

So, my DC on Server 2016.

Finding the FSMO roles:

netdom query fsmo

You can't upgrade the server while it holds a FSMO role. I tested this and it failed, so move the FSMO roles off your DC first.

Yes, I hear you: you have only one DC. Well, create a virtual second one, move the FSMO roles to that server, upgrade, move the roles back, then demote the extra DC and you are back to a single DC.

My other DC is mvpdc22, so I move the roles to my second DC. Quick and smooth migration:

Move-ADDirectoryServerOperationMasterRole -Identity "Your-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator
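The FSMO check and move above, scripted with a verification step and a health check, as an added example (my code, not the post's). It only moves the roles the source DC actually holds instead of all five, queries the target DC directly so replication lag cannot hide a role that did not move, and runs dcdiag and repadmin so you do not take a DC with broken replication offline. DC names and the backup target are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post: script the FSMO check and move
# described above before an in-place upgrade, and verify the result against the
# partner DC. DC names and the backup target are placeholders.

function Get-FsmoRoleHolders {
    param([string]$Server)   # query this DC directly; avoids stale replicated values
    $common = @{}
    if ($Server) { $common.Server = $Server }
    $forest = Get-ADForest @common
    $domain = Get-ADDomain @common
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-RolesHeldBy {
    param([Parameter(Mandatory)][string]$Dc, [Parameter(Mandatory)][string]$QueryServer)
    # Role holders come back as FQDNs; compare on the short host name
    $short = $Dc.Split('.')[0]
    (Get-FsmoRoleHolders -Server $QueryServer).GetEnumerator() |
        Where-Object { $_.Value.Split('.')[0] -ieq $short } |
        ForEach-Object { $_.Key }
}

function Test-DcUpgradeReadiness {
    param([Parameter(Mandatory)][string]$SourceDc)
    # dcdiag /q prints only failures, so empty output means a clean run
    $diag = & dcdiag.exe "/s:$SourceDc" /q 2>&1
    [pscustomobject]@{
        Dc             = $SourceDc
        FsmoRolesHeld  = @(Get-RolesHeldBy -Dc $SourceDc -QueryServer $SourceDc)
        DcdiagFailures = ($diag -join "`n")
        ReplSummary    = (& repadmin.exe /replsummary $SourceDc 2>&1) -join "`n"
    }
}

function Move-FsmoRolesOff {
    param(
        [Parameter(Mandatory)][string]$SourceDc,   # DC about to be upgraded
        [Parameter(Mandatory)][string]$TargetDc    # partner DC that takes the roles
    )
    $toMove = @(Get-RolesHeldBy -Dc $SourceDc -QueryServer $TargetDc)
    if ($toMove.Count -eq 0) { Write-Host "$SourceDc holds no FSMO role"; return }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $toMove -Confirm:$false
    # Verify on the target itself rather than trusting replication
    $left = @(Get-RolesHeldBy -Dc $SourceDc -QueryServer $TargetDc)
    if ($left.Count -gt 0) { throw "Roles still held by ${SourceDc}: $($left -join ', ')" }
    Write-Host "Moved $($toMove -join ', ') to $TargetDc"
}

# Usage, run as a Domain Admin before mounting the upgrade ISO (placeholder names):
# Test-DcUpgradeReadiness -SourceDc mvpdc02                 # fix any dcdiag/repadmin failures first
# wbadmin start systemstatebackup -backupTarget:E: -quiet   # needs the Windows Server Backup feature
# Move-FsmoRolesOff -SourceDc mvpdc02 -TargetDc mvpdc22
# netdom query fsmo                                         # same view the post uses
```

Moving the roles back after the upgrade is the same call with the two DC names swapped; the system state backup is what gives you a way back if the in-place upgrade fails on the DC itself.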

I mounted the ISO on the DC (as a virtual CD).

Yes, I want to help make the product better.

Use your product key or, if you are on Hyper-V, you can use the AVMA key (this requires a Hyper-V host running an activated Windows Server Datacenter edition): https://docs.microsoft.com/en-us/windows-server/get-started-19/vm-activation-19?WT.mc_id=AZ-MVP-4025011

The following AVMA keys can be used for Windows Server 2022:

Datacenter
W3GNR-8DDXR-2TFRP-H8P33-DV9BG

Standard
YDFWN-MJ9JR-3DYRK-FXXRW-78VHK

I still love my GUI, so I install Desktop Experience.

Read the entire EULA and agree.

My domain controller desktop (remember, this is my lab). Don't use your DC for anything other than being a DC.

I want to keep my files.

Yes, install.

Let the setup run.

In just 20 minutes my DC was upgraded to 2022. Lots of new stuff is there, but that is all for a next blog post. Hope it was useful, and remember to make sure you have a backup; things may fail in your environment.

https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022?WT.mc_id=AZ-MVP-4025011



Posted August 24, 2021 by Robert Smit [MVP] in Windows Server 2022


How to change Azure Public IP SKU upgrade Basic to Standard #Azure #IP #SKU #Blog

Azure public IP addresses now support being upgraded from the Basic to the Standard SKU. Additionally, any Basic public load balancer can now be upgraded to a Standard public load balancer while retaining the same public IP address. So what could be the reason to change the SKU?

First, the differences and the price between Standard and Basic.

Standard

Standard SKU public IP addresses:

  • Always use static allocation method.
  • Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.
  • Secure by default and closed to inbound traffic. Allow list inbound traffic with a network security group.
  • Assigned to network interfaces, standard public load balancers, or Application Gateways. For more information about Standard load balancer, see Azure Standard Load Balancer.
  • Can be zone-redundant (advertised from all 3 zones) or zonal (can be created zonal and guaranteed in a specific availability zone). To learn more about availability zones, see Availability zones overview and Standard Load Balancer and Availability Zones. Zone-redundant IPs can only be created in regions where 3 availability zones are live. IPs created before zones are live will not be zone-redundant.
  • Can be used as anycast frontend IPs for cross-region load balancers (preview functionality).

Cost of a single IP (sample)

Basic

All public IP addresses created before the introduction of SKUs are Basic SKU public IP addresses.

With the introduction of SKUs, specify which SKU you would like the public IP address to be.

Basic SKU addresses:

  • Assigned with the static or dynamic allocation method.
  • Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and fixed outbound originated flow idle timeout of 4 minutes.
  • Are open by default. Network security groups are recommended but optional for restricting inbound or outbound traffic.
  • Assigned to any Azure resource that can be assigned a public IP address, such as:
    • Network interfaces
    • VPN Gateways
    • Application Gateways
    • Public load balancers
  • Don’t support Availability Zone scenarios. Use Standard SKU public IP for Availability Zone scenarios. To learn more about availability zones, see Availability zones overview and Standard Load Balancer and Availability Zones.

Cost of a single IP (sample)

Standard has more and better options but is about 1 euro more expensive, so you might think: always use Standard. But a public IP address assigned to a VPN gateway is what enables communication with the remote network, and you can only assign a dynamic Basic public IP address to a VPN gateway.

So it really depends on what you want to use it for. Suppose you start with Basic and later need Standard: you can now change this with PowerShell or the CLI, but not in the GUI.

Limitations

  • In order to upgrade a Basic public IP, it cannot be associated with any Azure resource; see the Azure documentation on how to disassociate public IPs. Similarly, in order to migrate a reserved IP, it cannot be associated with any cloud service; see the Azure documentation on how to disassociate reserved IPs.
  • Public IPs upgraded from Basic to Standard SKU will continue to have no availability zones and therefore cannot be associated with an Azure resource that is either zone-redundant or zonal. Note this only applies to regions that offer availability zones.
  • You cannot downgrade from Standard to Basic.


On my freshly created IP called demo, we change this to a Standard IP address, using the portal to run some PowerShell commands.

## Variables for the command ##
$rg = "rg-demo-weu-01"
$name = "demo"
$newsku = 'Standard'
$pubIP = Get-AzPublicIpAddress -Name $name -ResourceGroupName $rg

Basic resource group and IP address name.

 

## This section is only needed if the Basic IP is not already set to Static ##
$pubIP.PublicIpAllocationMethod = 'Static'
Set-AzPublicIpAddress -PublicIpAddress $pubIP

## This section is for conversion to Standard ##
$pubIP.Sku.Name = $newsku
Set-AzPublicIpAddress -PublicIpAddress $pubIP

The static IP address's SKU changed from Basic to Standard. Remember, there is no option to undo this.

 

Now testing with an IP that is in use and attached to a VM (this VM is currently deallocated), as these changes can only be done offline.

With this the resource changed from Basic to Standard.

Trying to undo this gives the following message:

Set-AzPublicIpAddress -PublicIpAddress $pubIP

Set-AzPublicIpAddress: Sku property is set at creation time and cannot be changed from Standard to Basic on resource update for resource

Changing the SKU is a nice option: you keep the IP and get the options you need, with no downtime beyond deallocating the VM the IP is attached to.
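The upgrade above with the checks a practitioner wants before running it, as an added example (my code, not the post's). Besides the static allocation step from the post it checks the two limitations listed earlier (not attached to a non-NIC resource, attached VM deallocated) and one security consequence the SKU list mentions: a Standard IP is closed to inbound traffic unless an NSG allows it, so a VM with no NSG on its NIC or subnet becomes unreachable after the upgrade. Resource names are placeholders; upgraded IPs also stay non-zonal, which the code does not change.

```powershell
#Requires -Modules Az.Network, Az.Compute
# Added example, not from the original post: pre-flight checks for the Basic to
# Standard upgrade shown above, then the upgrade itself. Standard SKU IPs are
# closed to inbound traffic unless an NSG allows it, so the check warns when no
# NSG is attached to the NIC or its subnet. Resource names are placeholders.

function Get-NicProtection {
    param([Parameter(Mandatory)][string]$IpConfigurationId)
    # A NIC-attached public IP has IpConfiguration.Id of the form
    # .../networkInterfaces/<nic>/ipConfigurations/<cfg>
    $nicId = $IpConfigurationId -replace '/ipConfigurations/[^/]+$', ''
    $nic   = Get-AzNetworkInterface -ResourceId $nicId
    $nsgs  = @()
    if ($nic.NetworkSecurityGroup) { $nsgs += $nic.NetworkSecurityGroup.Id }
    $subnetId = ($nic.IpConfigurations | Where-Object { $_.Id -ieq $IpConfigurationId }).Subnet.Id
    if ($subnetId -match '/resourceGroups/([^/]+)/providers/Microsoft\.Network/virtualNetworks/([^/]+)/subnets/([^/]+)$') {
        $vnet   = Get-AzVirtualNetwork -ResourceGroupName $Matches[1] -Name $Matches[2]
        $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $Matches[3]
        if ($subnet.NetworkSecurityGroup) { $nsgs += $subnet.NetworkSecurityGroup.Id }
    }
    [pscustomobject]@{ NicId = $nicId; VmId = $nic.VirtualMachine.Id; NsgIds = $nsgs }
}

function Test-PublicIpUpgradeReadiness {
    param([Parameter(Mandatory)][string]$ResourceGroup, [Parameter(Mandatory)][string]$Name)
    $ip = Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name $Name
    $problems = @()
    if ($ip.Sku.Name -eq 'Standard') { $problems += 'Already Standard (and a downgrade to Basic is not possible).' }
    if ($ip.IpConfiguration) {
        if ($ip.IpConfiguration.Id -notmatch '/networkInterfaces/') {
            $problems += 'Attached to a load balancer, gateway or other non-NIC resource: disassociate it first.'
        } else {
            $p = Get-NicProtection -IpConfigurationId $ip.IpConfiguration.Id
            if ($p.VmId -match '/resourceGroups/([^/]+)/.*/virtualMachines/([^/]+)$') {
                $vmRg = $Matches[1]; $vmName = $Matches[2]
                # The post did this with the VM deallocated; refuse to run against a running VM
                $state = (Get-AzVM -ResourceGroupName $vmRg -Name $vmName -Status).Statuses |
                         Where-Object { $_.Code -like 'PowerState/*' } | Select-Object -ExpandProperty Code
                if ($state -ne 'PowerState/deallocated') { $problems += "Attached VM $vmName is '$state'; deallocate it first." }
            }
            if ($p.NsgIds.Count -eq 0) {
                $problems += 'No NSG on the NIC or its subnet: after the upgrade all inbound traffic to this IP is dropped.'
            }
        }
    }
    [pscustomobject]@{ PublicIp = $ip; Ready = ($problems.Count -eq 0); Problems = $problems }
}

function Convert-PublicIpToStandard {
    param([Parameter(Mandatory)][string]$ResourceGroup, [Parameter(Mandatory)][string]$Name)
    $check = Test-PublicIpUpgradeReadiness -ResourceGroup $ResourceGroup -Name $Name
    if (-not $check.Ready) { throw ($check.Problems -join "`n") }
    $ip = $check.PublicIp
    if ($ip.PublicIpAllocationMethod -ne 'Static') {
        $ip.PublicIpAllocationMethod = 'Static'       # Standard requires static allocation
        $ip = Set-AzPublicIpAddress -PublicIpAddress $ip
    }
    $ip.Sku.Name = 'Standard'                         # one-way change, as the post shows
    Set-AzPublicIpAddress -PublicIpAddress $ip
}

# Usage (placeholder names):
# Test-PublicIpUpgradeReadiness -ResourceGroup 'rg-demo-weu-01' -Name 'demo' | Format-List Ready, Problems
# Convert-PublicIpToStandard    -ResourceGroup 'rg-demo-weu-01' -Name 'demo'
```

If the readiness check reports a missing NSG, attach one with the inbound rules you actually need before the upgrade; otherwise the IP will survive the SKU change but RDP, SSH and every other inbound service on the VM will silently stop working.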

 

 


Posted January 15, 2021 by Robert Smit [MVP] in Azure


Azure Migration Services – Easy Cloud Migration Services #Azure #Cloud #ASR #Migrate #azops #VMware #Database

This blog post is a bit long, sorry for that: tons of screenshots to give you more detail. This is all based on Hyper-V, but the same steps apply to VMware. I could have created two blog posts, one on the assessment and one on the replication, but this way you have all the details together.

Azure Migrate has been around for some time; this tool makes your life easier when you want to migrate to Azure. It can migrate VMware or Hyper-V VMs to Azure. The process is similar to the Azure Site Recovery process, but ASR is only for disaster recovery. In the old days it was also used for migration, but Azure Migrate is much more flexible, placing VMs on the existing network or on a different one. New functions are released every month: https://docs.microsoft.com/en-us/azure/migrate/whats-new

For this blog I used a Hyper-V server and some VMs that are migrated to an existing network in Azure. I also used two methods, Azure Migrate: Server Assessment and Azure Migrate: Server Migration. The big difference is that with Azure Migrate: Server Migration there is just a cutover, with no upfront assessment: it creates a replica and places it in Azure.

In most initial migrations customers want lift and shift. This is the method if you want to move to Azure quickly. Better is to do a server assessment before the migration, or rebuild the server on a new OS if needed.

Step 1: in the Azure portal, type Azure Migrate and open Assess and migrate.

I create a new project for this, create a new resource group, and choose the geo location.

For Hyper-V we download the exported VM from the Azure portal and import this VM into the Hyper-V server.

Select the right platform. The migration process for VMware is similar to Hyper-V once the appliance VM is connected to the portal.

We select the Hyper-V VM; in the preparation step we choose to download the 9 GB migration appliance.

When doing this directly on the migration appliance you get a warning that IE is not supported anymore. I used Edge (Chromium) instead, as the connections with IE failed, so a better browser is needed. Get Edge: https://www.microsoft.com/en-us/edge?form=MA13DE&OCID=MA13DE

Importing the VM with the Hyper-V wizard is an easy and quick step: use Hyper-V Manager to import the VM.

Then start the VM; the EULA is displayed, and that is also the start of the migration wizard.

Remember to use a different browser than IE; currently IE is what ships in the migration appliance.

We start the migration configuration wizard. Remember: do not use IE.

With the basic configuration steps we start connecting the migration appliance to the Hyper-V server.

In this connection wizard we select the migration project we just created in the Azure portal. (If you have multiple projects, select the right one, as this Hyper-V server will be connected to it.)

If you have trouble registering the server, check your DNS, user account, browser and WMI (in a standalone site these can all be an issue).

These credentials connect to my Hyper-V server, not to the VMs.

You can use the FQDN or the IP to connect to the Hyper-V server.

I changed the DNS to provoke some common errors. Set the DNS correctly; these errors are common and often seen in standalone configurations.
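The DNS, account and WMI checks the previous paragraphs tell you to do by hand, as an added example you can run from the appliance before registering the host (my code, not the post's or Microsoft's). The host name and credentials are placeholders; the ports are the WinRM defaults the appliance uses to reach the host, which is an assumption the post does not state.

```powershell
# Added example, not from the original post: run from the Azure Migrate appliance
# against the Hyper-V host before registering it, to catch the DNS, credential and
# WinRM/WMI problems described above. Host name, ports and credentials are
# placeholders.

function Test-HyperVHostReachability {
    param(
        [Parameter(Mandatory)][string]$HostName,        # FQDN or IP of the Hyper-V host
        [Parameter(Mandatory)][pscredential]$Credential, # account the appliance will use
        [int[]]$Ports = @(5985, 5986)                   # WinRM HTTP/HTTPS (assumed)
    )
    $result = [ordered]@{ HostName = $HostName }

    # 1. Name resolution: a stale or missing record is the most common failure
    try {
        $dns = Resolve-DnsName -Name $HostName -ErrorAction Stop
        $result.ResolvedTo = ($dns | Where-Object { $_.Type -in 'A', 'AAAA' } |
                              Select-Object -ExpandProperty IPAddress) -join ','
    } catch { $result.ResolvedTo = "FAILED: $($_.Exception.Message)" }

    # 2. TCP reachability of WinRM (a firewall between appliance and host)
    $open = $Ports | Where-Object {
        (Test-NetConnection -ComputerName $HostName -Port $_ -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    $result.OpenPorts = ($open -join ',')

    # 3. WinRM authentication with the supplied account
    try {
        $null = Test-WSMan -ComputerName $HostName -Credential $Credential -Authentication Default -ErrorAction Stop
        $result.WinRmAuth = 'OK'
    } catch { $result.WinRmAuth = "FAILED: $($_.Exception.Message)" }

    # 4. The Hyper-V WMI namespace, which is where VM inventory comes from
    try {
        $session = New-CimSession -ComputerName $HostName -Credential $Credential -ErrorAction Stop
        $vms = @(Get-CimInstance -CimSession $session -Namespace root\virtualization\v2 `
                    -ClassName Msvm_ComputerSystem -ErrorAction Stop |
                 Where-Object { $_.Caption -eq 'Virtual Machine' })
        $result.HyperVWmi = "OK ($($vms.Count) VMs visible)"
        Remove-CimSession $session
    } catch { $result.HyperVWmi = "FAILED: $($_.Exception.Message)" }

    [pscustomobject]$result
}

# Usage (placeholder host; prompts for the host account):
# Test-HyperVHostReachability -HostName hyperv01.contoso.local -Credential (Get-Credential)
```

A FAILED ResolvedTo with an OK WinRmAuth against the IP tells you the problem is DNS, as in the post's deliberately broken example; an OK WinRmAuth with a FAILED HyperVWmi points at the account lacking rights on the host rather than at the network.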

This can take some time, as mentioned below.

After the registration we can follow the steps in the Azure portal.

We let this run for some time and come back later, and move on to the database migration.

We take a different route here, as the migrate tool does not show you all the pieces.

Setting up the database migration follows the same steps, but in the Azure Migrate blade some screens are only found in the resource group.

Set up the database migration project.

Here I choose the preview option; things may change when it is GA, but let's see how it works.

When this is done, I noticed that the download does not always start: https://www.microsoft.com/en-us/download/details.aspx?id=53595

When the project is created you can see the database overview, but to see the real configuration you need to go to the resource group.

The fun part here is that I took the screenshots first and added the text later, and doing so I had a hard time finding the configured items, as not all components are in the migration blade. So back to the resource group, where I find the hints.

The Azure Database Migration Service can be opened from the resource group.

The Discovery

When the discovery is done, we can start with the fun part.

Here my 33 VMs are scanned, all without an agent.

Now that the Hyper-V host is completely scanned, we can start with the assessment of the VMs.

First we create some profiles for the region and size the VMs will get. This can be changed if needed.

We create some scan profiles and a target location; I used the Dv4 machine types with no temp disks.

These machines are indexed; now I pick two for an assessment and place them into a group.

When this is ready we can see the scan results: estimated price details and the VM SKU choice.

For the best result you can install an agent to get more in-depth information.

When the machine is not connected to an OMS workspace (Azure Log Analytics), not all the information can be displayed, such as the service dependencies.

Add the VM to a new workspace or to an existing one and configure the right steps. I add a new workspace for the migration, as this data can be removed after the migration, so I don't want it in my current workspace.

Once the agent is reporting to the workspace and you run a new assessment, a service map can be displayed.

Nice dashboard on the cost and migration status. After this it is easy to migrate to Azure, or you may need to do some extra work to migrate this server.

Azure Replication Migration

Looking in the portal, we can also create a different migration: direct replication, the lift-and-shift method. This uses the ASR tooling, but with a difference: here you can choose on what network the VM must land.

Installing the ASR agent on the Hyper-V server.

Don't forget to finalize your registration! This can be done after the agent installation.

Now that the agent is installed we need to register it with Azure. Make sure you have downloaded the credential file, load it into the agent, and finish the installation.

Now we can start the replication of the VMs.

Important: finish the registration here. I had forgotten this, so the replication did not work.

I choose a demo VM that can be migrated to Azure.

The Migration

Pick Hyper-V or VMware, depending on what you are using.

I pick a VM and select the resource group and network where the VM lands. This is great: now you can place the VM directly in the right spot.

My VM name is "windows"; names like these are not allowed in Azure, as they are reserved names, so I need to rename the VM.

The replication is started and we do a test migration.

There are no issues, so we start the test migration from the Azure blade.

Now that the test failover is successful, we do the cutover and run the VM in Azure. Similar to ASR, but there is no replication back.

In the Azure portal we can see the machine is running. Log in to the machine and check that everything runs smoothly.

The VM is migrated lift-and-shift and placed on the selected network.

The replication state is set to normal.

Now that the VM is migrated and running, we can remove it from the Hyper-V server, as the machine is not deleted on-premises.


Posted September 21, 2020 by Robert Smit [MVP] in Azure


Starting with FIDO2 security keys With Azure Active Directory #Trustkey #pointblank #fido #Azure #Security #AAD

I received a great FIDO2 test kit from the vendor PointBlank Security / TrustKey Solutions: https://www.trustkeysolutions.com/ https://www.pointblank.de/en/

As FIDO2 is the new hot item in the security world, let's see if it is really that easy to implement and use. I'm not going into the in-depth specs of the keys; this is more the user's view: is this key easy to set up and use by anyone?

This works for any Azure AD login where the Microsoft authentication challenge is used, for example Windows Virtual Desktop (WVD).

I have a USB-A key and a USB-C key. I use my computer with the normal USB port for this, so the TrustKey G310 model.

Setting up the key and using it is simple: I configured Azure Active Directory with a few easy settings, added the key to my profile, and was ready.

First we enable the FIDO2 security key in Azure AD; this is configured from the Azure portal under Azure Active Directory > Security, then Authentication methods.

Here we can enable the authentication method for all users or for a selection of users.

When this is done you can set up the FIDO option in your profile. If this is your own account, at the top of the Azure portal you can go directly to your user account, or go to https://myaccount.microsoft.com/

Go to Security info, where you can add a method.

Add the security key; if you want to use your phone instead, the method is similar.

Now that we have chosen the FIDO2 security key, we configure it with a PIN. Choose a proper PIN and touch the key. Now everything is set and ready to use.

Whenever you are challenged to log in with your Microsoft Azure AD account, you can choose to use the USB key. You can also make this the default.

For a sample, browse to https://myprofile.microsoft.com; use an InPrivate session or a different browser to make sure you test this right.

Select "Sign in with a security key".

Enter the PIN and touch the USB key. When it was successful you will see the page; otherwise it will prompt you again.

All this is perfectly usable to log in to your WVD portal:

https://rdweb.wvd.microsoft.com/webclient/index.html

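The portal steps above (enable FIDO2 for a set of users, register a key, then check it), done through the Microsoft Graph PowerShell SDK as an added example; this is my code, not the post's or the vendor's. It enables the method for one pilot group rather than all users, turns on attestation enforcement so only keys that can prove their make and model are accepted, and optionally restricts registration to an allow-list of key models by AAGUID. The group ID and user name are placeholders, and the post does not give the TrustKey AAGUID, so the allow-list is left empty by default.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
# Added example, not from the original post: enable the FIDO2 authentication
# method for a pilot group with attestation enforced, then list the keys a user
# has registered so you can verify the registration the post walks through.
# The group ID, user principal name and any AAGUIDs are placeholders.

function Enable-Fido2ForGroup {
    param(
        [Parameter(Mandatory)][string]$GroupId,   # Azure AD group of pilot users
        [string[]]$AllowedAaguids = @()          # empty = any FIDO2 key; set to allow-list key models
    )
    $config = @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'
        isSelfServiceRegistrationEnabled = $true   # users add the key under Security info themselves
        isAttestationEnforced            = $true   # reject keys that cannot prove their make/model
        keyRestrictions = @{
            isEnforced      = ($AllowedAaguids.Count -gt 0)
            enforcementType = 'allow'
            aaGuids         = $AllowedAaguids
        }
        includeTargets = @(
            @{ targetType = 'group'; id = $GroupId; isRegistrationRequired = $false }
        )
    }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId 'Fido2' -BodyParameter $config
}

function Get-UserFido2Keys {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Model and AaGuid come from the key's attestation; AttestationLevel shows
    # whether that attestation was verified when the key was registered.
    Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName |
        Select-Object DisplayName, Model, AaGuid, AttestationLevel, CreatedDateTime
}

# Usage (placeholder values; the scopes cover both functions):
# Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.Read.All'
# Enable-Fido2ForGroup -GroupId '<pilot-group-object-id>'
# Get-UserFido2Keys -UserPrincipalName 'someone@contoso.com'
```

After a user has registered a key, Get-UserFido2Keys shows the model the key attested as; the AaGuid values it returns are what you would put into AllowedAaguids once you decide to restrict the tenant to the key models you have actually issued.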


Posted August 18, 2020 by Robert Smit [MVP] in Azure
