Archive for the ‘Windows’ Tag

Step By Step Azure Files share SMB with native AD support and more #Microsoft #AzureFiles #SMB #SnapshotManagement #Azure #Cloud #MVPBuzz #WiMVP   1 comment

For some time I have seen all kinds of options for using Azure Files and had some ideas and thoughts: connecting it over the VPN, or using Azure Files with DFS. Useful, maybe? Fun, absolutely. Building things in a way that is a bit different is fun, and you may see other opportunities for using the resources.

Using Azure Files is not new, but using Azure Files with Active Directory authentication is a long-awaited feature, and now that it is GA we can use it.

Azure Files is a shared storage service that lets you access files via the Server Message Block (SMB) protocol, and mount file shares on Windows, Linux or Mac machines in the Azure cloud.
Azure Files supports identity-based authentication over Server Message Block (SMB) through two types of Domain Services: Azure Active Directory Domain Services (Azure AD DS) (GA) and Active Directory (AD).
Azure file shares only support authentication against one domain service, either Azure Active Directory Domain Service (Azure AD DS) or Active Directory (AD).


AD identities used for Azure file share authentication must be synced to Azure AD. Password hash synchronization is optional.
AD authentication does not support authentication against Computer accounts created in AD.

So what would be the options for using this? As a cloud file share, in WVD or RDS, or connected directly to your clients if needed.

AD authentication can only be supported against one AD forest where the storage account is registered to. You can only access Azure file shares with the AD credentials from a single AD forest by default. If you need to access your Azure file share from a different forest
Azure Files supports Kerberos authentication with AD with RC4-HMAC encryption. AES Kerberos encryption is not yet supported.

 

So how do you start with Azure Files? For this blog post I created a PowerShell script that does most of the configuration to get you started with Azure Files.

First we need to set some parameters.

#ResourceGroup name and location
$RG="rsg-blog-fileshare20"
$Location="eastus2"  
$storageaccount="storfileserver20"
$shareName = "blogshare01"

These basics are needed to create the Azure resources, but a special PowerShell module, AzFilesHybrid, is also needed. Download and unzip the AzFilesHybrid PowerShell module.

This module can be downloaded from GitHub and extracted on your machine.

You may need to set the execution policy.

#Azure file modules
#Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Currentuser
cd c:\AzFilesHybrid
Unblock-File .\CopyToPSPath.ps1
.\CopyToPSPath.ps1

The CopyToPSPath.ps1 will load the modules that are needed for this.

Our next step is importing the module AzFilesHybrid

Import-Module -name AzFilesHybrid -Force

Our next step is to connect to our Azure subscription.

#Connect to Azure
Connect-AzAccount

#Select the target subscription for the current session use your subscription ID
Get-AzSubscription
Select-AzSubscription -SubscriptionId 11111111-1111111111-111111111-11111-1

Now that the Azure subscription is connected, we make a resource group and the storage account with the share.

#create Resource group
New-AzResourceGroup -Name $RG -Location $Location


#create storage account
New-AzStorageAccount -ResourceGroupName $RG -Location $Location -Name $storageaccount -SkuName Standard_LRS -AccessTier Hot


#create storage Fileshare
New-AzRmStorageShare -ResourceGroupName $RG -StorageAccountName $storageaccount -Name $shareName -QuotaGiB 1024  #| Out-Null

Now that the storage account and the share are created, we make a computer account for the AD rights. The OU where the computer account is stored is optional.

Important here is that this must run on a domain-joined computer, as it needs access to the domain to create the computer account. Needless to say, you need a proper AD account to create the computer account.

#join azure files to AD
Join-AzStorageAccount -ResourceGroupName $RG -Name $storageaccount -DomainAccountType "ComputerAccount" -OrganizationalUnitName "File Servers"

Now that the computer account is created we can move to the next steps, as I want to add a private endpoint and make sure my local DNS can find the file share.

So how does this look in the Azure portal?

Here is the file share and file server with all the configuration options.

The share is AD ready. The option is enabled and ready to use.

Now that we have the share in place we can configure it. First we test the connection from the server to the Azure file share.

#test SMB connection
Test-NetConnection -ComputerName storfileserver20.file.core.windows.net -CommonTCPPort SMB

The file share can be used, but wait, there is more; it all depends on your configuration. If you use the share only in Azure then DNS forwarders are not needed, but just in case.

This works, but we will now create a private endpoint to make sure the share is not listening to all requests.

You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses an IP address from the VNet address space for your storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

Using private endpoints for your storage account enables you to:

  • Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.
  • Increase security for the virtual network (VNet), by enabling you to block exfiltration of data from the VNet.
  • Securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoutes with private-peering.

 

Creating the private endpoint is a bit tricky in PowerShell and quicker in the GUI if you do it in several steps, as in this blog post.

So we give the connection a name and place it in a region.

We select the resource that we want to point to, in this case the file server, and I bind this to the network.

All the steps are completed.

Now that the Private Link is created, we add the DNS zone if not already done. This is needed when local “on-premises” clients want to connect to the share.

This DNS zone is needed because we want to access the Azure share from the on-premises machine, connected over the VPN tunnel. You can also choose to connect over the internet, or add the Azure file share to DFS.
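
The portal steps above can also be scripted. The following is an added example, not part of the original post's script: it creates the private endpoint for the file service, registers it in a privatelink.file.core.windows.net private DNS zone, checks that the share name resolves to a private address, and only then closes the public endpoint with the storage firewall. The endpoint, connection and link names are assumed; the VNet, subnet and resource group names are the ones this post uses for the DNS forwarders.

```powershell
# Added example. Names marked "assumed" are not from the original post.
$RG             = "rsg-blog-fileshare20"
$storageaccount = "storfileserver20"
$vnetRG         = "rsg-vnet-sponsor01"
$vnetName       = "Azure-vnet-sponsor01"
$subnetName     = "Management"
$peName         = "pe-$storageaccount-file"            # assumed name
$zoneName       = "privatelink.file.core.windows.net"

$sa     = Get-AzStorageAccount -ResourceGroupName $RG -Name $storageaccount
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $vnetRG -Name $vnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }

# 1. Private endpoint for the "file" sub-resource of the storage account.
#    It is created in the region of the VNet it attaches to.
$conn = New-AzPrivateLinkServiceConnection -Name "$peName-conn" `
    -PrivateLinkServiceId $sa.Id -GroupId "file"
New-AzPrivateEndpoint -ResourceGroupName $RG -Name $peName `
    -Location $vnet.Location -Subnet $subnet `
    -PrivateLinkServiceConnection $conn | Out-Null

# 2. Private DNS zone (created only if it does not exist yet), linked to the VNet,
#    so that <account>.file.core.windows.net resolves to the endpoint's private IP.
$zone = Get-AzPrivateDnsZone -ResourceGroupName $vnetRG -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $vnetRG -Name $zoneName
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $vnetRG -ZoneName $zoneName `
        -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
}
$zoneCfg = New-AzPrivateDnsZoneConfig -Name $zoneName -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $RG -PrivateEndpointName $peName `
    -Name "default" -PrivateDnsZoneConfig $zoneCfg | Out-Null

# 3. Verify name resolution and SMB reachability from a machine that uses the
#    VNet's DNS. Run this before step 4, or the check only proves a lockout.
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    ($b[0] -eq 10) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)
}

$fqdn = "$storageaccount.file.core.windows.net"
$ips  = @(Resolve-DnsName -Name $fqdn -Type A |
    Where-Object { $_.IP4Address } |
    ForEach-Object { $_.IP4Address })
$public = @($ips | Where-Object { -not (Test-PrivateIPv4 $_) })
if ($ips.Count -eq 0 -or $public.Count -gt 0) {
    throw "$fqdn does not resolve to private addresses only: $($ips -join ', ')"
}
if (-not (Test-NetConnection -ComputerName $fqdn -CommonTCPPort SMB).TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is not reachable over the private endpoint."
}

# 4. Block the public endpoint; from now on only the private endpoint answers.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $RG -Name $storageaccount `
    -DefaultAction Deny | Out-Null
```

Run it from a VM in the VNet, or from an on-premises machine once the DNS forwarders described next are in place; elsewhere step 3 stops the script before the firewall is changed.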

First we create a DNS forwarding rule set, which defines the Azure services for which you want to forward requests.

$ruleset=New-AzDnsForwardingRuleSet -AzureEndpoints StorageAccountEndpoint
$ruleset.DnsForwardingRules

The core.windows.net forwarder is needed. The IP 168.63.129.16 is the Microsoft DNS.

# Deploy and configure DNS forwarders
New-AzDnsForwarder -DnsForwardingRuleSet $ruleSet -VirtualNetworkResourceGroupName "rsg-vnet-sponsor01" -VirtualNetworkName "Azure-vnet-sponsor01" -VirtualNetworkSubnetName "Management"


Confirm DNS forwarders:

Resolve-DnsName -Name storfileserver20.file.core.windows.net

Make sure that on the on-premises DNS you configure the forwarder to the Azure DNS, in this case to my Azure AD VM, which also runs DNS.

Now that the DNS is in place we can connect to the Azure files share in the cloud but also on premises with the connection routed to the VPN tunnel instead of direct to the internet.

 

Setting Permissions on the Azure Files Shares is not complicated.

With the general availability of AADDS authentication for Azure Files, Microsoft introduced three Azure built-in roles for granting share-level permissions to users:

  • Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.
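
As an added example (not part of the original script), the following confirms that the storage account reports AD authentication after Join-AzStorageAccount, and then assigns one of the three roles at the scope of a single share instead of the whole storage account. The user principal name is a placeholder; the other values are the ones set at the start of this post.

```powershell
# Added example; the user principal name below is a placeholder.
$RG             = "rsg-blog-fileshare20"
$storageaccount = "storfileserver20"
$shareName      = "blogshare01"
$userUpn        = "<user-principal-name>"
$roleName       = "Storage File Data SMB Share Contributor"

# 1. Confirm the storage account is registered for AD authentication.
$sa   = Get-AzStorageAccount -ResourceGroupName $RG -Name $storageaccount
$auth = $sa.AzureFilesIdentityBasedAuth
if (-not $auth -or $auth.DirectoryServiceOptions -ne "AD") {
    throw "Storage account $storageaccount is not enabled for AD authentication (found: '$($auth.DirectoryServiceOptions)')."
}
$auth.ActiveDirectoryProperties | Format-List DomainName, ForestName, DomainGuid

# 2. Scope the role to one share, not the storage account or resource group.
$scope = "$($sa.Id)/fileServices/default/fileshares/$shareName"

# 3. Assign the role only if the user does not already hold it at this scope.
$existing = Get-AzRoleAssignment -SignInName $userUpn -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $roleName -and $_.Scope -eq $scope }
if (-not $existing) {
    New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# 4. Review everyone who holds an SMB share role on this share, including
#    assignments inherited from the storage account, resource group or subscription.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -like "Storage File Data SMB Share*" } |
    Sort-Object Scope |
    Format-Table DisplayName, SignInName, RoleDefinitionName, Scope -AutoSize
```

Step 4 is the one to rerun periodically: an Elevated Contributor assignment inherited from a higher scope lets that identity change NTFS permissions on every share below it.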

 

Azure Files supports the full set of NTFS basic and advanced permissions. You can view and configure NTFS permissions on directories and files in an Azure file share by mounting the share and then using Windows File Explorer or running the Windows icacls or Set-ACL command.

To configure NTFS with Admin permissions, you must mount the share by using your storage account key from your domain-joined VM.

The following sets of permissions are supported on the root directory of a file share:

  • BUILTIN\Administrators:(OI)(CI)(F)
  • NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  • BUILTIN\Users:(RX)
  • BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
  • NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
  • NT AUTHORITY\SYSTEM:(F)
  • CREATOR OWNER:(OI)(CI)(IO)(F)

Mount a file share from the command prompt

Use the Windows net use command to mount the Azure file share. Remember to replace the placeholder values in the following example with your own values. For more information about mounting file shares, see Use an Azure file share with Windows.

net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>

Configure NTFS permissions with icacls

Use the following Windows command to grant full permissions to all directories and files under the file share, including the root directory. Remember to replace the placeholder values in the example with your own values.

icacls <mounted-drive-letter>: /grant <user-email>:(f)

 

Another option with Azure Files is to connect your Azure file share to the DFS server.

First I had to play a bit with the naming convention as the root of the file is not the share.

Below is the Azure folder, so the share name would be \\storfileserver20.file.core.windows.net\blogshare03

As I now use the internal DNS and the DFSN link, I can use domain name \ share, and the files are placed on the Azure file share. Here you can also see that the naming is one step deeper: in the domain share name there is the linked folder to the Azure Files share.

At the time I wrote this blog, Azure Files snapshots also became GA.

There is no schedule behind this, just press and shoot, but with a script or an Automation account you can create nice solutions to keep your files safe.
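
One way to script this, as an added example that is not part of the original post: take a snapshot of the share and prune snapshots older than a retention window while always keeping the newest one. The retention value is an assumption, and the script assumes an Az.Storage version in which New-AzRmStorageShare has the -Snapshot switch.

```powershell
# Added example; run it on a schedule (scheduled task or Automation runbook).
$RG             = "rsg-blog-fileshare20"
$storageaccount = "storfileserver20"
$shareName      = "blogshare01"
$keepDays       = 14      # assumed retention window

# 1. Take a new snapshot of the share.
$snap = New-AzRmStorageShare -ResourceGroupName $RG -StorageAccountName $storageaccount `
    -Name $shareName -Snapshot
Write-Output "Created snapshot $($snap.SnapshotTime.ToUniversalTime().ToString('o'))"

# 2. List the snapshots of this share, oldest first.
#    Snapshots carry a SnapshotTime; the base share does not.
$snapshots = Get-AzRmStorageShare -ResourceGroupName $RG -StorageAccountName $storageaccount -IncludeSnapshot |
    Where-Object { $_.Name -eq $shareName -and $_.SnapshotTime } |
    Sort-Object SnapshotTime

# 3. Remove snapshots older than the retention window, but never the newest one,
#    so a failing step 1 cannot leave the share without any restore point.
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$keepDays)
$expired = $snapshots | Select-Object -SkipLast 1 |
    Where-Object { $_.SnapshotTime.ToUniversalTime() -lt $cutoff }
foreach ($s in $expired) {
    Write-Output "Removing snapshot $($s.SnapshotTime.ToUniversalTime().ToString('o'))"
    Remove-AzRmStorageShare -ResourceGroupName $RG -StorageAccountName $storageaccount `
        -Name $shareName -SnapshotTime $s.SnapshotTime -Force
}
```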

Hope this blog is helpful. It helped me to play with this and gave me some other ideas than just pasting the net use command on a device and then placing the files. Still, there is nothing wrong with that.

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted May 11, 2020 by Robert Smit [MVP] in Azure, Windows 10


Windows server 2019 Upgrade virtual machine version in Hyper-V #hyperv #winserv #hybrid   Leave a comment

Why should I upgrade the virtual machine configuration version?

When you move or import a virtual machine to a computer that runs Hyper-V on Windows Server 2019, Windows Server 2016, or Windows 10, the virtual machine’s configuration isn’t automatically updated. This means that you can move the virtual machine back to a Hyper-V host that runs a previous version of Windows or Windows Server. But, this also means that you can’t use some of the new virtual machine features until you manually update the configuration version. You can’t downgrade the virtual machine configuration version after you’ve upgraded it.

The virtual machine configuration version represents the compatibility of the virtual machine’s configuration, saved state, and snapshot files with the version of Hyper-V. When you update the configuration version, you change the file structure that is used to store the virtual machine’s configuration and the checkpoint files. You also update the configuration version to the latest version supported by that Hyper-V host. Upgraded virtual machines use a new configuration file format, which is designed to increase the efficiency of reading and writing virtual machine configuration data. The upgrade also reduces the potential for data corruption in the event of a storage failure.

 

With PowerShell we check which versions I have running.

Get-VM * | Format-Table Name, Version

As you can see I have versions 5.0 – 9.0 running; time for some upgrading.

This VM has version 5 and I’m upgrading it to version 9.0, the Windows Server 2019 default.

Microsoft Windows 10 October 2018 Update/Server 2019 9.0     True

Update-VMVersion HYD-DC1 

Confirming and done.

If you want to upgrade all VMs, use a *

Update-VMVersion *

Get-VMHostSupportedVersion -Default

 

Microsoft Windows 10 October 2018 Update/Server 2019 9.0     True

In the tables below you can see the supported versions per OS version, for LTSC and SAC.

Supported VM configuration versions for long-term servicing hosts

The following table lists the VM configuration versions that are supported on hosts running a long-term servicing version of Windows.

Hyper-V host Windows version 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0
Windows Server 2019
Windows 10 Enterprise LTSC 2019
Windows Server 2016
Windows 10 Enterprise 2016 LTSB
Windows 10 Enterprise 2015 LTSB
Windows Server 2012 R2
Windows 8.1

Supported VM configuration versions for semi-annual channel hosts

The following table lists the VM configuration versions for hosts running a currently supported semi-annual channel version of Windows.

Hyper-V host Windows version 9.1 9.0 8.3 8.2 8.1 8.0 7.1 7.0 6.2 5.0
Windows 10 May 2019 Update (version 1903)
Windows Server, version 1903
Windows Server, version 1809
Windows 10 October 2018 Update (version 1809)
Windows Server, version 1803
Windows 10 April 2018 Update (version 1803)
Windows 10 Fall Creators Update (version 1709)
Windows 10 Creators Update (version 1703)
Windows 10 Anniversary Update (version 1607)

 

 

 


Posted June 5, 2019 by Robert Smit [MVP] in Windows Server 2019


Configuring cloud witness in Windows Server 2016 Cluster Azure Files #cloud #azure #winserv   7 comments

Cloud Witness is a new type of Failover Cluster quorum witness being introduced in Windows Server 2016. But you will need an Azure subscription to use this, unless you are using your own private cloud to use a file share witness in a third datacenter. This is an edited post, but it is still current.

Earlier I created a blog post about creating a file share in Azure.

https://robertsmit.wordpress.com/2014/06/16/microsoft-azure-file-server-system-error64-or-new-azurestorageshare-cannot-bind-parameter-context-azure-cloud-mvpbuzz/

But now this file share can also be used for your private cluster or Azure cluster, but remember your cluster needs internet access to connect to Microsoft Azure.

Edited 5-11-2014 <>>>>>>

So if you want to have a file witness then you will need the file share option, but the cloud witness uses the blob storage and will cost you almost nothing with Azure credits.

However the File share is still in preview under Windows Azure Files  http://msdn.microsoft.com/en-us/library/azure/dn167006.aspx

Sign up for a preview http://azure.microsoft.com/en-us/solutions/storage-backup-recovery/

Now that we have created a new storage account, we can use this for the cluster.

If you select the storage account you will see something like this.

We are using the blob storage and skip the above but you can use this for other things

<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

At the bottom you can select Manage Access Keys. This is the information we need for the cluster.

Keep this safe! You will need it in your cluster.

When opening my Windows Failover Cluster Manager, under More Actions you can configure the quorum settings.

As always we do the Advanced configuration.

Now we check the Cloud Witness option.


We use the Account name and the Key from the Azure portal that we created earlier.

The screen may differ as you could have a different version!


And we have a Cloud Witness here configured in my Public Cloud.

We don’t need a site-to-site VPN; just connect the cluster nodes to the internet (at least an Azure connection).

If we check the Azure configuration, there you can see the creation of MSFT-Cloud-Witness, with the files in the blob storage.

 

 

You can also configure this in azure.

With the Get-ClusterQuorum we find quickly what witness we have.

Configuring this is also quickly done: put your account name and key in Set-ClusterQuorum and it will create a Cloud Witness.

Set-ClusterQuorum -AccessKey V7CR1/DijezGyA== -AccountName clusterw10 -CloudWitness

Happy clustering


Spam on live dot com   2 comments

 
I did not post that many items last month but now I want to post something. So my fiberman.spaces.live.com is full.
In the meantime my backup site is still open:
www.aca-computers.nl
 
 
Spaces Quota
 
Mmm, I was working on my blog, trying to update it, but I saw that some idiot is posting comments multiple times. WHY? Nobody wants your stuff,
of course you know this, else you wouldn’t do this as a desperate action.
 
Please stop this
 
 
I saw this post on Microsoft Research about project ASIRRA, a great project.
 

ASIRRA

 
http://research.microsoft.com/en-us/projects/asirra/default.aspx
 

Asirra — Installation Instructions

Protecting your web site with Asirra is easy. It just takes a few lines of code in whatever language your web service is written in. See these complete working examples:

There are four basic steps, described below. First, add a call to our JavaScript from your web form. Second, wire your "submit" button to our Asirra validation function. Third, write your own JavaScript function that submits the form once you get a callback saying the Asirra challenge has been successfully solved. Finally, add a call to our web service from your server form processor, to ensure that you are not getting a request from a cheating client.

 

Posted January 22, 2010 by Robert Smit [MVP] in Windows


Why Windows Storage Server 2008?   1 comment


The amount of data supported within the organization continues to grow every year. Regulatory requirements, archival demands and data availability push storage requirements to their limits. As the datacenter grows, so does power consumption, physical space requirements and the need for improved hardware to handle the massive volume of data. Administrators need more than just raw storage capacity, but to implement the storage techniques and strategies that help them prioritize data and provide a standard of service. Storage demands will continue to grow and a storage solution is needed that can grow with the demand. Windows Storage Server 2008 can enable your organization to optimize your datacenter storage requirements.

It is finally here – the Windows Storage Server 2008 release based on Windows Server 2008 is ready for OEM embedded partners to develop dedicated NAS and block appliances. Learn about the new improvements in the OS, including OEM extensibility, Single Instance Storage (SIS), Java-based remote desktop features and the new iSCSI Software Target package

Get more info here

Or See the webcast :  TechNet Webcast: Introducing Windows Storage Server 2008 (Level 300)

Posted May 6, 2009 by Robert Smit [MVP] in Windows, Windows 2008


Mount SkyDrive As A Virtual Drive In Windows Cloud Desktop   Leave a comment

The Microsoft SkyDrive is very handy: 25 GB, lots of space, easy to put 25000 pictures in the drive.

But how do you get them off, one by one ;-( Pictures are easy with the Live photo manager, but what about files?

Well, I found the tool for this: my cloud desktop  http://www.gladinet.com/

You can mount your SkyDrive as a Windows drive.

 

*Gladinet Beta testers may receive a free license with one year free upgrade
*Some features may be disabled during Beta testing
*Please check the product for the exact list of integrated cloud storages/applications

There are 3 versions Check it out !

http://www.gladinet.com/p/download_professional.htm

Posted May 5, 2009 by Robert Smit [MVP] in Skydrive, Windows, Windows Live


Network Monitor 3.3 is now available   Leave a comment

 

Please download Network Monitor 3.3 from Microsoft.com. Visit the Network Monitor 3.3 Release Blog to get more information about this release.

To provide feedback, go to our scenario voting page, and let your opinion be heard.

What’s New in Network Monitor 3.3?

· Ability to capture on WWAN and Tunnel interfaces on Win7.

· Critical fixes to NM3.3 to operate correctly with Hyper-V.

· Right-click-add-to-alias. Right-click a frame in the Frame Summary window with an IPv4, IPv6, or MAC address to add that address as a new alias.

· Right-click-go-to-definition: Right-click a field in the Frame Details windows and select Go To Data Field Definition or Go To Data Type Definition to see where the field is defined in the NPL parsers.

· Auto-scroll. See the most recent traffic as it comes in. In a live capture, click the Autoscroll button on the main toolbar to have the Frame Summary window automatically scroll down to display the most recent frames as they come in. Click Auto-scroll again to freeze the view in its present location.

· Experts available online: Experts are stand-alone applications that analyze Network Monitor capture data. Various experts are available online at http://go.microsoft.com/fwlink/?LinkID=133950.

· Frame Comments: Attach comments to frames in a saved capture file. Select the Frame Comments tab in the lower-right window to add, view, edit, or delete comments.

· API Extensions: API methods have been added to enable access to conversation information, properties, field display strings, and comments.

· Ability to open ETL files and correlate information by Network Tracing scenario.

· Set of core parsers to improve parsing performance. These can be accessed by changing the Common and Windows set of parsers to stubs:

· From the Tools menu, select Options

· Go to the Parsers Tab

· Select the folder you want to stub out (Common or Windows)

· Click on the Stubs button on toolbar

· See our Release Notes for a complete list of new features and known issues.

· Experts: Experts are stand-alone applications that analyze Network Monitor capture data. Network Monitor 3.3 provides a simple interface for registering experts with the product and invoking them on a saved capture file. We have made some initial experts available online. Do you have a network troubleshooting need that is not currently met by Network Monitor or our available experts? Why not suggest your own expert? Please use the feedback link on the left to submit a description of the analysis task you want to solve (you must first join our connection) and we will work with you to create an expert for the community to enjoy.

Posted April 22, 2009 by Robert Smit [MVP] in Network Monitor, Windows
