Archive for the ‘WVD’ Tag

Step by Step Azure NAT Gateway – Static Outbound Public IP address #ANG #NAT #WVD #Azure #Security #Cloud #MVPBuzz #AzOps #ITPRO #VirtualNetworks #PowerShell   Leave a comment

There a several ways on using an external IP in Azure, What method to use is up to you. Remember there is no good or wrong but only different opinions or insights on how to use it.

Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses also enable Azure resources to communicate outbound to Internet and public-facing Azure services with an IP address assigned to the resource. The address is dedicated to the resource, until it is unassigned by you. If a public IP address is not assigned to a resource, the resource can still communicate outbound to the Internet, but Azure dynamically assigns an available IP address that is not dedicated to the resource.

Some of the resources you can associate a public IP address resource with are:

  • Virtual machine network interfaces
  • Internet-facing load balancers
  • VPN gateways
  • Application gateways
  • Azure Firewall
  • NAT Gateway

Matching SKUs must be used for load balancer and public IP resources. You can’t have a mixture of basic SKU resources and standard SKU resources. You can’t attach standalone virtual machines, virtual machines in an availability set resource, or a virtual machine scale set resources to both SKUs simultaneously.

Virtual Network NAT (network address translation) simplifies outbound-only Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses. Outbound connectivity is possible without load balancer or public IP addresses directly attached to virtual machines. NAT is fully managed and highly resilient.

image

So this is only for the Outbound connection. why not use the Resource group IP this is also “static” ? using this IP means that al VM’s must be in the same resource group and when the resource group changed the IP is also changing.

image

NAT is compatible with standard SKU public IP address resources or public IP prefix resources or a combination of both. You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. NAT will groom all traffic to the range of IP addresses of the prefix. Any IP whitelisting of your deployments is now easy.

So How to implement this. a step by step guide. GUI and powershell Looking at my demo setup, There are 2 vm’s both in a different Resource group.

Setting up the NAT gateway is done by 3 tabs to fill in the name and what vnet to use

https://robertsmit.wordpress.com/

We add a new NAT gateway.

image

We create a new resource group and choose NAT gateway name.

The Timeout we leave this on 4 min for now.

image

We configure an external IP and with a standard SKU. Basic is not supported.

image

the next step is choose the External outbound IP pool minimal is 2 and max is 256. this is not needed but only if you want to have a pool of External IP’s else it just go the one external ip

image

you can select max 2 prefixes

image

Configure which subnets of a virtual network should use this NAT gateway. Subnets with Basic load balancers or virtual machines that are using a Basic public IP are not compatible and cannot be used.
Note: While you do not have to complete this step to create a NAT gateway, the NAT gateway will not be functional until you have added at least one subnet. You can also add and reconfigure which subnets are included after creating the NAT gateway.

image

in the last step we tag the NAT gateway to a subnet. When checking the VM’s on this subnet for the outbound IP ( remember the VM does not need a public IP on the network card)

image

Here I have 2 VM’s getting both an IP from the prefix

imageimage

If there is only a small prefix then both machines will get the same external outbound IP

imageimage

With this time flow it recycles the External IP, depending on the scope and usage.

image

So in just a few steps you can use a useful gateway for all your outbound traffic.

Building this in Powershell is also easy. I use a semi automatic script as I want to choose my network. but you can change this to a fixed network if you want.

remember this will need the az.network latest module. in the old modules there is no get-AzNatGateway command. without this the posh is not working.

First we have some parameters

# Set the variables for the NAT Gateway.
$rg = ‘rg-rsm-natgw001’
$Location = ‘Westeurope’
$sku = ‘Standard’
$PublicIpname = ‘pup-rsm-natgw001’
$Publicprefixname = ‘pxp-rsm-natgw001’
$NatGatewayname=’gwn-rsm-natgateway001′

#create Rsource group
New-AzResourceGroup -Name $rg -Location $Location 

image

First we make some external IP and or a range.

#create Standard SKUP public IP
$publicIP = New-AzPublicIpAddress -Name $PublicIpname -ResourceGroupName $rg -AllocationMethod Static -Location $Location -Sku $sku
$publicIP | Select-Object Name, ResourceGroupName, IpAddress, IdleTimeoutInMinutes, ProvisioningState

https://robertsmit.wordpress.com

With the Zone attribute you can create zone redundancy, but this is not needed for this resource.

#create  IP prefix ( how many IP’s are needed)
$publicIPPrefix = New-AzPublicIpPrefix -Name $Publicprefixname -ResourceGroupName $rg -Location $Location -PrefixLength 29

$publicIPPrefix | Select-Object Name, IPPrefix, PrefixLength, ProvisioningState

image

You can skip this if you want only one external IP.

Next is creating the gateway.


#Create NAT gateway
$natGateway = New-AzNatGateway -Name $NatGatewayname -ResourceGroupName $rg -PublicIpAddress $publicIP -PublicIpPrefix $publicIPPrefix -Location $Location -Sku $sku -IdleTimeoutInMinutes 4
$natGateway  | Select-Object Name, ResourceGroupName, IdleTimeoutInMinutes , SKuText | Format-table -autosize –wrap

image

Now that the Gateway is created we can add a subnet to this. I used a point an click so that I can choose the network and subnet. but you can also use a variable to do this.

$virtualNetwork = Get-AzVirtualNetwork | Out-GridView -PassThru -Title "Pick the vnet that will be used for the NAT gateway"

https://robertsmit.wordpress.com

$NATSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork | Out-GridView -PassThru -Title "Pick the Subnet that will be used for the NAT gateway"

image

$NATSubnet.NatGateway = $natGateway
$virtualNetwork | Set-AzVirtualNetwork

The network is chosen and the subnet is selected.

In the Azure portal you can see the result.

https://robertsmit.wordpress.com

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

 

Posted June 2, 2020 by Robert Smit [MVP] in Azure

Tagged with , ,

How to join Windows Server 2019 to the Azure AD #AAD #Winserv #WIMVP #AD #Hybrid #Azure   Leave a comment

For Some time it is possible to join devices to the Azure AD. Personally I know this was working for Windows 10 but Windows Server 2019, in this blog post I’ll show some ideas and thoughts. It would be nice  if native Azure MFA would work to log on. Also for some options your Azure AD needs to be at least P1.

Organizations can now utilize Azure Active Directory (AD) authentication for their Azure virtual machines (VMs) running Windows Server 2019 Datacenter edition or Windows 10 1809 and later. Using Azure AD to authenticate to VMs provides you with a way to centrally control and enforce policies. Tools like Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access allow you to control who can access a VM. This Blog shows you how to create and configure a Windows Server 2019 VM to use Azure AD authentication and how to remove the Azure AD join and switch back to Active directory Domain join.

The following Windows distributions are currently supported during the preview of this feature:

  • Windows Server 2019 Datacenter
  • Windows 10 1809 and later

So the machine below is in a workgroup but Azure AD joined. on a server is it not visible that the machine is Azure AD joined in the UI.

image

In the Configuration properties in an Azure VM we can set the following properties. Login with AAD credentials. This is during creation of the new VM that way the VM is directly Azure AD joined.

image

Just deployed a new VM. and this VM is Azure AD joined, but what if you want to domain join this machine can we do a hybrid domain join for short NO.

image

Remember Some options only work if you have a P1 or a P2 Azure AD license here you can find the differences https://azure.microsoft.com/en-us/pricing/details/active-directory/

image

Looking at the devices in the Azure AD devices we can see the Server is Azure AD Joined.

image

Giving Access to the VM can be based on RBAC

Two RBAC roles are used to authorize VM login:

  • Virtual Machine Administrator Login: Users with this role assigned can log in to an Azure virtual machine with administrator privileges.
  • Virtual Machine User Login: Users with this role assigned can log in to an Azure virtual machine with regular user privileges.

To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual Machine User Login role. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have privileges to log in to the VM over RDP. This is to provide audited separation between the set of people who control virtual machines versus the set of people who can access virtual machines.

Select the VM and choose IAM press Add and add role assignment. just as you do with other workloads.

image

image

Or use the Azure CLI

$username=(az account show –query user.name –output tsv)

$vm=(az vm show –resource-group rsg-adjoin001 –name 2019vmadjoin –query id -o tsv)

az role assignment create  –role "Virtual Machine Administrator Login" –assignee $username –scope $vm

image

But what If we want to do a Domain join ?

There is no hybrid domain join and no console unjoin. Redeploy would not be the best option right.

image

With the DSRegCmd /Leave we can unregister the VM from the Azure AD.

image

now back to the Domain join without a reboot we can join the VM direct to the Classic Active directory.

image

Remember a reboot is needed for this.

image

Now the VM is normal AD joined.

This option is still in preview and after removing the Azure AD still shows that the VM is Azure Ad joined, it seems there is no trigger to remove the AADLoginForWindows extention in the VM.

The hybrid join could me a great addition to make VM’s connectable with Azure MFA. But for now we can assign policy’s and rules.

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted April 6, 2020 by Robert Smit [MVP] in Windows Server 2019

Tagged with , , ,

Step by Step Windows Virtual Desktop Troubleshooting Manual Add VM to HostPool #WVD #RDS #Azure #MSIgnite #MVPBuzz #Cloud   2 comments

Windows virtual desktop is GA and already there are tons of blog post on how to install windows virtual desktop, first steps on windows virtual desktop.

I see a huge demand on WVD, Customers wants to try this and see the difference between the traditional RDS setup.  And yes its all Azure but thanks can be build and tested. and there comes all the different builds and setups. Different places to go, and management is a pain no GUI available from Microsoft there is only PowerShell. Not a bad thing but testing the windows virtual desktop leaves me multiple tenants and host pools dead.

Well I thought lets do a Step By Step windows virtual desktop, Well not exactly I’ll believe you can follow the wizard in Azure and Do all the prereq’s by your self. In this blog post it could be that not all host pools and tenant names are the same as I had a lot of test WVD configs.

As we all know the Infrastructure that is needed for windows virtual desktop, we also know that a lot can go wrong and then where to look ?

image

So to start with windows virtual desktop I created a little Powershell script that does step 1

Install-Module -Name Microsoft.RDInfra.RDPowerShell
Import-Module -Name Microsoft.RDInfra.RDPowerShell

#Setup Settings, TenantName of WVD tenant, Hostpool name
$Hostpool       = “WVDpool01”
$HPFriendlyName  = “Win10 + O356”
$TenantName     = “ClusterMVP”
$TenantGroupName = “Default Tenant Group”
$AppGroupName    = “Desktop Application Group”
$AadTenantId    = “111111-2222222-33333”
$subscriptionId = “111111-2222222-33333″
$UPN=”adminclu@clustermvp.local”

#Sign in to Windows Virtual Desktop
Add-RdsAccount -DeploymentUrl “https://rdbroker.wvd.microsoft.com”

#New Tenant Keep in mind that Access rights need to be set before doing the next step.
New-RdsTenant -Name $tenantName -AadTenantId $AadTenantId -AzureSubscriptionId $subscriptionId
#
#Hostpool
#Create new Hostpool
New-RdsHostPool -TenantName $tenantName -FriendlyName $HPFriendlyName -name $hostpool -ValidationEnv $true
Get-RdsHostPool -TenantName $tenantName

 

When Doing these steps I already got errors not on the script but on the basic steps

image

Get-RdsTenant : User is not authorized to query the management service.

The user is global admin uber god in Azure and in the domain. Well you need to give the account that you are using for the installation access. in the Virtual Desktop APP.

image

I like to see what happened so often I use an extra Get- to see the values .

But these errors I hate them, Why can it be so hare to deploy some machines and use RDS, Well it’s a 3 fase installer.

  • Granting the Domain + subscription
  • Powershell stuff to prep things
  • Install Azure VM’s

And then the setup needs to embed in your infrastructure. Think I saw a lot of issues, during the first RDMI rollouts I thought this is complicated a created a full rollout script, but things changed during the program and at some points I could not get windows virtual desktop Installed several tries etc not good,

Tons of failure on all kind of errors samples are below.

—————————————————————————————–

VM has reported a failure when processing extension ‘joindomain’

the error is Deployment error: “VMExtensionProvisioningError”.
Details error message are:
{“code”:”DeploymentFailed”,”message”:

Operation ‘Update VM’ is not allowed on VM ‘FIBWVD-0’ since the VM is marked for deletion.

“The resource operation completed with terminal provisioning state ‘Failed’.”

statusCode”: “Conflict”,

“VM has reported a failure when processing extension ‘joindomain’. Error message:
\”Exception(s) occured while joining Domain

Error message: \\\”DSC Configuration

——————————————————————————————–

Well I have multiple Domain names added to my Azure AD and Running a VM as DC with multiple domain names.  Azure Connect syncs them to Azure AD but standard well it depends, That’s why I thought lets create a backwards blog about windows virtual desktop #WVD.

More about errors can be found here 

https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-role-service#common-error-scenarios

 

During all my test I noticed my Tenant Names where in use and different all meshed up. Removing them is easy but also in steps.

First my sample here

Get-RdsHostPool -TenantName ACACOMPUTERS

image

This shows you the host pools for the login user

get-RdsAppGroup -TenantName ACAComputers -HostPoolName ACA-HostPool

image

So removing the hostpool is not

Remove-RdsHostPool -TenantName ACAComputers -HostPoolName ACA-HostPool

image

That seems logical, then lets see the application groups

get-RdsAppGroup -TenantName ACAComputers -HostPoolName ACA-HostPool

image

There are Two application Groups : the default one and an extra created.

AppGroupName    : Desktop Application Group

AppGroupName    : MVP-WVD

Remove-RdsAppGroup -TenantName ACAComputers -HostPoolName ACA-HostPool -Name “MVP-WVD” –Verbose

image

even with the verbose nothing no warning no error.

Remove-RdsHostPool -TenantName ACAComputers -HostPoolName ACA-HostPool -Verbose

image

Now the Hostpool can be removed and no warning

 

image

Setting up a fresh new installation of WVD is easy, but the first setup is a bit painful but if you follow the steps you can’t go wrong.

GO to the  https://rdweb.wvd.microsoft.com Add the Azure AD ID keep in mind if you are running a CSP subscription or you are not the owner it may that your account is blocked to create enterprise apps then this will fail and you can’t setup WVD.

image

Do this for Client and Server

image

Then give the users access to the Windows Virtual Desktop App, these are the installation accounts.

image

Open the app and add users or groups.

image

 

image

Now you can sign in and start the deployment

#Sign in to Windows Virtual Desktop
Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com

image

 

image

 

WVD service principal name Powershell

 

You can also use a service principal name

#############

Set users or Create service principal name

# create the service principal:
$aadContext = Connect-AzureAD
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName “Windows Virtual Desktop Svc Principal”
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId

#Here are the three credentials you should write down and the cmdlets you need to run to get them
$svcPrincipalCreds.Value
$aadContext.TenantId.Guid
$svcPrincipal.AppId

#Set Rolassignment
New-RdsRoleAssignment -RoleDefinitionName “RDS Owner” -ApplicationId $svcPrincipal.AppId -TenantName $tenantName

#Sign in with the service principal
$creds = New-Object System.Management.Automation.PSCredential($svcPrincipal.AppId, (ConvertTo-SecureString $svcPrincipalCreds.Value -AsPlainText -Force))
Add-RdsAccount -DeploymentUrl “https://rdbroker.wvd.microsoft.com” -Credential $creds -ServicePrincipal -AadTenantId $aadContext.TenantId.Guid

image

This is All perfect But often I noticed that the WVD host where added to the domain but failed in something, the VM was fine and there was a folder with the deployment agent. and this got me thinking what If you install this on what ever OS, You could even use the WVD portal to connect to your own laptop.

 

Manual ADDING New WVD (Windows virtual desktop) Host to the Pool or a failed on.

The manual add Server to the host pool is also a process when you start with 1 server and add later extra servers to the pool.

but we will need a token to add the WVD host to the pool, like in RDS add the Role not the Role is an agent that is running on the VM

image

There are several ways to export the key I like them to capture this in screen and to the clipboard.

$WVDToken = New-RdsRegistrationInfo -TenantName $tenantName -HostPoolName $hostpool -ExpirationHours 2
$WVDToken.Token | Set-Clipboard
##
$WVDToken.Token

#When using the Clipboard then use this.
Export-RdsRegistrationInfo -TenantName $tenantName -HostPoolName $hostpool | Select-Object -ExpandProperty Token | Set-Clipboard

Now we have the key but it is only valid for 2 hours.

image

Now I go to my failed Windows 10 host and start the installation of the Agent.

image

If you don’t have the Agent installer you can download it. In this case I use a failed WVD host during deployment.

Download and install the Windows Virtual Desktop Agent.

imageimage

Use the Token in the installer

imageimage

The next installer is the bootloader 

Download and install the Windows Virtual Desktop Agent Bootloader.

image

 

imageimageimageimage

Now that the Agent and the Bootloader is installed. We need two more steps.

Download the Windows Virtual Desktop side-by-side stack and run the installer.

As a final step – Download this script to activate the side-by-side stack. Save this as powershell script “ps1” or run this directly.

image

image

After running the SxS components you and use the portal  https://rdweb.wvd.microsoft.com/webclient/index.html

image

In this setup I used the Full desktop – This is also default –

image

Running this in a Window or use the Remote app in your Windows

image

  • Download the Remote Desktop client here.
  • Install the client. You don’t need administrator privileges if you are only installing it for your own user account.
  • Open the newly installed Remote Desktop app.
  • On the Let’s get started screen, click Subscribe to subscribe to a feed.

imageimage

Installation source on a failed WVD host

image

 

[!IMPORTANT] To help secure your Windows Virtual Desktop environment in Azure, we recommend you don’t open inbound port 3389 on your VMs. Windows Virtual Desktop doesn’t require an open inbound port 3389 for users to access the host pool’s VMs. If you must open port 3389 for troubleshooting purposes, we recommend you use just-in-time VM access.

 

 

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted November 20, 2019 by Robert Smit [MVP] in Azure

Tagged with , ,

  • Twitter

  • RSS Azure and Microsoft Windows Server Blog

  • %d bloggers like this: