Azure AD allows collaboration seamless for any user with any account (towards the dream)

Posted on by susanthasilva

In a world where collaboration rocks we always question the security boundary. By now I do hope all agree answer relies on identity. Our application access and controls should follow identity to allow people to truly provide the required flexibility to work from anywhere whilst maintaining the required security.

In Microsoft Azure Active Directory now they are towards to that dream. Today goes the public preview of allowing to share resources (Applications and data) with people from any organization, whether or not they have Azure AD or an IT department. Earlier Microsoft work closely with Google social IDs for this task.

Under this preview mode end user can use any of their e-mail ID type to access resources on another organization for true B2B collaboration. This is happening via email one-time passcodes (OTP).By using this new capability, you allow guest users to use their work email account for authentication while making sure your corporate resources are protected by the same security standards that are mandated by your partner organization. Once end user get the code and verified that session is valid for 24 hours. OTP codes are valid for 30 minutes. These settings carefully applied with security in mind.

In addition, we can apply additional security through conditional access and Multi-Factor Authentication (MFA) which available under AAP (Azure Active Directory Premium)

Guest user will get one-time passcode if below scenarios are true,

  • They do not have an Azure AD account
  • They do not have a Microsoft account
  • The inviting tenant did not set up Google federation for @gmail.com and @googlemail.com users

OTP 1
(Picture credits goes to Microsoft Techcommunity)

Ok letā€™s get into action to enable this feature now.

Log into Azure portal and go to Azure Active Directory ā€“> Organizational relationships ā€“> Users from other organizations ā€“> Settings

select ā€œEnable Email One-Time Passcode for Guests (Preview) after that save the changes.

image

Well thatā€™s all you have to do. Head back to ā€œUsers from other organizationsā€ and add the users. Once above task completed it might take little time to apply.

After that when you share the resources with the outside party.

image

When the first time user get the email he/she has to go through the redemption procedure and accept the company policies. Once completed when they try to access the company resources they will be request to sign in prompt and request for a code. Below is such example situation,

OTP 2OTP 3
(Picture credits goes to Microsoft Techcommunity)

What is exciting is the new doors this is opening for companies to allow securely access to their resources to external parties knowing the control they have.

Goodbye MVA and welcome “LEARN”

Posted on by susanthasilva

If youā€™re a technical person who loves Microsoft technology then you must have spend time on MVA. Microsoft Virtual Academy is one of my favorite place which I spend to learn about Microsoft technology. Starting from basic all the way to level 300 content is there plus do your own knowledge validation and exams. That bean said Microsoft has decided to close the learning site and come with new learning platform. Before I jump into that if youā€™re a MVA fan then you still have time to complete your pending learning and exams until end of January 2019. Best is visit the MVA site and complete your pending tasks Smile 

image

To view your progress visit Dashboard and complete any pending training courses,

image

So now youā€™re aware the future awaits for the MVA what that means to you with Microsoft Learn? What is Microsoft Learn?

Microsoft Learn is interactive learning environment that includes short step-by-step tutorials (I can see more in Azure Smile), interactive coding/scripting environments, and task-based achievements that help you advance your technical cloud skills. I like new idea but again change is not welcome by everyone at first glance. Best is you give a try and see how it matters to you.

image

I like the idea of role based training. Along with rapid changes in cloud technology it would be pretty difficult task to keep up with all the technology updates. Ideal would be to have small chunks and learn them. Even Microsoft Azure classroom training has to go through in that path in order to teach for students Smile

In case if youā€™re missing advance concepts training then Microsoft has provided external training partners web links for you to refer. Such learning partners are LinkedIn & Pluralsight.

image

I do hope Microsoft will not forget IT users who are interested in Windows Server, System Center technology. Fingers crossed for that.

Until that time arrives best is to start with ā€œAzure Fundamentalsā€ training Smile

https://docs.microsoft.com/en-us/learn/paths/azure-fundamentals/

Resetting the VMWare vCenter appliance (VCSA) root password

Posted on by susanthasilva

Ok this is strange problem I came across during my VMWare lab setup. For some reason the password Iā€™ve setup during my vcenter appliance setup is not detecting. Yes I waited enough time for appliance to bootup Smile 

So here Iā€™m wondering how to move to next step without wiping and starting my test lab from the scratch. Based on my research around found out we can reset the root password on Linux appliance. This going to be a post which I will be helpful for me as well as for yo all when struggling through root password issues in VCSA

To provide some background Iā€™m testing VMWare Esxi and vCenter (VCSA) 6.7 setup running on VMWare workstation 14. For this lab setup I did import the VCSA OVA file directedly into the VMWare workstation instead of setting up inside the ESXi server (yes you can do that Smile)

Please note VMware using their own OS called ā€œPhoton OSā€ for their VCSA appliance. 

Ok for the steps guide now.

1. Take a snapshot or backup or your VCSA appliance. Restart the VM and hit letter ā€œeā€ in your keyboard when you see the “Photon OS splash screen. This will take you to the GRUB boot menu. In the end of first sentence append the parameter rw init=/bin/bash

image

2. After that press F10 to continue the boot. After few seconds youā€™ll be prompted with  root login. Type passwd. Youā€™ll be prompted to enter the new password. Type the new password and repeat the again for verification. If youā€™re successful youā€™ll be prompted.

image 

image

3. Once the steps are completed you can type reboot ā€“f and let the system restart. After that once the system reboot try connecting to vcsa login screen with the new password.

Hope this small steps will save you lot of time. From what I heard if there is new updates to the Photon OS there is a possibility password we setup might not work. Remember these steps to overcome that.

Kindly note Iā€™ve only test this on VMware 6.7 version only. I do believe same will work on 6.5 version as well.

How to migrate Public IP between Azure VM’s

Posted on by susanthasilva

This article created based on a challenge I faced on migrating Public IP [Static] to a different VM. There are many scenarios why you might want to keep static public IP to a Azure VM (Iaas). Despite being said to leverage DNS names we know in practical world static IP still wins

Smile

In this scenario I had a challenge of my customerā€™s VM has been attacked by ransomware. Lucky we had taken full backup of the VM. First tried restoring the disks to the same VM but problem still exists. Next solution is restoring the backup to a new VM (entire VM restore) How to do that you can find here.

Below video will share you how I manage to resolve the problem.

https://www.youtube.com/watch?v=-R63rlspMJU

Handle Windows servers with Windows Admin Center aka “Project Honolulu”

Posted on by susanthasilva

Tis project has been initially announced on year 2017 on Ignite event. At that time it just gave excitement for server admins who saw this as Swiss army knife to managed the different version of Windows servers. Along with time Microsoft project team has been working very closely with MVPā€™s and general public getting the feedback how they should be improving this project.

In Year 2018 this has been announced on GA level. So what is Windows Admin Center and itā€™s advantages? To address that Iā€™ll share the exact information shared by Windows Server Team,

  • Simple and modern management experience: Windows Admin Center is a lightweight, browser-based GUI platform and toolset for IT admins to remotely manage Windows Server and Windows 10 machines.
  • Hybrid capabilities: Windows Admin Center can manage Windows Server and Windows 10 instances anywhere including physical systems, virtual machines on any hypervisor, or running in any cloud. Connect to the cloud with optional value-added features like integration with Azure Site Recovery for protecting your virtual machines, and support for Azure Active Directory to control access with multi-factor authentication.
  • Integrated toolset: Rather than switching between several different tools and contexts, with Windows Admin Center you get a holistic overview of your resources and the ability to dig into granular details. In addition to server and client machines, it allows you to manage failover clusters and hyper-converged infrastructure (HCI) deployments.
  • Designed for extensibility: Weā€™ve been working with early-adopter partners to refine the extension development experience in a private preview of our SDK. That means soon youā€™ll be able to extend Windows Admin Centerā€™s capabilities to 3rd-party solutions. For example, youā€™ll start to see 3rd party hardware vendors use Windows Admin Center to provide management of their own hardware.

For me itā€™s really interesting when Jeff Woolsey mention in the Azure Cloud Summit Singapore you can manage your Azure resources as well as on-premise resources from single console.

Iā€™ve already went ahead and tested this on my test lab cross checking server 2012 R2 to all the way to Server vNext (aka Server 2019) version. Iā€™m pretty amazed how simply product can be setup and used. Kindly note there are couple of modes you can setup Windows Admin Center to manage your servers.

PS: Server 2012 R2 had problems due to WMF 5.1 not availbility. This has been documented on Microsoft docs and easily can be fixed.

image

image

In my case I went ahead with setting everything on a Windows 10 Enterprise VM. I think most of the production environments in Sri Lanka would be fine with Singe Gateway mode. If youā€™re a service provider managing lot of customer resources then itā€™s fine to move ahead with Windows Admin Center on failover cluster to provide additional resiliency.

In my test lab Iā€™ve both Server 2016 and Server 2019 in command level. Whatever said and done itā€™s not that easy when you miss the GUI Smile. Windows Admin Center resolves that problem like a charm. Iā€™ve managed to connect to both servers seamless level and manage them remotely. Only problem I came across is when I tried to enable remote access to both servers from Windows Admin Center. Finally I end up using sconfig and enable remote desktop access. Soon after that Iā€™ve managed to get RDP to both servers for console access.

Few screenshots of my small lab environment,

image

Managing Server 2019 (Yes Microsoft didnā€™t make Server 2016 the final version Smile with tongue out )

image

I like the simplicity UI plus plethora of tools given for managing the servers.

image

This reminds me storage explorer tool. Itā€™s very cool to manage server core systems just like youā€™re having full GUI on it Smile

In todays blog article Iā€™ve only briefly touch the product capability. There are few more things to be discovered. Iā€™m yet to explore the feature of Azure management from single console. Apart from that Microsoft promise we can manage our HYPER-V failover clusters and hyper-converged clusters as well. Apart from that if youā€™re using ASR to protect your hyper-v VMā€™s to Azure you can manage that fro Admin Center. As I said earlier I didnā€™t had all the lab scenarios in my hand right now but look forward to share my experience whenever I get my hands to such environments. In the meantime youā€™ll can share your exact experience when using this product.

PS: At this stage donā€™t take Windows Adin Center as you final destination to manage your Windows Server environment. At this stage Microsoft is very clear Admin Center will not replace your MMC consoles, Monitoring tools like SCOM, OMS and rest management tools. But Microsoft has given very clear picture where they heading on server management path. It would be really amazing when this product improved to manage services on server less environments as well.

Azure Site Recovery–Story revamped using new portal

Posted on by susanthasilva

In this blog post Iā€™ll guide how to setup Azure Site Recovery (ASR) on the new portal using ARM model. If youā€™re not familiar with the ASR concept you can refer here. Compared to setting up ASR on old Azure portal, Microsoft ASR team carried out significant enhancement on the new portal and make it very much UI friendly.

In this blog post Iā€™ll explain how to protect HYPER-V VMā€™s. You can protect VMā€™s hosted on single HYPER-V (Stand alone) or HYPER-V cluster (without VMM) using these steps. Few things I wonā€™t cover in this blog post are how to create resource group, Virtual networkā€¦.etc. Iā€™ll provide relevant links for that for you to get in depth idea.

1. Wow to create a resource group in Azure – https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview

2. How to setup networking for ASR – https://azure.microsoft.com/en-us/blog/networking-infrastructure-setup-for-microsoft-azure-as-a-disaster-recovery-site/

So with the assumption you have HYPER-V server with bunch of VMā€™s (on-premise) and have a Azure tenant and in that youā€™ve created,

  • Resource Group
  • Created Virtual network
  • Created storage account to hold replicated VMā€™s data

Now letā€™s go ahead and create a Recovery Vault in the Resource Group you have created. In my case Iā€™ve pre created a RG name as ASR-DR. Inside that Iā€™m going to create the Recovery Vault name ā€œASR-RVā€

image

image

Once the RV created we can follow the step-by step guide or based on your experience jump straight into the relevant steps. In below screenshot Iā€™ve demonstrated the step by step method.

Iā€™m selecting the option to protect the hyper-v vmā€™s which is not managed by VMM environment.

image

Now you need to create a ā€œHYPER-V siteā€ and then click on the ā€œ+ Hype-v serverā€ and register the nodes. Once you complete that task of setting up agents into the on-premise server youā€™ll be registering your HYPER-V servers with the RV. In below picture you can see Iā€™ve added two HYPER-V hosts.

image

in the next step youā€™ll need to define the Azure subscription. RV will read the resources in that vault and will highlight what is usable for ASR purpose.

PS: But I warn you to create the resources earlier for ASR purpose and not to borrow Smile

image

Now you need to define replication policy and associate. If you have done this step previously you only have to associate that, if not create a one. You can go ahead and create a new one keeping the defaults value and change them later.

image

Step 5 Iā€™ve skipped that since Iā€™ve make sure planning has been carried out previously.

image

Now the basic steps are completed and real game begins Smile

Go to ā€œReplicate Applicationā€ section and start highlighting the VMā€™s you need to replicate to Azure for protection.

image

In the next step you need to map the Azure resources you created previously very carefully. Iā€™ve highlighted the areas which need your special attention. Careful planning becomes a virtue in this scenario.

image

Now if everything goes smoothly youā€™ll be able to see the VMā€™s on the HYPER-V host server name list populated on Azure side. Go ahead and select the VMā€™s you need to protect,

image image

Finally you need to review the summary and approve to proceed for replication process to execute against the VM you select.

image

This will take little time to complete. After that for full sync will occur. For that time depend on your disk size and your internet connection speed Smile. Iā€™m in the process of helping a client to upload over 2 TB data.

image

If you have very slow internet links (Like Iā€™ve Smile) you can use Microsoft import/export method to export the VHD files to nearest Azure data-center via courier. Once Azure team upload your VHD to Azure storage account all you have to do is replicate the difference. Sounds easy? Well it is not! there are few steps you need to follow and it will cost you additional money but it all depend on the situation. You can find more information about it here.

My two cents advise is go ahead and setup the Recovery Vault and check the new options in the RV,

image

Youā€™ll find new GUI and options given are so rich. In my future article Iā€™ll cover more details about them and also the recovery procedure.

Error ID 70094: ASR Protection cannot be enable for HYPER-V VM

Posted on by susanthasilva

I came across above error when tried to setup ASR using new portal. Every step went find until I get below error,

image

clearly this highlight I cannot replicate the VM successfully to the Azure Recovery Vault. Iā€™ve tried re-registering the Azure Site Recovery agent on the HYPER-V host as well. Though HYPER-V host register properly on the Recovery Vault VM protection fails with above error. On the hyper-v console I can see VM replication is on error state.

So finally meddle around the host logs I found out ASR has been setup previously and has not been removed properly. This means each VM replication also not completed and hanging around on error state. Only way to proceed is to clear those unsuccessful replication data on the host side targeting individual VMā€™s which is effected.

You need to run below mention PS command on each host targeting the effected VMs,

“$vmName = “<VM Name>”
  $hostName  = “<Host name>”
  $vm = Get-WmiObject -Namespace “root\virtualization\v2” -Query “Select * From Msvm_ComputerSystem Where ElementName = ‘$vmName'” -computername $hostName
  $replicationService = Get-WmiObject -Namespace “root\virtualization\v2”  -Query “Select * From Msvm_ReplicationService”  -computername $hostName
  $replicationService.RemoveReplicationRelationship($vm.__PATH)“

PS: Replace the <VM Name> with your effected VM name, <Host name> with your HYPER-V server name and run on the HYPER-V host.

Once that completed go ahead and try enabling replication for each VM from Azure console side.

PS: If you need to know about how to setup ASR on the new portal youā€™re in luck. Stay tune for next blog article Smile