Azure Site Recovery–Story revamped using new portal

In this blog post I’ll walk through how to set up Azure Site Recovery (ASR) on the new portal using the ARM (Azure Resource Manager) deployment model. If you’re not familiar with the ASR concept you can refer here. Compared to setting up ASR on the old Azure portal, the Microsoft ASR team has carried out significant enhancements on the new portal and made it very UI friendly.

In this blog post I’ll explain how to protect Hyper-V VMs. You can protect VMs hosted on a single (stand-alone) Hyper-V host or on a Hyper-V cluster (without VMM) using these steps. A few things I won’t cover in this blog post are how to create a resource group, a virtual network, etc. I’ll provide relevant links for those so you can get an in-depth idea.

1. How to create a resource group in Azure – https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview

2. How to setup networking for ASR – https://azure.microsoft.com/en-us/blog/networking-infrastructure-setup-for-microsoft-azure-as-a-disaster-recovery-site/

So, with the assumption that you have a Hyper-V server with a bunch of VMs (on-premises) and an Azure tenant in which you’ve created:

  • Resource Group
  • Created Virtual network
  • Created storage account to hold replicated VM’s data

Now let’s go ahead and create a Recovery Services vault (RV) in the resource group you created. In my case I’ve pre-created a RG named ASR-DR. Inside that I’m going to create the Recovery Services vault named “ASR-RV”.

Once the RV is created you can follow the step-by-step guide or, based on your experience, jump straight to the relevant steps. In the screenshot below I’ve demonstrated the step-by-step method.

I’m selecting the option to protect Hyper-V VMs that are not managed by a VMM environment.

Now you need to create a “Hyper-V site”, click “+ Hyper-V server” and register the nodes. That task involves installing the ASR provider and agent on the on-premises hosts and registering the Hyper-V servers with the RV. In the picture below you can see I’ve added two Hyper-V hosts.

In the next step you’ll need to select the Azure subscription. The RV reads the resources in that subscription and highlights which ones are usable for ASR.

PS: I recommend creating dedicated resources for ASR up front rather than borrowing ones that are in use for other workloads.

Now you need to define a replication policy and associate it with the Hyper-V site. If you have done this previously you only have to associate it; if not, create one. You can go ahead and create a new one keeping the default values and change them later.

I skipped step 5 since the planning it covers had already been carried out.

Now the basic steps are completed and the real work begins.

Go to the “Replicate Application” section and start selecting the VMs you need to replicate to Azure for protection.

In the next step you need to map the Azure resources you created previously very carefully. I’ve highlighted the areas which need your special attention; careful planning becomes a virtue in this scenario.

Now, if everything goes smoothly, you’ll see the list of VMs on each Hyper-V host populated on the Azure side. Go ahead and select the VMs you need to protect.

Finally you need to review the summary and approve it for the replication process to execute against the VMs you selected.

This will take a little time to complete. After that the initial full sync will occur; how long it takes depends on your disk sizes and your internet connection speed. I’m in the process of helping a client upload over 2 TB of data.

If you have very slow internet links (like I do) you can use the Azure Import/Export service to ship the VHD files to the nearest Azure data center via courier. Once the Azure team has uploaded your VHDs to your storage account all you have to do is replicate the differences. Sounds easy? Well, it is not! There are a few steps you need to follow and it will cost you additional money, but it all depends on the situation. You can find more information about it here.

My two cents: go ahead and set up the Recovery Services vault and check out the new options in the RV.

You’ll find the new GUI and the options it offers are very rich. In a future article I’ll cover them in more detail, along with the recovery procedure.

Affordable Disaster Recovery Solution for every organization

January 2015

Last month I had the opportunity to present the above topic during a local ITPro community event. With the recent announcement of Azure Site Recovery enhancements it is very clear that disaster recovery is no longer an enterprise-only solution. It is now available even to SMB customers with a very low price tag.

Some key questions were raised about multi-hypervisor support. It is no surprise that Microsoft has not left those customers alone. With the acquisition of the InMage Scout solution we can now offer a DR solution for VMware, Citrix and physical servers as well. Very soon Microsoft will focus on providing VMware-to-Azure site recovery solutions too.

Extending on premise Active Directory to Azure

Microsoft Azure is one of the biggest buzzwords in the technical world (at least in my world). Whenever I have a conversation about this with my customers, some of the questions and concerns they have are as follows:

1. Why should I care about another directory service when I already have Active Directory to manage my users and computers?

2. How can I extend my Active Directory?

3. Can I dump my on-prem Active Directory and use 100% Azure Active Directory?

Most of the time I end up explaining Azure Active Directory using couple of pictures,

The picture above gives an idea of the similarity between Azure AD and on-premises AD. This is an easy way to give someone (I’m talking about business owners) an idea of what AD normally does.

The next picture is about how Azure AD can be used in a hybrid model and open up a whole new world of cloud-based apps to an organization.

That’s the icing; now let’s start the actual work.

My first attempt is to guide you through how to set up Azure AD and then integrate it with your local Active Directory.

First you need to have an Azure subscription. If you already have one, log in to the main portal.

On the right hand side scroll down until you find the section called “Active Directory”

You can see a couple of Active Directories I created on the right-hand side. Please note that the Default directory is pre-created by Microsoft Azure. You can start using that or create your own Azure directory. To create your own AAD (Azure Active Directory) click New.

Select directory and click “Custom”


Put your own values for this, (Note: make sure the Domain name you provide is a unique one)

Once you complete the wizard you’re done creating your AAD.

From here you’ll spend time creating users and groups for the new directory. For more information about this area please visit here. In the next article we’ll talk about how to integrate Azure AD with on-premises AD.

Active Directory monitoring and health checkup

As system administrators most of us spend our time troubleshooting end-user problems and forget to oversee the Active Directory service. We only look at the AD servers when we are getting problems, and then we see all sorts of issues related to DNS, replication, etc. This guide focuses on proactive monitoring of Active Directory so that, as a system administrator, you will have a better understanding of your infrastructure.

It is recommended to run the following tests once a month and keep the log files for trend analysis as well. To make things easier I’ve provided the URLs of the individual commands on TechNet so you can get more comprehensive details.

Dcdiag.exe /v >> c:\temp\pre_dcdiag.txt

This is a must and will always tell you if there is trouble with your DCs and/or the services associated with them.

Netdiag.exe /v >> c:\temp\pre_Netdiag.txt

This will let us know if there are issues with the networking components on the DC. Together with the post-patch run it is also a quick and easy way to ensure the patches you installed really are installed (just check the top of the log). Note that Netdiag.exe is part of the Windows Support Tools for Windows 2000/Server 2003; it is not included in Windows Server 2008 or later.

Repadmin /showreps >> c:\temp\pre_rep_partners.txt

This shows all the replication and if it was successful or not. Just be aware that Global Catalogs will have more info here than a normal domain controller.

repadmin /replsum /errorsonly >> c:\temp\pre_repadmin_err.txt

This is the one that always takes forever, but it will tell you which partners you are having replication issues with.

Apart from that, Microsoft offers another tool called MPSRPT_DirSvc.exe. You can run this tool on the DCs and it will run most of the commands mentioned above and write the output to log files. Very handy, I would say. You can download it from here.

Hopefully this helps you when you troubleshoot your domain controllers, but by no means is this an all-encompassing list. These are the standard steps I normally take, but I would love to hear what you all do as well.
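Here is an added example (not from the original post) that scripts the monthly run above in PowerShell: it runs dcdiag and repadmin against the local DC, writes each log into a timestamped folder so the files can be kept for trend analysis, includes netdiag only where it actually exists, and pulls the failed dcdiag tests out of the verbose log so you don’t have to read all of it. It assumes an elevated PowerShell session on a DC running Windows Server 2008 R2 or later; the log root path and the pre/post prefix are made up.

```powershell
# Added example, not part of the original post. Monthly AD health snapshot
# using the same commands the post lists. Assumes an elevated session on a DC.
param(
    [string]$LogRoot = 'C:\temp\adhealth',   # made-up path
    [string]$Prefix  = 'pre'                 # 'pre' before patching, 'post' afterwards
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dir   = Join-Path $LogRoot $stamp
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# One entry per check: executable, its arguments, and the log file to write.
# /showrepl is the current spelling of /showreps; repadmin accepts both.
$checks = @(
    @{ Name = 'dcdiag';      Exe = 'dcdiag.exe';   Args = @('/v');                      Log = "${Prefix}_dcdiag.txt" },
    @{ Name = 'showrepl';    Exe = 'repadmin.exe'; Args = @('/showrepl');               Log = "${Prefix}_rep_partners.txt" },
    @{ Name = 'replsum-err'; Exe = 'repadmin.exe'; Args = @('/replsum', '/errorsonly'); Log = "${Prefix}_repadmin_err.txt" }
)

# netdiag.exe shipped with the Windows 2000/2003 Support Tools and is gone from
# Server 2008 onwards; run it only where it is actually installed.
if (Get-Command netdiag.exe -ErrorAction SilentlyContinue) {
    $checks += @{ Name = 'netdiag'; Exe = 'netdiag.exe'; Args = @('/v'); Log = "${Prefix}_netdiag.txt" }
}

$summary = foreach ($c in $checks) {
    $out = Join-Path $dir $c.Log
    # 2>&1 merges the tool's stderr into the same log as its normal output.
    & $c.Exe $c.Args 2>&1 | Out-File -FilePath $out
    [pscustomobject]@{ Check = $c.Name; ExitCode = $LASTEXITCODE; Log = $out }
}
$summary | Format-Table -AutoSize

# Triage without reading the whole verbose log: dcdiag prints
# "<DC> failed test <TestName>" for every test that did not pass.
$dcdiagLog = Join-Path $dir "${Prefix}_dcdiag.txt"
$failed = Select-String -Path $dcdiagLog -Pattern 'failed test (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique
if ($failed) {
    Write-Warning ("dcdiag failed tests: " + ($failed -join ', '))
} else {
    Write-Host "dcdiag: no failed tests"
}

# /replsum /errorsonly lists only partners with errors; an empty table under the
# header is what you want to see. Keep the whole run for next month's comparison.
Write-Host "Logs written to $dir"
```

Run it once as `-Prefix pre` before patching and again as `-Prefix post` afterwards; the two folders are then directly comparable, which is the point of keeping the logs.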

sysvol and netlogon shared folders missing after a non-authoritative restore

This is an issue I faced at a client site and had to spend hours sorting out. I thought of sharing my experience with other like-minded techies.

First let’s have a look at the issue. The client had a non-functional domain controller due to a power failure. Basically the domain controller had lost its database and other critical data (e.g. DNS records, WINS records, etc.).

Even though an additional domain controller existed, the FSMO roles had been assigned to the failed domain controller. By the time we reached the site, as a solution they had already restored the failed domain controller from a system state backup, and then gone on to restore the system state backup to the second domain controller as well. This brought both DCs to a halt.

Looking into the event viewer I found that both DCs were trying to find a healthy DC to sync the SYSVOL contents from, and neither could. To cut it short, I tried setting one DC as authoritative so it would not look for another DC to get the SYSVOL contents, following KB290762. After that I brought the second DC online and set the “BurFlags” value to D2 in the registry path

(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup)

After some time both DCs had the SYSVOL folder shared, but with no contents in it. The NETLOGON share was not appearing either! Another frustration on the way!!

The next step was to restore SYSVOL to an alternate location, retrieve the contents of the SYSVOL folder and copy them to one DC’s “C:\Windows\SYSVOL\sysvol\<Domain Name>\”. Once that was complete, the following instructions were followed:

Stop File Replication Service in that particular DC, change the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Key: BurFlags

Value: D4(hexadecimal)

Start the File Replication Service and wait until event ID 13516 appears in the FRS event log.

Restart Netlogon service, then the NETLOGON is shared out.

Stop File Replication Service in the other DC, change the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Key: BurFlags

Value: D2(hexadecimal)

Start the File Replication Service and wait until event ID 13516 appears in the FRS event log.
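Scripted version of the BurFlags steps above, as an added example that is not from the original post. It sets D4 or D2 on the local DC only, waits for event 13516 (the FRS “SYSVOL is ready, Netlogon can share it” event), confirms that FRS cleared BurFlags back to 0, and then restarts Netlogon so the SYSVOL and NETLOGON shares come back. It assumes PowerShell 2.0 or later on a DC that still replicates SYSVOL with FRS (Windows Server 2008/2008 R2 before a DFSR migration; the 2003 R2 DCs in this story predate PowerShell); the timeout value is an arbitrary choice. Run it with -Mode D4 on the DC that received the restored SYSVOL contents first, and only then with -Mode D2 on each remaining DC.

```powershell
# Added example, not part of the original post. Performs an authoritative (D4)
# or non-authoritative (D2) FRS SYSVOL restore on the local DC and waits for
# FRS to report that SYSVOL is ready (event 13516). Assumes FRS, not DFSR.
param(
    [Parameter(Mandatory = $true)][ValidateSet('D4', 'D2')][string]$Mode,
    [int]$TimeoutMinutes = 30   # arbitrary
)

# The key name contains a forward slash ("Backup/Restore"); the HKLM: provider
# would treat that as a path separator, so go through .NET instead of
# Set-ItemProperty.
$subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$flag   = [Convert]::ToInt32($Mode, 16)   # D4 = 0xD4 authoritative, D2 = 0xD2 non-authoritative

if (-not (Get-Service -Name NtFrs -ErrorAction SilentlyContinue)) {
    throw 'NtFrs service not found: SYSVOL is probably on DFSR, and BurFlags does not apply.'
}

$started = Get-Date
Write-Host "Stopping NtFrs on $env:COMPUTERNAME and setting BurFlags = 0x$Mode"
Stop-Service -Name NtFrs -Force

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
if (-not $key) { throw "Registry key HKLM\$subKey not found" }
$key.SetValue('BurFlags', $flag, [Microsoft.Win32.RegistryValueKind]::DWord)

Start-Service -Name NtFrs

# Poll the FRS log for a 13516 logged after we started. A 13565 in the meantime
# is normal for D2 (still pulling from a partner); 13508 means it cannot reach one.
$deadline = $started.AddMinutes($TimeoutMinutes)
$ready = $null
do {
    Start-Sleep -Seconds 30
    $ready = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $started } -ErrorAction SilentlyContinue
} until ($ready -or (Get-Date) -gt $deadline)

if (-not $ready) {
    throw "No event 13516 within $TimeoutMinutes minutes; check the FRS log for 13508/13565 before touching any other DC."
}

# FRS resets BurFlags to 0 once the restore has been processed; anything else
# means it has not actually run yet.
$now = $key.GetValue('BurFlags')
$key.Close()
Write-Host ("BurFlags is now 0x{0:X} (expected 0)" -f $now)

# Netlogon re-creates the SYSVOL and NETLOGON shares once FRS says SYSVOL is ready.
Restart-Service -Name Netlogon
net share | Select-String -Pattern '^(SYSVOL|NETLOGON)\s'
```

The script deliberately touches only the local machine: setting D4 on more than one DC at the same time makes each of them authoritative, which is exactly the situation the post describes running into.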

Once that completed both DCs had the same contents in the SYSVOL folder and NETLOGON was shared again. I confirmed users could authenticate and the rest of the applications were working fine.

Almost everything was running perfectly, but as a precaution I requested a full backup of the DCs. Time for a beer, but again it’s midnight so no way to make that happen either.

Summary: The affected domain controllers mentioned above were Windows 2003 R2. But as a rule of thumb, one thing to keep in mind is that AD replication is a multi-master replication engine; it can take time, and patience is a virtue.

The following links were referred to during the troubleshooting process:

http://support.microsoft.com/kb/315457

http://support.microsoft.com/kb/257338

http://support.microsoft.com/kb/229896

Virtualizing Active Directory service

Most of the time we recommend that customers and partners not virtualize the AD server. The explanation we give for this is that there might be problems due to time sync issues. So what is this time sync issue and why should we give it so much consideration? In this article I’m going to talk about it a little and explain a solution. As a rule of thumb I have to tell you this is according to my two cents of knowledge 🙂

Active Directory depends heavily on accurate time for various services (e.g. authentication, replication, record updates, etc.). When AD is on a physical machine it keeps time from the hardware timer interrupts, and since it has direct access to the hardware the clock can be kept accurate.

When you virtualize, the main problem you face is the behaviour of the virtualized environment. Hypervisors share the physical CPU between VMs, and when a guest OS is idle the timer interrupts delivered to that VM are delayed or lost. Since the guest clock is driven by those interrupts, missing them means the time drifts. This problematic behaviour is the same whether you’re using VMware, Hyper-V or any other virtualization technology. Once clients and servers have a time mismatch of more than 5 minutes, authentication and network resource access will fail (a Windows AD environment uses Kerberos authentication and by default the allowed time difference is 5 minutes).

So one method is to let the AD server holding the PDC emulator role sync time with an external time source instead of relying on the virtual hardware clock. To do that you have to edit the registry on the PDC emulator (as usual I assume you will take the necessary precautions like backing up the server, registry, etc.).

1. Modify registry settings on the PDC emulator for the forest root domain:

In this key:
HKLM\System\CurrentControlSet\Services\W32Time\Parameters
• Change the Type REG_SZ value from NT5DS to NTP.
This determines from which peers W32Time will accept synchronization. When the value is changed from NT5DS to NTP, the PDC emulator synchronizes from the list of reliable time servers specified in the NtpServer registry value.

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
• Change the NtpServer value from time.windows.com,0x1 to an external stratum 1 time source, for example tock.usno.navy.mil,0x1. More time server information can be found over here.
This entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list can use either fully qualified domain names or IP addresses. (If DNS names are used, you must append ,0x1 to the end of each DNS name.)

In this key:
HKLM\System\CurrentControlSet\Services\W32Time\Config
• Change AnnounceFlags REG_DWORD from 10 to 5. This entry controls whether the local computer is marked as a reliable time server (which is only possible if the Type value is set to NTP as described above).

2. Stop and restart the time service:
net stop w32time
net start w32time

3. Manually force an update:
w32tm /resync /rediscover

(Microsoft KB article 816042 provides detailed instructions for this process.) Apart from that you can refer to this link as well.
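The same change made with w32tm’s own switches, as an added example that is not from the original post: /syncfromflags:manual with /manualpeerlist sets Type to NTP and NtpServer to the list, and /reliable:yes sets AnnounceFlags to 5, so it does exactly what the registry edits above do. The script first checks that it is running on the forest-root PDC emulator (every other DC should stay on NT5DS and follow the domain hierarchy), then restarts the service, forces a resync and verifies what the service is actually using as its source. It assumes an elevated PowerShell session with the ActiveDirectory module (Windows Server 2008 R2 or later); the peer list is a placeholder to replace with your organisation’s own time sources.

```powershell
# Added example, not part of the original post. Configure the forest-root PDC
# emulator as a reliable time source synced from external NTP peers, then verify.
# $peers is a placeholder; ",0x1" on each name means "use SpecialPollInterval".
$peers = 'tock.usno.navy.mil,0x1 tick.usno.navy.mil,0x1'

Import-Module ActiveDirectory
$pdce = (Get-ADDomain (Get-ADForest).RootDomain).PDCEmulator
$me   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($pdce -ne $me) {
    throw "$me is not the forest-root PDC emulator ($pdce). Leave this DC on NT5DS and run this on $pdce."
}

# Equivalent of the registry edits: Type=NTP, NtpServer=$peers, AnnounceFlags=5.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service -Name w32time
w32tm /resync /rediscover

# Verify. On a Hyper-V guest, "VM IC Time Synchronization Provider" as the source
# means the integration service is still winning over NTP; on any machine,
# "Local CMOS Clock" means it is not syncing at all.
w32tm /query /source
w32tm /query /configuration | Select-String -Pattern '^\s*(Type|NtpServer|AnnounceFlags)\b'

# Offset against a peer. Kerberos tolerates 5 minutes of skew by default, but
# anything beyond a few seconds on a DC deserves a look.
w32tm /stripchart /computer:tock.usno.navy.mil /samples:5 /dataonly
```

The source check at the end is the part worth keeping in a monitoring job: the registry values can be correct while the service is still taking time from the hypervisor or the local clock.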

As a rule of thumb, test this before applying it to the production network. This is recommended if your organization is preparing to move to a 100% virtualized environment. If not, at all costs try to keep one DC on a physical server 🙂

Update: I found out Microsoft has already released an article about running domain controllers on Hyper-V. You can download the document from here.

AD DS: Database Mounting Tool (Snapshot Viewer or Snapshot Browser)

With Windows Server 2008 Microsoft introduced a new tool called the Active Directory database mounting tool (Dsamain.exe). This was referred to as the Snapshot Viewer and the Active Directory data mining tool during the early releases of Windows Server 2008. The cool thing about this tool is that you can take snapshots of your AD database and view them offline.

According to Microsoft this is really helpful for forest recovery and AD auditing purposes. In the case of AD object deletion you can load a snapshot and compare your current AD with it.

Before Windows Server 2008, when objects or organizational units (OUs) were accidentally deleted, the only way to determine exactly which objects were deleted was to restore data from backups. The pain behind this was:

  • Active Directory had to be restarted in Directory Services Restore Mode to perform an authoritative restore.
  • An administrator could not compare data in backups that were taken at different points in time (unless the backups were restored to various domain controllers, a process which is not feasible).

One thing to note is that this is not a method to recover deleted objects but merely a way to show you what has happened by doing a comparison. Apart from that, you’ll need to be a member of the Enterprise Admins or Domain Admins group, or use a user account that has been granted the specific rights.

Now, getting back to the action: to take snapshots, mount them and view them you need to know about three tools:

1. NTDSUTIL – create, delete, mount, unmount and list snapshots.

2. Dsamain.exe – exposes a mounted snapshot as an LDAP server.

3. LDP or the Active Directory Users and Computers MMC to view the exposed snapshot.

So the steps going to be as follows,

1.    Manually or automatically create a snapshot of your AD DS or AD LDS database.
2.    Mount the snapshot.
3.    Expose the snapshot as an LDAP server.
4.    Connect to the snapshot.
5.    View data in the snapshot.

Manually creating the snapshot of the AD DS

1. Logon to a Windows Server 2008 domain controller.
2. Click Start, and then click Command Prompt.
3. In the Command Prompt window, type ntdsutil, and then hit Enter.
4. At the ntdsutil prompt, type snapshot, and then hit Enter.
5. At the snapshot prompt, type activate instance NTDS, and then hit Enter.
6. At the snapshot prompt, type create, and then hit Enter.
7. Note down the GUID returned by the command.

Mount the snapshot

1. If you didn’t close the previous window, stay in it and type list all, then press Enter.
2. Once you get the list of the snapshots you can select a snapshot to mount. In this scenario type mount 2 and press Enter.
3. If the mounting was successful, you will see Snapshot {GUID} mounted as PATH, where {GUID} is the GUID that corresponds to the snapshot and PATH is the path where the snapshot was mounted.
4. Note down the path.

Expose the snapshot as an LDAP server

OK, so far we’ve managed to create a snapshot and mount it. Now we need to expose the snapshot so we can view it from the LDP utility or by using the ADUC MMC. In this scenario we’re going to use the second utility (Active Directory Users and Computers).

1. Open a new command prompt

2. In the Command Prompt window, type dsamain /dbpath C:\$SNAP_201001281107_VOLUMEC$\WINDOWS\NTDS\ntds.dit /ldapport 51389 (instead of using the default 389 port we’re using a alternative port the snapshot to minimize any conflicts with the live AD DS)
note: “C:\$SNAP_201001281107_VOLUMEC$” is the path we got few steps before and represent the snapshot mounted path in our system.

3. "Microsoft Active Directory Domain Services startup complete" will appear in the Command Prompt window after running the above command. This means the snapshot is exposed as an LDAP server, and you can proceed to access data on it. NOTE: Do not close the Command Prompt window or the snapshot will no longer be exposed as an LDAP server. 


Connect to the snapshot

We can use any utility which can read LDAP data. In this demonstration, as I mentioned earlier, I’ll go ahead and use the Active Directory Users and Computers snap-in.

1. Open ADUC.
2. Right-click the ADUC root node and select the “Change Domain Controller” option.
3. Type the DC name with the custom port number, e.g. “CONTOSO-DC:51389”.
4. Now you’re looking at the data in the snapshot. Go ahead and open another ADUC window; that will open the live AD DS.
5. Go ahead and make a change in the live AD DS and then check the two MMCs again. You’ll see the snapshot data does not change.
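All five steps above in one script, as an added example that is not from the original post: it creates and mounts a snapshot with ntdsutil, starts dsamain on the alternate port, queries the same OU in the live directory and in the snapshot over plain LDAP, prints which user objects were deleted or created since the snapshot was taken (the comparison use case described at the top of this post), and then stops dsamain and unmounts the snapshot. It uses System.DirectoryServices rather than the ActiveDirectory module so that it talks LDAP to the dsamain port directly. It assumes an elevated PowerShell session on a Windows Server 2008 or later DC as a Domain Admin; the OU and port are placeholders.

```powershell
# Added example, not part of the original post. Create + mount an AD DS snapshot,
# expose it with dsamain on an alternate LDAP port, diff one OU's user objects
# against the live directory, then clean up. $SearchBase and $Port are placeholders.
param(
    [string]$SearchBase = 'OU=Staff,DC=contoso,DC=com',
    [int]$Port = 51389
)

# ntdsutil takes its menu commands as arguments, so no interactive session is needed.
$out  = ntdsutil 'activate instance ntds' snapshot create quit quit
$guid = [regex]::Match(($out -join "`n"), 'Snapshot set \{([0-9a-fA-F-]+)\} generated successfully').Groups[1].Value
if (-not $guid) { throw "snapshot create failed:`n$($out -join "`n")" }

$out  = ntdsutil 'activate instance ntds' snapshot "mount {$guid}" quit quit
$path = [regex]::Match(($out -join "`n"), 'mounted as (\S+)').Groups[1].Value
if (-not $path) { throw "snapshot mount failed:`n$($out -join "`n")" }
$dit  = Join-Path $path 'Windows\NTDS\ntds.dit'

# dsamain runs in the foreground until killed, so start it detached and stop it in finally.
$dsamain = Start-Process -FilePath dsamain.exe -ArgumentList "/dbpath `"$dit`" /ldapport $Port" -PassThru

function Get-UserDNs([string]$Server, [string]$Base) {
    # Plain LDAP with the current credentials; works against both the live DC and dsamain.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Base")
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, '(&(objectCategory=person)(objectClass=user))', [string[]]@('distinguishedName'))
    $s.PageSize = 1000
    foreach ($r in $s.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

try {
    # Wait until dsamain is actually answering on the port instead of sleeping blindly.
    $connected = $false
    for ($i = 0; $i -lt 30 -and -not $connected; $i++) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect('localhost', $Port); $connected = $true } catch { Start-Sleep -Seconds 2 }
        $tcp.Close()
    }
    if (-not $connected) { throw "dsamain did not start listening on port $Port" }

    $live = Get-UserDNs -Server $env:COMPUTERNAME -Base $SearchBase
    $snap = Get-UserDNs -Server "$($env:COMPUTERNAME):$Port" -Base $SearchBase

    # Reference = snapshot, difference = live: "<=" is only in the snapshot (deleted),
    # "=>" is only in the live directory (created after the snapshot).
    Compare-Object -ReferenceObject @($snap) -DifferenceObject @($live) | ForEach-Object {
        $what = if ($_.SideIndicator -eq '<=') { 'deleted since snapshot' } else { 'created since snapshot' }
        '{0,-24} {1}' -f $what, $_.InputObject
    }
}
finally {
    Stop-Process -Id $dsamain.Id -Force -ErrorAction SilentlyContinue
    # Unmount; delete the snapshot too ("delete {guid}") unless you intend to keep it,
    # remembering that it is a full, unencrypted copy of the database.
    ntdsutil 'activate instance ntds' snapshot "unmount {$guid}" quit quit | Out-Null
}
```

The same pattern works for any object class or attribute: change the LDAP filter and the properties loaded in Get-UserDNs and the comparison shows, for example, group membership as it was at snapshot time versus now.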

So, as I mentioned, this is a really cool feature and saves a lot of time. If you don’t like creating snapshots manually you can create a scheduled task to create snapshots automatically. One concern is that these snapshots are not encrypted: a snapshot is a complete copy of NTDS.DIT, password hashes included, so if it gets into the wrong hands it is as bad as losing a DC backup. Keep them in a safe location, encrypt them for added security, unmount and delete them (ntdsutil snapshot unmount/delete) when you are done, and don’t leave dsamain running longer than you need it.