Creating & Verifying Your DNS Domain in Azure AD

This post explains how to meet the DNS requirements for configuring single sign-on (ADFS) or shared sign-on (synchronisation) in Azure AD (AAD): you need to create a domain name in Azure AD and prove ownership of that domain to Microsoft.

Why Do You Need Matching Domain Names?

Imagine you have a “legacy” AD (LAD) running on one or more domain controllers called joeelway.com. If you have a user called Mary then her user name might be joeelway\Mary. On the Internet, we’re more likely to use a UPN (user principal name), and in Mary’s case that would be Mary@joeelway.com.

Let’s say that we create an Azure subscription called joeelwayazure. Any user that we create in there will be given a UPN with a suffix of joeelwayazure.onmicrosoft.com. For example, Mary would have Mary@joeelwayazure.onmicrosoft.com. This would be both confusing for Mary and for Azure because it doesn’t know that the two UPNs are actually for the same user.

If we want to configure single sign-on using Azure AD, use RemoteApp, or whatever, then we need to make sure that the UPN of the on-premise user account will match that of the in-cloud user account. And we can only accomplish this by creating a domain in AAD that matches the domain name of the LAD. So if my LAD domain name is joeelway.com then I need to make a domain in AAD called joeelway.com.

Create The Domain

Do the following:

1) Sign into the Azure management portal

2) Browse to Active Directory > Default Directory > Domains

3) Click Add A Custom Domain

4) Enter the domain name. Check the “I plan to configure this domain …” box if you plan to use ADFS for single sign-on.

5) Click Add and then proceed to the next screen.

6) Note the verification details.

Verify (Prove Ownership Of) Your Domain

You can only use a domain in AAD if you own it. This prevents any Joe from using joeelway.com for the UPNs. You will need to sign into your domain registrar where you manage the DNS domain name (e.g. joeelway.com). In my case, that’s a company called Blacknight.

I logged in, browsed to the joeelway.com domain, and created a new TXT record using the details from the still-open verification screen in the management portal.


Now I can return to the Azure management portal, and click Verify. It can take a little time for the record (thanks to the fun of DNS) to be available so you can close the dialog in the management portal. The domain remains in an “Unverified” and unusable state. You can return to the domain, select it, and click Verify at a later time.

Tip: if you are in a lab scenario, you might have old TXT verification records that could prevent verification – make sure you delete these first.


With this done, you now have a verified domain ready for single or shared sign-on. Users can be created in your AAD default directory with a UPN suffix that matches your LAD domain name.
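The same create-and-verify sequence can be scripted with the MSOL (MSOnline) PowerShell module mentioned later in this page, which also lets you check that the TXT record is actually visible in public DNS before you click Verify. This is an added example, not code from the original post; it assumes the MSOnline module is installed, the domain name joeelway.com from the post, and that the record value is whatever Get-MsolDomainVerificationDns returns for your tenant. Resolve-DnsName comes from the DnsClient module shipped with Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is installed
# and that "joeelway.com" is the domain created in the tenant.
Import-Module MSOnline
Connect-MsolService          # prompts for the AAD global admin credentials

$domain = "joeelway.com"

# Step 1: create the (still unverified) custom domain in the tenant.
# Use -Authentication Federated instead if you plan to use ADFS for single sign-on.
New-MsolDomain -Name $domain -Authentication Managed

# Step 2: read the TXT record Microsoft expects to find in public DNS.
$expected = Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord
"Create a TXT record at the registrar with value: $($expected.Text)"

# Step 3: before clicking Verify, confirm the record is visible from this machine.
$txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction Stop |
       Where-Object { $_.Type -eq "TXT" }
$msRecords = $txt | ForEach-Object { $_.Strings } | Where-Object { $_ -like "MS=*" }

# The lab tip above: stale MS=... records from earlier attempts can block verification.
$stale = $msRecords | Where-Object { $_ -ne $expected.Text }
if ($stale) {
    Write-Warning "Old verification records still present, delete them first: $($stale -join ', ')"
}

if ($msRecords -contains $expected.Text) {
    # Step 4: ask Microsoft to verify ownership. This fails until DNS has propagated.
    Confirm-MsolDomain -DomainName $domain
    Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication
} else {
    "Record not visible yet; wait for DNS propagation and run the check again."
}
```

The DNS check only tells you what your own resolver sees; Microsoft verifies from its own resolvers, so a record that is visible to you can still take a little longer to be accepted.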

Question: what if your on-premises domain name is something like joeelway.local or joeelway.internal? You can’t host those domains on the Internet so you cannot verify them. I’ll deal with this in a later post.


Azure’s Biggest “Secret” – Azure Active Directory

Do you know how powerful Azure Active Directory (AAD) is? Do you know it’s not just an Azure or an Office 365 thing? I find that when I talk to people about Azure or when someone else is talking about it, topics like Azure Site Recovery (ASR), VMs in the cloud, or Azure Backup are in the conversation. But very few people talk about AAD, what I think is Microsoft’s killer hybrid service.


Connecting Azure AD

I heard a phrase around Ignite 2015 that I hadn’t heard before: Legacy AD (LAD); apparently that’s what Microsoft now calls the AD that you have been running on servers since Windows Server 2000 (W2000). This is because Microsoft is investing in Azure AD, and expecting you to connect your LAD to AAD. This will make, at the lowest level, your users and their passwords available in the cloud:

  • Federation: Using ADFS, you can connect AAD with LAD. AAD doesn’t store user accounts in this design. Instead, the details continue to be stored in LAD, and AAD reaches out to LAD to authenticate or authorise users whenever there is a request – no connection = no sign-in. This is a single sign-on solution.
  • Synchronisation: Microsoft has had many tools for this over the years, but now Azure AD Connect (AADConnect) is the one. Usernames and passwords are synchronised between LAD and AAD, and stored in both locations. The solution is more tolerant of failure than federation but not as scalable. This is known as shared sign-on.

Note that I’ve talked about users so far. We can now register devices in AAD (e.g. Windows 10) and via write-back, send these details back to LAD.

You Might Have Already Connected

You might not know this, but AAD is what provides user services for Office 365 (and other MSFT SaaS products). If you’ve deployed Office 365 with DirSync (or another sync tool) or ADFS then you have already accomplished the above. With a few mouse clicks in the O365 admin portal, you can make your domain appear in the Azure management portal.

AAD – Single Security Database for Microsoft SaaS

Microsoft uses AAD for all of their business cloud services:

  • Office 365
  • Azure
  • Intune
  • CRM
  • Azure Rights Management Services
  • And more

This makes it really easy for a business to enable a user to avail of new services once you have configured AAD: you configure the domain, and then you can bring O365 or any of the other Microsoft online business services to those users in seconds.

Single Sign-On With Third-Party SaaS

Microsoft isn’t stupid; they know that you use third-party cloud services, such as SalesForce. And you know what? Microsoft wants to make that easier for you by enabling single sign-on. So not only can users use their single username/password combination to sign into their PC and access their servers, but now the same credentials can work with Microsoft cloud services and third-party services. This brings “shadow IT” under the control of IT. You can use the free Cloud App Discovery to scan a network, find what online services are being used by the business, and rein those services in under AAD control.

There is an upsell here. Microsoft sells AAD Premium (included in the EMS Suite) to enable SSO with more than 10 cloud services. This upgrade also brings in things like self-service password reset.

The Future is Now

Because AAD is a cloud service, it can be developed and improved at cloud pace, which is weeks, not years. Feedback and innovation are driving rapid change. You can register devices, including Windows 10 PCs, with AAD. That’s pretty cool:

  • Mobile workers can register with AAD
  • It makes BYOD and remote working easier
  • Cloud-centric SMEs might not need an on-premises DC anymore

Replacing GPO

If LAD is how we control policy on user devices, and we’re replacing LAD with AAD, how do we configure machines? The answer is Microsoft Intune. Intune can configure policy on managed devices. We’re told (I haven’t verified this for myself yet) that:

  • A customer has configured AAD
  • The customer has licensed Intune for that domain
  • A user registers their device in the AAD domain
  • That device is automatically enrolled for management by Intune – and getting policy from Intune

How I’ve Done It

At work, we deployed the following solution to get AAD configured:

  • We have 2 on-premises DCs, required for our Hyper-V cluster
  • There is an Azure subscription and an O365 E3 subscription
  • We deployed 2 Basic A-series VMs in an availability set in Azure on a VNET
  • There is a site-to-site VPN connection between the on-prem network and the VNET
  • The Azure VMs are joined to the domain and promoted to be DCs
  • AADConnect is installed on one of the in-Azure VMs to connect with AAD (O365)
  • Configure the domain in Azure AD via the O365 Admin Portal

And from there, we’ve opened up all of the power of Azure AD … albeit requiring additional licensing for the Premium edition.


Understanding Azure Storage Accounts

This post will walk you through figuring out Azure Storage accounts, pricing, and redundancy. One of the first things you will want to do when deploying virtual machines, websites (they can use them), or anything else in Azure is create a storage account. But I find that most people, if they bother to search for the Azure storage pricing page, find the official page and get blizzard blindness.

The Official Guides

I find these pages to be useful:

The Storage Account Concept

I imagine that you are the regular IT guy that asks for X GBs of a LUN at a certain RAID level. Things are different in Azure. A Storage Account is an access point to Azure storage. The account has a URL with permission-based access:

  • URL that is unique to the storage account accessed via TLS 1.0 (successor to SSL) or later
  • A primary and a secondary access key

You create the storage account with a selected resiliency level. You do not configure a size – a single storage account can store up to 500 TB of data and you pay for the amount of each service type that is contained within the storage account. You can create containers within a storage account that are similar to folders, allowing you to logically place your data/files. And there are remote access tools for managing storage.

So all this means that your storage “request” becomes … I want a storage account with name X (which is used as the basis for the URL) of resiliency Y in region Z.

Resiliency

There are 4 models of resiliency:

  • Locally Redundant Storage (LRS): 3 synchronous copies in a single data centre in the region of choice. There is no facility fault tolerance – if that single data centre has a catastrophic failure then you lose everything.
  • Geo-Redundant Storage (GRS): 3 synchronous copies in a single data centre in the region of choice, PLUS 3 asynchronous copies in the neighbouring region. GRS gets your data replicated to another region and this is how one gets facility fault tolerance.
  • Read-Access Geo-Redundant Storage (RA-GRS): 3 synchronous copies in a single data centre in the region of choice, PLUS 3 asynchronous read-only copies in the neighbouring region
  • Zone Redundant Storage (ZRS): There are three copies of your data, “replicated three times across two to three facilities, either within a single region or across two regions”. ZRS can only be used with Block Blobs (no use for IaaS).
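Here is the “name X, resiliency Y, region Z” request from above expressed with the classic Azure PowerShell module, together with the two access keys the post mentions. This is an added example, not code from the original post; the subscription, account name, location and redundancy level are assumptions, and the -Type values are the classic service-management names for the four Standard resiliency levels listed above.

```powershell
# Added example (not from the original post). Subscription, account name, location and
# resiliency level are assumptions; change them to suit.
Import-Module Azure
Add-AzureAccount                       # sign in to the subscription
Select-AzureSubscription -SubscriptionName "joeelwayazure"

$name     = "joeelwaystorage"          # 3-24 lowercase letters/digits; becomes the URL prefix
$location = "North Europe"
$type     = "Standard_GRS"             # Standard_LRS, Standard_GRS, Standard_RAGRS or Standard_ZRS

# The name must be globally unique; Test-AzureName -Storage returns $true if it is taken.
if (Test-AzureName -Storage $name) { throw "Storage account name '$name' is already taken" }

# The storage "request": name X with resiliency Y in region Z.
New-AzureStorageAccount -StorageAccountName $name -Location $location -Type $type

# The endpoints (one per service type) the account is reached at, all over HTTPS.
(Get-AzureStorageAccount -StorageAccountName $name).Endpoints

# Either key grants full access to everything in the account, so treat them like
# passwords: use one, keep the other so the first can be regenerated without downtime.
$keys = Get-AzureStorageKey -StorageAccountName $name
$ctx  = New-AzureStorageContext -StorageAccountName $name -StorageAccountKey $keys.Primary

# Containers are the folder-like grouping mentioned above; -Permission Off means no
# anonymous read access to the blobs in it.
New-AzureStorageContainer -Name "vhds" -Permission Off -Context $ctx

# Key rotation: regenerate the primary once clients have moved to the secondary (then repeat
# the other way round). Anything still using the old primary loses access at this point.
New-AzureStorageKey -KeyType Primary -StorageAccountName $name | Out-Null
```

The account is created unsized, as described above; what you pay for is the data each service type actually holds, and the -Type value is the only place the resiliency decision is made.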

Service Types

I know from experience that when you consider deploying a storage account for the first time you will be wondering “how do I know where to put my files to be sure that I’m charged at the right rate?”. Don’t worry … all this is handled for you. Store your files and they are treated appropriately. Here are the 4 service types:

  • Block blobs: Streaming and storing documents, videos, pictures, and other unstructured text or binary data. This is the service used by Azure Backup.
  • Files (still in preview at the time of writing): Used to create in-Azure SMB 2.x file shares for sharing content between applications in Azure – nothing else.
  • Page blobs & disks: Used to store Azure VM files (virtual hard disks in the VHD format – VHDX is not supported).
  • Tables & Queues:  NoSQL storage for unstructured and semi-structured data, and very much a PaaS thing.

What Kind of Azure Storage for IaaS?

For the most part, we in the IaaS world are concerned with:

  • Block blobs for Azure Backup, LRS or GRS
  • Page blobs & disks for Azure virtual machine (VM) files, LRS or GRS
  • Page blobs & disks for Azure Site Recovery, GRS only

However, you might see other services being used for monitoring data, configuration files, metadata, etc. Don’t worry, that stuff is tiny, Azure storage is CHEAP, and Azure manages all that stuff.

Premium Storage Accounts

Everything above is related to Standard Storage accounts. However, Azure offers the ability to deploy Premium Storage, where virtual machine files are stored on SSDs instead of HDDs. This increases IOPS and reduces latency, and comes at a much greater cost. Don’t be foolish and deploy Premium Storage based on gut feeling – the cost is big enough that you should only choose it once a proof-of-concept with realistic load simulation has shown that Standard Storage is insufficient.

Choosing Azure Management Tools

In this post, I will share with you some details on the different options for managing Azure. It’s not all-encompassing; I’m leaving programming the REST API and Visual Studio to the nut jobs.

Account Portal

This is where you start off creating your subscription (under Open or direct-billing), and where you go to get a breakdown on your billing. You get a simple UI to break down your costs in this period, and the ability to download a deeper dive.


Management Portal

The Management Portal is historically where techies have gone to get stuff going. You get a pretty easy-to-use UI, with each major element of Azure having its own section. When you deploy something in here, there’s usually a Quick Start, some of which can be really simple to use.

You might have noticed that there is a second UI portal – yes; it can be confusing. Here’s how I think of things:

  • The management portal is where I go to work with new things like Azure Site Recovery or Remote App
  • The preview portal is where I go to have the best marketplace experience
  • The preview portal is where new sub features often get surfaced, e.g. assigning a reserved IP to a virtual machine

Preview Portal (Codename Ibiza)

Microsoft launched the “Preview Portal” around 14 months ago. It’s gone through many redesigns. Rather than being quick to navigate, it’s got a very “Windows 8” crossed with PhotoShopped-insane UI. But the reality is, if you want to work with new sub-features via a UI, then this site is where you go. If you want as much stuff presented to you as possible, this is where you go. And it does seem that more effort goes into this site as time goes by.


PowerShell

There are at least 2 types of PowerShell that you’ll use with Azure:

  • The MSOL module for Azure Active Directory
  • The Azure PowerShell module

With PowerShell you really can do things much more quickly. Creating, changing (if you can), and removing things in Azure is painfully slow via the UI tools. PowerShell isn’t much quicker, but it allows you to script a number of things you want done while you get coffee or work on something else.


There are other options, but as an IaaS person, I’m focused on the above tools.

Azure AD Connect is Generally Available

The news that AADConnect is now GA is great for anyone battling with synchronizing to Azure Active Directory (Azure AD or AAD). This tool really is going to be the start of connecting your business to Microsoft’s cloud solutions:

  • Azure
  • Office 365
  • Intune
  • RMS
  • CRM
  • And many more, including third-party solutions via AAD single sign-on

Why? Because you need to get users into the common AAD before these services become meaningful. I’ve used AADConnect in two different preview releases and found it really simple to get going. Any work that I’ve done with Azure RemoteApp has been done with this tool. Why didn’t I use DirSync? Because I found it to be unreliable. AADConnect solves a big problem too – which AD sync tool should I use? – now you use just one tool.

According to Microsoft:

With a rich set of sync and write-back capabilities, you can:

  • Enable your users to perform self-service password reset in the cloud with write-back to on premises AD
  • Enable provisioning from the cloud with user write back to on premises AD
  • Enable write back of “Groups in Office 365” to on premises distribution groups in a forest with Exchange
  • Enable device write back so that your on-premises access control policies enforced by ADFS can recognize devices that registered with Azure AD. This includes the recently announced support for Azure AD Join in Windows 10.
  • Sync custom directory attributes to your Azure Active Directory tenant and consume it from your cloud applications

You can also use AADConnect to connect different AD forests.

In related news Azure AD Connect Health was also released to help customers troubleshoot what’s going on with ADFS. This new feature is included in Azure AD Premium.

This release for ADFS has 3 key capabilities:

  • Alerts based on events, configuration information, synthetic transactions and perf data. So, when something goes wrong, or is about to go wrong, we let you know.
  • Graphs of login activity that you can pivot multiple ways for easy viewing. These “usage insights” are accessible when you enable auditing on your ADFS servers. They are based on audits generated when users log in and tokens are generated for applications.
  • Access to key performance indicators across multiple servers, including token request counters, processor, memory, latency, and so forth

Living with & Paying for Azure VM Backup

This site is running on an Azure Basic A2 VM with 127 GB of storage. I back it up in two ways:

  • There is an Azure Backup (AB) agent installed in the guest OS, and that backs up an export of MySQL and the IIS content.
  • I use the (preview) feature that allows you to grab a daily backup of a VM. This is what I want to focus on.

I have deployed a GRS backup vault. The usage summary is:


The storage cost of the backup this month will be around €2.5776 (72 * €0.0358 per GB) and the instance cost will be €7.447 (The VM size falls into 50-500 GB).

There is a daily backup with 4 weeks of retention. Right now, there are 29 days of history:


Backup can be slow (ranges from 47 minutes to 4 hours and 13 minutes), but I haven’t had any issues.


I haven’t had to do a restore, but so far, so good.


Azure Now Supports Backup Of Running Azure VMs

I recently blogged on Petri.com how you can configure backup of Azure virtual machines. This is a superb addition to Azure, making it ready, in my opinion, for production VM hosting.

The Way it Was

Before this feature was added, there was no way to back up a running Azure virtual machine as a complete VM. There were some bad hacks:

  • Storage snapshots: You could shut down a VM and snapshot the storage account. This sucked. I’m pretty sure it wasn’t supported.
  • In-VM backup: You could deploy an agent into a VM and back up files and folders. This sucked too. Microsoft tried to push DPM sales with this, requiring one Datacenter SML for every 8 VMs.

What we needed was what we could do on-premises with Hyper-V or vSphere; we needed a per-VM mechanism for backing up an entire VM, with the ability to quickly restore that VM complete with OS, applications, and data.

And that’s what Azure Backup for VMs gives us.

The Way it is Now

Now we can:

  • Discover VMs
  • Register VMs
  • Protect VMs with policy, with up to 1 backup per day and up to 4 weeks retention.

The backup of Azure VMs is managed from the Azure portal. You get logs as well. There is no need to install or manage anything in the guest OS. A backup extension is automatically added to the VM when you protect it.

The entire VM is backed up and can be restored. Note that in terms of pricing:

  • Each VM is an instance
  • The size of the instance is the size of the virtual disk, not the size of the contents. So a 127 GB VM with 50 GB of contents is 127 GB, falling into the 50-500 GB instance bracket. This is different to Hyper-V, where it is the physical size that is counted (including checkpoints).

If you want granular backup then you can also deploy the Azure Backup agent into the guest OS. Note that this requires another instance, and you will only be able to back up files and folders with this additional backup, which is managed from the MARS agent in the guest OS.

Note: I have talked to one of the Azure Backup PMs and he told me that there is no support for VM Generation ID. That means that you should not, ever, in any scenario, restore a virtual domain controller if there is more than one DC (the one you want to restore) in that forest.

My VM

I decided, after experimenting with Azure websites, that I wanted to retain 100% control over my website hosting. My site (WordPress) is hosted in an A2 VM and I run MySQL in the VM. This gives me the flexibility to add more sites to the VM and re-use MySQL. I don’t have any of the limitations that the ClearDB MySQL hosting has in Azure.

I configured a daily backup to run and to retain 4 weeks of data. The first backup ran last night with no issues.

I have also installed the Azure Backup agent into the guest OS. There I run a script to export MySQL to a file, and I back up this file and the IIS website folder. So in the event of a screw-up, I have the ability to restore:

  • Individual website files
  • The MySQL databases
  • The entire VM

Moving An Azure VM To A Different Virtual Network

It’s a simple enough operation (PowerShell) to move a virtual machine to a different subnet within a virtual network. But what if you want to move the virtual machine to a different virtual network? That’s a bit more complex to do because you cannot just lift the VM to another network.

Instead you will have to:

1: Delete the virtual machine, choosing to keep the attached disks. Doesn’t Azure Backup of Azure Virtual Machines sound like a good idea right now? Go do that first.

2: Create a new virtual machine from the existing disks. The above deletion process keeps the original disks, and deletes the metadata of the VM. You are now going to create new metadata using the remaining disks. This is like moving the hard drives from one broken server to a replacement server. Go into the wizard and instead of selecting a template, choose your old disk. Make sure you know which one it is first – the name of the old VM (FS1 in this case) is usually in the file name.

3: Complete the wizard and select the new virtual network. If this is a new network/application then you probably will have to create a new cloud service too.

4: Attach any data disks. If the old VM had any data disks then they’ll need to be reattached. Shut down the VM and attach the disks.
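The same four steps done with the classic Azure PowerShell module, which records the disk names before the delete so you do not have to guess which disk belonged to the old VM. This is an added example, not code from the original post; the subscription, cloud service, virtual network, subnet and location names are assumptions, and the VM name FS1 is the one used in the post.

```powershell
# Added example (not from the original post). Subscription, service, network, subnet and
# location names are assumptions; the VM is "FS1" as in the post.
Import-Module Azure
Add-AzureAccount
Select-AzureSubscription -SubscriptionName "joeelwayazure"

$vmName     = "FS1"
$oldService = "joeelway-old"
$newService = "joeelway-new"           # created below, in the same location as the target VNet
$newVNet    = "Production-VNet"
$newSubnet  = "Subnet-1"
$location   = "North Europe"

# Record the disks before deleting the VM, so we know exactly which ones to reuse.
$vm        = Get-AzureVM -ServiceName $oldService -Name $vmName
$osDisk    = $vm | Get-AzureOSDisk
$dataDisks = $vm | Get-AzureDataDisk

# Step 1: delete the VM's metadata only. Without -DeleteVHD the disks stay in storage.
Stop-AzureVM -ServiceName $oldService -Name $vmName -Force
Remove-AzureVM -ServiceName $oldService -Name $vmName

# Sanity check: the old disks should now show as unattached. Releasing the lease can take
# a few minutes, so re-run this until the OS disk appears in the list.
Get-AzureDisk | Where-Object { $_.AttachedTo -eq $null } |
    Select-Object DiskName, OS, DiskSizeInGB

# Step 2: build a new VM configuration from the existing OS disk rather than from an image.
$config = New-AzureVMConfig -Name $vmName -InstanceSize $vm.InstanceSize -DiskName $osDisk.DiskName

# Step 4, folded into the configuration: re-attach each data disk on the LUN it had before.
foreach ($d in $dataDisks) {
    $config = $config | Add-AzureDataDisk -Import -DiskName $d.DiskName -LUN $d.Lun
}

# Step 3: place the VM in the new virtual network and subnet, creating a new cloud service.
$config = $config | Set-AzureSubnet -SubnetNames $newSubnet
New-AzureVM -ServiceName $newService -Location $location -VNetName $newVNet -VMs $config

Get-AzureVM -ServiceName $newService -Name $vmName | Select-Object Name, Status, IpAddress
```

Because the disks are never copied, the VM keeps its OS, applications and data exactly as they were; only the VM metadata (service, network, subnet and therefore IP address) changes, which is why a backup before step 1 is the sensible precaution the post recommends.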


Your Azure Credentials Have Not Been Set Up Or Have Expired

I use the Azure “Ibiza” and management portals for most of my Azure admin, but there are times when PowerShell makes more sense:

  • The feature is only available via PowerShell
  • I need to do a lot and don’t want to be doing progress bar admin

Today, I had an issue where no matter what cmdlet I ran, I got this error:

Your Azure credentials have not been set up or have expired

Very annoying. Some googling led me to a solution:

  1. Remove-AzureAccount -Name <my UPN>
  2. Add-AzureAccount

I logged back into Azure via that last cmdlet and everything was fixed.


Microsoft Blogs About New Azure Backup Pricing

It’s April Fool’s Day, and the new pricing system for Azure Backup comes into force today. Make of that what you want 😀

I am not a fan of the new pricing system. I am all for costs coming down, but I can say from 8 months of selling Azure, complex pricing BLOCKS sales efforts by Microsoft partners. The new system isn’t just “price per GB” but it also includes the abstract notion of an “instance”.  A new blog post by Microsoft attempts to explain clearly what an instance is.

I’ve read it. I think I understand it. I know that no MSFT partner sales person will read it, our customers will call me, and when I explain it to them, I know that a sale will not happen. I’ve seen that trend with Azure too often (all but a handful of occasions) to know it’s not a once-off.

Anyway … enjoy the post by Microsoft.