Azure Backup MARS Agent System State Support is GA

Microsoft announced last week that they made support for backing up system state using the MARS agent generally available.

System State backup was one of those “I must have this” features that I’ve been hearing about for 3+ years. Today it’s there – update your version of the MARS agent and you’ll have it.

With this added backup, you can protect metadata:

  • Active Directory: Backup your AD so you can do DC recoveries.
  • File Servers: It’s nice being bale to restore files & folders, but what about the shares?
  • IIS Web Servers: Protect that IIS Metabase.

Adding System State to your backup policy is easy; either start a new schedule (new MARS installations) or edit the existing schedule. System State will appear in the Add Items box. Select System State and complete the wizard. It’s easy … the way backup should be!

Was This Post Useful?

If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in Amsterdam on April 19-20, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here.

Azure AD Domain Services


Options when Moving to The Cloud

  • Switch to using SaaS versions of the s/w
  • Rewrite the app
  • Lift and shift: the focus today.

How Organizations Handle AD Requirements Today

  • They set up site-site VPN and deploy additional domain controllers in the cloud.
  • They deploy another domain/forest in the cloud and provision a trust, e.g. ADFS.

Imagine a Simpler Alternative

  • Simpler
  • Compatible
  • Available
  • Cost-effective

Introducing Azure AD Domain Services

  1. You provision a VNet.
  2. Then you activate Azure AD Domain Services in Azure AD on that VNet
  3. You can manage the domain using RSAT.
  4. You can optionally sync your Windows Server AD with Azure AD to share accounts/groups.

Managed Domains

  • Domain controllers are patched automatically.
  • Secure locked down domain, complaint with AD deployment best practices
  • You get 2 DCs, so fault tolerant
  • Automatic health detection and remediation. If a DC fails, a new one is provisioned.
  • Automatic backups for disaster recovery.
  • No need to monitor replication – done as part of the managed service.


If you deploy sync, e.g. Azure AD Connect, then it flows as follows: Windows Server AD <-> Azure AD <-> Azure AD Domain Services


  • SIDs are reused. This means things like file servers can be lifted and shifted to Azure without re-ACLing your workloads.
  • OUs
  • DNS


Based on the number of objects in the directory. Micro-pricing.


27-09-2017 16-13 Office Lens

New Features

  • Azure Portal AD Experience is GA
  • ARM virtual network join is GA


He creates an AADS domain. THere are two OUs by default:

  • AADC Users
  • AADC Computers

Back to the PowerPoint


  • You cannot deploy AADDS in the classic Azure portal any more.
  • The classic deployment model will be retired – the ARM deployment is better and more secure.
  • The classic VNet support is ending (for new domains) soon.
  • Existing deployments will continue to be supported


  • Is there GPO sync? No. This is a different domain, so there is no replication of GPO from on prem to AADDS
  • Can you add another DC to this domain? No. There will be (in the future) the ability to add more AADDS “DCs” in other VNets.
  • What happens if a region goes down? The entire domain goes down now – but when they have additional DC support this will solve the problem
  • Is there support in CSP? No, but it’s being worked on.

Manage Azure IaaS VMs

You can join these machines to AADDS. You can push GPO from AADDS. You’ll sign into the VMs using AADDS user accounts/passwords.


Members of AADDC Administrators can create OUs. You can target GPO to OUs.

Move Servers to the Cloud

Sync users/passwords/SIDs to the cloud, and then lift/shift applications/VMs to the cloud. THe SIDs are in sync so you don’t need to change permissions, and there’s a domain already for the VMs to join without creating DC VMs.


I missed most of this. I think you can access applications using LDAP over SSL via the Internet.

Move Server Applications To Azure

User AADDS to provision and manage service accounts.

Kerberos Constrained Delegation

Cannot work with AADDS using old methods –  You don’t have the privileges. The solution is to use PowerShell to implement resource-based KCD.

Modernize Legacy Apps with Application Proxy

You can get users to sign in via AAD and MFA into legacy apps. A token is given to the app to authorize the user.

SharePoint Lift and Shift

A new group called AAD DC Service Accounts. Add the SharePoint Profile sync user account to this group.

Domain Joined HDIsnight Cluster

You can “Kerber-ize” a HD cluster to increase security. This is in preview at the moment.

Remote Desktop Deployments

Domain-join the farm to AADDS. The licensing server is a problem at the moment – this will be fixed soon. Until then, it works, but you’ll get licensing warnings.


  • Schema extensions? Not supported but on the roadmap.
  • Logging? Everything is logged but you have to go through support to get at them at the moment. They want to work on self-service logging.
  • There is no trust option today. They are working on the concept of a resource domain – maybe before end of the year.
  • Data at rest, in ARM, is encrypted. The keys (1 set per domain) are managed by MS. MS has no admin credentials – there’s an audited process for them to obtain access for support. The NTLM hashes are encrypted.

Deciding When to DIY Your Own AD Deployment

27-09-2017 16-39 Office Lens


Features Being Considered

  • Cloud solution provider support – maybe early 2018.
  • Support for a single managed domain to space multiple virtual networks
  • Manage resource forests
  • Schema extensions – they’ll start with the common ones, and then add support for custom extensions.
  • Support for LDAP writes – some apps require this

Any questions/feedback to

Webinar Recording: Defending Today’s Threats With Tomorrow’s Security By Microsoft

MicroWarehouse has posted the recording of our last webinar, which explained why the security solutions of the 1990s that some companies are still relying on, are being easily defeated by attackers today.

The post explains what is happening now, based on 2015 survey information from multiple sources. And I explain how a number of cloud-based security services from Microsoft can protect both your on-premises and cloud infrastructures from these modern attack methods, that your firewall and anti-malware scanning will let pass right through or never see.

In fact, I just saw a support request on a security issue that 2 of the solutions in this webinar would have prevented.


We have also shared the slides and a hand-out with some follow-up reading/watching.

Webinar: Introduction to EMS

A recording of this webinar can be viewed here, along with the slides and follow up reading/learning.

I am presenting a webinar on Microsoft’s Enterprise Mobility Suite (EMS) on Friday at 2pm UK/Irish time, 3PM Central European, and 9am EST.

My job has many threads. Sometimes I am down-deep in the weeds on techie stuff. Sometimes I’m delivering training. Part of what I do is raise awareness. This webinar falls into that category; the target audience is sales and technical staff that know little-to-nothing about EMS and what Microsoft can do for device/application management, identity and security from the cloud.


So if you want to find out what EMS can add, then tune in for this 1 hour webinar.

How To Manage Azure AD in CSP

In this post I’ll describe two ways that you can use to manage Azure AD in a CSP subscription using a GUI.

CSP, CSP, CSP – that’s all you can hear these days in the Microsoft channel. In short, CSP is a new channel by which customers can buy Azure or partners can resell Azure, with a post-utilization monthly invoice.

That all sounds good – but the downside with CSP is that it only includes Azure v2 (Azure Resource Manager or ARM), unlike all of the other channels which also support Azure v1 (Service Manager). So we lose lots of features and we also lose the classic portal – no storage imports, no RemoteApp, no Azure AD, etc. We also lose the class Azure management site for managing the Azure in CSP subscription – and there’s the issue for Azure AD.

The lack of a UI for managing Azure AD does cause issues:

  • The cries of “use PowerShell” or “use this opensource stuff” suit the 1%-ers but not the rest of us.
  • We lose the ability to start doing clever RBAC using resource groups in Azure.
  • We lose all the Azure AD features, such as single sign-on.
  • We lose the Azure Ad Premium features, sold via CSP too (standalone or in EMS).

Is there a solution? Hmm, there is a workaround which isn’t pretty but it works. There are ways to manage the Azure directory:

  • You have also deployed Office 365 via CSP with the same domain. You can create users and Office 365 groups in the Office Admin portal.
  • You can also share the directory of the CSP account into another Azure subscription that does support Azure v1; from there, we can manage the directory.

In my lab, I have the following CSP services with a common domain (deployed by the reseller – my employers, in this case, because we are a Tier 2 distributor of CSP):

  • Office 365
  • EMS
  • Azure


I also have an Azure in Open subscription. I can easily create users in my CSP subscription using Azure AD Connect (from on premises domain) or using the Office 365 admin portal. But what about the other features of Azure AD? I’ll need to share the CSP domain with a subscription that does support the classic management portal.

Here’s what you’ll do:

  1. Use another Azure subscription that is not in CSP. Maybe you already have one; if not, start a trial and make sure you don’t enable spending – you’ll still need to verify credit card details. You won’t be charged for managing Azure AD, and you’ll still have access to the subscription when the trial ends – you just can’t deploy things that will cost money, e.g. storage, VMs, and so on.
  2. Sign into using valid Microsoft Account (Live ID) credentials of the non-CSP subscription and browse to Active Directory.
  3. Click New > Active Directory > Directory > Custom Create
  4. Select the option to Use Existing Directory. Make sure you check the box to sign out.
  5. You’ll be signed out and a new login will appear. Sign in with the admin credentials for your CSP domain.
  6. Verify that you want to share the domain. You’ll be signed out again.
  7. Sign into the classic management portal again using your non-CSP credentials. If all has worked correctly, you should be able to see and manage the CSP domain.

This is how I enabled multi-factor authentication, created users, groups, and other cool things in an CSP Azure domain.

Technorati Tags: ,

Windows 10 Being Pushed Out To Domain-Joined PCs

Brad Sams (my boss at published a story last night about how Microsoft has started to push out Windows 10 upgrades to domain-joined PCs.

Note that the PC doesn’t upgrade via Windows Update; the user will be prompted if they want to update, and then a deliberately confusing screen “encourages” the user to upgrade.

Brad notes that the environment must meet certain requirements:

  • The machine must be running and licensed for Windows 7 Pro or Windows 8.1 Pro (Enterprise doesn’t do this stuff).
  • There is no WSUS, ConfigMgr, etc – the machine gets updates directly from MSFT – this means smaller businesses for the most part.
  • The machine must be a domain member.

As you can see, this affects SMEs with a domain (no WSUS, etc). But I’d be surprised if larger businesses weren’t targeted at a later point in order to help MSFT hit their 1 billion PCs goal.

In my opinion, this decision to push upgrades to business is exactly the sort of action that gives Microsoft such a bad name with customers. Most SMEs won’t know this is coming. A lot of SMEs run systems that need to be tested, upgraded, or won’t support or work on newer operating systems. So Microsoft opting to force change and uncertainty on those businesses that are least ready is down right dumb. Brad reports that Microsoft claims that people asked for this upgrade. Right – fine – let those businesses opt into an upgrade via GPO instead of the other way around. Speaking of which …

There is a blocker process. I work in a small business and I’ve deployed the blocker. Windows Update added new GPO options to our domain controllers, and I enabled the GPO to block Windows upgrades via Windows Update:


As you can see – I’ve deployed this at work. We will upgrade to Windows 10 (it’s already started) but we will continue to do it at our own pace because we cannot afford people to be offline for 2 hours during the work day while Windows upgrades.

Microsoft News – 19 October 2015

It turns out that Microsoft has been doing some things that are not Surface-related. Here’s a summary of what’s been happening in the last while …



Windows Server

Windows Client


Office 356


Microsoft News – 28 September 2015

Wow, the year is flying by fast. There’s a bunch of stuff to read here. Microsoft has stepped up the amount of information being released on WS2016 Hyper-V (and related) features. EMS is growing in terms of features and functionality. And Azure IaaS continues to release lots of new features.


Windows Client


System Center

Office 365




Microsoft News – 7 September 2015

Here’s the recent news from the last few weeks in the Microsoft IT Pro world:


Windows Server


System Center


Office 365



  • Meet AzureCon: A virtual event on Azure on September 29th, starting at 9am Pacific time, 5pm UK/Irish time.

Prevent Windows From Downloading Broken Drivers From Windows Update

Edit: the solution here does not work. The Windows Update Blocker offers a solution that works until Microsoft releases a new broken version of the broken driver. Frustrated much?

The release of Windows 10 has reminded many of us that Windows Update is usually the worst place to get a driver for your device, be it an Intel HD graphics adapter in your tablet or laptop, or a NIC in a Hyper-V host. The best driver always comes from the maker of your computer (HP, Dell, Lenovo, etc) because they distribute drivers for your specific and,  usually, customised chipset.

Recently I upgraded my 2 ultrabooks, a Lenovo Yoga S1 and a Toshiba KIRAbook, from Windows 8.1 to Windows 10. A trip to Device Manager found that the Intel HD graphics cards were broken and I was unable to share my display – projectors are a big part of my job!

I found a fix – but then a day or two later Windows Update decided to reapply Microsoft’s distribution of the driver and I was stuck once again with broken Ultrabooks. I took to Twitter and then I got a response from a Microsoft employee with a solution that should work.

Method 1 – Manual Change

Open up System > Advanced System Settings > Hardware > Device Installation Settings.  Set it to No, Let Me Choose What To Do and set Never Install Driver Software From Windows Update.


Method 2 – The Registry

Open REGEDIT and set both of these REG_DWORD values to 0:

  • HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\DriverSearching\SearchOrderConfig
  • HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Device Metadata\PreventDeviceMetadataFromNetwork

Method 3 – Group Policy

The above are fine if you have one or two machines to modify, but what if you have dozens or hundreds of machines to update? Hopefully these machines are domain members; if so then you can deploy a GPO to them to make the required changes.

Look for a setting called Specify Search Order For Device Driver Locations in Computer Configuration > Administrative Templates > System > Device Installation. Enable the policy and set Select Search Order to Do Not Search Windows Update.


You should also enable Prevent Device Metadata Retrieval From The Internet at the same location in GPO.


Updating Drivers

Yes, you do need to update drivers – drivers and firmware are the cause of many issues on PCs, Hyper-V hosts, etc. On my PCs/laptops I install the OEM’s updating tool and regularly run a check/update. So where can you get drivers from in a larger environment. Well; always form the OEM. How do you distribute them?

  • Manually
  • A shared folder
  • Cluster Aware Updating – see what Dell has done
  • System Center, possibly even with OEM additions