Active Directory | Aidan Finn, IT Pro

Designing A Hub And Spoke Infrastructure

How do you plan a hub & spoke architecture? Based on much of what I have witnessed, I think very few people do any planning at all. In this post, I will explain some essential things to plan and how to plan them.

Rules of Engagement

Microsoft has shared some concepts in the Well-Architected Framework (simplicity) and the documentation for networking & Zero Trust (micro-segmentation, resilience, and isolation).

The hub & spoke will contain networks in a single region, following concepts:

Resilience & independence: Workloads in a spoke in North Europe should not depend on a hub in West Europe.
Micro-segmentation: Workloads in North Europe trying to access workloads in West Europe should go through a secure route via hubs in each region.
Performance: Workload A in North Europe should not go through a hub in West Europe to reach Workload B in North Europe.
Cost Management: Minimise global VNet peering to just what is necessary. Enable costs of hubs to be split into different parts of the organisation.
Delegation of Duty: If there are different network teams, enable each team to manage their hubs.
Minimised Resources: The hub has roles only of transit, connectivity, and security. Do not place compute or other resources into the hub; this is to minimise security/networking complexity and increase predictability.

Management Groups

I agree with many things in the Cloud Adoption Framework “Enterprise Scale” and I disagree with some other things.

I agree that we should use Management Groups to organise subscriptions based on Policy architecture and role-based access control (RBAC – granting access to subscriptions via Entra groups).

I agree that each workload (CAF calls them landing zones) should have a dedicated subscription – this simplifies operations and governance like you wouldn’t believe.

I can see why they organise workloads based on their networking status:

Corporate: Workloads that are internal only and are connected to the hub for on-premises connectivity. No public IP addresses should be allowed where technically feasible.
Online: Workloads that are online only and are not permitted to be connected to the hub.
Hybrid: This category is missing from CAF and many have added it themselves – WAN and Internet connectivity are usually not binary exclusive OR decisions.

I don’t like how Enterprise Scale buckets all of those workloads into a single grouping because it fails to acknowledge that a truly large enterprise will have many ownership footprints in a single tenant.

I also don’t like how Enterprise Scale merges all hubs into a single subscription or management group. Yes, many organisations have central networking teams. Large organisations may have many networking teams. I like to separate hub resources (not feasible with Virtual WAN) into different subscriptions and management groups for true scaling and governance simplicity.

Here is an example of how one might achieve this. I am going to have two hub & spoke deployments in this example:

DUB01: Located in Azure North Europe
AMS01: Located in Azure West Europe

Some of you might notice that I have been inspired by Microsoft’s data centre naming for the naming of these regional footprints. The reasons are:

Naming regions after “North Europe” or “East US” is messy when you think about naming network footprints in East US2, West US2, and so on.
Microsoft has already done the work for us. The Dublin (North Europe) region data centres are called DUB05-DUB15 and Microsoft uses AMS01, etc for Middenmeer (West Europe).
A single virtual network may have up to 500 peers. Once we hit 500 peers then we need to deploy another hub & spoke footprint in the region. The naming allows DUB02, DUB03, etc.

The change from CAF Enterprise Scale is subtle but look how instantly more scalable and isolated everything is. A truly large organisation can delegate duties as necessary.

If an identity responsible for the AMS01 hub & spoke is compromised, the DUB01 hub & spoke is untouched. Resources are in dedicated subscriptions so the blast area of a subscription compromise is limited too.

There is also a logical placement of the resources based on ownership/location.

You don’t need to recreate policy – you can add more associations to your initiatives.

If an enterprise currently has a single networking team, their IDs are simply added to more groups as new hub & spoke deployments are added.

IP Planning

One of the key principles in the design is simplicity: keep it simple stupid (KISS). I’m going to jump ahead a little here and give you a peek into the future. We will implement “Network segmentation: Many ingress/egress cloud micro-perimeters with some micro-segmentation” from the Azure zero-trust guidance.

The only connection that will exist between DUB01 and AMS01 is a global VNet peering connection between the hubs. All traffic between DUB01 and AMS01 mist route via the firewalls in the hubs. This will require some user-defined routing and we want to keep this as simple as possible.

For example, the firewall subnet in DUB01 must have a route(s) to all prefixes in AMS01 via the firewall in the hub of AMS01. The more prefixes there are in AMS01, the more routes we must add to the Route Table associated with the firewall subnet in the hub of DUB01. So we will keep this very simple.

Each hub & spoke will be created from a single IP prefix allocation:

DUB01: All virtual networks in DUB01 will be created from 10.1.0.0/16.
AMS01: All virtual networks in AMS01 will be created from 10.2.0.0/16.

You might have noticed that Azure Virtual Network Manager uses a default of /16 for an IP address block in the IPAM feature – how convenient!

That means I only have to create one route in the DUB01 firewall subnet to reach all virtual networks in AMS01:

Name: AMS01
Prefix: 10.2.0.0/16
Next Hop Type: VirtualAppliance
Next Hop IP Address: The IP address of the AMS01 firewall

A similar route will be created in AMS01 firewall subnet to reach all virtual networks in DUB01:

Name: DUB01
Prefix: 10.1.0.0/16
Next Hop Type: VirtualAppliance
Next Hop IP Address: The IP address of the DUB01 firewall

Honestly, that is all that is required. I’ve been doing it for years. It’s beautifully simple.

The firewall(s) are in total control of the flows. This design means that neither location is dependent on the other. Neither AMS01 nor DUB01 trust each other. If a workload is compromised in AMS01 its reach is limited to whatever firewall/NSG rules permit traffic. With threat detection, flow logs, and other features, you might even discover an attack using a security information & event management (SIEM) system before it even has a chance to spread.

Workloads/Landing Zones

Every workload will have a dedicated subscription with the appropriate configurations, such as enabling budgets and configuring Defender for Cloud. Standards should be as automated as possible (Azure Policy). The exact configuration of the subscription should depend on the zone (corp, online or corporate).

When there is a virtual network requirement, then the virtual network will be as small as is required with some spare capacity. For example, a workload with a web VM and a SQL Server doesn’t need a /24 subnet!

Essential Workloads

Are you going to migrate legacy workloads to Azure? Are you going to run Citrix or Azure Virtual Desktop (AVD)? If so, then you are going to require doamin controllers.

You might say “We have a policy of running a single ADDS site and our domain controllers are on-premises”. Lovely, at least it was when Windows Server 2003 came out. Remember that I want my services in Azure to be resilient and not to depend on other locations. What happens to all of your Azure servces when the network connection to on-premises fails? Or what happens if on-premises goes up in a cloud of smoke? I will put domain controllers in Azure.

Then you might say “We will put domain controllers in DUB01 and AMS01 can use them”. What happens if DUB01 goes offline? That does happen from time to time. What happens if DUB01 is compromised? Not only will I put domain controllers in DUB01, but I will also put them in AMS01. They are low end virtual machines and the cost will be minor. I’ll also do some good ADDS Sites & Services stuff to isolate as much as ADDS lets you:

Create subnets for each /16 IP prefix.
Create an ADDS site for AMS01 and another for DUB01.
Associate each site with the related subnet.
Create and configure replication links as required.

The placement and resilience of other things like DNS servers/Private DNS Resolver should be similar.

And none of those things will go in the hub!

Micro-Segmentation

The hub will be our transit network, providing:

Site-to-site connectivity, if required.
Point-to-site connecticity, if required.
A firewall for security and routing purposes.
A shared Azure Bastion, if required.

The firewall will be the next hop, by default (expect exceptions) for traffic leaving every virtual network. This will be configured for every subnet (expect exceptions) in every workload.

The firewall will be the glue that routes every spoke virtual network to each other and the outside world. The firewall rules will restrict which of those routes is possible and what traffic is possible – in all directions. Don’t be lazy and allow * to Internet; do you want to automatically enable malware to call home for further downloads or discovery/attack/theft instructions?

The firewall will be carefully chosen to ensure that it includes the features that your organisation requires. Too many organisations pick the cheapest firewall option. Few look at the genuine risks that they face and pick something that best defends against those risks. Allow/deny is not enough any more. Consider the features that pay careful attentiont to what must be allowed; these are the firewall ports that attackers are using to compromise their victims.

Every subnet (expect exceptions) will have an NSG. That NSG will have a custom low-priority inbound rule to deny everything; this means that no traffic can enter a NIC (from anywhere, including the same subnet) without being explicityly allowed by a higher priority rule.

“Web” (this covers a lot of HTTPS based services, excluding AVD) applications will not be published on the Internet using the hub firewall. Instead, you will deploy a WAF of some kind (or different kinds depending on architectural/business requirements). If you’re clever, and it is appropriate from a performance perspective, you might route that traffic through your firewall for inspection at layers 4-7 using TLS Inspection and IDPS.

Logging and Alerting

You have placed all the barriers in place. There are two interesting quotes to consider. The first warns us that we must assume a pentration has already taken place or will take place.

Fundamentally, if somebody wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.

Michael Hayden Former Director of NSA & CIA

The second warns us that attackers don’t think like defenders. We build walls expecting a linear attack. Attackers poke, explore, and prod, looking for any way, including very indeirect routes, to get from A to B.

Biggest problem with network defense is that defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.

John Lambert

Each of our walls offers some kind of monitoring. The firewall has logs, which ideally we can either monitor/alert from or forward to a SIEM.

Virtual Networks offer Flow Logs which track traffic at the VNet level. VNet Flow logs are superior to NSG FLow logs because they catch more traffic (Private Endpoint) and include more interesting data. This is more data that we can send to a SIEM.

Defender for Cloud creates data/alerts. Key Vaults do. Azure databases do. The list goes on and on. All of this data that we can use to:

Detect an attack
Identify exploration
Uncover an expansion
Understand how an attack started and happened

And it amazes me how many organisations choose not to configure these features in any way at all.

Wrapping Up

There are probably lots of finer details to consider but I think that I have covered the essentials. When I get the chance, I’ll start diving into the fun detailed designs and their variations.

Azure Backup MARS Agent System State Support is GA

Microsoft announced last week that they made support for backing up system state using the MARS agent generally available.

System State backup was one of those “I must have this” features that I’ve been hearing about for 3+ years. Today it’s there – update your version of the MARS agent and you’ll have it.

With this added backup, you can protect metadata:

Active Directory: Backup your AD so you can do DC recoveries.
File Servers: It’s nice being bale to restore files & folders, but what about the shares?
IIS Web Servers: Protect that IIS Metabase.

Adding System State to your backup policy is easy; either start a new schedule (new MARS installations) or edit the existing schedule. System State will appear in the Add Items box. Select System State and complete the wizard. It’s easy … the way backup should be!

Was This Post Useful?

If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in Amsterdam on April 19-20, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here.

Azure AD Domain Services

Options when Moving to The Cloud

Switch to using SaaS versions of the s/w
Rewrite the app
Lift and shift: the focus today.

How Organizations Handle AD Requirements Today

They set up site-site VPN and deploy additional domain controllers in the cloud.
They deploy another domain/forest in the cloud and provision a trust, e.g. ADFS.

Imagine a Simpler Alternative

Simpler
Compatible
Available
Cost-effective

Introducing Azure AD Domain Services

You provision a VNet.
Then you activate Azure AD Domain Services in Azure AD on that VNet
You can manage the domain using RSAT.
You can optionally sync your Windows Server AD with Azure AD to share accounts/groups.

Managed Domains

Domain controllers are patched automatically.
Secure locked down domain, complaint with AD deployment best practices
You get 2 DCs, so fault tolerant
Automatic health detection and remediation. If a DC fails, a new one is provisioned.
Automatic backups for disaster recovery.
No need to monitor replication – done as part of the managed service.

Sync

If you deploy sync, e.g. Azure AD Connect, then it flows as follows: Windows Server AD <-> Azure AD <-> Azure AD Domain Services

Features

SIDs are reused. This means things like file servers can be lifted and shifted to Azure without re-ACLing your workloads.
OUs
DNS

Pricing

Based on the number of objects in the directory. Micro-pricing.

Decisions

New Features

Azure Portal AD Experience is GA
ARM virtual network join is GA

Demo

He creates an AADS domain. THere are two OUs by default:

AADC Users
AADC Computers

Back to the PowerPoint

Notes

You cannot deploy AADDS in the classic Azure portal any more.
The classic deployment model will be retired – the ARM deployment is better and more secure.
The classic VNet support is ending (for new domains) soon.
Existing deployments will continue to be supported

Questions

Is there GPO sync? No. This is a different domain, so there is no replication of GPO from on prem to AADDS
Can you add another DC to this domain? No. There will be (in the future) the ability to add more AADDS “DCs” in other VNets.
What happens if a region goes down? The entire domain goes down now – but when they have additional DC support this will solve the problem
Is there support in CSP? No, but it’s being worked on.

Manage Azure IaaS VMs

You can join these machines to AADDS. You can push GPO from AADDS. You’ll sign into the VMs using AADDS user accounts/passwords.

GPO

Members of AADDC Administrators can create OUs. You can target GPO to OUs.

Move Servers to the Cloud

Sync users/passwords/SIDs to the cloud, and then lift/shift applications/VMs to the cloud. THe SIDs are in sync so you don’t need to change permissions, and there’s a domain already for the VMs to join without creating DC VMs.

LDAP over SSL

I missed most of this. I think you can access applications using LDAP over SSL via the Internet.

Move Server Applications To Azure

User AADDS to provision and manage service accounts.

Kerberos Constrained Delegation

Cannot work with AADDS using old methods – You don’t have the privileges. The solution is to use PowerShell to implement resource-based KCD.

Modernize Legacy Apps with Application Proxy

You can get users to sign in via AAD and MFA into legacy apps. A token is given to the app to authorize the user.

SharePoint Lift and Shift

A new group called AAD DC Service Accounts. Add the SharePoint Profile sync user account to this group.

Domain Joined HDIsnight Cluster

You can “Kerber-ize” a HD cluster to increase security. This is in preview at the moment.

Remote Desktop Deployments

Domain-join the farm to AADDS. The licensing server is a problem at the moment – this will be fixed soon. Until then, it works, but you’ll get licensing warnings.

Questions

Schema extensions? Not supported but on the roadmap.
Logging? Everything is logged but you have to go through support to get at them at the moment. They want to work on self-service logging.
There is no trust option today. They are working on the concept of a resource domain – maybe before end of the year.
Data at rest, in ARM, is encrypted. The keys (1 set per domain) are managed by MS. MS has no admin credentials – there’s an audited process for them to obtain access for support. The NTLM hashes are encrypted.

Deciding When to DIY Your Own AD Deployment

Features Being Considered

Cloud solution provider support – maybe early 2018.
Support for a single managed domain to space multiple virtual networks
Manage resource forests
Schema extensions – they’ll start with the common ones, and then add support for custom extensions.
Support for LDAP writes – some apps require this

Any questions/feedback to aaddsfb@microsoft.com

Webinar Recording: Defending Today’s Threats With Tomorrow’s Security By Microsoft

MicroWarehouse has posted the recording of our last webinar, which explained why the security solutions of the 1990s that some companies are still relying on, are being easily defeated by attackers today.

The post explains what is happening now, based on 2015 survey information from multiple sources. And I explain how a number of cloud-based security services from Microsoft can protect both your on-premises and cloud infrastructures from these modern attack methods, that your firewall and anti-malware scanning will let pass right through or never see.

In fact, I just saw a support request on a security issue that 2 of the solutions in this webinar would have prevented.

We have also shared the slides and a hand-out with some follow-up reading/watching.

Technorati Tags: Event Notes,Security,EMS,Azure,Active Directory,Azure AD,Office 365

Webinar: Introduction to EMS

A recording of this webinar can be viewed here, along with the slides and follow up reading/learning.

I am presenting a webinar on Microsoft’s Enterprise Mobility Suite (EMS) on Friday at 2pm UK/Irish time, 3PM Central European, and 9am EST.

My job has many threads. Sometimes I am down-deep in the weeds on techie stuff. Sometimes I’m delivering training. Part of what I do is raise awareness. This webinar falls into that category; the target audience is sales and technical staff that know little-to-nothing about EMS and what Microsoft can do for device/application management, identity and security from the cloud.

So if you want to find out what EMS can add, then tune in for this 1 hour webinar.

Technorati Tags: Events,Active Directory,Intune,Security

How To Manage Azure AD in CSP

In this post I’ll describe two ways that you can use to manage Azure AD in a CSP subscription using a GUI.

CSP, CSP, CSP – that’s all you can hear these days in the Microsoft channel. In short, CSP is a new channel by which customers can buy Azure or partners can resell Azure, with a post-utilization monthly invoice.

That all sounds good – but the downside with CSP is that it only includes Azure v2 (Azure Resource Manager or ARM), unlike all of the other channels which also support Azure v1 (Service Manager). So we lose lots of features and we also lose the classic portal – no storage imports, no RemoteApp, no Azure AD, etc. We also lose the class Azure management site for managing the Azure in CSP subscription – and there’s the issue for Azure AD.

The lack of a UI for managing Azure AD does cause issues:

The cries of “use PowerShell” or “use this opensource stuff” suit the 1%-ers but not the rest of us.
We lose the ability to start doing clever RBAC using resource groups in Azure.
We lose all the Azure AD features, such as single sign-on.
We lose the Azure Ad Premium features, sold via CSP too (standalone or in EMS).

Is there a solution? Hmm, there is a workaround which isn’t pretty but it works. There are ways to manage the Azure directory:

You have also deployed Office 365 via CSP with the same .onmicrosoft.com domain. You can create users and Office 365 groups in the Office Admin portal.
You can also share the directory of the CSP account into another Azure subscription that does support Azure v1; from there, we can manage the directory.

In my lab, I have the following CSP services with a common .onmicrosoft.com domain (deployed by the reseller – my employers, in this case, because we are a Tier 2 distributor of CSP):

Office 365
EMS
Azure

I also have an Azure in Open subscription. I can easily create users in my CSP subscription using Azure AD Connect (from on premises domain) or using the Office 365 admin portal. But what about the other features of Azure AD? I’ll need to share the CSP domain with a subscription that does support the classic management portal.

Here’s what you’ll do:

Use another Azure subscription that is not in CSP. Maybe you already have one; if not, start a trial and make sure you don’t enable spending – you’ll still need to verify credit card details. You won’t be charged for managing Azure AD, and you’ll still have access to the subscription when the trial ends – you just can’t deploy things that will cost money, e.g. storage, VMs, and so on.
Sign into https://manage.windowsazure.com using valid Microsoft Account (Live ID) credentials of the non-CSP subscription and browse to Active Directory.
Click New > Active Directory > Directory > Custom Create
Select the option to Use Existing Directory. Make sure you check the box to sign out.
You’ll be signed out and a new login will appear. Sign in with the admin credentials for your CSP domain.
Verify that you want to share the domain. You’ll be signed out again.
Sign into the classic management portal again using your non-CSP credentials. If all has worked correctly, you should be able to see and manage the CSP domain.

This is how I enabled multi-factor authentication, created users, groups, and other cool things in an CSP Azure domain.

Technorati Tags: Azure,Active Directory

Windows 10 Being Pushed Out To Domain-Joined PCs

Brad Sams (my boss at Petri.com) published a story last night about how Microsoft has started to push out Windows 10 upgrades to domain-joined PCs.

Note that the PC doesn’t upgrade via Windows Update; the user will be prompted if they want to update, and then a deliberately confusing screen “encourages” the user to upgrade.

Brad notes that the environment must meet certain requirements:

The machine must be running and licensed for Windows 7 Pro or Windows 8.1 Pro (Enterprise doesn’t do this stuff).
There is no WSUS, ConfigMgr, etc – the machine gets updates directly from MSFT – this means smaller businesses for the most part.
The machine must be a domain member.

As you can see, this affects SMEs with a domain (no WSUS, etc). But I’d be surprised if larger businesses weren’t targeted at a later point in order to help MSFT hit their 1 billion PCs goal.

In my opinion, this decision to push upgrades to business is exactly the sort of action that gives Microsoft such a bad name with customers. Most SMEs won’t know this is coming. A lot of SMEs run systems that need to be tested, upgraded, or won’t support or work on newer operating systems. So Microsoft opting to force change and uncertainty on those businesses that are least ready is down right dumb. Brad reports that Microsoft claims that people asked for this upgrade. Right – fine – let those businesses opt into an upgrade via GPO instead of the other way around. Speaking of which …

There is a blocker process. I work in a small business and I’ve deployed the blocker. Windows Update added new GPO options to our domain controllers, and I enabled the GPO to block Windows upgrades via Windows Update:

As you can see – I’ve deployed this at work. We will upgrade to Windows 10 (it’s already started) but we will continue to do it at our own pace because we cannot afford people to be offline for 2 hours during the work day while Windows upgrades.

Technorati Tags: Windows 10,Deployment,Windows Updates,Active Directory

Microsoft News – 19 October 2015

It turns out that Microsoft has been doing some things that are not Surface-related. Here’s a summary of what’s been happening in the last while …

Hyper-V

Microsoft Loves Linux Deep Dive #2 – Linux and FreeBSD Integration Services Core Features: Talking about the services that are integrated into Linux guest OSs on Hyper-V.
Shared Hyper-V virtual disk is inaccessible when it’s located in Storage Spaces on a Windows Server 2012 R2-based computer: A hotfix is available.
Recover From Expanding VHD or VDHX Files On VMs With Checkpoints: Tut tut!
Find All Virtual Machines With A Duplicate Static MAC Address On A Hyper-V Cluster With PowerShell: A handy tip from Didier to avoid networking hell.
Microsoft Loves Linux Deep Dive #3: Linux Dynamic Memory and Live Backup: Dynamic Memory for Linux guests and backup VMs with file system consistency without shutting them down.
Virtual Network Appliances I Use for Hyper-V Labs: A post by Didier Van Hoye.
Microsoft Loves Linux Deep Dive #4: Linux Network Features and Performance: More about open source on Hyper-V.
KB3095308 – VMs may not get additional memory although they’re set to use Dynamic Memory in Windows Server 2012 R2: You experience a poor performance, and IIS servers may run out of memory at peak times.
KB3093571 Update to replicate multiple VM groups and VMs that use shared VHDs in Windows Server 2012 R2 or Windows Server 2012: This article describes a hotfix that enables multiple virtual machine (VM) groups replication and the ability to replicate VMs that use shared Virtual Hard Disks (VHDs) in Windows Server 2012 R2 or Windows Server 2012. This is BIG – I’ll have more on this topic later.
Windows 10 Build 10565 Adds Nested Hyper-V: A post I wrote for Petri.com.
KB3093899 – VMs that run on CSVs fail if DCM can’t query volumes in Windows Server 2012 R2: This article describes an issue that occurs when Desired Configuration Management (DCM) can’t query volumes in Windows Server 2012 R2.
KB961804 – Virtual machines are missing, or error 0x800704C8, 0x80070037, or 0x800703E3 occurs when you try to start or create a virtual machine: This problem may be caused by antivirus software that is installed in the parent partition if the real-time scanning component is configured to monitor the Hyper-V virtual machine files. Follow Microsoft’s guidance on antimalware for Hyper-V hosts, and stop being a “yes sir, no sir” gombeen kow-towing to the know-nothing security “expert”.
Trunking With Hyper-V Networking: Trunk the virtual switch port to allow a virtual appliance connect to multiple VLANs at once.
Remove Lingering Backup Checkpoints from a Hyper-V Virtual Machine: A recovery snapshot stays and you cannot apply or delete it.
Hyper V Amigos Podcast Episode 1 – Ben Armstrong: Hyper-V MVP Carsten Rachfahl interviews Microsoft PM, the Virtual PC Guy.

Windows Server

Windows Server Containers, what are they and where do they fit? Read the Microsoft explanation, and then read my one.
Memory Compression in Windows 10 Threshold 2: Improving resource utilization with TH2, the next major Windows release, coming in November.
“Not enough server storage is available to process this command” error when you try to access file shares on an SOFS-configured server : You ignored the guidance and used SOFS as an end-user file server. Seriously – try reading!
New Windows Server 2016 Storage Video Series: A set of videos on WS2016 storage.
KB3091057 – Cluster validation fails in the “Validate Simultaneous Failover” test in a Windows Server 2012 R2-based failover cluster: This hotfix changes some timing of the “Validate Simultaneous failover” test to more accurately verify the storage compatibility with the failover cluster.
How to setup Nano Server to send diagnostic messages off-box for remote analysis: Troubleshooting Nano server will be fun if you cannot log into it. So don’t log into it.

Windows Client

Windows 10 Enterprise Feature – Credential Guard: Using VSM to protect LSASS.

Azure

Monitor your Azure RemoteApp environment with OpInsight – Part 4: Monitor the User Profile Disks.
Learn how to back up your IaaS VMs in five minutes: It’s simple: create a backup vault, discover VMs, register VMs, create a policy.
Microsoft Azure Backup Server: Download the MAB (based on DPM) to get on-premises backup of Hyper-V, SQL, Exchange, SharePoint and clients that you can forward to Azure Backup vaults.
September updates to Azure RemoteApp: New features in the RDS service. Note that Office 2016 is not supported yet.
A VM that Azure Site Recovery helps protect goes into a resynchronization state: “Resynchronization is required for the machine X. Resume replication to start resynchronization” and “Resynchronization for virtual machine ‘VMName’ was marked corrupted by the service.”.
Inside Azure File Storage: Learn more about this application data sharing facility.
Azure RBAC is GA: Implement just enough administration (JEA) in your Azure subscription.
Azure RemoteApp Custom Image Licensing Error: When you make your own RemoteApp image from scratch.
Introducing Microsoft Azure Backup Server: A post I wrote for Petri.com on “Project Venus” progress.
Azure AD Domain Services is now in Public Preview – Use Azure AD as a cloud domain controller: We’re getting closer to Server Zero. Note the lack of integration with legacy AD.
The Azure AD App Proxy just keeps getting better and better: Cloud-enable legacy apps.
KB3090067 – Azure Backup performance update: Update MARS to avoid when incremental backups by using the Azure Backup agent may run slowly for servers that have many files.
User Environment Management in Azure RemoteApp – Part 1: Using UE-V with the user profile disks.
IIS and Azure Files: Can I host my IIS web content in the cloud using Azure Files? Yes you can put your websites in Azure Files and use shared configuration for shared web content between a farm of auto-scaling, load balanced VMs in an availability set with auto-scaling enabled. Yum!
Get Fast + Easy Support with OMS: Add Microsoft support users to a workspace so they can see the same thing as you.

Office 356

Cloud security controls series – OneDrive for Business: Compliance and security stuff.
Data Loss Prevention in OneDrive for Business, SharePoint Online and Office 2016 is rolling out: PDB is finally starting to improve.
Share with the click of a button in Office 2016: How to edit cooperatively.
What’s new – September 2015: A bit of a quiet month in Office, right? It was just Office 2016, Exchange 2016, …
I sync therefore I am…: A preview of the new ODB sync client
Azure PowerShell 1.0 Preview: A preview of v1.0 which appears to focus on improving admin of Azure Resource Manager.

Miscellaneous

A message to our customers about EU – US Safe Harbour: A comment by Microsoft’s legal honcho, Brad Smith, following the recent ECJ ruling that Safe Harbour is “invalid”.

Microsoft News – 28 September 2015

Wow, the year is flying by fast. There’s a bunch of stuff to read here. Microsoft has stepped up the amount of information being released on WS2016 Hyper-V (and related) features. EMS is growing in terms of features and functionality. And Azure IaaS continues to release lots of new features.

Hyper-V

The Mysterious Case of Infrequent Network Connectivity Issues on 2 Hyper-V VMs Out of 40 Guests: Some PowerShell troubleshooting.
Storage Migration “Operation not allow for VM because Hyper-V State is yet to be initialized from Virtual Machine Configuration” (0x80070015): A fix or workaround to solve this problem.
Missing Hyper-V VMs on Windows 10 – Build 10547: A bug in this insider build hides non v5.0 VMs.
Hyper-converged with Windows Server 2016: Run your storage (Storage Spaces Direct, not SOFS) and Hyper-V cluster on the same hardware.
Configuring site awareness for your multi-active disaggregated datacenters: Solving one of the biggest issues with using Failover Clustering as a DR solution.
Introduction to Linux and FreeBSD on Hyper-V: The Linux Integration Services (LIS). Note that LIS 4.0 can be installed on some distros that have previous versions of LIS built in.
Running Hyper-V on Nano in Windows Server 2016 TP3: For you large scale customers that can afford to lose a host.
Running Nano from Windows Server 2016 TP3 on Hyper-V: Teeny tiny VMs for running born-in-the-cloud services.
Do you know how fast your disks are? I’ve seen expensive customer deployments with over-specced hosts and sh1te SANs where one ordinary VM could effectively shut down the cluster because the SAN couldn’t keep up.
Virtual Machine Storage Resiliency in Windows Server 2016: A very nice resiliency feature from the Hyper-V storage folks.

Windows Client

Windows 10 servicing and deployment guidance now available: Learn about Windows as a Service.
Introduction to Windows 10 servicing: How enterprises can keep devices current with the latest feature upgrades, make better use of Windows Update, and what the new servicing options mean for support lifecycles.
Windows 10 – Reducing the disk footprint: how to deploy Windows 10 with the new smaller installation footprint – great for machines with smaller storage (tablets and ultrabooks)

Azure

Azure Backup – Announcing general availability of backup for Azure IaaS VMs: This vital service for VMs has gone GA with a number of improvements.
Azure Backup of IaaS VMs Generally Available: A post I wrote for Petri.com.
Remote Desktop Services DR Solution using ASR – Guidance: A best practices guide from Microsoft.
SharePoint DR Solution using ASR – Guidance: A best practices guide from Microsoft.
Microsoft Exchange DR Solution using ASR – Guidance: A best practices guide from Microsoft.
A VM that Azure Site Recovery helps protect goes into a resynchronization state: Each VHD must be 1023 GB or less.
Source Control Integration in Azure Automation: Manage your automations scripts.
Monitor your Azure RemoteApp environment with OpInsight – Part 1: A nice hack.
Monitor your Azure RemoteApp environment with OpInsight – Part 2: Continuing the hack.
Microsoft showcases the Azure Cloud Switch (ACS): Linux? Linux! Linux?! Yes; Linux.
September update – Azure Preview Portal improvements: Ibiza continues to evolve in the very long preview. This is starting to feel like the GMail beta. There are some good improvements here, but the lateral scale of the UI needs to be chopped by 80%, or we should get an 80″ Surface Hub for free with every Azure subscription.
Use Azure as Virtual DR Site for VMware and Physical Servers: A post I wrote for Petri.com.
August updates to Azure RemoteApp: Some updates.
How does Azure RemoteApp save user data and settings? I really do not like this solution – I prefer to use a virtual file server with domain membership on the VNet because I have some measure of control.
ADFS Publishing via Azure Traffic Manager : Ah yeah, geo-redundant ADFS.

System Center

Near Real-time Performance Data Collection in OMS: Could this be the start of the replacement of SCOM with a cloud service?
Deploy Software Defined Networks using Virtual Machine Manager : A document based on TP3 of System Center 2016.
2nd Edition of Microsoft System Center: Building a Virtualized Network Solution now available and free to download: Featuring Irish MVP, Damian Flynn.
How to Deploy Host Guardian Service using Service Templates in VMM Tech Preview 3: The new WS2016 Hyper-V security feature.

Office 365

The New Office is Here: In case you missed it, Office 2016 launched this week. O365 customers will get is based on which servicing branch they are in. You might not see it for months if you are in the Current Branch for Business (Pro Plus plans default to this).
What’s new in Office 2016: Why should you upgrade, and what should you look for if you have upgrade rights?
Admins—get ready for Office 2016, rollout begins September 22: I’d tweeted several months ago that I’d heard September was the month, so I am not surprised at all.
Announcing the Office 365 Service Trust Portal: STP is a service feature in Office 365 designed to provide deeper information on how Microsoft manages security, compliance and privacy.
Office 365 Import Service—migration to SharePoint Online and OneDrive for Business just became easier: An out-of-band transfer using hard disks, similar to the Azure import service.
Introducing Office 365 Planner: A “simple and highly visual way to organize teamwork”.
Step-By-Step – Setting up AD FS and Enabling Single Sign-On to Office 365: Set up single sign-on.
How to use your Office 365 subscription with Azure RemoteApp: There’s a new “with O365” template that you can use now. Use your ProPlus installation rights in Azure’s RDS.

EMS

Coming soon – New features for managing Windows 10 and iOS devices: New features between September 25 and October 5.
Day Zero Support for iOS 9 with Intune: Manage your iPhones and iPads.
Azure Active Directory B2B collaboration: Inter-company federation via Azure AD.
Azure AD Premium Dashboard is in preview: Microsoft has turned on the Azure Active Directory Premium Dashboard – available in North America only at this point.
Azure AD B2C and B2B are now in Public Preview:
Learn all about the Azure AD B2B Collaboration Preview: Learn more about the Biz-2-Biz preview.

Security

Tracking a Bluetooth Skimmer Gang in Mexico: A whole new way of skimming your card at the ATM, thanks to the ATM engineers.
Tracking Bluetooth Skimmers in Mexico, Part II: More on this story.
Who’s Behind Bluetooth Skimming in Mexico? A very professional criminal operation.

Miscellaneous

Microsoft heads back to court on September 9th: A post I wrote about the Irish datacenter and US warrant appeal.

Technorati Tags: Microsoft,Hyper-V,Virtualisation,Failover Clustering,Storage,Storage Spaces,Linux,Windows 10,Azure,Cloud,Cloud Computing,Hybrid Cloud,Backup,Remote Desktop Services,DR,Active Directory,System Center,VMM,Security,Office,Office 365,Licensing,EMS,Intune

Microsoft News – 7 September 2015

Here’s the recent news from the last few weeks in the Microsoft IT Pro world:

Hyper-V

Configuring Default Checkpoint type in Windows 10: How to automatically get the legacy style checkpoint behaviour – might be useful in test/dev/demo labs.
Hyper-V Dynamic Memory Versus Virtual NUMA: The two incompatible memory optimization techniques. A post I wrote for Petri.com.
Workgroup and Multi-domain clusters in Windows Server 2016: Note: Workgroup clusters do not support Live Migration (hence useless to most).
Site-aware Failover Clusters in Windows Server 2016: Making stretch clusters more suitable. An interesting option is “preferred site” of a (entire) cluster.
Linux Integration Services 4.0 Update: An update to the Linux integration components for Hyper-V.

Windows Server

How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012: You might disable SMBv1 in totally modern deployments, but I prefer to stay on the well walked path.
Announcing Windows Server 2016 Containers Preview: Post by Scott Guthrie.
Microsoft and Mesosphere partner to bring Mesos container orchestration across Windows and Linux worlds: Container orchestration comes to Windows.
Microsoft and Intel showcase Storage Spaces Direct with NVM Express at IDF ’15: 4.2 million IOPS with S2D.
Data Deduplication in Windows Server Technical Preview 3: BIG improvements for scalability and backup.
Comparing Work Folders and Offline Files: I bet you’ve never heard of Work Folders – what I call “company owned DropBox”.
Work Folders encryption on Windows: Security with replicated files.
Windows Server 2016 Installation Option Changes: Our feedback was listened to.

Windows

Adjusting the Network Protocol Bindings in Windows 10: I guess the same applies to Windows Server 2016.
Windows 10 Pre-Upgrade Validation using SETUP.EXE: Using /Compat ScanOnly.
MDOP 2015 and more tools are now available: Windows 10 support.

System Center

DPM 2012 R2 UR7 re-released: Wow, a System Center update rollup had issues. Whoda thunk it?!?!?!

Azure

Mandatory update for Azure Backup to avoid an authentication error for ongoing backups: You must have a MARS agent that released August 19 2015 or later.
AzCopy – Introducing Append Blob, File Storage Asynchronous Copying, File Storage Share SAS, Table Storage data exporting to CSV and more: AzCopy 3.2.0 and AzCopy 4.2.0-preview are now released.
Azure Backup update – New features in IaaS VM backup support: Support for up to 16 data disks, retention up to 99 years, improved performance, and reporting.
Azure Premium Storage expanding in more regions: Adding Central US, East US, East Asia, and North Europe.
Announcing the GS-Series: Adding Premium Storage Support to the Largest VMs in the Public Cloud: Big and fast.
Boot Diagnostics for Virtual Machines: Needed because there’s not KVM access.
A Look at Microsoft’s New Hybrid Cloud Features: A post I wrote for Petri.com.
How to Link an Azure RemoteApp collection to your existing Azure Virtual Network Without Domain Join: If you have applications that don’t require domains. Beware that this will cause messy session hosts without GPO to control user access/storage from a central point.

Office 365

What’s new – July 2015: Apps galore.
What’s new – August 2015: The education SKUs are getting a “shake up”.
Microsoft is reducing its number of portals, merging Intune with Office 365: Good idea … but I am sceptical of the success/future of this.

Intune

Windows 10, Azure AD and Microsoft Intune: Automatic MDM enrollment powered by the cloud: See the new Active Directory in action.
Microsoft Advanced Threat Analytics in now GA: This EMS bundle member is now available for detecting nefarious usage of company identity.

Events

Meet AzureCon: A virtual event on Azure on September 29th, starting at 9am Pacific time, 5pm UK/Irish time.

Technorati Tags: Hyper-V,Virtualisation,Failover Clustering,Linux,Windows Server 2016,Windows Server 2012 R2,Storage,Networking,Windows 10,Deployment,DPM,System Center,Azure,Cloud,Cloud Computing,Hybrid Cloud,Backup,Remote Desktop Services,Office 365,Intune,Active Directory,Events