IIS | Aidan Finn, IT Pro

Azure Backup MARS Agent System State Support is GA

Microsoft announced last week that they made support for backing up system state using the MARS agent generally available.

System State backup was one of those “I must have this” features that I’ve been hearing about for 3+ years. Today it’s there – update your version of the MARS agent and you’ll have it.

With this added backup, you can protect metadata:

Active Directory: Backup your AD so you can do DC recoveries.
File Servers: It’s nice being bale to restore files & folders, but what about the shares?
IIS Web Servers: Protect that IIS Metabase.

Adding System State to your backup policy is easy; either start a new schedule (new MARS installations) or edit the existing schedule. System State will appear in the Add Items box. Select System State and complete the wizard. It’s easy … the way backup should be!

Was This Post Useful?

If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in Amsterdam on April 19-20, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here.

“Install-WindowsFeature : An unexpected error has occurred” Error When You Run Install-WindowsFeature In A Windows Server Container

This is one of those issues that makes me question a lot of step-by-step blog posts on Windows Server Containers that are out there – plenty of people were quick to publish guides on containers and didn’t mention encountering this issue which I always encounter; I suspect that there’s a lot of copy/pasting from Microsoft sites with little actual testing in a rush to be first to publish. It’s clear that many bloggers didn’t try to install things in a container that required administrator rights, because UAC was blocking those actions. In my case, it was installing IIS in a Windows Server 2016 (WS2016) Technical Preview 3 (TPv3) container.

In my lab, I created a new container and then logged in using the following (I had already populated $Container by returning the container object into the variable):

Enter-PSSession -ContainerId $Container.ContainerId -RunAsAdministrator

And then I tried to install some role/feature, such as IIS using Install-WindowsFeature:

Install-WindowsFeature -Name Web-Server

I logged in using -RunAsAdministrator so I should have no issues with UAC, right? Wrong! Because the installation fails as follows:

Install-WindowsFeature : An unexpected error has occurred. The system cannot find the file specified. Error: 0x80070002
+ CategoryInfo : InvalidResult: (@{Vhd=; Credent…Name=localhost}:PSObject) [Install-WindowsFeature], Exception
+ FullyQualifiedErrorId : RegistryKey_OpenSubKey_Failed,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand

What’s the solution? When you are remoted into the container you need to raise your administrator privileges to counter UAC. You can do this as follows, after you log into the container:

Start-Process Powershell.exe -Verb runAs

Run Install-WindowsFeature now and it will complete.

Sorted!

Note: I have found in my testing that IIS behaves poorly in TPv3. This might be why Microsoft’s getting started guides on MSDN use nginx web server instead of IIS! I’ve confirmed that nginx works perfectly well.

Technorati Tags: Windows Server 2016,Containers,Hyper-V,Virtualisation,Deployment,PowerShell,IIS

Microsoft News Summary – 8 October 2014

Welcome to today’s cloud-heavy Microsoft news compilation.

Windows Server

What’s New in Remote Desktop Services for the next version of Windows Server? RDS in the next version of Windows Server builds on a strong foundation (WS2012 and WS2012 R2) and adds support for the scenarios included in this post.
Whitepaper – Building High Performance Storage for Hyper-V Cluster on Scale-Out File Servers using Violin Windows Flash Arrays: Got lots and lots of money? I mean LOTS of money. Then this is a whitepaper for you, talking about Violin’s All Flash Array and Microsoft Windows Server 2012 R2 Scale-Out File Server Cluster.
Technical Preview Step-by-Step Guide – Storage Replica: Storage Replica (SR) is a new feature that enables storage-agnostic, block-level, synchronous replication between clusters or servers for disaster recovery, as well as stretching of a failover cluster across sites for high availability. Synchronous replication enables mirroring of data in physical sites with crash-consistent volumes ensuring zero data loss at the file system level. Asynchronous replication allows site extension beyond metropolitan ranges with the possibility of data loss.
Introducing the next version of Web Application Proxy: Read about additional functionality that has been added to Web Application Proxy and AD FS as part of Windows Server next version Technical Preview.

Windows Client

Console Improvements in the Windows 10 Technical Preview: Lots of improvements in CMD command prompt

Azure

Introducing the Azure Automation Runbook Gallery: The time it takes to create functional, polished runbooks is a little faster thanks to the new Azure Automation Runbook Gallery.
More Changes to Azure by Scott Guthrie: Including support for static private IP support in the Azure Preview Portal, Active Directory authentication, PowerShell script converter, runbook gallery, hourly scheduling support.
Microsoft Certification Test Tool Preview for Azure Certified: The Microsoft Certification Test Tool for Azure Certified is designed to provide an assessment of compliance to technical requirements as part of the Azure Certified program. The test tool includes a wizard style automated section and questionnaire section to assess characteristics of a Virtual Machine image running in Microsoft Azure and generate results logs. More information on the Azure Certified program is available.
Announcing Support for Backup of Windows Server 2008 with Azure Backup: Due to feedback. Please note that this is x64 only and that there are system requirements.
Hybrid Connection Manager ClickOnce Application: ClickOnce installer for the Hybrid Connection Manager.
D-Series Performance Expectations: The new D-Series VMs provide great performance for applications needing fast, local (ephemeral) storage or a faster CPU; however, it’s important to understand a little about how the system is configured to ensure you’re getting an optimal experience.
Cloud App Discovery – Now with Excel and PowerBI Support: One of the top customer requests was to be able to perform analytics on the data collected in tools like Excel and PowerBI. Now you can take cloud app discovery data offline and explore and analyze the data with tools you already know–Excel and PowerBI.
A new region will open in India by the end of 2015: It makes sense; there are 1 billion people and some big corporations there.
Microsoft Azure Speed Test: Which Azure region is closest to you (remember that Internet geography is different to the planet’s geography. For example, where I work is a few miles from Europe North (Dublin), but the test shows me that Europe West provides me with lower latency (beaten, obviously, by CDN). My own testing using Azure Traffic Manager with geo-dispersed websites has verified this.

Office 365

One-Time Passcode for Office 365 Message Encryption: With the release of One-Time Passcode. With One-Time Passcode, you don’t need to sign in with a Microsoft account to view an encrypted message.
Accelerate your Office 365 adoption: Microsoft introduces the Office 365 Customer Success Center: A new website designed to help customers drive adoption and business value.
Delivering the first chapter of Groups in Office 365: Take a look at this video to learn how Groups brings people together to enable better communication and collaboration across Office 365.

Miscellaneous

Can Google Cloud Platform Win the Cloud Battle Against AWS and Azure? Petri’s Jeff James interviews Brian Goldfarb, head of product marketing for the Google Cloud Platform.
US says it can hack into foreign-based servers without warrants: Therefore, we can hack US servers without warrants. Right?
Symantec Said to Explore Split Into Security, Storage Cos: Someone please call 2008 and let them know.

Technorati Tags: WIndows Server 2015,RDS,Storage,Hyper-V,Storage Spaces,Virtualisation,Failover Clustering,Windows 10,Azure,Cloud,Cloud Computing,Hybrid Cloud,Scripting,PowerShell,Networking,Backup,IIS,Office 365,Security

Microsoft News Summary – 15 August 2014

Here’s the latest from the last 24 hours:

New – Configurable Idle Timeout for Azure Load Balancer: Microsoft announced that the Azure Load Balancer now supports configurable TCP Idle timeout for your Cloud Services and Virtual Machines. This feature can be configured using the Service Management API, PowerShell or the service model.
Integrate System Center Advisor into Operations Manager Dashboards: Drive System Center Advisor search using Operations Manager dashboards.
Introduction to Azure Backup: What we expect to be the hottest selling Azure feature for SMEs.
Old IPv4 Router Settings May Be Causing Internet Slowdowns This Week: The number of routes across the Internet is beginning to exceed the number that IPv4 routers were set to handle.
Understanding the files collected by the Test-StorageHealth.ps1 PowerShell script: Understand the results of health and capacity tests done to a Storage Cluster based on Windows Server 2012 R2 Scale-Out File Servers.
Bare Metal Post-Deployment – Running the Post-Deployment Automation and Bonus – Part 5: Final part in this VMM series.
Businesses Using Windows Server 2003 Could Face VISA & MASTERCARD Backlash: End of support in July 2015 = 2015 no more security patches = security vulnerabilities = no PCI compliance = bankruptcy.
Edge Show115 – Azure AD Connect Preview (configuring hybrid identity with Azure AD): This video takes an exclusive look at Azure AD Connect to implement hybrid identity. Jen Field (Senior Program Manager Azure AD Fabric) takes us through using the new deployment tool to deploy Active Directory Federation Services (AD FS), Directory Sync (DirSync / AAD Sync), Azure AD and the accompanying SSL certificates. These are components that you’ll commonly deploy for Office 365, Windows Intune and more.
Replacing TMG with IIS ARR for an Exchange Hybrid: Lots of people looking to replace the now-dead Microsoft Forefront Threat Management Gateway.

Technorati Tags: Azure,Cloud,Cloud Computing,Networking,System Center,Operations Manager,Backup,Hybrid Cloud,Storage,Storage Spaces,Windows Server 2012 R2,Deployment,VMM,Windows Server 2003,Active Directory,Security,Exchange,IIS

Microsoft News Summary – 7 August 2014

Very little happening. These quiet times are great for rumours.

Oh – and don’t use Generation 2 virtual machines on WS2012 R2 Hyper-V.

A story of how Generation 2 VMs caused performance issues: This, on top of secure boot up cert update issues lead me to advising: STICK WITH GENERATION 1 VIRTUAL MACHINES
Microsoft’s Windows ‘Threshold’ expected to add virtual desktops, drop charms: Mary Jo Foley has news on the changes coming to Windows vNext. TechEd Europe should be interesting.
New Site Recovers Files Locked by Cryptolocker Ransomware: Two security firms teamed up to launch a free new online service that can help victims unlock and recover files scrambled by the malware.
3 Steps to Securing FTP on IIS 8: Here are three additional things you can do to increase the security of your server’s FTP service and minimize its attack footprint.
Microsoft to block outdated Java versions in Internet Explorer: It’s about time that Java was treated like malware.
Service Management Automation using System Center 2012 R2: A whitepaper on SMA by MVP Michael Rueefli.
License Mobility through Software Assurance on Azure: License Mobility through Software Assurance gives Microsoft Volume Licensing customers the flexibility to deploy eligible server applications with active Software Assurance on Azure. With this Software Assurance benefit, there is no need to purchase new licenses and no associated mobility fees so, you can easily deploy existing licenses on the Azure cloud platform.
Cloud Ecosystem Poster: Microsoft Azure, Windows Server 2012 R2, System Center 2012 R2: This document provides a visual reference for understanding key Microsoft private cloud and on-premises cloud technologies.

Technorati Tags: Microsoft,Hyper-V,Windows Server 2012 R2,Security,IIS,Internet Explorer,System Center,WAP,Azure,Licensing,Hybrid Cloud,Cloud,Cloud Computing

How My New Azure VM Web Server Is Configured

Following yesterday’s “I’ve moved to Azure” post, I decided to write a bit more about what I’ve done. For obvious reasons, I will not get into deep specifics.

The first step was to create a cloud service. Each cloud service in Azure should be seen as an external point of contact … a public IP address if you want to think of it that way.

I then created a single subnet virtual network.

A storage blob was created in Azure to store the VHD files of the new virtual machine.

A small spec VM (single core, 1.7 GB RAM) was created. An endpoint was created for HTTP in the Azure portal to allow incoming web traffic. I don’t need HTTPS and I don’t use the FTP functionality of WordPress.

I then created a WS2012 R2 Datacenter virtual machine. I configured patching using GPEDIT.MSC, and a few other things. I added IIS and ran the Web Platform Installer to install MySQL, PHP and a few other WordPress prerequisites. I also installed MySQL Workbench … I can’t be bothered googling for MySQL commands.

Two websites were created in IIS and two databases/service accounts were created in MySQL. I have this blog and my photography website to host. I downloaded and extracted 2 copies of the WordPress files, and configured each blog.

I’ve only migrated this site so far – the photography site will be next (more complex because of galleries). I decided against exporting the database from the old server; this was an opportunity to go with whole new versions of everything. So I did WordPress export/import. The export file was bigger than the 2 MB max so I split the export file using a free tool called WXR File Splitter. 2 MB files were too large and caused the import to timeout, so I went with 512 KB. Apparently a hack of PHP would have been an alternative, but I want to avoid hacks.

I added all my WordPress plug-ins and configured them, making sure that my advertisers were OK. And then I tested a bit. And then came the next step: switching the A records for my domain to switch to the new server. That’s the REAL test – will this server work for you.

The last steps were to configure backup. I configured a MySQLDump job to export all databases using Task Scheduler and a batch file. That backs up to a folder called Backup. I then configured an Azure Recovery Services backup Vault for Azure Online Backup. I created a 3 year 2048 bit certificate using the CA in the lab, uploaded the public key to Azure Backup, and imported the private key into the My Computer – Personal Store in the guest OS of the VM. I downloaded the Azure backup agent and configured a daily backup job to backup the Inetpub and the Backup folders. That’s the data of the two WordPress sites saved.

And that’s the lot!

There’s a new Basic VM configuration coming this week. I’ll consider migrating again to a higher spec one of those.

The one question I’ve gotten over and over is “how much does this cost?”. The answer: nothing. I’m using the benefits of my personal MSDN subscription (€75/month). The other one (which I answered in the previous post) was “Why not use an Azure web site?”. Simple: it does not offer enough disk capacity.

Technorati Tags: Azure,IIS

Azure Services For Windows Server

Microsoft likes to talk about how they are the only company offering both pubic (Azure) and private (Windows Server and System Center) cloud solutions. What about hosting partners? Can they implement Azure? In the immortal words of Vicky Pollard: no but yeah.

You can’t buy Azure appliances. They were supposed to come via the likes of Fujitsu and Dell but they never emerged. But there is another way. You can build a public cloud based on Azure Service For Windows Server, formerly Codename Katal. A lot of people actually prefer to refer to ASWS as Katal.

Uh oh! Is this yet another incomplete hosting pack from Microsoft that is forgotten almost as soon as it is released? The answer: no. This is something very important to Microsoft, as you can tell by the strategic reuse of the Azure name. As for the incomplete question: this is a pretty (not 100%) complete solution.

What do you get? Well, you get a solution that uses VMM and the Service Provider Foundation (SPF). This allows you to build a multi-tenant cloud. Sticking Katal in front of SPF gives you tenant (customer) and management (cloud admin) portals. You can build service plans for web hosting (IIS 8.0), database (MySQL and SQL Server) hosting, and IaaS (VM hosting). Those plans are then made available to tenants who can register via the externally facing tenant portal (and API – both hopefully load balanced).

The tenant experience is amazingly similar to the real Azure. This is indicative of how important this product is to Microsoft, and how it should be treated differently to past hosting “solutions”. I’ve paid near no attention to those past offerings – and I used Hyper-V and System Center in hosting! But I’m paying attention to this release.

Importantly for hosting companies, you can rebrand Katal to suit the company. The solution is mostly complete. It comes with the modular source code. You can add on extra functionality that hosting companies usually build for themselves such as:

DNS reselling – there’s a built in pack for reselling GoDaddy
Tenant onboarding – maybe you want to capture and validate payment data before completing the new customer registration
Billing – you’ll need to work with a partner or develop your own add-on for automated billing

At first you might question the lack of these features. However, most hosting companies already have these services in place and Katal will have to fit in around them.

Be careful with customization; do it on a documented and modular way so that future upgrades from Microsoft don’t break your cloud (always test before upgrades).

The Katal portals do not integrate with the real Azure.

Katal is aimed at the hosting community but I think the enterprise should pay attention too. Katal is a superb self-service portal, providing a very user-friendly essential element to the cloud recipe.

If you want to learn more then:

Go to TechNet to learn about SPF.
Read the excellent instructions on Hyper-V.nu on setting up Katal.
See the Enabling The Cloud OS site by Microsoft.
See the official documentation for Katal on TechNet.

Technorati Tags: Cloud,System Center,Hyper-V,Windows Server 2012,SQL,IIS

Windows Server 8 IIS 8 Improvements

I once worked in a hosting environment where we had many thousands of websites per physical web server host. I was witness to much of the fun with that sort of scale on IIS.

Windows Server 8 brings a lot of improvements to IIS 8, particularly for spinning up websites and SSL scalability (SSL doesn’t require dedicated IPv4 per site) and manageability (SSL certs on the file system and import via copy).

You can find out more at:

Technorati Tags: Windows Server 8,IIS

More Microsoft Downloads to Consider

Windows Server 2008: Planning for Active Directory Forest Recovery

“This guide contains best-practice recommendations for recovering an Active Directory forest, if forest-wide failure has rendered all domain controllers in the forest incapable of functioning normally”.

iSCSI Initiator Users Guide for Windows 7 and Windows Server 2008 R2

“Users Guide for the iSCSI Initiator”.

Holistic Approach to Energy Efficieny in Datacenters

“The Datacenter Efficiency whitepaper discusses Microsoft’s holistic approach”.

RD Virtualization Host Capacity Planning in Windows Server 2008 R2

“This white paper is intended as a guide for capacity planning of RD Virtualization Host in Windows Server 2008 R2”.

Microsoft Application Request Routing Version 2.5 for IIS 7 X86 & X64

“Microsoft Application Request Routing (ARR) for IIS7 is a proxy based routing module that forwards HTTP requests to application servers based on HTTP headers and server variables, and load balance algorithms. ARR Version 2.5 improves the performance and scalability of disk caching features in ARR”.

Technorati Tags: Active Directory,Windows Server 2008 R2,Virtualisation,Hyper-V,Remote Desktop Services,IIS

Dynamic IP Restrictions Extension for IIS Beta

DDOS was the topic of the week with the CAO office in Ireland being repeatedly attacked. Microsoft released a beta of a new IIS module, called Dynamic IP Restrictions Extension for IIS. The idea is that the web server will deny connection requests from detected DDOS and brute force password attackers. I don’t know how automated this is: remember that DDOS attackers tend to be botnets of infected PC’s that will have DHCP addresses on the net. I really like the brute force attack defence. I can tell you that this is a huge problem for web hosting companies; I’ve seen it myself on a pretty large shared web hosting farm. I’d like to see this followed up with similar feature for SQL: those farms present TCP 1433 naked to the net … I can hear the shrieks from enterprise DBA’s now.

This module is a very cool development from the impressive IIS group.

Reduce the chances of a Denial of Service attack by dynamically blocking requests from malicious IP addresses

Dynamic IP Restrictions for IIS allows you to reduce the probabilities of your Web Server being subject to a Denial of Service attack by inspecting the source IP of the requests and identifying patterns that could signal an attack. When an attack pattern is detected, the module will place the offending IP in a temporary deny list and will avoid responding to the requests for a predetermined amount of time.

Minimize the possibilities of Brute-force-cracking of the passwords of your Web Server

Dynamic IP Restrictions for IIS is able to detect requests patterns that indicate the passwords of the Web Server are attempted to be decoded. The module will place the offending IP on a list of servers that are denied access for a predetermined amount of time. In situations where the authentication is done against an Active Directory Services (ADS) the module is able to maintain the availability of the Web Server by avoiding having to issue authentication challenges to ADS.

Features

Seamless integration into IIS 7.0 Manager.
Dynamically blocking of requests from IP address based on either of the following criteria:

The number of concurrent requests.
The number of requests over a period of time.

Support for list of IPs that are allowed to bypass Dynamic IP Restriction filtering.
Blocking of requests can be configurable at the Web Site or Web Server level.
Configurable deny actions allows IT Administrators to specify what response would be returned to the client. The module support return status codes 403, 404 or closing the connection.
Support for IPv6 addresses.
Support for web servers behind a proxy or firewall that may modify the client IP address.

Technorati Tags: Internet,IIS,Security