Azure Backup MARS Agent System State Support is GA

Microsoft announced last week that they made support for backing up system state using the MARS agent generally available.

System State backup was one of those “I must have this” features that I’ve been hearing about for 3+ years. Today it’s there – update your version of the MARS agent and you’ll have it.

With this added backup, you can protect metadata:

  • Active Directory: Backup your AD so you can do DC recoveries.
  • File Servers: It’s nice being bale to restore files & folders, but what about the shares?
  • IIS Web Servers: Protect that IIS Metabase.

Adding System State to your backup policy is easy; either start a new schedule (new MARS installations) or edit the existing schedule. System State will appear in the Add Items box. Select System State and complete the wizard. It’s easy … the way backup should be!

Was This Post Useful?

If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in Amsterdam on April 19-20, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here.

“Install-WindowsFeature : An unexpected error has occurred” Error When You Run Install-WindowsFeature In A Windows Server Container

This is one of those issues that makes me question a lot of step-by-step blog posts on Windows Server Containers that are out there – plenty of people were quick to publish guides on containers and didn’t mention encountering this issue which I always encounter; I suspect that there’s a lot of copy/pasting from Microsoft sites with little actual testing in a rush to be first to publish. It’s clear that many bloggers didn’t try to install things in a container that required administrator rights, because UAC was blocking those actions. In my case, it was installing IIS in a Windows Server 2016 (WS2016) Technical Preview 3 (TPv3) container.

In my lab, I created a new container and then logged in using the following (I had already populated $Container by  returning the container object into the variable):

Enter-PSSession -ContainerId $Container.ContainerId -RunAsAdministrator

And then I tried to install some role/feature, such as IIS using Install-WindowsFeature:

Install-WindowsFeature -Name Web-Server

I logged in using -RunAsAdministrator so I should have no issues with UAC, right? Wrong! Because the installation fails as follows:

Install-WindowsFeature : An unexpected error has occurred. The system cannot find the file specified.  Error: 0x80070002
+ CategoryInfo          : InvalidResult: (@{Vhd=; Credent…Name=localhost}:PSObject) [Install-WindowsFeature], Exception
+ FullyQualifiedErrorId : RegistryKey_OpenSubKey_Failed,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand


What’s the solution? When you are remoted into the container you need to raise your administrator privileges to counter UAC. You can do this as follows, after you log into the container:

Start-Process Powershell.exe -Verb runAs

Run Install-WindowsFeature now and it will complete.



Note: I have found in my testing that IIS behaves poorly in TPv3. This might be why Microsoft’s getting started guides on MSDN use nginx web server instead of IIS! I’ve confirmed that nginx works perfectly well.

Microsoft News Summary – 8 October 2014

Welcome to today’s cloud-heavy Microsoft news compilation.

Windows Server


Windows Client


  • Introducing the Azure Automation Runbook Gallery: The time it takes to create functional, polished runbooks is a little faster thanks to the new Azure Automation Runbook Gallery.
  • More Changes to Azure by Scott Guthrie: Including support for static private IP support in the Azure Preview Portal, Active Directory authentication, PowerShell script converter, runbook gallery, hourly scheduling support.
  • Microsoft Certification Test Tool Preview for Azure Certified: The Microsoft Certification Test Tool for Azure Certified is designed to provide an assessment of compliance to technical requirements as part of the Azure Certified program. The test tool includes a wizard style automated section and questionnaire section to assess characteristics of a Virtual Machine image running in Microsoft Azure and generate results logs. More information on the Azure Certified program is available.
  • Announcing Support for Backup of Windows Server 2008 with Azure Backup: Due to feedback. Please note that this is x64 only and that there are system requirements.
  • Hybrid Connection Manager ClickOnce Application: ClickOnce installer for the Hybrid Connection Manager.
  • D-Series Performance Expectations: The new D-Series VMs provide great performance for applications needing fast, local (ephemeral) storage or a faster CPU; however, it’s important to understand a little about how the system is configured to ensure you’re getting an optimal experience.
  • Cloud App Discovery – Now with Excel and PowerBI Support: One of the top customer requests was to be able to perform analytics on the data collected in tools like Excel and PowerBI. Now you can take cloud app discovery data offline and explore and analyze the data with tools you already know–Excel and PowerBI.
  • A new region will open in India by the end of 2015: It makes sense; there are 1 billion people and some big corporations there.
  • Microsoft Azure Speed Test: Which Azure region is closest to you (remember that Internet geography is different to the planet’s geography. For example, where I work is a few miles from Europe North (Dublin), but the test shows me that Europe West provides me with lower latency (beaten, obviously, by CDN). My own testing using Azure Traffic Manager with geo-dispersed websites has verified this.


Office 365


Microsoft News Summary – 15 August 2014

Here’s the latest from the last 24 hours:

Microsoft News Summary – 7 August 2014

Very little happening. These quiet times are great for rumours.

Oh – and don’t use Generation 2 virtual machines on WS2012 R2 Hyper-V.

How My New Azure VM Web Server Is Configured

Following yesterday’s “I’ve moved to Azure” post, I decided to write a bit more about what I’ve done. For obvious reasons, I will not get into deep specifics.

The first step was to create a cloud service. Each cloud service in Azure should be seen as an external point of contact … a public IP address if you want to think of it that way.

I then created a single subnet virtual network.

A storage blob was created in Azure to store the VHD files of the new virtual machine.

A small spec VM (single core, 1.7 GB RAM) was created. An endpoint was created for HTTP in the Azure portal to allow incoming web traffic. I don’t need HTTPS and I don’t use the FTP functionality of WordPress.

I then created a WS2012 R2 Datacenter virtual machine. I configured patching using GPEDIT.MSC, and a few other things. I added IIS and ran the Web Platform Installer to install MySQL, PHP and a few other WordPress prerequisites. I also installed MySQL Workbench … I can’t be bothered googling for MySQL commands.

Two websites were created in IIS and two databases/service accounts were created in MySQL. I have this blog and my photography website to host. I downloaded and extracted 2 copies of the WordPress files, and configured each blog.

I’ve only migrated this site so far – the photography site will be next (more complex because of galleries). I decided against exporting the database from the old server; this was an opportunity to go with whole new versions of everything. So I did WordPress export/import. The export file was bigger than the 2 MB max so I split the export file using a free tool called WXR File Splitter. 2 MB files were too large and caused the import to timeout, so I went with 512 KB. Apparently a hack of PHP would have been an alternative, but I want to avoid hacks.

I added all my WordPress plug-ins and configured them, making sure that my advertisers were OK. And then I tested a bit. And then came the next step: switching the A records for my domain to switch to the new server. That’s the REAL test – will this server work for you.

The last steps were to configure backup. I configured a MySQLDump job to export all databases using Task Scheduler and a batch file. That backs up to a folder called Backup. I then configured an Azure Recovery Services backup Vault for Azure Online Backup. I created a 3 year 2048 bit certificate using the CA in the lab, uploaded the public key to Azure Backup, and imported the private key into the My Computer – Personal Store in the guest OS of the VM. I downloaded the Azure backup agent and configured a daily backup job to backup the Inetpub and the Backup folders. That’s the data of the two WordPress sites saved.

And that’s the lot!

There’s a new Basic VM configuration coming this week. I’ll consider migrating again to a higher spec one of those.

The one question I’ve gotten over and over is “how much does this cost?”. The answer: nothing. I’m using the benefits of my personal MSDN subscription (€75/month). The other one (which I answered in the previous post) was “Why not use an Azure web site?”. Simple: it does not offer enough disk capacity.

Technorati Tags: ,

Azure Services For Windows Server

Microsoft likes to talk about how they are the only company offering both pubic (Azure) and private (Windows Server and System Center) cloud solutions.  What about hosting partners?  Can they implement Azure?  In the immortal words of Vicky Pollard: no but yeah.

You can’t buy Azure appliances.  They were supposed to come via the likes of Fujitsu and Dell but they never emerged.  But there is another way.  You can build a public cloud based on Azure Service For Windows Server, formerly Codename Katal.  A lot of people actually prefer to refer to ASWS as Katal.

Uh oh!  Is this yet another incomplete hosting pack from Microsoft that is forgotten almost as soon as it is released?  The answer: no.  This is something very important to Microsoft, as you can tell by the strategic reuse of the Azure name.  As for the incomplete question: this is a pretty (not 100%) complete solution.

What do you get?  Well, you get a solution that uses VMM and the Service Provider Foundation (SPF). This allows you to build a multi-tenant cloud.  Sticking Katal in front of SPF gives you tenant (customer) and management (cloud admin) portals.  You can build service plans for web hosting (IIS 8.0), database (MySQL and SQL Server) hosting, and IaaS (VM hosting).  Those plans are then made available to tenants who can register via the externally facing tenant portal (and API – both hopefully load balanced).

The tenant experience is amazingly similar to the real Azure.  This is indicative of how important this product is to Microsoft, and how it should be treated differently to past hosting “solutions”.  I’ve paid near no attention to those past offerings – and I used Hyper-V and System Center in hosting!  But I’m paying attention to this release.

Importantly for hosting companies, you can rebrand Katal to suit the company.  The solution is mostly complete.  It comes with the modular source code.  You can add on extra functionality that hosting companies usually build for themselves such as:

  • DNS reselling – there’s a built in pack for reselling GoDaddy
  • Tenant onboarding – maybe you want to capture and validate payment data before completing the new customer registration
  • Billing – you’ll need to work with a partner or develop your own add-on for automated billing

At first you might question the lack of these features.  However, most hosting companies already have these services in place and Katal will have to fit in around them.

Be careful with customization; do it on a documented and modular way so that future upgrades from Microsoft don’t break your cloud (always test before upgrades).

The Katal portals do not integrate with the real Azure.

Katal is aimed at the hosting community but I think the enterprise should pay attention too.  Katal is a superb self-service portal, providing a very user-friendly essential element to the cloud recipe.

If you want to learn more then:

Windows Server 8 IIS 8 Improvements

I once worked in a hosting environment where we had many thousands of websites per physical web server host.  I was witness to much of the fun with that sort of scale on IIS.

Windows Server 8 brings a lot of improvements to IIS 8, particularly for spinning up websites and SSL scalability (SSL doesn’t require dedicated IPv4 per site) and manageability (SSL certs on the file system and import via copy).

You can find out more at:

Technorati Tags: ,

More Microsoft Downloads to Consider

Windows Server 2008: Planning for Active Directory Forest Recovery

“This guide contains best-practice recommendations for recovering an Active Directory forest, if forest-wide failure has rendered all domain controllers in the forest incapable of functioning normally”.

iSCSI Initiator Users Guide for Windows 7 and Windows Server 2008 R2

“Users Guide for the iSCSI Initiator”.

Holistic Approach to Energy Efficieny in Datacenters

“The Datacenter Efficiency whitepaper discusses Microsoft’s holistic approach”.

RD Virtualization Host Capacity Planning in Windows Server 2008 R2

“This white paper is intended as a guide for capacity planning of RD Virtualization Host in Windows Server 2008 R2”.

Microsoft Application Request Routing Version 2.5 for IIS 7 X86 & X64

“Microsoft Application Request Routing (ARR) for IIS7 is a proxy based routing module that forwards HTTP requests to application servers based on HTTP headers and server variables, and load balance algorithms. ARR Version 2.5 improves the performance and scalability of disk caching features in ARR”.

Dynamic IP Restrictions Extension for IIS Beta

DDOS was the topic of the week with the CAO office in Ireland being repeatedly attacked.  Microsoft released a beta of a new IIS module, called Dynamic IP Restrictions Extension for IIS.  The idea is that the web server will deny connection requests from detected DDOS and brute force password attackers.  I don’t know how automated this is: remember that DDOS attackers tend to be botnets of infected PC’s that will have DHCP addresses on the net.  I really like the brute force attack defence.  I can tell you that this is a huge problem for web hosting companies; I’ve seen it myself on a pretty large shared web hosting farm.  I’d like to see this followed up with similar feature for SQL: those farms present TCP 1433 naked to the net … I can hear the shrieks from enterprise DBA’s now. 

This module is a very cool development from the impressive IIS group.

Reduce the chances of a Denial of Service attack by dynamically blocking requests from malicious IP addresses

Dynamic IP Restrictions for IIS allows you to reduce the probabilities of your Web Server being subject to a Denial of Service attack by inspecting the source IP of the requests and identifying patterns that could signal an attack. When an attack pattern is detected, the module will place the offending IP in a temporary deny list and will avoid responding to the requests for a predetermined amount of time.

Minimize the possibilities of Brute-force-cracking of the passwords of your Web Server

Dynamic IP Restrictions for IIS is able to detect requests patterns that indicate the passwords of the Web Server are attempted to be decoded. The module will place the offending IP on a list of servers that are denied access for a predetermined amount of time. In situations where the authentication is done against an Active Directory Services (ADS) the module is able to maintain the availability of the Web Server by avoiding having to issue authentication challenges to ADS.


  • Seamless integration into IIS 7.0 Manager.
  • Dynamically blocking of requests from IP address based on either of the following criteria:
    • The number of concurrent requests.
    • The number of requests over a period of time.
  • Support for list of IPs that are allowed to bypass Dynamic IP Restriction filtering.
  • Blocking of requests can be configurable at the Web Site or Web Server level.
  • Configurable deny actions allows IT Administrators to specify what response would be returned to the client. The module support return status codes 403, 404 or closing the connection.
  • Support for IPv6 addresses.
  • Support for web servers behind a proxy or firewall that may modify the client IP address.
Technorati Tags: ,,