Azure Backup OOTB with VM Creation

OOTB stands for Out-of-the-Box. What does Azure Backup has to do with it? Well this blogpost explains how you can protect your VM with Azure Backup at the time of its creation.

Previously when you wanted to add an Azure VM to be protected by Azure Backup, you had to created a recovery services vault and  select the desired VM or you had to allow backup through the VM Management blade. The catch here is both these options are post creation activities. In my opinion, administrators often forget to protect their Azure VMs  post creation. With this new update, we can protect our Azure VMs during it’s creation.

When you create a VM in the portal under Settings  > Configure Optional Features blade you can find the backup option now.

Here you can create a new recovery services vault or select an existing one and then create or choose an existing backup policy to backup your Azure VM.

 

 

Azure Site Recovery | New Onboarding Experience for VMWare to Azure Workloads

Microsoft has introduced a new onboarding experience with the latest update to Azure Site Recovery service for VMware to Azure  workloads. In this blogpost we are going to explore how this new experience save time when you setup your ASR infrastructure on-premises.

Open Virtualization Format (OVF) template-based configuration server deployment

Previously you had to download and install the ASR configuration server package in to a VMWare VM running a supported OS which you have created earlier. With this update you will be using a OVF template, which you can directly import in a VMWare host as a guest VM that functions as the configuration server for your ASR setup. All the necessary software, except MySQL Server 5.7.20 and VMware PowerCLI 6.0, is pre-installed in this VM template.

Below video from Microsoft ASR product team explains how you can leverage the new OVF template setup.

Web Portal for Configuration Management

With this update, Microsoft has introduced a new web portal in the configuration server. All configuration servers deployed using the OVF template will use this portal modify the following settings.

New Mobility Service Deployment model

If you are familiar with VMWare to Azure scenario in ASR, then you know the difficulties of the mobility service push deployment method for your VMware VMs. Previously this required you to open firewall rules for WMI and File and Printer Sharing services in Windows for the protected VMs. The reason being that WMI and File and Printer Sharing services were used by ASR service to push install the mobility service on the protected VMs. Not every organization allows this firewall exception in production environments.

In the latest ASR release, VMware tools will be install/update mobility services on all protected VMware VMs replacing the need to open above mentioned services in firewall rules. One thing to keep in mind is that VMware tools based mobility service installation is available only if you update your configuration servers to version 9.13. xxxx.x.

Azure Site Recovery Comprehensive Monitoring

One of the challenges I had with Azure Site Recovery is to provide a Business Continuity Dashboard experience for the IT administrators in my customer organizations. Previously I was able to achieve somewhat of this task by creating Azure Dashboards that showcase the components of the ASR environment. However Microsoft has recently introduced an out-of-the-box comprehensive monitoring dashboard experience for Azure Site Recovery. This gives full visibility into whether business continuity objectives are being met for organizations and also a failover readiness model that monitors resource availability and suggests configurations based on best practices.

What’s new in Azure Site Recovery Monitoring

Below is the new dashboard you see when you navigate to the Overview section of your recovery services vault in Azure.

  • Enhanced vault overview page – The new vault overview page features a dashboard that presents everything you need to know to understand if your business continuity objectives are being met. In addition to the information needed to understand the current health of your business continuity plan, the dashboard features recommendations based on best practices, and in-built tooling for troubleshooting issues that you may be facing.
  • Replication health model – Continuous, real time monitoring of replication health of servers based on an assessment of a wide range of replication parameters.
  • Failover readiness model – A failover readiness model based on a comprehensive checklist of configuration and disaster recovery best practices, and resource availability monitoring, to help gauge your level of disaster preparedness.
  • Simplified troubleshooting experience – Start at the vault dashboard and dive deeper using an intuitive navigational experience to get in depth visibility into individual components, and additional troubleshooting tools including a brand new dashboard for replicated machines.
  • In-depth anomaly detection tooling to detect error symptoms, and offer prescriptive guidance for remediation.

Introducing PowerShell Core 6.0

Few Days back Microsoft has announced the general availability of PowerShell Core 6.0. It is a new edition of PowerShell that enables you to work with PowerShell regardless of your operating system, be it Windows, MacOS or Linux. It’s runtime is built on top of .NET Core 2.0 and it also exposes the APIs offered by .NET Core 2.0, so that you can use the same APIs in your PowerShell scripts, cmdlets etc…

PowerShell vs. PowerShell Core

 

Below are the key differences between the two editions of PowerShell.

 

Windows PowerShell

PowerShell Core

It is the edition of PowerShell built on top of .NET Framework

(sometimes referred to as “FullCLR”):

It is the edition of PowerShell built on top of .NET Core

(sometimes simplified to “CoreCLR”).

Because of its dependency on the .NET Framework, Windows PowerShell is only available on Windows (hence the name).

PowerShell Core is launched as pwsh.exe on Windows and pwsh on macOS and Linux

The released versions of Windows PowerShell include 1.0, 2.0, 3.0, 4.0, 5.0, and 5.1.

On PowerShell Core, $PSVersionTable.PSEdition is set to Core.

Windows PowerShell is available as a built-in component in Windows client and Windows Server.

Although PowerShell Core 6.0 is cross-platform, there is also a PowerShell Core 5.0/5.1 released exclusively as part of Microsoft Nano Server.

Windows PowerShell is launched as powershell.exe.

Any usage of .NET-based functionality (e.g. C# cmdlets, Add-Type, and the invocation of static .NET Methods), relies on the .NET Core runtime. This means PowerShell Core is limited to the functionality exposed by .NET Core and .NET Standard.

On Windows PowerShell 5.0/5.1, $PSVersionTable.PSEdition is set to Desktop.

 

Any usage of .NET-based functionality (e.g. C# cmdlets, Add-Type, and the invocation of static .NET Methods), relies on the .NET Framework runtime. This means Windows PowerShell’s .NET usage is limited to the functionality exposed by the .NET Framework and .NET Standard.

 

Continues to be supported via critical bug fixes in the newest releases of Windows and Windows Server

 

 

You can Download PowerShell Core depending on your OS platform using below links.

 

PowerShell Core on Windows https://aka.ms/getps6-windows

PowerShell Core on macOS and Linux https://aka.ms/getps6-linux

Azure Stack Policy Module for Azure

When you want to deploy your services across both Azure & Azure Stack, you need to make sure that both environments has the same resources and services available. Also the resources should be compatible with each other. The Azure Stack Policy module enables the same versioning and services that Azure Stack has in your Azure subscription. This will allow you to create a new Azure Policy that limits the available resources in your Azure environment to that of Azure Stack.

Let’s see how we can achieve this with PowerShell.

Installing the Policy Module

Apply the Policy

If you want to apply the default Azure Stack policy to your Azure subscription itself, you can use the below example.

Login-AzureRmAccount
$s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
$policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
$subscriptionID = $s.Subscription.SubscriptionId
New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID

If you want to apply the policy into a particular resource group, you can execute the below snippet. This is useful when you have other Azure services running in the same Azure subscription which are not compatible with Azure Stack. Targeting a specific resource group to deploy the default Azure Stack policy will allow you to test apps that are developed for Azure Stack.

Login-AzureRmAccount
$rgName = '<resource group name>'
$s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
$policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID/resourceGroups/$rgName

Automatically Closing Old SCOM Alerts using PowerShell

If you a SCOM administrator, then you are familiar with seeing old alerts piling up in your SCOM console. No matter how much you clean up your monitoring environment, some alerts will be left over unless you manually remove them, depending on how you have configured alert resolutions.

Following PowerShell script from Microsoft SCOM blog will allow you to automatically close old SCOM alerts.The logic behind this script is, that it will traverse the active alerts and checks for alert age. If the alert age is greater than the specified number of days in the $alertsTobeClosedBefore variable, those alerts will be closed.

Remember to load the SCOM PowerShell Module before you run this script.

$alertsTobeClosedBefore = 5

$currentDate = Get-Date

Get-SCOMAlert | Where-Object {(($_.ResolutionState -ne 255) -and (($currentDate – $_.TimeRaised).TotalDays -ge $alertsTobeClosedBefore))} |Resolve-SCOMAlert

 

Deploying Dependency Agent for Service Map with Azure VM Extension

OMS Service Map solution automatically discovers application components, processes and services on Windows and Linux systems and maps the communication between them. In order to use this solution, you need to deploy the Service Map Dependency Agent for the respective OS. As you can see in the below diagram, this agent does not transmit any data by itself, but rather transmits data to the OMS agent which will then publish the data to OMS. 

Image Courtesy Microsoft Docs

Microsoft has announced the release of a new Azure VM extension that will allow you to automatically deploy the dependency agent for Service Maps. Since Service Maps supports both Windows & Linux, there are two variants of this extension. One thing you do have to remember is that the dependency agent still depends on (ah the irony) the OMS agent and your Azure VMs need to have the OMS agent installed and configured prior deploying the dependency agent. 

Installing the dependency agent with Azure VM extension (PowerShell)

Following is a PowerShell code snippet (from Microsoft) that will allow you to install the Service Map on all VMs in an Azure resource group. 

$version = "9.1"

$ExtPublisher = "Microsoft.Azure.Monitoring.DependencyAgent"

$OsExtensionMap = @{ "Windows" = "DependencyAgentWindows"; "Linux" = "DependencyAgentLinux" }

$rmgroup = "<Your Resource Group Here>"

Get-AzureRmVM -ResourceGroupName $rmgroup |

ForEach-Object {

""

$name = $_.Name

$os = $_.StorageProfile.OsDisk.OsType

$location = $_.Location

$vmRmGroup = $_.ResourceGroupName

"${name}: ${os} (${location})"

Date -Format o

$ext = $OsExtensionMap.($os.ToString())

$result = Set-AzureRmVMExtension -ResourceGroupName $vmRmGroup -VMName $name -Location $location `

-Publisher $ExtPublisher -ExtensionType $ext -Name "DependencyAgent" -TypeHandlerVersion $version

$result.IsSuccessStatusCode

}
Installing the dependency agent with Azure VM extension (ARM Template)

However Microsoft didn’t publish any official reference on to deploy the Azure VM extension for deploying the dependency agent using ARM templates (as of yet). My colleague MVP Stanislav Zhelyazkov has published a blog post on how to do this with ARM templates. You can find his reference template from GitHub.

Note

This VM extension is currently available in the West US region and Microsoft is rolling it out all Azure regions in the next couple of days.

Closing the doors to SMB v1 in Azure VMs

Remember the nasty ransomware attacks Petya & WannaCry which spread almost like a zombie apocalypse earlier this year? Millions of devices arround the world were affected with these attacks which were designed to exploit the loopholes in the good old Server Message Block version 1 (SMB v1) protocol. A lot of security experts have argued that having SMB v1 enabled in servers/PCs by default will leave the consumers vulnerable for any future attacks of this nature.

Starting this month, Azure Security Team has closed the doors for SMB v1 protocol for Windows OS images available in Azure marketplace. This means that when you deploy a VM with any of the below operating systems using an Azure marketplace image, the SMV v1 protocol is disabled by default.

  • HPC Pack 2012 R2 Compute Node with Excel on Windows Server 2012 R2
  • HPC Pack 2012 R2 on Windows Server 2012 R2
  • Windows Server 2008 R2 SP1
  • Windows Server 2012 Datacenter
  • Windows Server 2012 R2 Datacenter
  • Windows Server 2016 – Nano Server
  • Windows Server 2016 Datacenter
  • Windows Server 2016 Datacenter – with Containers
  • [HUB] Windows Server 2008 R2 SP1
  • [HUB] Windows Server 2012 Datacenter
  • [HUB] Windows Server 2012 R2 Datacenter
  • [HUB] Windows Server 2016 Datacenter
  • [smalldisk] Windows Server 2008 R2 SP1
  • [smalldisk] Windows Server 2012 Datacenter
  • [smalldisk] Windows Server 2012 R2 Datacenter
  • [smalldisk] Windows Server 2016 Datacenter

This doesn’t mean that you can turn a blind eye to your existing Windows VMs in Azure. If you haven’t already disabled SMB v1 in those, you can refer this TechNet article to learn how to do so. Regardless of where your servers and PCs are deployed (cloud or on-premises) Microsoft strongly recommend you to disable SMB v1 protocol. 

OK what about Linux ?

The Samba service which enables the SMB protocol in Linux VMs is not installed by default in any Azure Linux gallery image. If you install this service later on once you have provisioned a VM vulnerability report CVE-2017-7494 need to be taken into consideration to there are any threats that you should be alarmed of. This explains the vulnerabilities in Samba 3.5 and onward where as the current version is  4.6.7. However it is always recommend to update to the latest version as soon as possible. 

Do I need to use SMB v1 ever ?

SMB v1 has been superseded by SMB v2 & V3 a long back. These versions are inherently more secure than the v1 of SMB protocol. However there are dozens of products out there which still leverages the SMB v1 protocol. This TechNet article lists out most of the products that still leverage SMB v1 at some point of their current life cycle.

 

 

Integrating OMS Service Map with SCOM

OMS Service Map solution is capable of automatically discovering dependencies of application components in Windows & Linux servers to map the communication flow between your business services. It maps connections between servers, processes, and ports across any TCP-connected server in your datacentre. With this solution you won’t have to configure anything besides installing an agent. Microsoft has recently released a public preview version of Service Map management pack which allows you to automatically create distributed application dashboards in SCOM based on the dynamic dependency maps generated in Service Map solution. In my opinion this is a very valuable integration as organizations that use SCOM as their main monitoring tool can leverage the dynamic application dependency monitoring capabilities of OMS, where as is past they had to rely on third party tools to visualize such. 

What is inside the Service Map MP ?

Like every other management pack you need to first import the Service Map MP into SCOM. When you import the Service Map MP (Microsoft.SystemCenter.ServiceMap.mpb) following dependent MPs will be installed in your SCOM management server/s. 

  • Microsoft Service Map Application Views
  • Microsoft System Center Service Map Internal
  • Microsoft System Center Service Map Overrides
  • Microsoft System Center Service Map

This management pack is compatible with both SCOM 2016 & 2012 R2 versions.

Known Limitations of the Public Preview

In the beginning of this post I have mentioned that this MP is still in preview and hence there are few issues and limitations with it as of now. I’m not sure whether Microsoft is going to address or change the behaviour some of these when the MP releases GA, specifically the limitations around updating the diagram views in SCOM console.

  • One management group can be integrated with only one OMS workspace.
  • Adding servers to the Service Map Servers Group manually won’t immediately sync those with service maps as they will be synced from Service Map during the next synchronization schedule. 
  • Making changes to the Distributed Application Diagrams created by this MP is not useful. Because these changes will be overwritten by the Service Maps solution in the next synchronization schedule.

If you are interested in trying out this new MP, following resources might come in handy.

File Recovery Error in Azure Backup

While trying to perform an in-place file restore in an Azure VM using Azure Backup, I have encountered an execution error. Azure Backup leverages a PowerShell script to mount the volumes of a Protected VM. In my case the following error was encountered when I executed the recovery script.

Microsoft Azure VM Backup - File Recovery
______________________________________________
Invoke-WebRequest : <HTML><HEAD><TITLE>Error Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<BODY>
<TABLE><TR><TD id=L_dt_1><B>Network Access Message: The page cannot be displayed<B></TR></TABLE>
<TABLE><TR><TD height=15></TD></TR></TABLE>
<TABLE>
<TR><TD id=L_dt_2>Technical Information (for Support personnel)
<UL>
<LI id=L_dt_3>Error Code: 407 Proxy Authentication Required. Forefront TMG requires authorization to fulfill the
request. Access to the Web Proxy filter is denied. (12209)
<LI id=L_dt_4>IP Address: 10.31.8.16
<LI id=L_dt_5>Date: 8/8/2017 11:53:42 PM [GMT]
<LI id=L_dt_6>Server: XXXX.ab.abc.net
<LI id=L_dt_7>Source: proxy
</UL></TD></TR></TABLE></BODY></HTML>
At C:\Users\whewes_adm\Desktop\ILRPowershellScript.ps1:101 char:12
+ $output=Invoke-WebRequest -Uri "https://download.microsoft.com/download/E/1/4 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
 eption
 + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Invoke-WebRequest : <HTML><HEAD><TITLE>Error Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<BODY>
<TABLE><TR><TD id=L_dt_1><B>Network Access Message: The page cannot be displayed<B></TR></TABLE>
<TABLE><TR><TD height=15></TD></TR></TABLE>
<TABLE>
<TR><TD id=L_dt_2>Technical Information (for Support personnel)
<UL>
<LI id=L_dt_3>Error Code: 407 Proxy Authentication Required. Forefront TMG requires authorization to fulfill the
request. Access to the Web Proxy filter is denied. (12209)
<LI id=L_dt_4>IP Address: 10.31.8.16
<LI id=L_dt_5>Date: 8/8/2017 11:53:42 PM [GMT]
<LI id=L_dt_6>Server: XXXX.ab.abc.net
<LI id=L_dt_7>Source: proxy
</UL></TD></TR></TABLE></BODY></HTML>
At C:\Users\whewes_adm\Desktop\ILRPowershellScript.ps1:102 char:12
+ $output=Invoke-WebRequest -Uri "https://download.microsoft.com/download/E/1/4 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
 eption
 + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Unable to access the recovery point. Please make sure that you have enabled access to Azure public IP addresses on the
outbound port 3260 and 'https://download.microsoft.com/'

One thing I noticed was it was complaining about outbound access to Azure public IP addresses on port 3260. The VMs were connected to on-premises environment via a dedicated ExpressRoute circuit so there were no issues with white listing Azure public IP addresses according to my knowledge. Also there were no NSGs controlling the traffic in the subnet where this VM was deployed.

I had a look on another server that is running in a VMware cluster on-premises and noticed that there is a HTTP proxy present in the environment. Once I have added the proxy settings in the VM , I could execute the recovery script without any hassle. 

The article “Prepare your environment to back up Azure virtual machines” published in the Microsoft documentation, explains the required network configuration for Azure Backup in case your environment has policies governing outbound Internet connectivity. Therefore I recommend you to have a look on that first before planning your Azure Backup deployment to protect Azure VMs.