IT Consultant Everyday Notes

Just some problems/solutions storage

Category Archives: Azure

Azure: Clone VSTS Git repository to Visual Studio failed with error 400

I recently started to play with Azure deployments via Visual Studio Team Services (VSTS). The idea is to have source control for my ARM templates and keep my projects nice and tidy in one place.

I saw James Bannan present this approach at the IT/DEV 2017 conference and liked it. Unfortunately, it is not clearly documented, or maybe I just cannot find the proper information since I am not a developer.

Anyway, I integrated my Visual Studio 2017 with VSTS; that created a Git instance for me. From the VSTS portal I created a new project and tried to clone it to my VS2017. It failed miserably with error 400.

Resolution: it turned out the clone process does not like spaces in the project name. Fortunately there is a workaround I found here (the linked post describes a similar issue with cloning from TFS, but since the issue is actually on the VS side it works for VSTS too). You basically need to cancel the cloning in the VS window and select "Clone Repository" from the Project section. This replaces the spaces in the URL with %20, and in that case the clone finishes successfully.


Classic Azure AD Portal Access for CSP subscriptions

By default, CSP users are out of luck: the Classic portal is not available to them. But the Classic portal may still be necessary. Here is a workaround: https://dirteam.com/sander/2017/07/03/creating-an-mfa-provider-when-you-have-csp-or-dreamspark/

Azure: Azure AD Application Proxy. Kerberos issue

One of my Customers asked about MFA for his on-prem Outlook. I offered several solutions, one of them being to publish the OWA site via Azure AD Application Proxy and pre-authenticate with Azure AD and MFA.

To be sure the configuration would work, I built a lab and tried to configure SSO with Integrated Windows Authentication (IWA).

This configuration requires Kerberos Constrained Delegation (KCD) to be configured in Active Directory: delegation has to be set in the Properties of the machine where the Azure AD Application Proxy Connector is installed.

Everything looked easy on paper, but when I tried it in the Active Directory Users and Computers MMC I received a nice error: "The server is unwilling to process the request"

After unsuccessful googling I opened a case with Microsoft: that was a brand new domain with just a couple of servers, and I definitely expected everything to work out of the box.

After a couple of days of troubleshooting, the only solution MS suggested was to use the Active Directory Administrative Center instead of the MMC. Even with that, the first attempt failed with "Unknown error". After the Center was restarted we could finally configure the delegation. No root cause was found.
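A third way to set the same delegation, which sidesteps both GUI tools, is the ActiveDirectory PowerShell module. The script below is an added example and not part of the original post: it assumes the RSAT ActiveDirectory module, a connector computer account named CONNECTOR01 and an OWA SPN of HTTP/owa.contoso.local (both hypothetical), and rights to edit the computer object. It sets exactly what the Delegation tab does for App Proxy (constrained delegation to one SPN with protocol transition) and then reads the result back so you can confirm the account did not end up with unconstrained delegation.

```powershell
# Added example, not from the post. Assumes the RSAT ActiveDirectory module and
# hypothetical names CONNECTOR01 (connector machine) and HTTP/owa.contoso.local (OWA SPN).
Import-Module ActiveDirectory

$Connector = 'CONNECTOR01'             # Azure AD Application Proxy connector computer
$TargetSpn = 'HTTP/owa.contoso.local'  # SPN of the published OWA site

# 1. Constrained delegation: the connector may delegate to this SPN and nothing else.
Set-ADComputer -Identity $Connector -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }

# 2. App Proxy authenticates the user itself (Azure AD + MFA), so the connector needs
#    protocol transition ("Use any authentication protocol" in the GUI), not Kerberos-only.
Get-ADComputer -Identity $Connector | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 3. Verify. TrustedToAuthForDelegation must be True and the SPN list should contain only
#    the service you really publish. TrustedForDelegation = True would mean UNconstrained
#    delegation, which is not what you want for an internet-facing connector.
Get-ADComputer -Identity $Connector -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

If the LDAP write in step 1 fails with the same "unwilling to process" error, the problem is on the directory side rather than in the MMC, which narrows the case you open with Microsoft.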

Azure: How to configure MFA when Classic Portal is not available

My company provides CSP Azure subscriptions for our Customers. To make life more exciting, Microsoft removed Classic Portal support from CSP, so we can use the new and shiny ARM-based portal only.

When the time comes to configure Azure AD, the fun begins. The Azure AD node is available in the new portal as 'preview' and misses some features of the old portal. Recently I had fun with license assignment; today I needed to assign MFA to accounts. Fun, fun, fun...

Anyway, as in the first case, office.portal.com helped. This portal is available for CSP and has some of the features missing from the classic portal. For example, to add MFA to a user:

1. Start office.portal.com

2. Go to Users -> Active Users

3. Click 'More'

4. Click "Setup Azure Multi-factor auth". That will open the MFA portal for you

5. Configure MFA for a user, or for users in bulk
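When you have more than a handful of accounts, the same per-user MFA setting can be applied from PowerShell without any portal at all. The script below is an added example, not from the post: it assumes the MSOnline module (Install-Module MSOnline), a tenant admin account, and a CSV with a UserPrincipalName column whose path is a made-up sample; the user principal names it produces are whatever your CSV contains.

```powershell
# Added example, not from the post. Assumes the MSOnline module is installed and the
# caller is a tenant admin; .\mfa-users.csv is a hypothetical input file.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    # One StrongAuthenticationRequirement = "MFA enabled for all relying parties"
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'          # 'Enforced' skips the user's grace period
    foreach ($upn in $UserPrincipalName) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
    }
}

function Get-PerUserMfaState {
    # Per-user report; an empty requirements list means MFA is not enabled at all
    Get-MsolUser -All | Select-Object UserPrincipalName, @{
        Name       = 'MfaState'
        Expression = {
            if ($_.StrongAuthenticationRequirements) { $_.StrongAuthenticationRequirements[0].State }
            else { 'Disabled' }
        }
    }
}

# Bulk: enable MFA for every UPN listed in the (hypothetical) CSV, then review the tenant
$users = Import-Csv -Path .\mfa-users.csv | Select-Object -ExpandProperty UserPrincipalName
Enable-PerUserMfa -UserPrincipalName $users
Get-PerUserMfaState | Sort-Object MfaState | Format-Table -AutoSize
```

The report at the end is the useful part for an audit: any admin account still showing Disabled stands out immediately.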

Azure: Use SAS token as a parameter

I recently bumped into an issue trying to pass a Shared Access Signature (SAS) token to my ARM template to be able to connect sub-templates securely. Even though the SAS token looked perfectly fine in PowerShell, the New-AzureRMDeployment cmdlet failed with the following error:

Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The provided value for the template parameter '_artifactsLocationSasToken'.

I tried both securestring and string, no luck. A colleague of mine, Jules Ouellette, helped me with a solution: the token is generated as an object and must be converted to a string before passing it as a parameter:

_artifactsLocationSastoken = $artifactslocationsastoken.toString()

After that conversion the token was successfully accepted as a parameter.
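Putting the whole flow together, here is how the token can be generated, forced to a plain string, and handed to the deployment. This is an added example, not the post's code: it assumes the AzureRM modules and a logged-in session, and the resource group, storage account, container and template file names are hypothetical. The helper goes slightly beyond the post's one-liner by also unwrapping a SecureString, so the value passed is a string whichever form the token arrived in.

```powershell
# Added example, not from the post. Assumes AzureRM modules and Login-AzureRmAccount done;
# rg-deploy, deployartifacts01, templates and .\azuredeploy.json are hypothetical names.
$ResourceGroup  = 'rg-deploy'
$StorageAccount = 'deployartifacts01'
$Container      = 'templates'

function ConvertTo-SasString {
    # Return the token as a System.String regardless of how it was produced
    param([Parameter(Mandatory)]$Token)
    if ($Token -is [System.Security.SecureString]) {
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Token)
        try     { return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
        finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    }
    return $Token.ToString()   # the conversion from the post
}

$ctx = (Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Context

# Least privilege for linked templates: read-only on one container, short lifetime,
# and a small negative start offset to absorb clock skew between you and the service.
$rawToken = New-AzureStorageContainerSASToken -Context $ctx -Name $Container `
    -Permission r -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(2)

$sasToken = ConvertTo-SasString -Token $rawToken
if ($sasToken -notlike '?sv=*') { throw "Unexpected SAS token format: $sasToken" }

$params = @{
    _artifactsLocation         = "https://$StorageAccount.blob.core.windows.net/$Container"
    _artifactsLocationSasToken = $sasToken   # declared as securestring in the template
}

New-AzureRmResourceGroupDeployment -ResourceGroupName $ResourceGroup `
    -TemplateFile .\azuredeploy.json -TemplateParameterObject $params -Verbose
```

Inside the template the linked template URI is then built as concat(parameters('_artifactsLocation'), '/nested/child.json', parameters('_artifactsLocationSasToken')), so the token never has to appear in a parameters file that gets committed to source control.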

Azure: Migrated VM cannot start with 0x000000e

I recently migrated some VMs to Azure for one of my Customers. The VMs were in production and the Customer was not ready to switch the IP address to DHCP before migration. Unfortunately neither ASR nor MVMC was an option, so I settled on the Disk2VHD tool by Mark Russinovich, followed by the PowerShell Add-AzureVHD cmdlet for the VHD upload.

To speed up the process I connected an empty virtual disk to the machine being migrated and saved the VHD on it. After the VHD was captured by the tool, I mounted it and edited the registry to enable DHCP on its network adapter.

That was a mistake (I found that out the hard way, after several hours of uploading the VHD to Azure). The VM built from the VHD failed to start. Fortunately we can now see Boot Diagnostics, so I found the VM failed with:

Status: 0x000000e

Info: The boot selection failed because a required device is inaccessible.

The internet brought nothing about VM migration to Azure with such an error.

I finally found an article from Mark himself where he described exactly the scenario I had (except the migration to Azure). The main point: never open a captured VHD on the same machine where the source disk is. That breaks the disk signature on the VHD and it becomes unbootable.

Fortunately, Mark described how to fix the signature.

1. Mount the VHD in Disk Manager (it should give its volumes letters, since there is no signature conflict at that point)

2. Load the BCD hive (located under the hidden \Boot folder in the root of one of the volumes) into regedit

3. Search for "Windows Boot Manager"

4. Open key 11000001 under the same Elements

5. Double-click the Element reg value in this key and look at offset 0x38. We need the first four bytes

6. Write down the bytes in reverse order (last byte first, third one after that, then the second one and the first byte). For example, if the first four bytes at offset 0x38 are 38 d5 5C C0, your disk signature will be c05cd538

7. Unload the hive and close regedit

8. Start the Diskpart tool and select the disk you are fixing

9. Invoke the DISKPART command: uniqueid disk id=c05cd538 (change the signature to yours). At this point you should see the VHD going offline in Disk Manager due to a signature conflict with the source drive. This is expected; do not bring it online

10. Unmount the VHD

At this point the disk signature should be fixed and disk is expected to be bootable again.
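Steps 2 to 7 are easy to get wrong by hand (the byte order in particular), so here is an added example, not from the post or from Mark's article, that reads the signature out of the BCD hive and prints the DISKPART command to run. It assumes an elevated PowerShell session, that the mounted VHD's system volume got drive letter F: (hypothetical), and the standard BCD element ids 12000004 (description) and 11000001 (application device); the 0x38 offset is the one the post gives. The self-check uses the post's own sample bytes.

```powershell
# Added example, not from the post. Assumes an elevated session and that the VHD's
# system volume is F: (hypothetical). Element ids 12000004/11000001 are the standard
# BCD "description" and "application device" elements; 0x38 is the offset from the post.
$BootVolume = 'F:'
$HiveName   = 'BCDTemp'

function Get-DiskSignatureFromElement {
    param([Parameter(Mandatory)][byte[]]$Element, [int]$Offset = 0x38)
    if ($Element.Length -lt $Offset + 4) { throw "Element is only $($Element.Length) bytes" }
    # The signature is stored little-endian: reverse the four bytes for the printable form
    $bytes = $Element[$Offset..($Offset + 3)]
    [array]::Reverse($bytes)
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

# Constructed self-check with the bytes from step 6 of the post: 38 d5 5c c0 -> c05cd538
$sample = New-Object byte[] 0x40
[Array]::Copy([byte[]](0x38, 0xd5, 0x5c, 0xc0), 0, $sample, 0x38, 4)
if ((Get-DiskSignatureFromElement -Element $sample) -ne 'c05cd538') { throw 'self-check failed' }

# Step 2: load the hive from the hidden \Boot folder
& reg.exe load "HKLM\$HiveName" "$BootVolume\Boot\BCD" | Out-Null
try {
    # Step 3: find the object whose description element reads "Windows Boot Manager"
    $bootMgr = Get-ChildItem "HKLM:\$HiveName\Objects" | Where-Object {
        (Get-ItemProperty -Path "$($_.PSPath)\Elements\12000004" -ErrorAction SilentlyContinue).Element -eq 'Windows Boot Manager'
    } | Select-Object -First 1
    if (-not $bootMgr) { throw 'Windows Boot Manager object not found in BCD' }

    # Steps 4-6: read the device element 11000001 and compute the signature
    $device    = (Get-ItemProperty -Path "$($bootMgr.PSPath)\Elements\11000001").Element
    $signature = Get-DiskSignatureFromElement -Element $device
    "Disk signature stored in BCD : $signature"
    "DISKPART command to apply    : uniqueid disk id=$signature"
}
finally {
    # Step 7: unload the hive even on failure, otherwise the VHD stays locked
    [GC]::Collect()
    & reg.exe unload "HKLM\$HiveName" | Out-Null
}
```

The script only reads; applying the signature is still the DISKPART step from the list above, which is deliberate because that is the moment the VHD goes offline on the host.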

Azure: Regional Data Center is not available for resource deployment

Recently Microsoft made the Canadian data centres available and I tried to put some workload there.

I tried to create a Resource Group and found out that Canada Central was not an available region to place the RG in.

After googling/troubleshooting I found that the Microsoft.Compute provider must be re-registered for my Azure subscription. So I did it from PowerShell:

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Compute

After some time the Canadian region appeared for Resource Group, Storage Account and VM resources. But when I tried to add a VNet to the RG, Canada Central was not available for that resource either.

After some troubleshooting with the help of Microsoft, it turned out that Microsoft.Network had to be re-registered too:

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

Lesson learnt: if anything else is not available for my region, I probably need to find a resource provider to re-register.
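Rather than discovering the missing providers one failed deployment at a time, you can ask each provider which resource types already list the region and re-register the ones that are behind. The script below is an added example, not from the post: it assumes the AzureRM module and a logged-in session (Login-AzureRmAccount); the region name is the one from the post, and the default provider list is my choice.

```powershell
# Added example, not from the post. Assumes the AzureRM module and Login-AzureRmAccount.
function Get-ProviderRegionStatus {
    param(
        [Parameter(Mandatory)][string]$Location,
        [string[]]$ProviderNamespace = @('Microsoft.Compute', 'Microsoft.Network', 'Microsoft.Storage')
    )
    foreach ($ns in $ProviderNamespace) {
        $entries = @(Get-AzureRmResourceProvider -ProviderNamespace $ns)
        if (-not $entries) { Write-Warning "Provider $ns not found"; continue }
        # Collect resource types whose Locations list does not contain the region
        $missing = foreach ($entry in $entries) {
            foreach ($rt in $entry.ResourceTypes) {
                if ($rt.Locations -notcontains $Location) { $rt.ResourceTypeName }
            }
        }
        [pscustomobject]@{
            Namespace          = $ns
            RegistrationState  = $entries[0].RegistrationState
            TypesMissingRegion = ($missing -join ', ')
        }
    }
}

function Register-MissingProvider {
    # Re-register providers that are not registered or that do not yet offer the region
    param([Parameter(Mandatory)][string]$Location, [string[]]$ProviderNamespace)
    $args = @{ Location = $Location }
    if ($ProviderNamespace) { $args.ProviderNamespace = $ProviderNamespace }
    Get-ProviderRegionStatus @args |
        Where-Object { $_.RegistrationState -ne 'Registered' -or $_.TypesMissingRegion } |
        ForEach-Object {
            "Registering $($_.Namespace) (state: $($_.RegistrationState))"
            Register-AzureRmResourceProvider -ProviderNamespace $_.Namespace | Out-Null
        }
}

Get-ProviderRegionStatus -Location 'Canada Central' | Format-Table -AutoSize
Register-MissingProvider -Location 'Canada Central'
# Registration is asynchronous: run Get-ProviderRegionStatus again after a few minutes
```

Registering a provider that is already registered is harmless, so the check-then-register pattern can be run from a deployment pipeline before the first deployment into a new region.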

Azure: Amazon-Azure feature comparison

Microsoft published it here: https://azure.microsoft.com/en-us/campaigns/azure-vs-aws/mapping/

Remember that both platforms are constantly changing.

Azure: How to save drive letters during Azure Site Recovery (ASR)?

Update: Article is working for Classic ASR only. For Enhanced ASR Microsoft added the policy to the recovered machine automatically, so you do not need to tweak the policy in on-prem machine.


By setting the SAN policy to "OnlineAll", you can make sure that the drive letter is maintained when the virtual machine starts to run in Azure (i.e. you will have drive D: assigned to your drive and the Azure scratch disk will be at the end).
To view the current SAN policy from the guest system, follow these steps:

  1. On the VM (not on the host server), open an elevated Command Prompt window.
  2. Type diskpart.
  3. Type SAN.

If the drive letter of the guest operating system is not maintained, this command returns either "Offline All" or "Offline Shared".
To make sure that all disks are brought online and are both readable and writeable, set the SAN policy to OnlineAll. To do this, run the following command at the DISKPART prompt:

SAN POLICY=ONLINEALL

After you make this change, wait for the Copy Frequency (Recovery Point Objective) value to be configured to make sure that the changes are replicated to Azure. Then, run a test failover to verify whether the drive letters are preserved.
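The same check and change can be scripted so it runs on every VM before replication is enabled, instead of typing into an interactive DISKPART session. This is an added example, not from the post or the Microsoft article: it assumes an elevated PowerShell session inside the guest and drives diskpart.exe through a script file with its /s switch.

```powershell
# Added example, not from the post. Run elevated inside the guest VM.
function Invoke-DiskPart {
    # Run one or more DISKPART commands non-interactively via a temporary script file
    param([Parameter(Mandatory)][string[]]$Command)
    $script = [IO.Path]::GetTempFileName()
    try {
        $Command | Set-Content -Path $script -Encoding ASCII
        & diskpart.exe /s $script
    }
    finally { Remove-Item $script -ErrorAction SilentlyContinue }
}

function Get-SanPolicy {
    # DISKPART prints a line like "SAN Policy  : Offline Shared"
    foreach ($line in (Invoke-DiskPart -Command 'san')) {
        if ($line -match 'SAN Policy\s*:\s*(.+)$') { return $Matches[1].Trim() }
    }
    throw 'Could not read the SAN policy from DISKPART output'
}

function Set-SanPolicy {
    param([ValidateSet('OnlineAll', 'OfflineShared', 'OfflineAll')][string]$Policy = 'OnlineAll')
    Invoke-DiskPart -Command "san policy=$Policy" | Out-Null
    # Read it back: DISKPART reports "Online All", the parameter is "OnlineAll"
    $now = Get-SanPolicy
    if (($now -replace ' ', '') -ne $Policy) { throw "SAN policy is '$now', expected $Policy" }
    return $now
}

# Pre-replication check: report, and fix only when needed
$current = Get-SanPolicy
"Current SAN policy: $current"
if (($current -replace ' ', '') -ne 'OnlineAll') {
    "Setting SAN policy to OnlineAll"
    Set-SanPolicy -Policy OnlineAll
}
```

Because the policy is read back after the change, a VM where the change silently failed (for example, one that was not run elevated) throws instead of being replicated with the wrong setting.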


This Microsoft article is gold!


Azure: Journey to ARM