IT Consultant Everyday Notes

Just some problems/solutions storage

Tag Archives: Azure

Azure: Azure AD Application Proxy. Kerberos issue

One of my Customers asked about MFA for his on-prem Outlook Web App (OWA). I offered several solutions, one of them being to publish the OWA site via Azure AD Application Proxy and pre-authenticate with Azure AD and MFA.

To be sure the configuration would work I built a lab and tried to configure SSO with Integrated Windows Authentication (IWA).

This configuration requires Kerberos Constrained Delegation (KCD) in Active Directory: the computer account of the machine where the Azure AD Application Proxy Connector is installed must be allowed to delegate to the SPN of the published site, which is configured on the Delegation tab in the Properties of that computer object.

Everything looked easy on paper, but when I tried it in the Active Directory Users and Computers MMC I received a nice error: “The server is unwilling to process the request”

After unsuccessful googling I opened a case with Microsoft: that was a brand new domain with just a couple of servers, and I definitely expected everything to work out of the box.

After a couple of days of troubleshooting the only solution MS suggested was to use the Active Directory Administrative Center instead of the MMC. Even with that the first attempt failed with “Unknown error”. After the Center was restarted we could finally configure the delegation. No root cause was found.
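A third way around the MMC, added here as an example and not part of the original post or of Microsoft's suggested fix, is to write the same two attributes the Delegation tab writes with the ActiveDirectory PowerShell module. The connector name APPPROXY01, the Exchange server EX01 and the SPN http/mail.contoso.com are assumptions; replace them with your own.

```powershell
# Added example: configure KCD with protocol transition for an Azure AD
# Application Proxy connector without touching the MMC.
# Assumed names: APPPROXY01 (connector host), EX01 (server answering the OWA
# URL), http/mail.contoso.com (SPN of the published site). Run as an account
# allowed to edit both computer objects.
Import-Module ActiveDirectory

$connector   = 'APPPROXY01'
$backendHost = 'EX01'
$spn         = 'http/mail.contoso.com'

# 1. The SPN must exist on exactly one account: with no SPN no ticket is issued,
#    and with a duplicate SPN ticket issuance fails before delegation is reached.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
if ($owners.Count -gt 1) { throw "Duplicate SPN $spn on: $($owners.DistinguishedName -join ', ')" }
if ($owners.Count -eq 0) { Set-ADComputer -Identity $backendHost -ServicePrincipalNames @{Add = $spn} }

# 2. msDS-AllowedToDelegateTo is the target list of 'Trust this computer for
#    delegation to specified services only'; TrustedToAuthForDelegation is the
#    'Use any authentication protocol' radio button (protocol transition). App
#    Proxy needs the latter because the user authenticated to Azure AD, not with
#    Kerberos, so the connector must request the ticket on the user's behalf.
$current = (Get-ADComputer -Identity $connector -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'
if ($current -notcontains $spn) {
    Set-ADComputer -Identity $connector -Add @{'msDS-AllowedToDelegateTo' = $spn}
}
Get-ADComputer -Identity $connector | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 3. Read back what is now in the directory.
Get-ADComputer -Identity $connector -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

One caveat worth keeping in mind while granting this: with these two attributes set, the connector host can obtain a service ticket to every SPN in the list for any user without that user's credentials. Whoever gets admin on APPPROXY01 can therefore impersonate any user to OWA, so keep the SPN list to exactly what the connector publishes and treat the connector host as a sensitive server. Accounts in the Protected Users group, or marked "Account is sensitive and cannot be delegated", are excluded from this delegation; that is the point of the group, but it also means those accounts will not get SSO through the published app.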

Azure: Migrated VM cannot start with 0x000000e

I recently migrated some VMs to Azure for one of my Customers. The VMs were in production and the Customer was not ready to switch their IP addresses to DHCP before migration. Unfortunately neither ASR nor MVMC was an option, so I settled on the Disk2VHD tool by Mark Russinovich, followed by the Add-AzureVHD PowerShell cmdlet for the VHD upload.

To speed up the process I connected an empty virtual disk to the machine being migrated and saved the VHD on it. After the VHD was captured by the tool I mounted it and edited its registry to enable DHCP on the network adapter.

That was a mistake (I found that out the hard way, after several hours of uploading the VHD to Azure). The VM built from the VHD failed to start. Fortunately we can now see Boot Diagnostics, so I found the VM failed with

Status: 0x000000e

Info: The boot selection failed because a required device is inaccessible.

The Internet brought nothing about VM migration to Azure with such an error.

I finally found an article from Mark himself where he described exactly the scenario I had (except for the migration to Azure). The main point: never open a captured VHD on the machine that holds the source disk. Windows sees two disks with the same MBR signature, assigns the VHD a new one, and the BCD store inside the VHD still references the old signature, so the disk no longer boots.

Fortunately Mark described how to fix the signature.

1. Mount the VHD in Disk Management (it should assign its volumes drive letters, since there is no signature conflict at that point: the VHD already carries the new signature)

2. Load the BCD hive (located under the hidden \Boot folder in the root of one of the volumes) into regedit

3. Search for “Windows Boot Manager”

4. Open the key 11000001 under the same Elements key

5. Double-click the Element reg value in this key and look at offset 0x38. We need the first four bytes

6. Write down the bytes in reverse order (last byte first, then the third one, then the second one, then the first). For example, if the four bytes at offset 0x38 are 38 d5 5C C0, your disk signature is c05cd538

7. Unload the hive and close regedit

8. Start the Diskpart tool and select the disk you are fixing

9. Run the DISKPART command:   uniqueid disk id=c05cd538   (change the signature to yours). At this point you should see the VHD going offline in Disk Management because of the signature conflict with the source drive. This is expected; do not bring it online

10. Unmount the VHD

At this point the disk signature is fixed and the disk should be bootable again.
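The same ten steps as a script, added here as an example (it is not from the post or from Mark Russinovich's article). It reads the Windows Boot Manager device element from the VHD's BCD store, compares the signature the BCD expects with the one the mounted VHD currently carries, and either prints or runs the diskpart fix. The VHD path and the $Apply switch are assumptions; the Windows Boot Manager object GUID is the well-known one used in every BCD store.

```powershell
# Added example: find the MBR signature the BCD expects and compare it with the
# signature the mounted VHD currently has. Run elevated on a machine that is NOT
# the source of the capture, or expect the VHD to go offline when it is fixed.
$VhdPath = 'D:\capture\server01.vhd'   # assumption: the Disk2VHD output
$Apply   = $false                      # set to $true to let the script run diskpart

# Windows Boot Manager is always this object in a BCD store; element 11000001 is
# its boot device and the four bytes at offset 0x38 are the MBR signature.
$BootMgrGuid = '{9dea862c-5cdd-4e70-acc1-f32b344d4795}'

function ConvertTo-DiskSignature([byte[]]$Element) {
    # Step 6 of the post done by the CPU: the bytes at 0x38 are a little-endian
    # UInt32, so reading them as one number is exactly "write them in reverse".
    '{0:x8}' -f [BitConverter]::ToUInt32($Element, 0x38)
}

# Constructed self-check using the post's own example: 38 d5 5c c0 -> c05cd538
$sample = New-Object byte[] 0x40
[Array]::Copy([byte[]](0x38, 0xd5, 0x5c, 0xc0), 0, $sample, 0x38, 4)
if ((ConvertTo-DiskSignature $sample) -ne 'c05cd538') { throw 'byte-order helper is wrong' }

Mount-DiskImage -ImagePath $VhdPath | Out-Null
$disk = Get-DiskImage -ImagePath $VhdPath | Get-Disk
try {
    # Give letterless partitions a letter (the BCD often lives on the small
    # system partition), then find the one that holds \Boot\BCD.
    Get-Partition -DiskNumber $disk.Number | Where-Object { [int]$_.DriveLetter -eq 0 } |
        Add-PartitionAccessPath -AssignDriveLetter -ErrorAction SilentlyContinue
    $bcdLetter = (Get-Partition -DiskNumber $disk.Number |
        Where-Object { [int]$_.DriveLetter -ne 0 -and (Test-Path "$($_.DriveLetter):\Boot\BCD") } |
        Select-Object -First 1).DriveLetter
    if (-not $bcdLetter) { throw 'No \Boot\BCD found on the VHD' }

    # Steps 2-5 and 7: load the hive, read the element, unload the hive.
    reg load HKLM\VhdBcd "${bcdLetter}:\Boot\BCD" | Out-Null
    try {
        $element = (Get-ItemProperty "HKLM:\VhdBcd\Objects\$BootMgrGuid\Elements\11000001").Element
    } finally {
        [gc]::Collect()                  # drop the provider's handle so the hive unloads
        reg unload HKLM\VhdBcd | Out-Null
    }

    $expected = ConvertTo-DiskSignature $element
    $current  = '{0:x8}' -f $disk.Signature
    "BCD expects signature $expected; the VHD currently carries $current"

    if ($expected -eq $current) {
        'Signatures already match: the boot failure has another cause.'
    } else {
        # Steps 8-9. The VHD goes offline right after this because it now clashes
        # with the source disk; that is expected, leave it offline.
        $fix = "select disk $($disk.Number)`nuniqueid disk id=$expected"
        if ($Apply) { $fix | diskpart | Out-Null } else { "Run in diskpart:`n$fix" }
    }
} finally {
    Dismount-DiskImage -ImagePath $VhdPath   # step 10
}
```

The comparison is the check the manual procedure lacks: if the expected and current signatures already match, changing the uniqueid will not help and the 0xc000000e-style boot failure has a different cause.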

Azure: Regional Data Center is not available for resource deployment

Recently Microsoft made the Canadian data centres available and I tried to put some workload there.

I tried to create a Resource Group and found that Canada Central was not an available region to place the RG in.

After googling/troubleshooting I found that the Microsoft.Compute provider must be re-registered for my Azure subscription. So I did it from PowerShell:

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Compute

After some time the Canadian region appeared for Resource Group, Storage Account and VM resources. But when I tried to add a VNet to the RG, Canada Central was again not available for that resource.

After some troubleshooting with help from Microsoft it turned out Microsoft.Network had to be re-registered too:

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

Lesson learnt: if anything else is not available in my region, I probably need to find the resource provider to re-register.
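The lesson above as a script, added here as an example (not from the original post): for each resource type you plan to deploy it looks up the owning provider, registers it if needed, waits for the registration to settle, and reports whether the provider offers that type in the region. The resource type list and the region are assumptions. The cmdlets are the AzureRm ones used on this page; in the current Az module they are Get-AzResourceProvider and Register-AzResourceProvider with the same parameters.

```powershell
# Added example: check provider registration and regional availability for the
# resource types a deployment needs, instead of discovering them one at a time.
# Assumed inputs: the region and the three resource types below.
$region = 'Canada Central'
$wanted = 'Microsoft.Compute/virtualMachines',
          'Microsoft.Network/virtualNetworks',
          'Microsoft.Storage/storageAccounts'

function Get-ProviderState([string]$Namespace) {
    # Registration state is a subscription-wide property of the provider.
    (Get-AzureRmResourceProvider -ListAvailable |
        Where-Object ProviderNamespace -eq $Namespace).RegistrationState
}

foreach ($type in $wanted) {
    $ns, $rt = $type -split '/', 2

    $state = Get-ProviderState $ns
    if ($state -ne 'Registered') {
        "$ns is $state; registering..."
        Register-AzureRmResourceProvider -ProviderNamespace $ns | Out-Null
        # Registration is asynchronous: poll until it leaves 'Registering'.
        do {
            Start-Sleep -Seconds 10
            $state = Get-ProviderState $ns
        } while ($state -eq 'Registering')
    }

    # Each object returned for a namespace describes one resource type together
    # with the regions in which that type is offered.
    $entry = Get-AzureRmResourceProvider -ProviderNamespace $ns |
             Where-Object { $_.ResourceTypes.ResourceTypeName -contains $rt }
    $offered = if ($entry.Locations -contains $region) { "offered in $region" }
               else { "NOT offered in $region" }
    '{0,-40} {1,-13} {2}' -f $type, $state, $offered
}
```

Registering a provider needs write rights on the subscription (Contributor or Owner), which is why a reader-only account can see the region missing but cannot fix it.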

Azure: Amazon-Azure feature comparison

Microsoft published it here: https://azure.microsoft.com/en-us/campaigns/azure-vs-aws/mapping/

Remember that both platforms are constantly changing.

Azure: How to save drive letters during Azure Site Recovery (ASR)?

Update: the article applies to Classic ASR only. For Enhanced ASR Microsoft adds the policy to the recovered machine automatically, so you do not need to tweak the policy on the on-prem machine.

By setting the SAN policy to “OnlineAll,” you can make sure that the drive letter is maintained when the virtual machine starts to run in Azure (i.e. you will have Drive D: assigned to your drive and Azure scratch disk will be at the end).
To view the current SAN policy from the guest system, follow these steps:

  1. On the VM (not on the host server), open an elevated Command Prompt window.
  2. Type diskpart.
  3. Type SAN.

If the drive letter of the guest operating system is not maintained, this command returns either “Offline All” or “Offline Shared.”
To make sure that all disks are brought online and are both readable and writeable, set the SAN policy to OnlineAll. To do this, run the following command at the DISKPART prompt:

SAN POLICY=ONLINEALL

After you make this change, wait for the Copy Frequency (Recovery Point Objective) value to be configured to make sure that the changes are replicated to Azure. Then, run a test failover to verify whether the drive letters are preserved.
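The same check and change from PowerShell, added here as an example (it is not from the Microsoft article quoted above). It parses the diskpart output, sets the policy only when it is not already OnlineAll, verifies the result, and brings any already-offline disks online, which the policy alone does not do for disks the machine has seen before. Run it elevated inside the on-premises VM.

```powershell
# Added example: read and set the SAN policy through diskpart and verify it.
# Assumes English diskpart output ("SAN Policy  : Offline Shared").
function Get-SanPolicy {
    foreach ($line in ('san' | diskpart)) {
        if ($line -match 'SAN Policy\s*:\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw 'Could not read the SAN policy from diskpart output'
}

function Set-SanPolicy {
    param([ValidateSet('OnlineAll', 'OfflineShared', 'OfflineAll', 'OfflineInternal')][string]$Policy)
    "san policy=$Policy" | diskpart | Out-Null
    # Re-read instead of trusting the exit code; diskpart prints the result as text.
    $now = (Get-SanPolicy) -replace ' ', ''
    if ($now -ne $Policy) { throw "SAN policy is '$now' after trying to set '$Policy'" }
    $now
}

$before = Get-SanPolicy
"Current SAN policy: $before"
if (($before -replace ' ', '') -ne 'OnlineAll') {
    Set-SanPolicy -Policy OnlineAll
    # The policy only applies to disks discovered from now on (the first boot in
    # Azure); disks already attached and offline must be brought online by hand.
    Get-Disk | Where-Object IsOffline | Set-Disk -IsOffline $false -ErrorAction Continue
}
```

The default of Offline Shared exists for a reason: it stops a server on a shared SAN from mounting, and writing to, a LUN another host already owns. OnlineAll is the right choice for a VM that will only ever see its own Azure disks, but do not set it on a physical host attached to shared storage.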

 

This Microsoft Article is gold!

Azure: Working with Templates in Azure Resource Manager

Azure: Use Azure Key Vault to save passwords

Azure: Migrate an Azure VM v2 (ARM-based) between two storage accounts

One of my Customers asked me to move some VMs from an expensive Premium storage account to a cheaper Standard tier.

The infrastructure was built in Resource Manager mode, and luckily we do not need to convert VHDs to OS disks (as is required for Classic VMs).

1. I shut down/deallocated the VM (you do not need to delete it)

2. Copied the OS disk VHD and the data disk VHDs to the new storage account

3. Recreated the VM at the new place using the following script:

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "My Subscription"

$rgName="Resourcegroupname"
$locName="EastUS"
$vnetName="vnet_name"

# to check the subnet index use:   Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName | Select Subnets
$subnetIndex=1
$name="yourvmname"
$privIP="10.0.1.10"   # static private IP for the NIC; drop -PrivateIpAddress below if a dynamic one is fine

$vnet=Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName

$vm=New-AzureRmVMConfig -VMName $name -VMSize Standard_D4
# -CreateOption Attach: the copied VHD already contains an installed OS, so no image and no provisioning
$vm=Set-AzureRmVMOSDisk -VM $vm -VhdUri https://*******.vhd -Name $name -CreateOption Attach -Windows -Caching ReadWrite

$vm=Add-AzureRmVMDataDisk -VM $vm -Name "XXXX-data" -VhdUri https://*****-data01.vhd -LUN 0 -Caching ReadWrite -CreateOption Attach -DiskSizeInGB 1023

$nicName= $name + "_nic"
$pipName= $name + "_pip"
$domName= $name
# the public IP with a DNS label exposes the VM to the Internet; skip it if the old VM had none
$pip=New-AzureRmPublicIpAddress -Name $pipName -ResourceGroupName $rgName -DomainNameLabel $domName -Location $locName -AllocationMethod Dynamic
$nic=New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[$subnetIndex].Id -PublicIpAddressId $pip.Id -PrivateIpAddress $privIP
$vm=Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id

New-AzureRmVM -ResourceGroupName $rgName -Location $locName -VM $vm -Verbose

The machine is recreated and started.

Here are some useful links I used: https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-ps-create-preconfigure-windows-resource-manager-vms/

If you have a lot of numbered disks: http://sc.scomurr.com/arm-recreating-vm-off-existing-vhds/

Microsoft doc: https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-create-windows-powershell-resource-manager/
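Steps 1 and 2 of the procedure above are left as prose in the post; here they are as a script, added as an example that is not from the original. It deallocates the VM, confirms the power state, copies every VHD the VM references to the new account server-side, waits for each copy, and prints the new -VhdUri values for step 3. The storage account names are assumptions, and both accounts are assumed to be in the same resource group as the VM.

```powershell
# Added example: deallocate the VM and copy its VHDs to another storage account.
# Assumptions: premiumstore01 and standardstore01 are the source and destination
# accounts and live in $rgName; key objects expose .Value (AzureRm 1.4 or later;
# older builds returned .Key1).
$rgName     = 'Resourcegroupname'
$vmName     = 'yourvmname'
$srcAccount = 'premiumstore01'
$dstAccount = 'standardstore01'

# Step 1: deallocate. A running VM holds a lease on its VHDs, and a copy taken
# while the guest is writing would be inconsistent anyway.
Stop-AzureRmVM -ResourceGroupName $rgName -Name $vmName -Force | Out-Null
$power = (Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName -Status).Statuses |
         Where-Object Code -like 'PowerState/*'
if ($power.Code -ne 'PowerState/deallocated') { throw "VM is in state $($power.Code), not deallocated" }

# Storage contexts for both accounts.
$srcKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $rgName -Name $srcAccount)[0].Value
$dstKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $rgName -Name $dstAccount)[0].Value
$src = New-AzureStorageContext -StorageAccountName $srcAccount -StorageAccountKey $srcKey
$dst = New-AzureStorageContext -StorageAccountName $dstAccount -StorageAccountKey $dstKey

# Step 2: copy every VHD the VM references (OS disk first, then data disks).
$vm   = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
$uris = @($vm.StorageProfile.OsDisk.Vhd.Uri) + @($vm.StorageProfile.DataDisks | ForEach-Object { $_.Vhd.Uri })

$jobs = foreach ($uri in $uris) {
    $u = [uri]$uri
    $container = $u.Segments[1].TrimEnd('/')   # https://acct.blob.core.windows.net/<container>/<blob>
    $blobName  = $u.Segments[-1]

    # A locked lease means something (usually the VM) still owns the blob: stop, do not copy.
    $blob = Get-AzureStorageBlob -Container $container -Blob $blobName -Context $src
    if ($blob.ICloudBlob.Properties.LeaseStatus -eq 'Locked') { throw "$blobName is still leased" }

    if (-not (Get-AzureStorageContainer -Name $container -Context $dst -ErrorAction SilentlyContinue)) {
        New-AzureStorageContainer -Name $container -Context $dst -Permission Off | Out-Null
    }
    Start-AzureStorageBlobCopy -SrcContainer $container -SrcBlob $blobName -Context $src `
        -DestContainer $container -DestBlob $blobName -DestContext $dst -Force | Out-Null
    [pscustomobject]@{ Container = $container; Blob = $blobName }
}

# Wait for each copy and refuse to go on if any of them did not end in Success.
foreach ($j in $jobs) {
    $state = Get-AzureStorageBlobCopyState -Container $j.Container -Blob $j.Blob -Context $dst -WaitForComplete
    "$($j.Blob): $($state.Status) ($($state.BytesCopied)/$($state.TotalBytes) bytes)"
    if ($state.Status -ne 'Success') { throw "Copy of $($j.Blob) ended with $($state.Status)" }
}

# The -VhdUri values for Set-AzureRmVMOSDisk / Add-AzureRmVMDataDisk in step 3:
$uris -replace "^https://$srcAccount\.", "https://$dstAccount."
```

Two things to watch: the account keys fetched here are full-control credentials for both storage accounts, so run this from an admin workstation and not from a shared script host; and the original Premium blobs keep costing money until you delete them after the new VM has been verified.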

Azure: Subscription is not visible in Azure Portal after move between accounts in EA Portal

I moved a subscription from one account in my Enterprise Agreement Portal to another. After that the subscription disappeared from the Azure portal of the admin of the first account and never appeared in the portal of the admin of the second account.

The MS case was escalated to the Microsoft Engineering team, but the resolution was actually pretty easy: it looks like the subscription administrator gets corrupted during the transfer. To fix it, go to

account.windowsazure.com

log on as the subscription owner

open the subscription and go to Edit Subscription Details

remove the garbage under Service Administrator and put the proper Administrator Live ID there.

After that the subscription should be visible under portal.azure.com for that Admin.

Azure: StorSimple videos