<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Building Clouds</title>
<atom:link href="https://blogs.technet.microsoft.com/privatecloud/feed/" rel="self" type="application/rss+xml" />
<link>https://blogs.technet.microsoft.com/privatecloud</link>
<description>...building hybrid clouds that can support any device from anywhere</description>
<lastBuildDate>Wed, 07 Dec 2016 15:22:01 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<item>
<title>Post notifications to Microsoft Teams using PowerShell</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/11/02/post-notifications-to-microsoft-teams-using-powershell/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/11/02/post-notifications-to-microsoft-teams-using-powershell/#respond</comments>
<pubDate>Wed, 02 Nov 2016 23:00:02 +0000</pubDate>
<dc:creator><![CDATA[Michael Greene]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Automation]]></category>
<category><![CDATA[Powershell]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=9775</guid>
<description><![CDATA[Microsoft Teams, announced earlier today, is a new platform for chat-based communication. I was very happy to see the Connectors available including many popular CI/CD related tools. The Connector configurations allow for an easily pluggable extension for Microsoft Teams to integrate notifications into discussions. This creates an opportunity to integrate datacenter and cloud... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/11/02/post-notifications-to-microsoft-teams-using-powershell/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<pre><code>$fact2 = '[1 test failed](http://URLtoReport)'
$body = ConvertTo-Json -Depth 4 @{
    title = 'New Build Notification'
    text = "A build completed with status $status"
    sections = @(
        @{
            activityTitle = 'Build'
            activitySubtitle = 'automated test platform'
            activityText = 'A change was evaluated and new results are available.'
            activityImage = 'http://URL' # this value would be a path to a nice image you would like to display in notifications
        },
        @{
            title = 'Details'
            facts = @(
                @{
                    name = 'Unit Tests'
                    value = $fact1
                },
                @{
                    name = 'Integration Tests'
                    value = $fact2
                }
            )
        }
    )
    potentialAction = @(@{
        '@context' = 'http://schema.org'
        '@type' = 'ViewAction'
        name = 'Click here to visit PowerShell.org'
        target = @('http://powershell.org')
    })
}
Invoke-RestMethod -Uri $uri -Method Post -Body $body -ContentType 'application/json'
</code></pre>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/11/button.jpg" alt="button" width="884" height="318" class="alignnone size-full wp-image-9785" /></p>
<h3 id="troubleshooting">Troubleshooting</h3>
<p>In testing this, all of the errors I encountered were a result of not correctly formatting the JSON document. Reference the examples given in the API and compare your results as returned by the <em>ConvertTo-Json</em> cmdlet. To see this text, highlight just the section of the script that generates $body and run it in PowerShell ISE using the “Run Selection” button or by pressing F8. Then type $body in the terminal window and review the output. Remember that when you see square brackets in the JSON document, that indicates an array, and arrays might contain only a single value.</p>
<p>Thank you!<br />
Michael Greene<br />
Principal Program Manager<br />
Enterprise Cloud Group CAT Team</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/11/02/post-notifications-to-microsoft-teams-using-powershell/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Monitoring your home IP security cameras with OMS Log Analytics</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/10/23/monitoring-your-home-ip-security-cameras-with-oms-log-analytics/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/10/23/monitoring-your-home-ip-security-cameras-with-oms-log-analytics/#respond</comments>
<pubDate>Sun, 23 Oct 2016 13:50:00 +0000</pubDate>
<dc:creator><![CDATA[Tiander Turpijn [MSFT]]]></dc:creator>
<category><![CDATA[Operations Management Suite]]></category>
<category><![CDATA[Log Analytics]]></category>
<category><![CDATA[OMS]]></category>
<category><![CDATA[Powershell]]></category>
<category><![CDATA[Syslog]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=9365</guid>
<description><![CDATA[Summary: Monitor devices, like home IP security cameras, with OMS Log Analytics without installing an agent! Hi folks, In this blog post I would like to share with you how you can monitor devices with Log Analytics without the need to install the OMS (MMA) agent. We’ve recently announced the Log Analytics HTTP Data Collector... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/10/23/monitoring-your-home-ip-security-cameras-with-oms-log-analytics/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p><strong>Summary</strong>: Monitor devices, like home IP security cameras, with OMS Log Analytics without installing an agent!</p>
<p>Hi folks, In this blog post I would like to share with you how you can monitor devices with Log Analytics without the need to install the OMS (MMA) agent.</p>
<p>We’ve recently announced the <a href="https://azure.microsoft.com/en-us/documentation/articles/log-analytics-data-collector-api/">Log Analytics HTTP Data Collector API</a>. This enables a number of scenarios for which you may not have considered OMS Log Analytics previously, especially in an environment where you cannot install the OMS agent or where the device does not run a supported OS version or distro like Windows or Linux. Well, let me show you the following.</p>
<p>A solution typically starts with a problem, so let’s dive into my problem first.</p>
<p>I have a home security system and part of that system are a couple of <strong>Foscam IP security cameras</strong> and a Foscam NVR (<strong>Network Video Recorder</strong>) which records the camera feeds. The outdoor cameras are at my <strong>front door</strong> and my <strong>carport</strong>, which leads to my backdoor. The cameras are connected to the NVR and are configured in such a way that upon motion detection, they start a recording and optionally I can configure alert actions which typically would result in sending an email with a snapshot taken from the camera feed.</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image805.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb633.png" width="562" height="253"></a></p>
<p>All goodness at this point. The problem or challenge if you will, is that I want to know if someone is doing some reconnaissance around my house in such a way that a person is detected by my front door camera <em><strong>AND</strong></em> by my carport camera <em><strong>WITHIN</strong></em> a specific interval of minutes, let’s say 5 minutes. I can visually see this correlation in my NVR when I play recorded streams, like this:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image790.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb618.png" width="538" height="86"></a></p>
<p>These systems (cameras and NVR) were never designed though to be able to perform any form of correlation and certainly not to do any data analytics. Did I say analytics? Yes I did. So whenever I hear analytics, OMS Log Analytics obviously comes to mind. But to use Log Analytics in this scenario, I need to have the data available in Log Analytics first. Now with the ingestion API you can! Let’s break this project up for a second.</p>
<h3>Step 1 – Does my camera log events and put them in some kind of log file?</h3>
<p>Well it does, but it’s mainly focused on the web UI and there’s no export capability to be found in the UI <img class="wlEmoticon wlEmoticon-sadsmile" style="border-top-style: none;border-left-style: none;border-bottom-style: none;border-right-style: none" alt="Sad smile" src="https://msdnshared.blob.core.windows.net/media/2016/08/wlEmoticon-sadsmile2.png"> , but hey, I have logged events! <img class="wlEmoticon wlEmoticon-smile" style="border-top-style: none;border-left-style: none;border-bottom-style: none;border-right-style: none" alt="Smile" src="https://msdnshared.blob.core.windows.net/media/2016/08/wlEmoticon-smile12.png"></p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image787.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb615.png" width="443" height="295"></a></p>
<h3>Step 2 – Is there any form of automation possible to retrieve the logs?</h3>
<p>After thorough research (through Bing that is) I’ve discovered that there’s a limited SDK available which supports CGI requests in the form of POST and GET commands. Well that’s a start. It turned out that I can get the logs, but they are limited in the number of rows returned (10 max) and they come in this format:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image788.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb616.png" width="441" height="252"></a></p>
<p><em>Fast forward in time and more coffee</em>….it appears that the datetime field and source IP address are notated in UNIX time and in decimal notation. Nothing that PowerShell can’t handle <img class="wlEmoticon wlEmoticon-smile" style="border-top-style: none;border-left-style: none;border-bottom-style: none;border-right-style: none" alt="Smile" src="https://msdnshared.blob.core.windows.net/media/2016/08/wlEmoticon-smile12.png"> , let’s move on to step 3.</p>
<h3>Step 3 – Create PowerShell automation scripts – am I hearing Azure Automation here?</h3>
<p>So the fun part begins:</p>
<p>1. Creating PowerShell snippets to get the logs through CGI requests, using <strong>Invoke-WebRequest</strong>, and put the result in an array – <em>done</em></p>
<p>2. Utilize existing PowerShell functions to convert Unix time and the IP address – <em>done</em></p>
<p>3. Update the array so I end up with <strong>DateTime</strong>, <strong>UserName</strong>, <strong>Source IP address</strong> and <strong>Camera EventType</strong> – <em>done</em></p>
<p>4. Create a table with custom log field names, based on the array from step 1, and send it to the Log Analytics ingestion API – <em>done</em></p>
<p>5. Test-drive the ingestion process – <em>done</em></p>
<h3>Step 4 – Using Log Search to query my camera data</h3>
<p>Now that I have the log data from my outdoor cameras sent to OMS Log Analytics, we can explore the data through Log Search:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image789.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb617.png" width="469" height="524"></a></p>
<p>Nice!</p>
<h3>Step 5 – Correlating the camera log data</h3>
<p>Time to take an outside walk to get some sun and wave at my two outdoor cameras. The cameras have done their job, they’ve detected me and have streamed the video feed to my NVR which has recorded my movements. Let’s see if I can correlate this in Log Search:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image791.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb619.png" width="535" height="343"></a></p>
<p>Great! Let’s turn that into an alert with a schedule:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image792.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb620.png" width="260" height="383"></a></p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image796.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb624.png" width="266" height="193"></a></p>
<p>And while we’re there, let’s add an Azure Automation (webhook enabled) runbook which will send a text message (leveraging the Twilio text service):</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image794.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb622.png" width="276" height="487"></a></p>
<p>Let’s test the webhook…. Ok, that works:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image797.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;margin: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb625.png" width="266" height="499"></a></p>
<p>And we’re done!</p>
<p>Let’s test drive the solution. Again getting some sun, waving at my cameras, sending the data to Log Analytics and….here we go:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image798.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb626.png" width="643" height="382"></a></p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image799.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb627.png" width="614" height="370"></a></p>
<p>Awesome! Peace of mind accomplished.</p>
<p>Now I can add my PowerShell script to Azure Automation, assign variables through assets, add it to a schedule and execute it on a Hybrid Runbook Worker, which has connectivity to my cameras on my internal network.</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image806.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb634.png" width="594" height="351"></a></p>
<h3>So what’s next?</h3>
<p>Besides creating visualization with the View Designer… </p>
<p>For the next project <img class="wlEmoticon wlEmoticon-smile" style="border-top-style: none;border-left-style: none;border-bottom-style: none;border-right-style: none" alt="Smile" src="https://msdnshared.blob.core.windows.net/media/2016/08/wlEmoticon-smile12.png"> I’ve noticed that on some rare occasions I did not have the complete camera recording. What is going on with that? Exploring the logs of the NVR I saw this:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image800.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb628.png" width="504" height="308"></a></p>
<p>That sounds like a good use case to send the NVR logs to Log Analytics too for analyzing and correlating the data. I can leverage the approach followed previously which allows me to search through the NVR data as well:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image801.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb629.png" width="527" height="333"></a></p>
<p>Since the cameras, but also the NVR, are IP based, I wanted to be able to troubleshoot whether there is some kind of connectivity issue going on between my cameras, NVR and my home router. So I’ve decided to leverage and enable <strong>Syslog</strong> forwarding on my router. That was easy, since on my Asus Router I luckily have this:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image802.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb630.png" width="490" height="158"></a></p>
<p>The <strong>Remote Log Server</strong> destination IP address is an Azure VM running Ubuntu, which has an OMS agent running, which forwards the data to Log Analytics:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image803.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb631.png" width="507" height="138"></a></p>
<p>With the router data in Log Analytics as well, I can now go ahead and start troubleshooting and correlating my “video lost” errors and hopefully find the root cause by searching for keywords like <strong>NVR</strong> or <strong>drop</strong> (for potentially dropped packets, etc.):</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/08/image804.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb632.png" width="521" height="310"></a></p>
<h3> <a href="https://msdnshared.blob.core.windows.net/media/2016/08/image807.png"><img title="image" style="border-left-width: 0px;border-right-width: 0px;border-bottom-width: 0px;padding-top: 0px;padding-left: 0px;padding-right: 0px;border-top-width: 0px" border="0" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/08/image_thumb635.png" width="502" height="328"></a></h3>
<p>If you want to explore Syslog forwarding, you can go here: <a href="https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/docs/OMS-Agent-for-Linux.md#configuring-syslog-collection-from-the-oms-portal">Configuring syslog collection from the OMS portal</a></p>
<p>I hope that you’ve enjoyed this blog post and have seen the power and possibilities of the <a href="https://azure.microsoft.com/en-us/documentation/articles/log-analytics-data-collector-api/">Log Analytics HTTP Data Collector API</a>.</p>
<p>Thanks,</p>
<p>Tiander.</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/10/23/monitoring-your-home-ip-security-cameras-with-oms-log-analytics/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Taking backup of encrypted Azure VMs with ADE (Azure Disk Encryption) using Azure Backup in OMS</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/09/15/taking-backup-of-encrypted-azure-vms-with-ade-azure-disk-encryption-using-azure-backup-in-oms/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/09/15/taking-backup-of-encrypted-azure-vms-with-ade-azure-disk-encryption-using-azure-backup-in-oms/#respond</comments>
<pubDate>Fri, 16 Sep 2016 04:09:04 +0000</pubDate>
<dc:creator><![CDATA[Kandavel KR]]></dc:creator>
<category><![CDATA[Operations Management Suite]]></category>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Azure Backup]]></category>
<category><![CDATA[Azure Virtual Machines]]></category>
<category><![CDATA[Disk Encryption]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=9295</guid>
<description><![CDATA[We see customers migrating or deploying workloads on Azure have started encrypting their virtual machines using ADE (Azure Disk Encryption) and looking for a backup solution that supports protecting those encrypted VMs in a simple and cost-effective manner. We also heard, loud and clear, that Azure Backup (ABU) is the one which customers prefer... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/09/15/taking-backup-of-encrypted-azure-vms-with-ade-azure-disk-encryption-using-azure-backup-in-oms/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p align="left">We see customers migrating or deploying workloads on Azure have started encrypting their virtual machines using ADE (Azure Disk Encryption) and looking for a backup solution that supports protecting those encrypted VMs in a simple and cost-effective manner. We also heard, loud and clear, that Azure Backup (ABU) is the one which customers prefer in maintaining the encrypted VMs backup in their Azure deployment. Here, in this blog post, we show you how you can use the latest Azure Recovery Services Backup PowerShell cmdlets to take backup of your ADE (Azure Disk Encryption) encrypted VMs on Azure.</p>
<p>In short, here is the list of high-level steps covered in the blog post:</p>
<ol>
<li>Prepare your Azure AD application’s client ID & client Secret</li>
<li>Prepare Azure Key Vault account & set policies for Azure AD application to store & manage encryption keys & secrets</li>
<li>Enable Disk Encryption on Azure VM using AAD application & Key Vault</li>
<li>Prepare Azure Recovery Services Vault settings and perform backup of encrypted VM</li>
<li>Trigger initial backup of encrypted VM</li>
<li>Restore encrypted VM into a storage account for recovering VM</li>
</ol>
<p><strong><u>Prerequisites:</u></strong></p>
<p>To get you started, here are the steps you need to prepare before proceeding further:</p>
<p>1. <u>Azure subscription</u>: A valid Azure subscription is needed to use Azure services.</p>
<p>2. <u>Azure PowerShell</u>: Please use the latest Azure PowerShell version <a target="_blank" href="https://github.com/Azure/azure-powershell/releases">1.6.0</a> or later</p>
<p>3. <u>Azure Key Vault</u>: Please refer to the <a target="_blank" href="http://blogs.technet.com/b/kv/archive/2015/06/02/azure-key-vault-step-by-step.aspx">Azure Key Vault – Step by Step</a> blog post for more details on how to set up a Key Vault in Azure. Please create and use a Key Vault that is in the same region as the VM to be encrypted. For Azure Backup you need to use the key encryption key feature which you can create in the Key Vault by following instructions on this <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/">page</a>. This key will be used as the key encryption key to wrap the encryption secrets.</p>
<p>4. <u>Azure Active Directory Client ID and Secret</u>: In order to write encryption secrets to a specified Key Vault, Azure Disk Encryption needs the Client ID and the Client Secret of the Azure Active Directory application that has permissions to write secrets to the specified Key Vault. Please refer to the <a target="_blank" href="http://blogs.technet.com/b/kv/archive/2015/06/02/azure-key-vault-step-by-step.aspx">Azure Key Vault – Step by Step</a> blog post for more detail on how to get the Azure Active Directory Client ID and Client Secret using the Azure portal.</p>
<p>5. <u>IaaS V2 VM in Azure</u>: Azure Disk Encryption works only on IaaS V2 VMs (virtual machines created using the Azure Resource Management Model) in Azure. Please refer to <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-choices-create-vm/">Different ways to create a Windows virtual machine with Resource Manager</a> for information on how to create IaaS V2 virtual machines in Azure.</p>
<p>6. <u>Azure Recovery Services Vault</u>: Please refer to the <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/backup-azure-vms-first-look-arm/">First look: Protect Azure VMs with a recovery services vault</a> document “Step 1” for more details on how to create an Azure Recovery Services Vault.</p>
<p><strong>Note</strong>:<br />
The key encryption key (KEK) must have been created in the same key vault where the disk encryption secrets are placed. Please refer to the article <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/">Getting Started with Azure Key Vault</a> to learn how to create keys in Key Vault.</p>
<p> </p>
<p>########################################################################################################<br />
# <strong><u>Section1</u></strong>: Log-in to Azure and select appropriate subscription.<br />
########################################################################################################</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>Login-AzureRmAccount -ErrorAction "Stop" 1> $null;<br />
Get-AzureRmSubscription -SubscriptionName '&lt;your-subscription-name&gt;' | Select-AzureRmSubscription</strong></td>
</tr>
</tbody>
</table>
<p> </p>
<p>########################################################################################################<br />
# <strong><u>Section2</u></strong>: Define the required variables.<br />
########################################################################################################</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>$rgName = 'MySecureRg';<br />
$aadAppName = '&lt;your-aad-app-name&gt;';<br />
$aadClientSecret = '&lt;your-aad-client-secret&gt;';<br />
$keyVaultName = 'MySecureVault';<br />
$keyEncryptionKeyName = 'MyKeyEncryptionKey';<br />
$backupVMName = 'ExtraSecureVM';<br />
$recoveryServicesVaultName = '&lt;your-recovery-services-vault-name&gt;';<br />
$recoveryServicesAADServicePrincipalName = '262044b1-e2ce-469f-a196-69ab7ada62d3';</strong></td>
</tr>
</tbody>
</table>
<p> </p>
<p>########################################################################################################<br />
# <strong><u>Section3</u></strong>: Create your Azure AD application & Key Vault for using in ADE & ABU<br />
########################################################################################################</p>
<p># Create a new AD application if not created before</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>$identifierUri = [string]::Format("http://localhost:8080/{0}",[Guid]::NewGuid().ToString("N"));<br />
$defaultHomePage = 'http://contoso.com';<br />
$now = [System.DateTime]::Now;<br />
$oneYearFromNow = $now.AddYears(1);<br />
$aadClientSecret = [Guid]::NewGuid();<br />
$ADApp = New-AzureRmADApplication -DisplayName $aadAppName -HomePage $defaultHomePage -IdentifierUris $identifierUri -StartDate $now -EndDate $oneYearFromNow -Password $aadClientSecret;<br />
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $ADApp.ApplicationId;</strong></td>
</tr>
</tbody>
</table>
<p> </p>
<p># Get Resource Group object to create Key Vault</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>$resGroup = Get-AzureRmResourceGroup -Name $rgName<br />
$location = $resGroup.Location</strong></td>
</tr>
</tbody>
</table>
<p> </p>
<p># Create a new vault if vault doesn’t exist</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>$keyVault = New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName -Sku Standard -Location $location;</strong></td>
</tr>
</tbody>
</table>
<p># Add a new Key to Key Vault for using in Disk Encryption for VMs</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>$key = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyEncryptionKeyName -Destination 'Software'</strong></td>
</tr>
</tbody>
</table>
<p> </p>
<p>########################################################################################################<br />
# <strong><u>Section4</u></strong>: Get your Azure AD application’s client ID<br />
########################################################################################################</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>$aadAppSvcPrincipals = (Get-AzureRmADServicePrincipal -SearchString $aadAppName);<br />
$aadClientID = $aadAppSvcPrincipals[0].ApplicationId;</strong></td>
</tr>
</tbody>
</table>
<p> </p>
<p>########################################################################################################<br />
# <strong><u>Section5</u></strong>: Get Azure Key Vault account & set policies for Azure AD application to store & manage encryption keys & secrets<br />
########################################################################################################</p>
<p># Get Key Vault account’s Encryption Key, Resource ID and Key Encryption Key URL which are needed for encrypting Azure VM:</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>$keyVault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;<br />
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;<br />
$keyVaultResourceId = $keyVault.ResourceId;<br />
$keyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyEncryptionKeyName).Key.kid;</strong></td>
</tr>
</tbody>
</table>
<p> </p>
<p># Specify full privileges to the key vault for the AAD application</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all; </strong></td>
</tr>
</tbody>
</table>
<p> </p>
<p># Enable disk encryption policy in key vault for using ADE</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -EnabledForDiskEncryption;</strong></td>
</tr>
</tbody>
</table>
<p> </p>
<p># Specify privileges for Azure Backup Service to access keys and secrets in key vault for VM Backup. Please note the Service Principal name to set which is unique to Azure Backup service</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rgName -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName $recoveryServicesAADServicePrincipalName</strong></td>
</tr>
</tbody>
</table>
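<p>The access policies set in this section can be checked against the minimum each principal needs. The PowerShell below is an added example, not part of the original script: it flags access-policy entries whose grants are wider than expected. The sample entries and role names are constructed, their property names are assumed to mirror the AccessPolicies collection returned by Get-AzureRmKeyVault, and the wrapKey/set pair for the encryption application is an assumption drawn from Azure Disk Encryption prerequisite guidance rather than from this post.</p>

```powershell
# Added example: flag Key Vault access-policy grants wider than each principal needs.
# All sample data is constructed; nothing here calls Azure.

# Expected grants per role. The AzureBackup values are the ones this post sets;
# wrapKey/set for the disk-encryption application is an assumption to verify.
$expectedGrants = @{
    'DiskEncryptionApp' = @{ Keys = @('wrapKey');               Secrets = @('set') }
    'AzureBackup'       = @{ Keys = @('backup', 'get', 'list'); Secrets = @('get', 'list') }
}

function Get-ExcessPermission {
    param([string[]] $Granted, [string[]] $Allowed)
    # 'all' is always excess; otherwise report anything outside the allow-list.
    # PowerShell string comparisons are case-insensitive by default.
    @($Granted | Where-Object { $_ -and ($_ -eq 'all' -or $Allowed -notcontains $_) })
}

function Test-KeyVaultAccessPolicy {
    param(
        [Parameter(Mandatory = $true)] [object[]]  $AccessPolicy,
        [Parameter(Mandatory = $true)] [hashtable] $RoleByPrincipal,
        [Parameter(Mandatory = $true)] [hashtable] $ExpectedGrants
    )
    foreach ($entry in $AccessPolicy) {
        $role = if ($entry.DisplayName) { $RoleByPrincipal[$entry.DisplayName] }
        if (-not $role) {
            # A principal nobody planned for is a finding in its own right.
            [pscustomobject]@{
                Principal     = $entry.DisplayName
                Role          = '(unknown)'
                ExcessKeys    = $entry.PermissionsToKeys -join ','
                ExcessSecrets = $entry.PermissionsToSecrets -join ','
            }
            continue
        }
        $excessKeys    = @(Get-ExcessPermission $entry.PermissionsToKeys    $ExpectedGrants[$role].Keys)
        $excessSecrets = @(Get-ExcessPermission $entry.PermissionsToSecrets $ExpectedGrants[$role].Secrets)
        if ($excessKeys.Count -or $excessSecrets.Count) {
            [pscustomobject]@{
                Principal     = $entry.DisplayName
                Role          = $role
                ExcessKeys    = $excessKeys -join ','
                ExcessSecrets = $excessSecrets -join ','
            }
        }
    }
}

# Constructed entries shaped like the items of (Get-AzureRmKeyVault ...).AccessPolicies.
$samplePolicies = @(
    [pscustomobject]@{ DisplayName = 'ade-app-sample'
                       PermissionsToKeys = @('all'); PermissionsToSecrets = @('all') }
    [pscustomobject]@{ DisplayName = 'backup-service-sample'
                       PermissionsToKeys = @('backup', 'get', 'list'); PermissionsToSecrets = @('get', 'list') }
    [pscustomobject]@{ DisplayName = 'old-automation-sample'
                       PermissionsToKeys = @('get'); PermissionsToSecrets = @('get', 'list', 'set') }
)

# Constructed mapping from principal display name to the role it plays in this walkthrough.
$roleByPrincipal = @{
    'ade-app-sample'        = 'DiskEncryptionApp'
    'backup-service-sample' = 'AzureBackup'
}

Test-KeyVaultAccessPolicy -AccessPolicy $samplePolicies `
                          -RoleByPrincipal $roleByPrincipal `
                          -ExpectedGrants $expectedGrants |
    Format-Table -AutoSize

# Narrowed replacement for the 'all' grant, using this post's variables (assumed grant, see above):
# Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID `
#     -PermissionsToKeys wrapKey -PermissionsToSecrets set
```

<p>With the constructed data, the encryption application is reported for its “all” grants, the unmapped principal is reported as unknown, and the backup entry passes.</p>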
<p> </p>
<p>########################################################################################################<br />
# <strong><u>Section6</u></strong>: Enable Disk Encryption on Azure VM using AAD application & Key Vault<br />
########################################################################################################</p>
<p># Use VM disk encryption extension to enable encryption (BitLocker for Windows, DM-Crypt for Linux)</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $backupVMName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId;</strong></td>
</tr>
</tbody>
</table>
<p>########################################################################################################<br />
# <strong><u>Section7</u></strong>: Trigger Initial Backup of encrypted VM<br />
########################################################################################################</p>
<p># Set Azure Recovery Services Vault context for backup operations</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><p><strong>$recoveryServicesVault = Get-AzureRmRecoveryServicesVault -ResourceGroupName $rgName -Name $recoveryServicesVaultName</strong></p>
<p><strong>Set-AzureRmRecoveryServicesVaultContext -Vault $recoveryServicesVault</strong></p></td>
</tr>
</tbody>
</table>
<p># Get protection policy to be used for enabling encrypted VM backup. Here the default protection policy is used which you can replace with your custom created one.</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>$backupPolicy = Get-AzureRmRecoveryServicesBackupProtectionPolicy DefaultPolicy</strong></td>
</tr>
</tbody>
</table>
<p># Enable encrypted VM backup using the selected protection policy</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><strong>Enable-AzureRmRecoveryServicesBackupProtection -Policy $backupPolicy -Name $backupVMName -ResourceGroupName $rgName</strong></td>
</tr>
</tbody>
</table>
<p>########################################################################################################<br />
# <strong><u>Section8</u></strong>: Trigger initial backup on demand to create initial copy of VM<br />
########################################################################################################</p>
<p># Trigger Initial Backup of VM</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><p><strong>$backupContainer = Get-AzureRmRecoveryServicesBackupContainer -ContainerType AzureVM -Name $backupVMName</strong></p>
<p><strong>$backupItem = Get-AzureRmRecoveryServicesBackupItem -Container $backupContainer -WorkloadType AzureVM -Name $backupVMName</strong></p>
<p><strong>$backupItem | Backup-AzureRmRecoveryServicesBackupItem</strong></p></td>
</tr>
</tbody>
</table>
<p> </p>
<p>########################################################################################################<br />
# <strong><u>Section9</u></strong>: Restore encrypted VM from a specific recovery point object to a storage account for new VM creation<br />
########################################################################################################</p>
<p># Get Recovery Points of encrypted VM backup</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><p><strong>$recoveryKeyFileLocation = &lt;path-to-key-file-location&gt;</strong></p>
<p><strong>$recoveryPointID = Get-AzureRmRecoveryServicesBackupRecoveryPoint -Item $backupItem</strong><br />
<strong>$recoveryPoint = Get-AzureRmRecoveryServicesBackupRecoveryPoint -RecoveryPointId $recoveryPointID[0].RecoveryPointId -Item $backupItem -KeyFileDownloadLocation $recoveryKeyFileLocation</strong></p></td>
</tr>
</tbody>
</table>
<p># Restore encrypted VM to a storage account for creating new VM</p>
<table width="999" border="1" cellspacing="0" cellpadding="2">
<tbody>
<tr>
<td width="997" valign="top"><p><strong>$recoveryStorageAccount = &lt;your-recovery-storage-account&gt;</strong></p>
<p><strong>$recoveryResourceGroup = &lt;your-resource-group-for-recovery&gt;</strong></p>
<p><strong>Restore-AzureRMRecoveryServicesBackupItem -RecoveryPoint $recoveryPointID[0] -StorageAccountName $recoveryStorageAccount -StorageAccountResourceGroupName $recoveryResourceGroup</strong></p></td>
</tr>
</tbody>
</table>
<p> </p>
<p><strong><u>Summary:</u></strong></p>
<p>Now that you have protected your encrypted VM using Azure Backup and recovered it successfully to a storage account, if you want to create a new VM using that recovered image then please follow the steps <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/backup-azure-vms-automation/">here</a> under section “Create a VM from restored disks” in the Azure Backup documentation.</p>
<p><strong><u>References:</u></strong></p>
<p><a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/">Getting Started with Azure Key Vault</a></p>
<p><a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/azure-security-disk-encryption/">Azure Disk Encryption for Windows and Linux IaaS VMs</a></p>
<p><a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/backup-azure-vms-automation/">Deploy and manage backups for Resource Manager-deployed VMs using PowerShell</a></p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/09/15/taking-backup-of-encrypted-azure-vms-with-ade-azure-disk-encryption-using-azure-backup-in-oms/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>ARM concepts in Azure Stack for the WAP Administrator – Troubleshooting IaaS in Azure Stack</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/08/09/arm-concepts-in-azure-stack-for-the-wap-administrator-troubleshooting-iaas-in-azure-stack/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/08/09/arm-concepts-in-azure-stack-for-the-wap-administrator-troubleshooting-iaas-in-azure-stack/#respond</comments>
<pubDate>Tue, 09 Aug 2016 16:08:15 +0000</pubDate>
<dc:creator><![CDATA[Victor Arzate [MSFT]]]></dc:creator>
<category><![CDATA[Microsoft Azure Stack]]></category>
<category><![CDATA[ARM]]></category>
<category><![CDATA[Azure Resource Manager]]></category>
<category><![CDATA[Azure Stack]]></category>
<category><![CDATA[AzureStack]]></category>
<category><![CDATA[Bruno Saille]]></category>
<category><![CDATA[Building Clouds]]></category>
<category><![CDATA[building clouds blog]]></category>
<category><![CDATA[Hybrid Cloud]]></category>
<category><![CDATA[Microsoft Azure]]></category>
<category><![CDATA[PowerShell DSC]]></category>
<category><![CDATA[Private Cloud]]></category>
<category><![CDATA[Tiander Turpijn]]></category>
<category><![CDATA[Troubleshooting]]></category>
<category><![CDATA[Victor Arzate]]></category>
<category><![CDATA[WAP]]></category>
<category><![CDATA[WAPack]]></category>
<category><![CDATA[Windows Azure Pack]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=9255</guid>
<description><![CDATA[Hello Readers! This blog is part 8 (and the last) of the series “ARM concepts in Azure Stack for the WAP Administrator.” In this post we’ll discuss and share troubleshooting techniques and resources that we have learned when working with customers and partners that are actively validating Microsoft Azure Stack Technical Preview 1. Note Some information relates to... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/08/09/arm-concepts-in-azure-stack-for-the-wap-administrator-troubleshooting-iaas-in-azure-stack/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Hello Readers! This blog is part 8 (and the last) of the series “ARM concepts in Azure Stack for the WAP Administrator.” In this post we’ll discuss and share troubleshooting techniques and resources that we have learned when working with customers and partners that are actively validating Microsoft Azure Stack Technical Preview 1.</p>
<p style="margin-left: 18pt"><span style="font-size: 12pt"><strong>Note</strong><br />
</span><em>Some information relates to pre-released product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.</em></p>
<p>I’m including the table of contents for this series of posts so that you’ll find it easier to navigate across the series:</p>
<p><strong>Table of contents<br />
</strong></p>
<ol>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/02/08/arm-concepts-in-azure-stack-for-the-wap-administratorintroduction-post/">Introductory post</a>, and some first information on the <a href="https://azure.microsoft.com/en-us/documentation/articles/azure-stack-poc/">Azure Stack POC</a> architecture and ARM’s role</li>
<li><a target="_blank" href="https://blogs.technet.microsoft.com/privatecloud/2016/02/15/arm-concepts-in-azure-stack-for-the-wap-administrator-cloud-service-delivery/">Cloud Service Delivery</a></li>
<li><a target="_blank" href="https://blogs.technet.microsoft.com/privatecloud/2016/02/24/arm-concepts-in-azure-stack-for-the-wap-administrator-offers-plans-and-subscriptions-2/">Plans, offers, and subscriptions</a></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/03/18/arm-concepts-in-azure-stack-for-the-wap-administrator-resource-deployment/">Resource Deployment</a></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/04/01/arm-concepts-in-azure-stack-for-the-wap-administrator-packaging-and-publishing-templates-on-azure-stack/">Packaging and publishing templates on Azure Stack</a></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/04/29/arm-concepts-in-azure-stack-for-the-wap-administrator-multi-tier-applications/">Multi-tier applications</a></li>
<li><a target="_blank" href="https://blogs.technet.microsoft.com/privatecloud/2016/06/29/arm-concepts-in-azure-stack-for-the-wap-administrator-in-guest-configuration-with-arm-and-technologies-such-as-virtual-machines-extensions-including-powershell-desired-state-configuration-d/">In-guest configuration with ARM, and technologies such as Virtual Machines Extensions, including PowerShell Desired State Configuration (DSC)</a></li>
<li>Troubleshooting IaaS deployments in Azure Stack —<strong>this post</strong></li>
</ol>
<p>With no more delay, let’s get started!</p>
<hr />
<h1>WAP Troubleshooting</h1>
<p>While we’ve already discussed the WAP architecture for IaaS in previous posts from this series, let’s summarize the components required – a fabric based on Windows Server 2012 R2, a fabric management infrastructure based on System Center 2012 R2 and Windows Azure Pack for offering cloud services to tenants as depicted in the picture below:</p>
<p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2016/08/080916_0843_ARMconcepts1.png" /></p>
<p>And specifically, for enabling the Virtual Machine Clouds (a.k.a. VM Clouds or simply IaaS) service in WAP, the System Center 2012 R2 components required are:</p>
<ul>
<li>Virtual Machine Manager (VMM)</li>
<li>Service Provider Foundation (SPF)</li>
<li>(Optional) Operations Manager (OpsMgr) – for usage</li>
<li>(Optional) Service Management Automation (SMA) – for executing automation runbooks</li>
</ul>
<p>This is depicted in the picture below:</p>
<p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2016/08/080916_0843_ARMconcepts2.gif" /></p>
<p>As you can see, there are several moving parts involved just for the VM Clouds service in WAP (meaning tenants can deploy VMs and VM networks via a self-service portal). So, when something goes wrong (like a tenant VM deployment failing), the root cause could be in WAP, SPF, VMM, at the storage level, or even in Hyper-V!</p>
<p>To help with this potential challenge, back when WAP was released, the Building Clouds blog team (aka.ms/buildingclouds) and the community had been very active providing guidance and troubleshooting for the initial scenarios.</p>
<p>At the same time, the official WAP documentation was growing to cover the different areas (hence, not only IaaS, but PaaS too, such as Web Sites and SQL). The WAP troubleshooting article in TechNet covers the different components and scenarios in great detail:</p>
<ul>
<li><a href="https://technet.microsoft.com/en-us/library/dn554311.aspx">Windows Azure Pack troubleshooting</a></li>
</ul>
<p>And, finally, WAP administrators have a plethora of troubleshooting information for <a href="https://technet.microsoft.com/en-us/library/hh801901(v=ws.11).aspx">Windows Server 2012 R2</a>, <a href="https://technet.microsoft.com/en-US/library/mt169373(v=ws.11).aspx">Hyper-V</a>, and <a href="https://technet.microsoft.com/en-us/library/hh546785(v=sc.12).aspx">System Center 2012 R2</a> (<a href="https://technet.microsoft.com/library/gg610610.aspx">VMM</a>, <a href="https://technet.microsoft.com/en-us/library/jj642895(v=sc.12).aspx">SPF</a>, <a href="https://technet.microsoft.com/library/hh205987.aspx">Operations Manager</a>, and so on).</p>
<p>Now, let’s see what resources we have available for troubleshooting Azure Stack TP1.</p>
<hr />
<h1>Azure Stack Troubleshooting</h1>
<p>At the time of this writing, the Azure Stack version we have available is Azure Stack Technical Preview 1. This means that we’re working with a very early version of the product, which is deployed on a one-node configuration for evaluation purposes. Hence, the guidance and links provided on this blog apply to Azure Stack TP1 only.</p>
<p>First, let’s start with a quick overview of the Azure Stack TP1 architecture, which is described in <a href="https://azure.microsoft.com/en-us/documentation/articles/azure-stack-architecture/">this</a> article:</p>
<p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2016/08/080916_0843_ARMconcepts3.png" /></p>
<p>The same article explains the roles of each of the components, and also, if you read the comments, you’ll see that this diagram is missing the BGP VM, which acts as a router between different VMs in the TP1 single-node deployment.</p>
<p>As you can see in the picture above, the architecture and components on Azure Stack TP1 are very different from what you were used to in WAP. New technologies from Windows Server 2016 Technical Preview 4 (such as Storage Spaces Direct) and from Microsoft Azure (such as Service Fabric) are used. With so many new components, let’s take a look at the resources available for you to troubleshoot Azure Stack TP1.</p>
<hr />
<h1>Azure Stack Troubleshooting – Where to go and how to contribute</h1>
<p>In case you haven’t noticed, there is a very comprehensive list of known issues, workarounds and troubleshooting guidance in the Azure Stack documentation (direct link <a href="https://azure.microsoft.com/en-us/documentation/articles/azure-stack-troubleshooting/">here</a>). I’d suggest that you refer to this site for troubleshooting topics on Azure Stack as it’s been updated regularly. The articles are organized by categories, so that it’s easier to navigate and find answers depending on a specific area (such as Platform Image Repository, templates or TP1 deployment itself).</p>
<p>With that said, we will not start writing additional or new troubleshooting guidance for Azure Stack on this blog post, because the Azure Stack documentation is available in azure.microsoft.com and every one of us can contribute to it! You only need to have a GitHub account (if you don’t have one, you can get one <a href="https://github.com/join">here</a>), go to the specific document, and click on the Edit on GitHub link as depicted in the picture below:</p>
<p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2016/08/080916_0843_ARMconcepts4.png" /></p>
<p>This will bring you to the article on the Azure GitHub repository, and from here you can easily contribute by clicking on the edit button as highlighted in yellow in the picture below:</p>
<p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2016/08/080916_0843_ARMconcepts5.png" /></p>
<p>Make the edits in your fork of this project, propose a file change and then submit a pull request. Pull requests are reviewed by the Azure Stack team, and if everything looks good, they will merge the request into their repository, and everybody will see your contribution:</p>
<p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2016/08/080916_0843_ARMconcepts6.png" /></p>
<hr />
<h1>Azure Stack Troubleshooting – Most common issues</h1>
<p>Alright, the list of known issues provided in the link above is quite comprehensive, but which are the most common issues faced when working with IaaS in Azure Stack? At the time of this writing, these were some of the most common issues we’ve seen when working with customers:</p>
<div>
<table style="border-collapse: collapse;background: #bfbfbf" border="0">
<colgroup>
<col style="width: 1247px" /></colgroup>
<tbody valign="top">
<tr>
<td style="padding-left: 14px;padding-right: 14px"><strong>Disclaimer</strong> – These common issues only apply to Azure Stack TP1 POC and were taken from the Azure Stack troubleshooting <a href="https://azure.microsoft.com/en-us/documentation/articles/azure-stack-troubleshooting/">article</a>. You could expect these issues to be fixed in future Azure Stack releases.</td>
</tr>
</tbody>
</table>
</div>
<div>
<table style="border-collapse: collapse" border="0">
<colgroup>
<col style="width: 1247px" /></colgroup>
<tbody valign="top">
<tr>
<td style="padding-left: 14px;padding-right: 14px;border: solid 0.5pt"><p><strong>“Gateway Timeout” error message when working with virtual machines<br />
</strong>In Azure PowerShell, the error message may be:</p>
<p style="margin-left: 36pt"><em>Gateway Timeout: The gateway did not receive a response from ‘Microsoft.Compute’ within the specified time period.<br />
</em></p>
<p>This is a known issue, and should be fixed in a future release. As a workaround, restarting the Compute Resource Provider (CRP) services on the xRPVM, or restarting this VM, should solve the issue.</p></td>
</tr>
</tbody>
</table>
</div>
<div>
<table style="border-collapse: collapse" border="0">
<colgroup>
<col style="width: 1247px" /></colgroup>
<tbody valign="top">
<tr>
<td style="padding-left: 14px;padding-right: 14px;border: solid 0.5pt"><p><strong>Performance issues when deploying or deleting tenant virtual machines<br />
</strong>Some improvements on deployment and deletion times have been implemented in the <a href="https://azure.microsoft.com/en-us/blog/announcing-incremental-release-for-azure-stack-technical-preview-1/">incremental release for Azure Stack TP1</a> (April 2016). In case you still see issues, here are some steps that may help with poor performance during VM management tasks:</p>
<ol>
<li>Restart the WinRM service on the Hyper-V Host</li>
<li>If that doesn’t work, restart the CRP service on the xRPVM</li>
<li>If that doesn’t work, restart the xRPVM</li>
</ol>
</td>
</tr>
</tbody>
</table>
</div>
<div>
<table style="border-collapse: collapse" border="0">
<colgroup>
<col style="width: 1247px" /></colgroup>
<tbody valign="top">
<tr>
<td style="padding-left: 14px;padding-right: 14px;border: solid 0.5pt"><p><strong>A new image added to the Platform Image Repository (PIR) may not show up in the portal<br />
</strong>When <a href="https://azure.microsoft.com/en-us/documentation/articles/azure-stack-add-image-pir/">Adding an image to the Platform Image Repository (PIR) in Azure Stack</a>, it can take some time (5 to 10 minutes) for the image to show up in the Azure Stack portal, after running “CopyImageToPlatformImageRepository.ps1”.</p>
<p>Also, if the value for -Offer and/or -SKU contains a space, the manifest will be invalid and a gallery item will not be created. This is a known issue, and the current workaround is to ensure you don’t use spaces, for example changing the SKU from “Windows Server 2012 R2 Standard” to either “WindowsServer-2012-R2-Standard” or “WindowsServer2012R2Standard”.</p>
<p>Finally, we’ve seen reports where increasing the number of virtual processors (to 4 or 8) and memory (to 8 GB) for the xRPVM would solve this situation.</p></td>
</tr>
</tbody>
</table>
</div>
<div>
<table style="border-collapse: collapse" border="0">
<colgroup>
<col style="width: 1247px" /></colgroup>
<tbody valign="top">
<tr>
<td style="padding-left: 14px;padding-right: 14px;border: solid 0.5pt"><strong>Network security groups cannot be created using default tags<br />
</strong>In Azure Stack TP1, it is possible to deploy security rules with a sourceAddressPrefix of “*” or “10.0.0.0/24”, but using a tag like “Internet” or “VirtualNetwork” fails. This is because default tags are not supported in TP1. This is a known issue that should be fixed in a future release.</td>
</tr>
</tbody>
</table>
</div>
<div>
<table style="border-collapse: collapse" border="0">
<colgroup>
<col style="width: 1247px" /></colgroup>
<tbody valign="top">
<tr>
<td style="padding-left: 14px;padding-right: 14px;border: solid 0.5pt"><p><strong>Network resolution issues from tenant virtual machines<br />
</strong>With this release, virtual machines should be able to connect to the internet, for example for some of the virtual machine extensions.</p>
<p>If you are having internet connectivity issues from within the virtual machines, it is likely due to the fact that we do not have the iDNS feature yet in this Technical Preview 1 release, meaning that a shared DNS feature from Azure is not configured by default.</p>
<p>You can confirm this by looking at the “DNS servers” settings for the associated virtual network:</p>
<p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2016/08/080916_0843_ARMconcepts7.png" /></p>
<p>In the portal, this can be changed to 192.168.100.2 and another public DNS value for the second one that is required. This can also be controlled when deploying via a template, by using this setting in the “dhcpOptions” for the virtual network:</p>
<p style="margin-left: 36pt">"dnsServers": ["192.168.100.2"]</p>
<p>This setting can also be used when deploying a virtual machine via a template that also includes a virtual network.</p>
<p style="text-align: center"><img alt="" src="https://msdnshared.blob.core.windows.net/media/2016/08/080916_0843_ARMconcepts8.png" /></p>
<p>If you need to change this for an existing virtual network, virtual machines that are already deployed will need to be stopped and restarted. When logging into the restarted VM, you should confirm it has picked up the new settings from the Network Controller, via DHCP. Making changes directly in the VM may work, but that would be an “out of band” change for the Network Controller, so it is not desired. Disabling/enabling the virtual NIC within the VM would also be a possibility at this stage (since you have access to both tenant and service admin sides in the POC).</p></td>
</tr>
</tbody>
</table>
</div>
<div>
<table style="border-collapse: collapse" border="0">
<colgroup>
<col style="width: 1247px" /></colgroup>
<tbody valign="top">
<tr>
<td style="padding-left: 14px;padding-right: 14px;border: solid 0.5pt"><p><strong>Error “Operation could not be completed within the specified time” when running the New-StorageContainer cmdlet<br />
</strong>This is a known issue that should be fixed in a future release.</p>
<p>Workaround: You can stop the WAC (WacServer.exe) process inside the ACS VM, using Task Manager. Service Fabric should automatically restart it.</p></td>
</tr>
</tbody>
</table>
</div>
<hr />
<h1>Azure Stack Troubleshooting – Tools available</h1>
<p>Now, let’s review some of the tools available to help you troubleshoot Azure Stack TP1:</p>
<p><a href="https://blogs.technet.microsoft.com/privatecloud/2016/02/26/tool-arm-template-checker-for-microsoft-azure-stack/">Tool: ARM Template Checker for Microsoft Azure Stack</a></p>
<p>Let’s imagine this situation: you have a JSON template that you’ve been using to deploy resources in your Azure subscription (for example, a virtual network, VMs and NSGs). When you deploy the template in your Azure subscription it works like a charm, but it fails to deploy on your Azure Stack subscription.</p>
<p>For scenarios like this, you can use the ARM template checker tool. As the name implies, it checks your template and indicates any incompatibilities it detects that would prevent a successful deployment on Azure Stack. For example, your template might reference an Azure region (such as West Europe) that does not exist on Azure Stack (the only region on Azure Stack TP1 is local). Your template might also reference resource providers or APIs that are available in Azure but not yet available in Azure Stack.</p>
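<p>To make the kind of check described above concrete, here is an added example in PowerShell. It is not the ARM Template Checker’s code: the function name and the template are constructed for illustration, and it tests only two TP1 limitations named in this post, hard-coded regions other than “local” and NSG rules that use the default tags “Internet” or “VirtualNetwork”.</p>

```powershell
# Added example (not the ARM Template Checker tool). The template below is constructed.
$sampleTemplate = @'
{
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "name": "vnet1",
      "location": "West Europe"
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "nsg1",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          { "name": "rdp-in",
            "properties": { "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*" } },
          { "name": "subnet-in",
            "properties": { "sourceAddressPrefix": "10.0.0.0/24", "destinationAddressPrefix": "*" } }
        ]
      }
    }
  ]
}
'@

function Test-Tp1TemplateCompatibility {
    param([Parameter(Mandatory = $true)] [string] $TemplateJson)

    $template    = $TemplateJson | ConvertFrom-Json
    $defaultTags = @('Internet', 'VirtualNetwork')   # the two tags this post names

    foreach ($resource in $template.resources) {
        $location = $resource.location
        # Template expressions such as [resourceGroup().location] resolve at deploy
        # time, so only literal region names are checked here.
        if ($location -and $location -notmatch '^\[' -and $location -ne 'local') {
            [pscustomobject]@{
                Resource = $resource.name
                Issue    = "Hard-coded region '$location'; TP1 only has 'local'"
            }
        }

        if ($resource.type -eq 'Microsoft.Network/networkSecurityGroups') {
            foreach ($rule in @($resource.properties.securityRules)) {
                foreach ($field in 'sourceAddressPrefix', 'destinationAddressPrefix') {
                    $value = $rule.properties.$field
                    if ($value -and $defaultTags -contains $value) {
                        [pscustomobject]@{
                            Resource = "$($resource.name)/$($rule.name)"
                            Issue    = "$field uses default tag '$value'; use '*' or a CIDR prefix on TP1"
                        }
                    }
                }
            }
        }
    }
}

Test-Tp1TemplateCompatibility -TemplateJson $sampleTemplate | Format-Table -AutoSize -Wrap
```

<p>With the constructed template, the virtual network is reported for its “West Europe” location and the “rdp-in” rule for its “Internet” source prefix; the rule using 10.0.0.0/24 passes.</p>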
<p><a href="https://github.com/victorar/ARM-Deployment-Troubleshooter">ARM-Deployment-Troubleshooter</a></p>
<p>Think about this scenario: you take one of the templates from the <a href="https://github.com/Azure/AzureStack-QuickStart-Templates">Azure Stack Quick Start GitHub repository</a> (or any template you may have written), deploy it to a resource group in your Azure Stack subscription, and for some reason, the deployment fails and maybe you get just a generic error in the Azure Stack portal or in PowerShell. It’s difficult to know where the deployment failed, isn’t it? (and this is even more complex when you’ve nested templates such as <a href="https://github.com/Azure/AzureStack-QuickStart-Templates/tree/master/sharepoint-2013-non-ha">SharePoint</a>).</p>
<p>This script can help you troubleshoot ARM deployments on Azure Stack TP1. You pass the resource group as a parameter; the script then contacts ARM, retrieves the information and logs for all deployments in that resource group, and saves everything to a log file, so you have all the logs and deployment details in a single place. Among the details collected from the deployments on the resource group, the script gets you:</p>
<ul>
<li>The template used during the deployment</li>
<li>The deployment parameters</li>
<li>
<div>Details of the deployment operations</div>
<ul>
<li>Here you can see which specific action failed (if any)</li>
</ul>
</li>
<li>Resources in the resource group</li>
<li>
<div>Details about the virtual machines:</div>
<ul>
<li>VM status</li>
<li>VM Agent Status</li>
<li>Installed VM extensions on the VM</li>
</ul>
</li>
</ul>
<p>For example, one of my colleagues was troubleshooting a complex deployment, and using this script, he got the logs and noticed the following error on the Custom Script VM Extension:</p>
<div>
<table style="border-collapse: collapse" border="0">
<colgroup>
<col style="width: 1247px" /></colgroup>
<tbody valign="top">
<tr>
<td style="padding-left: 14px;padding-right: 14px;border: solid 0.5pt">
<pre style="color: black;font-family: Consolas;font-size: 9pt;background-color: white">{
  "name": "PowerShellExec",
  "type": "Microsoft.Compute.CustomScriptExtension",
  "typeHandlerVersion": "1.7.0.0",
  "substatuses": null,
  "statuses": [
    {
      "code": "ProvisioningState/failed/3",
      "level": "Error",
      "displayStatus": "Provisioning failed",
      "message": "Failed to download all specified files. Exiting. Error Message: The remote server returned an error: (404) Not Found.",
      "time": "0001-01-02T00:00:00Z"
    }
  ]
}</pre></td>
</tr>
</tbody>
</table>
</div>
<p>As you can see on the snippet above, the Custom Script Extension is in failed state, and the error message clearly indicates that it couldn’t download the required files, as it received a 404 error code (not found). In this particular case, the environment required a proxy to connect to the internet, and additional configuration was required to allow this particular VM to access the internet to download the required files.</p>
<p><a href="https://gallery.technet.microsoft.com/Deployment-Checker-for-76d824e1">Deployment Checker for Azure Stack Technical Preview 1</a></p>
<p>Let’s imagine this scenario: you are eager to test Azure Stack TP1 and you got one server for installing and testing it, but after reading the <a href="https://azure.microsoft.com/en-us/documentation/azure-stack/">online documentation</a> for <a href="https://azure.microsoft.com/en-us/documentation/articles/azure-stack-deploy/">hardware requirements</a>, you’re still not sure if your server meets the requirements to deploy Azure Stack TP1, and you’d like to know if it would be possible to run Azure Stack on your hardware before you download the Azure Stack TP1 installation files.</p>
<p>This script will help you to check if your hardware meets the requirements / prerequisites for deploying Azure Stack TP1. The script goes through the prerequisite checks done by the Azure Stack TP1 installer and it will indicate if your server meets the requirements beforehand.</p>
<hr />
<h1>Azure Stack Troubleshooting – Additional resources</h1>
<p>Now, let’s review additional documents / links available for Azure Stack troubleshooting:</p>
<ul>
<li>
<div><a href="https://azure.microsoft.com/en-us/documentation/articles/azure-stack-troubleshooting/">Microsoft Azure Stack troubleshooting</a></div>
<p>Official article from the Azure Stack team with detailed troubleshooting guidance. Expect this list to grow over time!</li>
<li>
<div><a href="https://azure.microsoft.com/en-us/documentation/articles/azure-stack-faq/">Frequently asked questions for Azure Stack</a></div>
<p>Also an official article from the Azure Stack team, which is frequently updated (last update was a couple of weeks ago!) with common asks and topics being answered directly by the Azure Stack team.</li>
<li>
<div><a href="https://social.msdn.microsoft.com/Forums/azure/en-US/b7946e8d-c9fa-41c3-b407-98c6d1aa475e/azure-stack-known-issues-and-workarounds-tips-and-pitfalls-and-faqs-posted?forum=AzureStack">FAQ, known issues and workarounds</a></div>
<p>Collection of known issues and workarounds provided and maintained in the Azure Stack Forum.</li>
<li>
<div><a href="https://social.msdn.microsoft.com/Forums/en-US/home?forum=AzureStack">Azure Stack Forum</a></div>
<p>MSDN forum dedicated to Azure Stack. Great place to learn from others, and also the right place to post your questions when you face problems with your Azure Stack environment.</li>
<li>
<div><a href="https://social.msdn.microsoft.com/Forums/en-US/ea3207a5-9895-4c5a-b834-91b53e677ea1/azure-stack-logs?forum=AzureStack">Azure Stack Logs</a></div>
<p>Entry in the Azure Stack forum with a comprehensive list of logs for different Azure Stack components, as well as instructions on how to gather logs manually and automatically.</li>
<li>
<div><a href="https://channel9.msdn.com/Blogs/azurestack">The Azure Stack Channel</a></div>
<p>Channel 9 channel dedicated for Azure Stack resources (deployment, best practices, and more).</li>
</ul>
<hr />
<h1>Conclusion</h1>
<p>The resources provided on this blog should help you to troubleshoot the most common and known issues with Azure Stack TP1, specifically for IaaS (the focus of this series).</p>
<p>Also, with this blog post, we conclude this series that had as an original goal to map the IaaS concepts that WAP administrators are familiar with to the new Azure Stack TP1. We covered this series from a wide variety of angles, to help you understand more how cloud services are delivered on Azure Stack, and how the consistency with Azure via Azure Resource Manager is a key differentiator to bring the power of Azure to your datacenter.</p>
<p>Thanks and until next time!</p>
<p>Victor, Tiander and Bruno</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/08/09/arm-concepts-in-azure-stack-for-the-wap-administrator-troubleshooting-iaas-in-azure-stack/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Azure Stack API’s – Working directly with the Resource Manager API Layer (Technical Preview 1)</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/08/01/azure-stack-apis-working-directly-with-the-resource-manager-api-layer-technical-preview-1/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/08/01/azure-stack-apis-working-directly-with-the-resource-manager-api-layer-technical-preview-1/#respond</comments>
<pubDate>Mon, 01 Aug 2016 21:37:18 +0000</pubDate>
<dc:creator><![CDATA[Shawn Gibbs [MSFT]]]></dc:creator>
<category><![CDATA[Microsoft Azure Stack]]></category>
<category><![CDATA[API]]></category>
<category><![CDATA[Azure Stack]]></category>
<category><![CDATA[MAS]]></category>
<category><![CDATA[Shawn Gibbs]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=9165</guid>
<description><![CDATA[Introduction To work with the Azure’s Resource Manager, you have a number of options. For example, you have these SDK’s to simplify development: Azure .NET SDK’s https://azure.microsoft.com/en-us/documentation/api/ Azure Resource Manager SDK’s – JAVA, Python, and Ruby https://azure.microsoft.com/en-us/blog/azure-resource-manager-preview-sdks/ Azure Resource Manager PowerShell Cmdlets https://msdn.microsoft.com/en-us/library/azure/mt125356.aspx Note: I can’t stress enough that this is simply a model I... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/08/01/azure-stack-apis-working-directly-with-the-resource-manager-api-layer-technical-preview-1/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<h2>Introduction</h2>
<p>To work with the Azure’s Resource Manager, you have a number of options. For example, you have these SDK’s to simplify development:</p>
<ul>
<li>Azure .NET SDK’s <a href="https://azure.microsoft.com/en-us/documentation/api/">https://azure.microsoft.com/en-us/documentation/api/</a></li>
<li>Azure Resource Manager SDK’s – JAVA, Python, and Ruby <a href="https://azure.microsoft.com/en-us/blog/azure-resource-manager-preview-sdks/">https://azure.microsoft.com/en-us/blog/azure-resource-manager-preview-sdks/</a></li>
<li>Azure Resource Manager PowerShell Cmdlets <a href="https://msdn.microsoft.com/en-us/library/azure/mt125356.aspx">https://msdn.microsoft.com/en-us/library/azure/mt125356.aspx</a></li>
</ul>
<p><em>Note: I can’t stress enough that this is simply a model I use, mostly for validation and there certainly are other choices depending on project and requirements. Again this is for MAS TP1 which uses Azure AD so this may also be different moving forward for you. </em></p>
<p>The beauty of cloud consistency means that these tools and patterns are also the method in which you can develop against Azure Stack’s Resource Manager. Keep in mind that Azure Stack is in Technical Preview and not all API’s are available. This blog post offers another way, one that takes away the complexity of SDK’s and PowerShell modules and lets you understand and learn the API’s as a RESTful service in their most foundational form.</p>
<h2>Why work directly with APIs?</h2>
<p>Besides the ability to learn what’s happening underneath the covers, so to speak, debugging and translation to other languages can be easier. In PowerShell the obvious and easiest option is to utilize the Azure PowerShell cmdlets like Get-AzureRmSubscription or Get-AzureRmVM, but this is hard to translate into other scripting or coding languages, and if trouble exists it’s a little more complicated to debug. This should not be considered a recommendation on best practice, as the note above highlights, but for the purposes of testing it should suffice.</p>
<h2>To Begin</h2>
<p>No matter which method you choose to develop with, whether SDK’s, PowerShell, CLI or the APIs directly, a project has some basic requirements that need to be met, some of which are managed for you by PowerShell or the CLI. These are:</p>
<ul>
<li>Authentication and authorization – Click <a href="https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/">Here</a> for information on authenticating a service principal with ARM.</li>
<li>The application needs to be registered with Azure Active Directory and given permission – Click <a href="https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/">Here</a> for more details.</li>
<li>RESTful requests can then be made to the API’s correct URI’s with the above information used to create a bearer token – Click <a href="https://azure.microsoft.com/en-us/documentation/articles/resource-manager-supported-services/">Here</a> for Azure’s documentation for ARM API’s. (<em>Note: This is for Azure public cloud so the API versions and available resources will differ from Azure Stack’s API’s but this is a great place to start in a cloud consistent world)</em></li>
</ul>
<p>In the Technical Preview of Azure Stack, which uses Azure Active Directory, the first step is to create an application in the Azure Portal. Next, give that application delegated permission to the Azure Stack API application which was created during the install of the technical preview.</p>
<h3>Step 1</h3>
<p>Create an application in the Classic Azure Portal <a href="https://manage.windowsazure.com/">https://manage.windowsazure.com</a> within the Active Directory you used to install Azure Stack.</p>
<p>Add application:</p>
<ol>
<li>Within the directory used for Azure Stack select Applications tab and then select Add+ in the bottom menu to add an application.</li>
<li>When asked ‘What do you want to do?’ select the “Add an application my organization is developing” option.</li>
<li>Under the ‘Tell us about your application’ screen enter a name for your application and select the ‘Web application’ type.</li>
<li>Then enter a sign in URL, here you can enter <a href="http://localhost/">http://localhost</a></li>
<li>Under APP ID URI enter a unique App URI, for example <a href="https://localhost/appname/">https://localhost/appname/</a></li>
</ol>
<h3>Step 2</h3>
<p>Configure the application’s authorization to Azure Stack’s API’s.</p>
<p>Configure Application:</p>
<ol>
<li>Select the configure tab and take note of the Client ID GUID (you’ll need this later)</li>
<li>Under Keys, select the drop down called ‘select duration’ and pick 1 year.</li>
<li>Click save and go back to the keys section and copy the newly created key (<strong>this is the only chance to get it!</strong>)</li>
<li>Under the permissions section click add application and in the dialog box drop down the show menu and select all apps. Click the check button.</li>
<li>In the list of applications find the AzureStack.local-Api application and select it, then click the plus sign now in the name column. Then click the check.</li>
<li>It’s now added to the permissions list so drop down the delegated permissions and select the Access AzureStack.local-Api app and then click save again.</li>
<li>As a last piece of required data, select ‘VIEW ENDPOINTS’ and in the new dialog box you’ll see several choices. The important piece here is the GUID you can see in each dialog box for each of the endpoints listed. This is an easy way to get your Tenant ID in GUID format.</li>
</ol>
<p> </p>
<h2>Act on Azure Stack’s API’s</h2>
<p>These next steps require their own sections. I’ll show some examples in PowerShell and Python, but essentially all we are doing is sending a correctly formed HTTPS request to the Azure Stack API to perform the action we wish to perform. The request can be a GET request, just like when you request a web page from a site, but in API terms this is a request for information. Or it can be another type, like a DELETE request or a PUT request, which will delete a resource or create a resource. All requests made to a service, even web sites, require a header, but the ARM API’s require some specific information in it.</p>
<h3>Getting Tenants Authorization Token</h3>
<p>To retrieve the AAD Token for the tenant’s authorization to access Azure Stack’s API’s we’ll make a POST request to the OAUTH token endpoint <a href="https://login.microsoftonline.com/%7b0%7d/oauth2/token">https://login.microsoftonline.com/{0}/oauth2/token</a> where {0} is your tenant ID from the earlier steps in creating and authorizing applications. We also need to set the grant type and scope.</p>
<p><em><strong>Using PowerShell, let’s set some parameters:</strong> </em></p>
<pre style="margin-left: 3em">$ClientID = "<Enter your Client ID>"
$ClientKey = "<Enter your client secret>"
$TenantID = "<Enter Tenant ID GUID from Endpoints>"
$User = "<Enter the tenant user name, for example: Tenant1@shawngibbs.onmicrosoft.com>"
$Password = "<Enter your Tenant password>"
$AppIdUri = "https://azurestack.local-api/"
$AADURI = "https://login.microsoftonline.com/{0}/oauth2/token" -f $TenantID
</pre>
<p> </p>
<p><em><strong>In Python, setting parameters looks like this:</strong> </em></p>
<pre style="margin-left: 3em">CLIENT_ID = "<Enter your Client ID>"
CLIENT_SECRET = "<Enter your client secret>"
CLIENT_TENANTID = "<Enter Tenant ID GUID from Endpoints>"
CLIENT_USERNAME = "Tenant1@shawngibbs.onmicrosoft.com"
CLIENT_PASSWORD = "<Enter your Tenant password>"
CLIENT_RESOURCE = "https://azurestack.local-api/"
CLIENT_LOGIN_URL = "https://login.microsoftonline.com/"
URL = CLIENT_LOGIN_URL + CLIENT_TENANTID + "/oauth2/token"
</pre>
<p> </p>
<p>Making the request for the token. Since PowerShell and Python differ in how they deal with the object model, and this in turn changes the returned data, we’ll handle it in a way that is easy to deal with, although there may certainly be better ways to do the next step. For Python, we’ll set the acceptable response type to JSON with a request header: headers = {"Accept": "application/json"}. For PowerShell, this can be set to content type in the command parameters. The request will require a body of content that represents the grant request information and type.</p>
<p><em><strong>For PowerShell, the request body:</strong> </em></p>
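<pre style="margin-left: 3em"># URL-encode every value so characters such as & + = in a secret or password cannot break or alter the form body
$GrantBody = "grant_type=password&scope=openid&resource={0}&client_id={1}&client_secret={2}&username={3}&password={4}" -f ($AppIdUri, $ClientID, $ClientKey, $User, $Password | ForEach-Object { [uri]::EscapeDataString($_) })
</pre>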
<p> </p>
<p><em><strong>For Python, the request body:</strong> </em></p>
<pre style="margin-left: 3em"># Form fields for the password grant; requests URL-encodes the values when this dict is passed as data=
params = {"grant_type": "password",
          "scope": "openid",
          "resource": CLIENT_RESOURCE,
          "client_id": CLIENT_ID,
          "client_secret": CLIENT_SECRET,
          "username": CLIENT_USERNAME,
          "password": CLIENT_PASSWORD}
</pre>
<p> </p>
<p>Now let’s make the calls to the authorization API and parse out the token we will use to make additional requests to the Resource Manager API.</p>
<p><em><strong>For PowerShell:</strong> </em></p>
<pre style="margin-left: 3em">$AADTokenResponse = Invoke-RestMethod -Uri $AADURI -ContentType "application/x-www-form-urlencoded" -Body $GrantBody -Method Post -Verbose
$AADtoken = $AADTokenResponse.access_token
</pre>
<p><em><strong>For Python:</strong> </em></p>
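<pre style="margin-left: 3em">import requests

headers = {"Accept": "application/json"}
response = requests.post(URL, data=params, headers=headers)
response.raise_for_status()  # stop here on a 4xx/5xx instead of failing on a missing key below
response_json = response.json()
token = response_json['access_token']
</pre>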
<p>The end result is that we have the JWT (‘JSON Web Token’) now saved as a variable in PowerShell and Python. This now gets attached to future requests as the ‘Authorization’ part of the request header. We’ll also set some other header variables to set the language and response type.</p>
<p><em><strong>In PowerShell:</strong> </em></p>
<pre style="margin-left: 3em">$Headers = @{
    Authorization           = "Bearer $AADtoken"
    "Accept"                = "application/json"
    "x-ms-effective-locale" = "en.en-us"
}
</pre>
<p><em><strong>In Python:</strong> </em></p>
<pre style="margin-left: 3em">headers = {"Authorization": "Bearer "+ token, "Accept": "application/json", "x-ms-effective-locale":"en.en-us"}
</pre>
<p>At this point, we set the URI of the specific resources API we wish to get or set and make additional calls with the above headers that include the authorization token. For brevity, we’ll simply request subscriptions for the specific tenant, parse the response and since multiple subscriptions may exist, we’ll walk through each.</p>
<p><em><strong>In PowerShell:</strong> </em></p>
<pre style="margin-left: 3em">$GetSubscriptionsURI = "https://api.azurestack.local/subscriptions?api-version=1.0&includeDetails=true"
$Subscriptions = (Invoke-RestMethod -Uri $GetSubscriptionsURI -ContentType "application/json" -Headers $Headers -Method Get -Debug -Verbose).value
$Subscriptions
</pre>
<p><em><strong>In Python:</strong> </em></p>
<pre style="margin-left: 3em">import json

SUBURL = "https://api.azurestack.local/subscriptions?api-version=1.0&includeDetails=true"
# verify=False turns off TLS certificate validation for this call;
# pass verify="path/to/ca-bundle.pem" instead once the endpoint's CA certificate is available
response = requests.get(SUBURL, headers=headers, verify=False)
response_json = json.loads(response.text)
response_value = response_json['value']
for sub in response_value:
    print("My subscription ID is: " + sub['subscriptionId'])</pre>
<p> </p>
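<p>Before attaching the token to requests, it is worth confirming that it was issued for the Azure Stack API and the right tenant. The following is an added example, not part of the original post: it decodes the JWT payload and checks the standard <code>aud</code>, <code>tid</code>, <code>exp</code> and <code>nbf</code> claims. The function names and the sample token are constructed for illustration, and the check does not verify the signature (the API does that).</p>

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    """Encode bytes the way JWT segments are encoded (no padding)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(claims):
    """Build a constructed, unsigned token shaped like an access token."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "constructed-signature",
    ])


def read_claims(token):
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def check_token(token, audience, tenant_id, now=None, skew=300):
    """Return a list of problems; an empty list means the claims look right."""
    now = time.time() if now is None else now
    try:
        claims = read_claims(token)
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        return ["unreadable token: %s" % exc]

    problems = []
    # aud must be the resource the token was requested for
    aud = str(claims.get("aud", ""))
    if aud.rstrip("/") != audience.rstrip("/"):
        problems.append("aud is %r, expected %r" % (aud, audience))
    # tid must be the directory used in the token endpoint URL
    if str(claims.get("tid", "")).lower() != tenant_id.lower():
        problems.append("tid does not match the requested tenant")
    try:
        exp = int(claims["exp"])
        nbf = int(claims.get("nbf", 0))
    except (KeyError, TypeError, ValueError):
        problems.append("exp/nbf missing or not numeric")
        return problems
    if now >= exp:
        problems.append("token expired")
    if nbf > now + skew:
        problems.append("token not yet valid")
    return problems


# Constructed sample values, not taken from a real directory
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_NOW = 1470000000
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://azurestack.local-api/",
    "tid": SAMPLE_TENANT,
    "nbf": SAMPLE_NOW - 60,
    "exp": SAMPLE_NOW + 3600,
})

if __name__ == "__main__":
    print(check_token(SAMPLE_TOKEN, "https://azurestack.local-api/",
                      SAMPLE_TENANT, now=SAMPLE_NOW))
```

<p>In the Python flow above this would be called as <code>check_token(token, CLIENT_RESOURCE, CLIENT_TENANTID)</code> right after the token request.</p>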
<h2>Result</h2>
<p>At this point, you have the basics needed to communicate directly with the Azure Stack Resource Management API’s. Even if this is not the model you choose to do your development moving forward, it should at least enlighten you to what is happening. These API’s are everything you need when you want to perform exactly the same tasks that you do via the portal, PowerShell or CLI.</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/08/01/azure-stack-apis-working-directly-with-the-resource-manager-api-layer-technical-preview-1/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>ARM concepts in Azure Stack for the WAP Administrator – In-guest configuration with ARM, and technologies such as Virtual Machines Extensions, including PowerShell Desired State Configuration (DSC)</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/06/29/arm-concepts-in-azure-stack-for-the-wap-administrator-in-guest-configuration-with-arm-and-technologies-such-as-virtual-machines-extensions-including-powershell-desired-state-configuration-d/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/06/29/arm-concepts-in-azure-stack-for-the-wap-administrator-in-guest-configuration-with-arm-and-technologies-such-as-virtual-machines-extensions-including-powershell-desired-state-configuration-d/#respond</comments>
<pubDate>Wed, 29 Jun 2016 21:25:00 +0000</pubDate>
<dc:creator><![CDATA[Tiander Turpijn [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[ARM]]></category>
<category><![CDATA[Azure Automation]]></category>
<category><![CDATA[Azure Resource Manager]]></category>
<category><![CDATA[Azure Stack]]></category>
<category><![CDATA[AzureStack]]></category>
<category><![CDATA[Building Clouds]]></category>
<category><![CDATA[building clouds blog]]></category>
<category><![CDATA[Hybrid Cloud]]></category>
<category><![CDATA[Microsoft Azure]]></category>
<category><![CDATA[PowerShell DSC]]></category>
<category><![CDATA[WAP]]></category>
<category><![CDATA[Windows Azure Pack]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=8765</guid>
<description><![CDATA[Hello Readers! This is part 7 of the blog post series “ARM concepts in Azure Stack for the WAP Administrator.” In this post we’ll focus on the VM configuration itself, leveraging Azure Resource Manager (ARM), VM Extensions and PowerShell DSC. Note Some information relates to pre-released product which may be substantially modified before it’s commercially... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/06/29/arm-concepts-in-azure-stack-for-the-wap-administrator-in-guest-configuration-with-arm-and-technologies-such-as-virtual-machines-extensions-including-powershell-desired-state-configuration-d/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Hello Readers! This is part 7 of the blog post series “ARM concepts in Azure Stack for the WAP Administrator.” In this post we’ll focus on the VM configuration itself, leveraging Azure Resource Manager (ARM), VM Extensions and PowerShell DSC.</p>
<p><strong>Note</strong><br />
<em>Some information relates to pre-released product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.</em></p>
<p>Here is the table of contents for the series of post so that you’ll find it easier to navigate across the series:</p>
<p><strong>Table of contents<br />
</strong></p>
<ol>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/02/08/arm-concepts-in-azure-stack-for-the-wap-administratorintroduction-post/">Introductory post</a>, and some first information on the <a href="https://azure.microsoft.com/en-us/documentation/articles/azure-stack-poc/">Azure Stack POC</a> architecture and ARM’s role</li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/02/15/arm-concepts-in-azure-stack-for-the-wap-administrator-cloud-service-delivery/">Cloud Service Delivery</a></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/02/24/arm-concepts-in-azure-stack-for-the-wap-administrator-offers-plans-and-subscriptions-2/">Plans, offers, and subscriptions</a></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/04/29/arm-concepts-in-azure-stack-for-the-wap-administrator-multi-tier-applications/">Resource Deployment</a></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/04/01/arm-concepts-in-azure-stack-for-the-wap-administrator-packaging-and-publishing-templates-on-azure-stack/">Packaging and publishing templates on Azure Stack</a></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/04/29/arm-concepts-in-azure-stack-for-the-wap-administrator-multi-tier-applications/">Multi-tier applications with ARM</a></li>
<li>In-guest configuration with ARM, and technologies such as Virtual Machines Extensions, including PowerShell Desired State Configuration (DSC) – <strong>this post</strong></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/08/09/arm-concepts-in-azure-stack-for-the-wap-administrator-troubleshooting-iaas-in-azure-stack/">Troubleshooting IaaS deployments in Azure Stack—this maps to an understanding of how the different Resource Providers (RPs) work together in an Azure Stack installation</a></li>
</ol>
<hr />
<h2>Introduction</h2>
<p>Victor Arzate has done a great job in laying down the foundation for this blog post by describing how to <a target="_blank" href="https://blogs.technet.microsoft.com/privatecloud/2016/03/18/arm-concepts-in-azure-stack-for-the-wap-administrator-resource-deployment/">deploy resources</a> and <a target="_blank" href="https://blogs.technet.microsoft.com/privatecloud/2016/04/29/arm-concepts-in-azure-stack-for-the-wap-administrator-multi-tier-applications/">multi-tier applications</a>. In this blog post we will dive deeper in how to configure a VM, also known as in-guest configuration. We will briefly revisit the options you have in Windows Azure Pack (WAP), look at Azure Stack and discover the similarities between the two.</p>
<hr />
<h2>VM deployment and configuration in Windows Azure Pack</h2>
<p>Let’s revisit the options in WAP to deploy a VM:</p>
<ul>
<li>VM Standalone – mapped to a VM template in System Center Virtual Machine Manager (SCVMM)</li>
<li>VM Role – allows integration of application installation during deployment</li>
</ul>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image128.png"><img width="216" height="175" title="image" style="padding-top: 0px;padding-left: 0px;margin: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb118.png" border="0" /></a></p></blockquote>
<p>And as mentioned in the previous posts, Service Management Automation (SMA) can be used to automate and orchestrate a VM deployment and configuration (and much more) in WAP.</p>
<p>Desired State Configuration (DSC) can be used to declare the end state of your deployment which can be applied during or after a deployment. With stand-alone virtual machines, you usually deploy a VM with only the operating system installed, but what about if you need more than this? Let’s say, for example, you want to deploy a VM with SQL server? Then you need a technology that allows you to configure the VM itself, once it has been deployed with an OS. VM Roles allow you to perform this as it will deploy the VM with the OS desired and second, it will allow you to perform in-guest configuration via PowerShell DSC. For our example with SQL Server, PowerShell DSC allows you to install the required OS features (for example, .Net Framework) and also it allows you to install the application and configure it as required (in this case, SQL Server). How to create VM roles and use PowerShell DSC is out of scope of this blog, but this has been extensively documented. Two great blog posts which talk about VM role deployment and DSC are:</p>
<ul>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2014/02/28/automationthe-new-world-of-tenant-provisioning-with-windows-azure-pack-part-1-introduction-and-table-of-contents/">WAP Tenant provisioning by Charles Joy</a></li>
<li><a href="http://www.hyper-v.nu/archives/bgelens/2015/02/integrating-vm-role-with-desired-state-configuration-part-1-introduction-and-scenario/">VM Role and DSC integration by Ben Gelens</a></li>
</ul>
<p>If you are looking for a DSC jump start, then please check out <a target="_blank" href="https://channel9.msdn.com/Series/Getting-Started-with-PowerShell-Desired-State-Configuration-DSC/01">this great video</a> and if you are wondering where you can find DSC resources, please check the <a target="_blank" href="http://www.powershellgallery.com/items?q=dsc&x=0&y=0">PowerShell Gallery</a>.</p>
<p>Let’s now look at Azure Stack.</p>
<hr />
<h2>VM deployment and configuration in Azure Stack</h2>
<p>One of the biggest differences between WAP and Azure Stack is <strong>Azure Resource Manager</strong> (ARM). If you are looking for a primer on ARM I would encourage you to check out <a target="_blank" href="https://channel9.msdn.com/Events/Build/2015/2-659">Ryan Jones’ presentation on ARM</a>.</p>
<p>Since ARM is the consistent management layer between Azure and Azure Stack and consumes JSON based templates for VM deployment and configuration, it’s the first obvious step to explore. As pointed out a couple of times already during the blog post series, please do check out and try the available Azure Stack templates <a target="_blank" href="https://github.com/Azure/AzureStack-QuickStart-Templates">here</a>. Notice the green button in the picture below; in a couple of clicks you can download a zip file and explore all sample templates on your local machine or test them in your Azure Stack environment:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image221.png"><img width="885" height="225" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb139.png" border="0" /></a></p></blockquote>
<p>So with an ARM template you can deploy and configure your VM’s, right? Correct! Let’s look at the options:</p>
<p><strong>For <em>new</em> VM’s deploy an ARM template leveraging the:</strong></p>
<p>a) Custom Script extension, see <a target="_blank" href="https://github.com/Azure/AzureStack-QuickStart-Templates/tree/master/101-vm-ext-win-cs-scriptfile">this</a> template as an example</p>
<p>b) DSC extension, see <a target="_blank" href="https://github.com/Azure/AzureStack-QuickStart-Templates/tree/6a82de37650656be5fd48549df65bb9d96698a28/ad-non-ha">this</a> template as an example</p>
<p>c) DSC extension and Azure Automation DSC for pull server functionality, see <a target="_blank" href="https://github.com/Azure/azure-quickstart-templates/tree/master/201-vmss-automation-dsc">this</a> template as an example</p>
<p><strong>For <em>existing</em> VM’s:</strong></p>
<p>d) Push a DSC configuration using PowerShell Remoting</p>
<p>e) Enable the DSC VM extension and assign a configuration</p>
<p>f) Enable the DSC VM extension<em> </em>and assign a DSC configuration, leveraging Azure Automation for pull server functionality</p>
<p> </p>
<p>In this blog post we will focus on options d and f.</p>
<p><em>Note: Before we move on, it is good to emphasize that DSC investments you have made – or are going to make – in WAP, Azure or Azure Stack – can be reused in all these areas. Write once, run everywhere!</em></p>
<p> </p>
<p>Let’s look at the relevant VM extensions in an ARM template.</p>
<p><strong>VM extension skeleton. </strong>Please note the section highlighted in red; these values are different in each VM extension, as depicted below.</p>
<pre> {
   "type": "Microsoft.Compute/virtualMachines/extensions",
   "name": "MyExtension",
   "apiVersion": "2015-05-01-preview",
   "location": "[parameters('location')]",
   "dependsOn": ["[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'))]"],
   "properties":
   {
     <span style="color: #ff0000">"publisher": "Publisher Namespace",
     "type": "extension Name",
     "typeHandlerVersion": "extension version",
     "autoUpgradeMinorVersion": true,
     "settings": {
       // <strong>Extension specific configuration goes in here</strong>.</span>
     }
   }
 }</pre>
<p><strong>Custom Script Extension:</strong></p>
<pre> {
   "publisher": "Microsoft.Compute",
   "type": "CustomScriptExtension",
   "typeHandlerVersion": "1.7",
   "settings": {
     "fileUris": [
       "http://Yourstorageaccount.blob.core.windows.net/customscriptfiles/<strong>YourScriptGoesHere.ps1</strong>"
     ],
     "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File <strong>YourScriptGoesHere.ps1</strong>"
   },
   "protectedSettings": {
     "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File <strong>YourScriptGoesHere.ps1</strong>",
     "storageAccountName": "yourStorageAccountName",
     "storageAccountKey": "yourStorageAccountKey"
   }
 }</pre>
<p><strong><em>You can refer to </em></strong><a target="_blank" href="https://github.com/Azure/AzureStack-QuickStart-Templates/tree/master/101-vm-ext-win-cs-scriptfile"><strong><em>this</em></strong></a><strong><em> sample from the </em></strong><a target="_blank" href="https://github.com/Azure/AzureStack-QuickStart-Templates"><strong><em>Azure Stack Quick Start GitHub repository</em></strong></a><strong><em> for a complete template using the custom script extension.</em></strong></p>
<p><strong></strong>The Custom Script Extension can be used to invoke a script after deployment to do some post configuration work. For example, we could invoke an Azure Automation runbook leveraging this extension, like a <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/automation-webhooks/">webhook</a> enabled runbook.</p>
<p> </p>
<p><strong>DSC Extension:</strong></p>
<pre> {
"publisher": "Microsoft.Powershell",
"type": "DSC",
"typeHandlerVersion": "2.1",
"settings": {
"ModulesUrl": "https://UrlToZipContainingConfigurationScript.ps1.zip",
"SasToken": "Optional : SAS Token if ModulesUrl points to Azure Blob Storage",
"ConfigurationFunction": "ConfigurationScript.ps1\\ConfigurationFunction",
"Properties": {
"ParameterToConfigurationFunction1": "Value1",
"ParameterToConfigurationFunction2": "Value2",
"ParameterOfTypePSCredential1": {
"UserName": "UsernameValue1",
"Password": "PrivateSettingsRef:Key1(Value is a reference to a member of the Items object in the protected settings)"
},
"ParameterOfTypePSCredential2": {
"UserName": "UsernameValue2",
"Password": "PrivateSettingsRef:Key2"
}
}
},
"protectedSettings": {
"Items": {
"Key1": "PasswordValue1",
"Key2": "PasswordValue2"
},
"DataBlobUri": "optional : https://UrlToConfigurationData.psd1"
}
}</pre>
<p><em>If you want to make sure that you are using the latest version of the Windows Management Framework (WMF), you can add <strong>"wmfVersion": "latest"</strong>; see the </em><a target="_blank" href="https://blogs.msdn.microsoft.com/powershell/2016/02/26/arm-dsc-extension-settings/"><em>ARM DSC Extension Settings</em></a><em> for more information.</em></p>
<p><em>If you want to use the latest DSC extension version, you can add <strong>"autoUpgradeMinorVersion": true</strong> right under the line <strong>"typeHandlerVersion": "2.1",</strong> (see </em><a target="_blank" href="https://blogs.msdn.microsoft.com/powershell/2015/10/02/how-to-use-wmf-4-with-azure-dsc-extension-in-azure-resource-manager-arm/"><em>this link</em></a><em> for an example). Note: <strong>autoUpgradeMinorVersion</strong> works for any VM extension.</em></p>
<p> </p>
<p><strong>Note</strong>: it is in the Azure Automation backlog to support invoking an Azure Automation runbook based on a <strong>webhook</strong> in an ARM template. If you want to provide feedback on this specific topic then please navigate to <a target="_blank" href="https://feedback.azure.com/forums/246290-automation/suggestions/13227531-webhooks-arm-template">this link</a>.</p>
<p>Examples of Azure Stack templates which use the DSC extension can be found <a target="_blank" href="https://github.com/Azure/AzureStack-QuickStart-Templates/tree/master/ad-non-ha">here</a>.</p>
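<p>The Custom Script and DSC snippets above split their configuration between <strong>settings</strong>, which is not encrypted, and <strong>protectedSettings</strong>. The following PowerShell is an added example, not code from the original post or from the Azure Stack templates: it reviews one extension definition and reports literal secrets left in the public block, PrivateSettingsRef references with no matching Items entry, http:// download locations, and a commandToExecute that is repeated in the public block. The function names, the property-name heuristics and the sample JSON are assumptions made for this example.</p>

```powershell
# Added example: review a VM extension definition before it goes into an ARM template.
# Function names and heuristics are hypothetical, not part of any Azure module.

function Get-SettingLeaf {
    # Walk a ConvertFrom-Json object tree and emit one record per leaf value.
    param($Node, [string]$Path = '')
    if ($null -eq $Node) { return }
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            $child = if ($Path) { "$Path.$($p.Name)" } else { $p.Name }
            Get-SettingLeaf -Node $p.Value -Path $child
        }
    }
    elseif ($Node -is [array]) {
        foreach ($item in $Node) { Get-SettingLeaf -Node $item -Path $Path }
    }
    else {
        [pscustomobject]@{ Path = $Path; Name = ($Path -split '\.')[-1]; Value = [string]$Node }
    }
}

function Test-VmExtensionSettings {
    param([Parameter(Mandatory = $true)][string]$Json)

    $ext      = $Json | ConvertFrom-Json
    $items    = $ext.protectedSettings.Items
    $findings = @()

    foreach ($leaf in (Get-SettingLeaf -Node $ext.settings)) {
        if ($leaf.Value -match '^PrivateSettingsRef:(\w+)') {
            # DSC extension: the reference must resolve inside protectedSettings.Items
            $key = $Matches[1]
            if (-not $items -or -not $items.PSObject.Properties[$key]) {
                $findings += "$($leaf.Path): '$key' is not defined in protectedSettings.Items"
            }
        }
        elseif ($leaf.Name -match 'password|secret|key$' -and $leaf.Value) {
            # Heuristic on the property name; anything secret belongs in protectedSettings
            $findings += "$($leaf.Path): literal secret in public settings, move it to protectedSettings"
        }
        if ($leaf.Value -match '^http://') {
            $findings += "$($leaf.Path): fetched over plain HTTP, use https://"
        }
    }
    if ($ext.settings.commandToExecute -and $ext.protectedSettings.commandToExecute) {
        $findings += 'commandToExecute: also present in public settings, where it is stored unencrypted'
    }
    $findings
}

# Constructed sample, modelled on the DSC snippet above: Key2 is never defined,
# Cred3 carries its password inline, and the module archive is fetched over HTTP.
$sample = @'
{
  "publisher": "Microsoft.Powershell",
  "type": "DSC",
  "typeHandlerVersion": "2.1",
  "settings": {
    "ModulesUrl": "http://example.invalid/ConfigurationScript.ps1.zip",
    "Properties": {
      "Cred1": { "UserName": "u1", "Password": "PrivateSettingsRef:Key1" },
      "Cred2": { "UserName": "u2", "Password": "PrivateSettingsRef:Key2" },
      "Cred3": { "UserName": "u3", "Password": "constructed-literal" }
    }
  },
  "protectedSettings": { "Items": { "Key1": "constructed-value" } }
}
'@

Test-VmExtensionSettings -Json $sample
```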
<hr />
<h2>Creating and deploying your own DSC Configuration</h2>
<p>In the previous posts we showed you how to deploy a new VM leveraging an ARM template which included the DSC extension to complete the in-guest configuration, so we already have covered that.</p>
<p>You can leverage DSC in two different ways: in <strong>Push</strong> or <strong>Pull</strong> mode. As you can guess from the names, in push mode we push the DSC configuration to a node, whereas in pull mode the node pulls the configuration from a so-called <strong>DSC Pull Server</strong>. Luckily for us, there’s a DSC Pull Server up in the cloud called Azure Automation DSC, which takes away a lot of the complexity of setting up a local pull server. A local pull server is a very valid option in a fully disconnected environment, but it is out of scope for this blog post. Go <a target="_blank" href="https://msdn.microsoft.com/en-us/powershell/dsc/pullserver">here</a> if you want to read up on how to install a pull server. Using the Azure Automation DSC Pull Server assumes that your nodes have Internet access, but this is by far the easiest way to manage DSC configurations because your configurations are located and managed in a central place.</p>
<p>Let’s look at the following for this blog post:</p>
<ul>
<li>Create your own DSC configuration</li>
<li>Push the configuration to a node and apply</li>
<li>Upload your DSC configuration to Azure Automation and compile
<ul>
<li>This will generate a MOF file which will get consumed by the DSC Local Configuration Manager (LCM) – the DSC engine if you will</li>
</ul>
</li>
<li>Assign the DSC configuration to an existing VM</li>
<li>Look at the compliance state in Azure Automation</li>
</ul>
<hr />
<h2>Create your own DSC configuration</h2>
<p>A DSC configuration is like a function in PowerShell and we will use it to declare our end state.</p>
<p>Perform the following steps on a machine which has Internet access since we will upload the DSC configuration to Azure Automation.</p>
<p>1. Open PowerShell ISE and let’s create this simple website configuration:</p>
<pre>Configuration MyCorpWebsite {
    param (
        $NodeName
    )
    Node $NodeName {
        WindowsFeature IIS
        {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        WindowsFeature ASP
        {
            Ensure = "Present"
            Name   = "Web-Asp-Net45"
        }

        Service 'W3svc'
        {
            Name        = 'w3svc'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[windowsfeature]iis'
        }
    }
}</pre>
<p>2. Save your DSC configuration locally in a folder; I’ve saved mine to C:\DSC as <strong>MyCorpWebsite.ps1</strong></p>
<p>3. Load your DSC configuration into memory so that we can call it (just run the PowerShell script from step 1)</p>
<p>4. Let’s generate the MOF file which will be consumed by the Local Configuration Manager. Notice that I’m passing a parameter called <strong>-NodeName</strong>, which generates a MOF file specifically for that node:</p>
<p><strong>MyCorpWebsite -NodeName HRB1 -OutputPath c:\DSC\configurations</strong></p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image577.png"><img width="460" height="167" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb445.png" border="0" /></a></p>
<hr />
<h2>Push the DSC configuration to a node and apply</h2>
<p>Now that you have created a DSC configuration and compiled it into a MOF file, we can <strong>push</strong> it to a node. Before you can push a DSC configuration to a node, you need to make sure that either <strong>WinRM listeners</strong> <em>or</em> <strong>PowerShell Remoting</strong> have been set up on your target machine. Enable-PSRemoting is an easy way to create the required WinRM listeners. A lot has already been written about how to set up PowerShell Remoting and create WinRM listeners; if you are looking for information on just setting up the required WinRM listeners, you can explore <a target="_blank" href="http://www.powershellmagazine.com/2014/04/01/desired-state-configuration-and-the-remoting-myth/">this article</a>.</p>
<p>Assuming that you have the prerequisites in place, we can now push the configuration to our node (in my example my host is called HRB1):</p>
<p><strong>Start-DscConfiguration -Path C:\dsc\configurations -Verbose -Wait -Force -Credential (Get-Credential) -ComputerName HRB1</strong></p>
<p><em>Notice that we didn’t have to use PowerShell Remoting because of the WinRM listener being configured through Enable-PSRemoting.</em></p>
<p>It will first prompt us for our credentials:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image579.png"><img width="606" height="215" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb447.png" border="0" /></a></p></blockquote>
<p>After we’ve authenticated, we will see this as our output:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image580.png"><img width="609" height="304" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb448.png" border="0" /></a></p>
</blockquote>
<p>Let’s check with PowerShell Remoting if our configuration got applied:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image581.png"><img width="661" height="105" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb449.png" border="0" /></a></p>
<p>Cool stuff!</p>
<hr />
<h2>Upload your DSC configuration to Azure Automation and compile</h2>
<p>The remainder of this blog post will focus on option f (Enable the DSC VM extension and assign a DSC configuration, leveraging Azure Automation for pull server functionality), as previously discussed in this blog post. It is assumed that you are familiar with Azure Automation and that you’ve created an Azure Automation account in your subscription. If you are new to Azure Automation, please go <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/learning-paths/automation/">here</a> to start.</p>
<p>We will now upload a DSC configuration to Azure Automation and compile it. Let’s use the same configuration as we’ve used previously with the exception that we are going to take out the node section since Azure Automation is going to assign the configuration to the node:</p>
<pre>Configuration MyCorpWebsite {
    WindowsFeature IIS
    {
        Name   = 'Web-Server'
        Ensure = 'Present'
    }

    WindowsFeature ASP
    {
        Ensure = "Present"
        Name   = "Web-Asp-Net45"
    }

    Service 'W3svc'
    {
        Name        = 'w3svc'
        StartupType = 'Automatic'
        State       = 'Running'
        DependsOn   = '[windowsfeature]iis'
    }
}</pre>
<p>1. Use the following PowerShell script to upload your DSC configuration to Azure Automation and compile it:</p>
<pre>Add-AzureRmAccount
#Get your Azure Automation account where you want to upload your DSC config to
$AAaccount = Get-AzureRmAutomationAccount -Name DscAzStack -ResourceGroupName DscAzStack

#Import DSC configuration
$AAaccount | Import-AzureRmAutomationDscConfiguration -SourcePath 'C:\DSC\MyCorpWebsite.ps1' -Published -Force
$AAaccount | Get-AzureRmAutomationDscConfiguration -Name MyCorpWebsite

#Compile the DSC configuration
$job = $AAaccount | Get-AzureRmAutomationDscConfiguration -Name MyCorpWebsite | Start-AzureRmAutomationDscCompilationJob

#Get the status of the compilation job
$job | Get-AzureRmAutomationDscCompilationJob</pre>
<p> </p>
<p>That will give you this output:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image283.png"><img width="430" height="354" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb193.png" border="0" /></a></p></blockquote>
<p>Starting the compilation job:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image284.png"><img width="716" height="197" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb194.png" border="0" /></a></p></blockquote>
<p>After a short while we see the completion in the Azure Automation portal:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image285.png"><img width="441" height="387" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb195.png" border="0" /></a></p></blockquote>
<p>Now that we have uploaded and compiled a DSC configuration into Azure Automation we can assign this configuration to a VM. There are two options for assigning a configuration to a VM:</p>
<p>1. Through the Azure Automation portal. This is currently limited to Azure VMs within the same subscription</p>
<p>2. Through PowerShell, for VMs residing outside Azure, like on-premises VMs or VMs in different clouds like AWS</p>
<p>Since this blog post is focused on Azure Stack, PowerShell is going to be our option of choice.</p>
<hr />
<h2>Assign the DSC configuration to an existing VM</h2>
<p>In the <a target="_blank" href="https://blogs.technet.microsoft.com/privatecloud/2016/04/29/arm-concepts-in-azure-stack-for-the-wap-administrator-multi-tier-applications/">previous post</a> Victor already talked about leveraging <a target="_blank" href="https://github.com/Azure/azure-quickstart-templates/tree/master/dsc-extension-azure-automation-pullserver">this</a> GitHub template, which you can use to onboard a non-Azure VM. Let’s drill down a bit on that template.</p>
<p>The GitHub template leverages what is called a <strong>DSC metaconfiguration</strong> file to onboard the nodes and to configure the Local Configuration Manager (LCM). The DSC metaconfiguration file is stored <a target="_blank" href="https://github.com/Azure/azure-quickstart-templates/blob/master/dsc-extension-azure-automation-pullserver/UpdateLCMforAAPull.zip">here</a>. Let’s download, extract and examine the file the PowerShell way:</p>
<blockquote>
<pre>$MetaConfigFileURL = 'https://github.com/Azure/azure-quickstart-templates/raw/master/dsc-extension-azure-automation-pullserver/UpdateLCMforAAPull.zip'
$MetaConfigFile = 'UpdateLCMforAAPull'
$OutFolder = 'C:\DSC'
Invoke-WebRequest -Uri $MetaConfigFileURL `
    -OutFile ($OutFolder + '\' + $MetaConfigFile + '.zip')
Expand-Archive ($OutFolder + '\' + $MetaConfigFile + '.zip') -DestinationPath $OutFolder
psedit ($OutFolder + '\' + $MetaConfigFile + '.ps1')</pre>
</blockquote>
<p> </p>
<p>The last line in the above PowerShell script will open up the <strong>metaconfiguration</strong> file:</p>
<div style="overflow: auto;border-top: black 1px solid;;border-right: black 1px solid;width: 650px;border-bottom: black 1px solid;border-left: black 1px solid;padding: 5px">
<table border="0" cellspacing="0" cellpadding="5">
<tbody>
<tr>
<td nowrap="nowrap" valign="top">
<div style="background: #fcfcfc;padding: 5px"><span style="font-family: Consolas"><span><span style="color: #a9a9a9"><span style="font-size: 10pt">[</span></span></span><span style="font-size: 10pt"><span><span style="color: #00bfff">DscLocalConfigurationManager</span></span><span>(</span><span>)</span><span><span style="color: #a9a9a9">]</span></span><br />
<span><span style="color: #00008b">Configuration</span></span><span> </span><span><span style="color: #8a2be2">ConfigureLCMforAAPull</span></span><br />
<span>{</span><br />
<span> </span><span><span style="color: #00008b">param</span></span><br />
<span> </span><span>(</span><br />
<span> </span><span><span style="color: #a9a9a9">[</span></span><span><span style="color: #00bfff">Parameter</span></span><span>(</span><span>Mandatory</span><span><span style="color: #a9a9a9">=</span></span><span><span style="color: #ff4500">$True</span></span><span>)</span><span><span style="color: #a9a9a9">]</span></span><br />
<span> </span><span><span style="color: #ff4500">$RegistrationUrl</span></span><span><span style="color: #a9a9a9">,</span></span></p>
<p><span> </span><span><span style="color: #a9a9a9">[</span></span><span><span style="color: #00bfff">Parameter</span></span><span>(</span><span>Mandatory</span><span><span style="color: #a9a9a9">=</span></span><span><span style="color: #ff4500">$True</span></span><span>)</span><span><span style="color: #a9a9a9">]</span></span><br />
<span> </span><span><span style="color: #008080">[PSCredential]</span></span><span><span style="color: #ff4500">$RegistrationKey</span></span><span><span style="color: #a9a9a9">,</span></span></p>
<p><span> </span><span><span style="color: #008080">[Int]</span></span><span><span style="color: #ff4500">$RefreshFrequencyMins</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #800080">30</span></span><span><span style="color: #a9a9a9">,</span></span><br />
<span> </span><br />
<span> </span><span><span style="color: #008080">[Int]</span></span><span><span style="color: #ff4500">$ConfigurationModeFrequencyMins</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #800080">15</span></span><span><span style="color: #a9a9a9">,</span></span><br />
<span> </span><br />
<span> </span><span><span style="color: #008080">[String]</span></span><span><span style="color: #ff4500">$ConfigurationMode</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">“ApplyAndMonitor”</span></span><span><span style="color: #a9a9a9">,</span></span><br />
<span> </span><br />
<span> </span><span><span style="color: #008080">[String]</span></span><span><span style="color: #ff4500">$NodeConfigurationName</span></span><span><span style="color: #a9a9a9">,</span></span></p>
<p><span> </span><span><span style="color: #008080">[Boolean]</span></span><span><span style="color: #ff4500">$RebootNodeIfNeeded</span></span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$False</span></span><span><span style="color: #a9a9a9">,</span></span></p>
<p><span> </span><span><span style="color: #008080">[String]</span></span><span><span style="color: #ff4500">$ActionAfterReboot</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">“ContinueConfiguration”</span></span><span><span style="color: #a9a9a9">,</span></span></p>
<p><span> </span><span><span style="color: #008080">[Boolean]</span></span><span><span style="color: #ff4500">$AllowModuleOverwrite</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$False</span></span><span><span style="color: #a9a9a9">,</span></span></p>
<p><span> </span><span><span style="color: #008080">[String]</span></span><span><span style="color: #ff4500">$Timestamp</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">“”</span></span><br />
<span> </span><span>)</span></p>
<p><span> </span><span><span style="color: #00008b">if</span></span><span>(</span><span><span style="color: #a9a9a9">!</span></span><span><span style="color: #ff4500">$RefreshFrequencyMins</span></span><span> </span><span><span style="color: #a9a9a9">-or</span></span><span> </span><span><span style="color: #ff4500">$RefreshFrequencyMins</span></span><span> </span><span><span style="color: #a9a9a9">-eq</span></span><span> </span><span><span style="color: #8b0000">“”</span></span><span>)</span><br />
<span> </span><span>{</span><br />
<span> </span><span><span style="color: #ff4500">$RefreshFrequencyMins</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #800080">30</span></span><br />
<span> </span><span>}</span></p>
<p><span> </span><span><span style="color: #00008b">if</span></span><span>(</span><span><span style="color: #a9a9a9">!</span></span><span><span style="color: #ff4500">$ConfigurationModeFrequencyMins</span></span><span> </span><span><span style="color: #a9a9a9">-or</span></span><span> </span><span><span style="color: #ff4500">$ConfigurationModeFrequencyMins</span></span><span> </span><span><span style="color: #a9a9a9">-eq</span></span><span> </span><span><span style="color: #8b0000">“”</span></span><span>)</span><br />
<span> </span><span>{</span><br />
<span> </span><span><span style="color: #ff4500">$ConfigurationModeFrequencyMins</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #800080">15</span></span><br />
<span> </span><span>}</span></p>
<p><span> </span><span><span style="color: #00008b">if</span></span><span>(</span><span><span style="color: #a9a9a9">!</span></span><span><span style="color: #ff4500">$ConfigurationMode</span></span><span> </span><span><span style="color: #a9a9a9">-or</span></span><span> </span><span><span style="color: #ff4500">$ConfigurationMode</span></span><span> </span><span><span style="color: #a9a9a9">-eq</span></span><span> </span><span><span style="color: #8b0000">“”</span></span><span>)</span><br />
<span> </span><span>{</span><br />
<span> </span><span><span style="color: #ff4500">$ConfigurationMode</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">“ApplyAndMonitor”</span></span><br />
<span> </span><span>}</span></p>
<p><span> </span><span><span style="color: #00008b">if</span></span><span>(</span><span><span style="color: #a9a9a9">!</span></span><span><span style="color: #ff4500">$ActionAfterReboot</span></span><span> </span><span><span style="color: #a9a9a9">-or</span></span><span> </span><span><span style="color: #ff4500">$ActionAfterReboot</span></span><span> </span><span><span style="color: #a9a9a9">-eq</span></span><span> </span><span><span style="color: #8b0000">“”</span></span><span>)</span><br />
<span> </span><span>{</span><br />
<span> </span><span><span style="color: #ff4500">$ActionAfterReboot</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">“ContinueConfiguration”</span></span><br />
<span> </span><span>}</span></p>
<p><span> </span><span><span style="color: #00008b">if</span></span><span>(</span><span><span style="color: #a9a9a9">!</span></span><span><span style="color: #ff4500">$NodeConfigurationName</span></span><span> </span><span><span style="color: #a9a9a9">-or</span></span><span> </span><span><span style="color: #ff4500">$NodeConfigurationName</span></span><span> </span><span><span style="color: #a9a9a9">-eq</span></span><span> </span><span><span style="color: #8b0000">“”</span></span><span>)</span><br />
<span> </span><span>{</span><span> </span><br />
<span> </span><span><span style="color: #ff4500">$ConfigurationNames</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$null</span></span><br />
<span> </span><span>}</span><br />
<span> </span><span><span style="color: #00008b">else</span></span><br />
<span> </span><span>{</span><br />
<span> </span><span><span style="color: #ff4500">$ConfigurationNames</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span>@(</span><span><span style="color: #ff4500">$NodeConfigurationName</span></span><span>)</span><br />
<span> </span><span>}</span><span> </span></p>
<p><span> </span><span><span style="color: #00008b">Settings</span></span><br />
<span> </span><span>{</span><br />
<span> </span><span>RefreshFrequencyMins</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$RefreshFrequencyMins</span></span><br />
<span> </span><span>RefreshMode</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">“PULL”</span></span><br />
<span> </span><span>ConfigurationMode</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$ConfigurationMode</span></span><br />
<span> </span><span>AllowModuleOverwrite</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$AllowModuleOverwrite</span></span><br />
<span> </span><span>RebootNodeIfNeeded</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$RebootNodeIfNeeded</span></span><br />
<span> </span><span>ActionAfterReboot</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$ActionAfterReboot</span></span><br />
<span> </span><span>ConfigurationModeFrequencyMins</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$ConfigurationModeFrequencyMins</span></span><br />
<span> </span><span>}</span></p>
<p><span> </span><span><span style="color: #00008b">ConfigurationRepositoryWeb</span></span><span> </span><span><span style="color: #8a2be2">AzureAutomationDSC</span></span><br />
<span> </span><span>{</span><br />
<span> </span><span>ServerUrl</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$RegistrationUrl</span></span><br />
<span> </span><span>RegistrationKey</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$RegistrationKey</span></span><span><span style="color: #a9a9a9">.</span></span><span>GetNetworkCredential</span><span>(</span><span>)</span><span><span style="color: #a9a9a9">.</span></span><span>Password</span><br />
<span> </span><span>ConfigurationNames</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$ConfigurationNames</span></span><br />
<span> </span><span>}</span></p>
<p><span> </span><span><span style="color: #00008b">ResourceRepositoryWeb</span></span><span> </span><span><span style="color: #8a2be2">AzureAutomationDSC</span></span><br />
<span> </span><span>{</span><br />
<span> </span><span>ServerUrl</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$RegistrationUrl</span></span><br />
<span> </span><span>RegistrationKey</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$RegistrationKey</span></span><span><span style="color: #a9a9a9">.</span></span><span>GetNetworkCredential</span><span>(</span><span>)</span><span><span style="color: #a9a9a9">.</span></span><span>Password</span><br />
<span> </span><span>}</span></p>
<p><span> </span><span><span style="color: #00008b">ReportServerWeb</span></span><span> </span><span><span style="color: #8a2be2">AzureAutomationDSC</span></span><br />
<span> </span><span>{</span><br />
<span> </span><span>ServerUrl</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$RegistrationUrl</span></span><br />
<span> </span><span>RegistrationKey</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$RegistrationKey</span></span><span><span style="color: #a9a9a9">.</span></span><span>GetNetworkCredential</span><span>(</span><span>)</span><span><span style="color: #a9a9a9">.</span></span><span>Password</span><br />
<span> </span><span>}</span><br />
<span>}</span> </span></span></div>
</td>
</tr>
</tbody>
</table>
</div>
<p>All of these settings can be modified, for example if you want to change the refresh cycle or the reboot behavior, and you can call the modified files from your own GitHub repository or from a storage container in Azure or Azure Stack. You can find more information on how to do so <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/automation-dsc-onboarding/#generating-dsc-metaconfigurations">here</a>.</p>
<p>Since the <strong>azuredeploy.json</strong> file contains parameters, we can also pass them through PowerShell instead of editing the <strong>azuredeploy.parameters.json</strong> file.</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image309.png"><img width="629" height="286" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb213.png" border="0" /></a></p></blockquote>
<p>We can start the onboarding process to Azure Automation DSC by passing parameters to the <strong>New-AzureRmResourceGroupDeployment</strong> cmdlet, as shown below. Notice that I’m also passing our DSC configuration <strong>MyCorpWebsite</strong>, which we created earlier, uploaded and compiled in Azure Automation DSC. You can find it below as the <strong>nodeConfigurationName</strong> parameter. If you have worked with DSC before, you have probably noticed that I have not specified an <strong>AllNodes</strong> section in the DSC configuration. This is because, in my example, Azure Automation acts as a pull server and assigns the configuration to the node, hence the <strong>MyCorpWebsite.localhost</strong> value. Please explore <a target="_blank" href="https://msdn.microsoft.com/en-us/powershell/dsc/configdata">this</a> link if you want to know more about <strong>AllNodes</strong> configuration and how to separate configuration and environment data.</p>
<div style="overflow: auto;border-top: black 1px solid;;border-right: black 1px solid;width: 650px;border-bottom: black 1px solid;border-left: black 1px solid;padding: 5px">
<table border="0" cellspacing="0" cellpadding="5">
<tbody>
<tr>
<td nowrap="nowrap" valign="top">
<div style="background: #fcfcfc;padding: 5px"><span style="font-family: Consolas"><span><span style="color: #ff4500"><span style="font-size: 10pt">$AAaccount</span></span></span><span style="font-size: 10pt"><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #0000ff">Get-AzureRmAutomationAccount</span></span><span> </span><span><span style="color: #000080">-Name</span></span><span> </span><span><span style="color: #8a2be2">DscAzStack</span></span><span> </span><span><span style="color: #000080">-ResourceGroupName</span></span><span> </span><span><span style="color: #8a2be2">DscAzStack</span></span><br />
<span><span style="color: #ff4500">$keys</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$AAaccount</span></span><span> </span><span><span style="color: #a9a9a9">|</span></span><span> </span><span><span style="color: #0000ff">Get-AzureRmAutomationRegistrationInfo</span></span></p>
<p><span><span style="color: #ff4500">$RgDeployParams</span></span><span> </span><span><span style="color: #a9a9a9">=</span></span><span>@{</span><br />
<span> </span><span>TemplateUri</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">“https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/dsc-extension-azure-automation-pullserver/azuredeploy.json”</span></span><br />
<span> </span><span>Mode</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">‘Incremental’</span></span><br />
<span> </span><span>ResourceGroupName</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">‘DSCRG’</span></span><br />
<span> </span><span>TemplateParameterObject</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span>@{</span><br />
<span> </span><span>vmName</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">‘DSCVM2’</span></span><br />
<span> </span><span>registrationKey</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$keys</span></span><span><span style="color: #a9a9a9">.</span></span><span>PrimaryKey</span><br />
<span> </span><span>registrationUrl</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #ff4500">$Keys</span></span><span><span style="color: #a9a9a9">.</span></span><span>Endpoint</span><br />
<span> </span><span>nodeConfigurationName</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #8b0000">‘MyCorpWebsite.localhost’</span></span><br />
<span> </span><span>timestamp</span><span> </span><span><span style="color: #a9a9a9">=</span></span><span> </span><span><span style="color: #008080">[datetime]</span></span><span><span style="color: #a9a9a9">::</span></span><span>Now</span><span><span style="color: #a9a9a9">.</span></span><span>ToString</span><span>(</span><span>)</span><br />
<span> </span><span>}</span><br />
<span>}</span></p>
<p><span><span style="color: #0000ff">New-AzureRmResourceGroupDeployment</span></span><span> </span><span><span style="color: #8a2be2">@RgDeployParams</span></span><span> </span><span><span style="color: #000080">-Force</span></span><span> </span><span><span style="color: #000080">-Verbose</span></span> </span></span></div>
</td>
</tr>
</tbody>
</table>
</div>
<p>In the screenshot below you can see that the onboarding was successful:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image317.png"><img width="684" height="344" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb219.png" border="0" /></a></p>
<p>In Azure Automation we can see that the node has been onboarded successfully, along with its status:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image341.png"><img width="521" height="189" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb238.png" border="0" /></a></p></blockquote>
<p>Let’s RDP into the VM and check the configuration on the VM itself:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image342.png"><img width="437" height="132" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb239.png" border="0" /></a></p></blockquote>
<p>Cool!</p>
<p>If we check the LCM on the machine, we can see that the VM is configured in Pull mode and being managed by Azure Automation DSC:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image343.png"><img width="437" height="255" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb240.png" border="0" /></a></p></blockquote>
<p>And if we run <strong>Get-DscConfiguration</strong> we can see our configuration:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image344.png"><img width="366" height="203" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb241.png" border="0" /></a></p></blockquote>
<hr />
<h2>Installing applications/software with DSC</h2>
<p>I recently got questions about whether you can also leverage DSC in a DevOps scenario where you need to configure the VM with packages. Yes, absolutely! Let me first emphasize that DSC is not a replacement for System Center Configuration Manager (SCCM), which is a change & configuration management solution where software distribution is an important component. SCCM is built for software distribution in a potentially connected/disconnected environment, where technologies like BITS, checkpoint restarting, bandwidth throttling, etc., combined with hardware and software inventory, have their own place. Now back to DSC: how can I get dependency software (packages) onto the VM? You can leverage the <a target="_blank" href="https://msdn.microsoft.com/en-us/powershell/dsc/packageresource">DSC package resource</a> to start with:</p>
<blockquote>
<div style="overflow: auto;width: 650px;border: black 1px solid;padding: 5px">
<table border="0" cellspacing="0" cellpadding="5">
<tbody>
<tr>
<td nowrap="nowrap" valign="top">
<div style="background: #fcfcfc;padding: 5px"><span style="font-family: consolas"><span style="color: #0000ff"><span style="font-size: 10pt">Package</span></span><span style="font-size: 10pt"> <span style="color: #8a2be2">PackageExample</span><br />
{<br />
<span style="color: #0000ff">Ensure</span> <span style="color: #8a2be2">=</span> <span style="color: #8b0000">“Present”</span> <span style="color: #006400"># You can also set Ensure to “Absent”</span><br />
<span style="color: #0000ff">Path</span> <span style="color: #8a2be2">=</span> <span style="color: #8b0000">“$Env:SystemDrive\TestFolder\TestProject.msi”</span><br />
<span style="color: #0000ff">Name</span> <span style="color: #8a2be2">=</span> <span style="color: #8b0000">“TestPackage”</span><br />
<span style="color: #0000ff">ProductId</span> <span style="color: #8a2be2">=</span> <span style="color: #8b0000">“ACDDCDAF-80C6-41E6-A1B9-8ABD8A05027E”</span><br />
</span><span style="font-size: 10pt">}</span></span></div>
</td>
</tr>
</tbody>
</table>
</div>
</blockquote>
<p>You can define a <strong>GUID</strong> (in the above example <strong>ProductId</strong>) which will make sure that only a specific package will get installed and not a rogue MSI. <a target="_blank" href="http://social.technet.microsoft.com/wiki/contents/articles/29105.installing-msi-packages-using-powershell-desired-state-configuration.aspx">This example</a> shows how to install 7Zip.</p>
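<p>The following is an added example, not code from the original post. <strong>ProductId</strong> is a value the MSI carries about itself, so to tie the install to the exact file you vetted, the built-in Package resource also accepts <strong>FileHash</strong>/<strong>HashAlgorithm</strong> and <strong>SignerThumbprint</strong>. The helper name <strong>Get-PackagePin</strong>, the configuration name and the <strong>C:\Vetted</strong> path are assumptions made for illustration.</p>

```powershell
# Added example (not from the original post). Run Get-PackagePin once against
# the MSI you have reviewed, then compile the configuration with those values.

function Get-PackagePin
{
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Refuse to pin a file whose Authenticode signature does not validate.
    $signature = Get-AuthenticodeSignature -FilePath $Path
    if ($signature.Status -ne 'Valid')
    {
        throw "Signature on '$Path' is '$($signature.Status)'; not pinning it."
    }

    [pscustomobject]@{
        FileHash         = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SignerThumbprint = $signature.SignerCertificate.Thumbprint
    }
}

Configuration PinnedPackageExample
{
    param(
        [Parameter(Mandatory)]
        [string]$FileHash,

        [Parameter(Mandatory)]
        [string]$SignerThumbprint
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost'
    {
        Package PackageExample
        {
            Ensure           = 'Present'
            Path             = "$Env:SystemDrive\TestFolder\TestProject.msi"
            Name             = 'TestPackage'
            # Identifies the product; used to detect whether it is installed.
            ProductId        = 'ACDDCDAF-80C6-41E6-A1B9-8ABD8A05027E'
            # The installer must match these bytes and this signer,
            # otherwise the resource fails instead of running the file.
            FileHash         = $FileHash
            HashAlgorithm    = 'SHA256'
            SignerThumbprint = $SignerThumbprint
        }
    }
}

# Hypothetical path to the copy of the MSI that was reviewed and approved.
$pin = Get-PackagePin -Path 'C:\Vetted\TestProject.msi'
PinnedPackageExample -FileHash $pin.FileHash `
                     -SignerThumbprint $pin.SignerThumbprint `
                     -OutputPath .\PinnedPackageExample
```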
<p>Another option is to use an open source package manager like <a target="_blank" href="https://chocolatey.org/">Chocolatey</a>. That is out of scope for this blog post, but if you want to get started with Azure Automation and Chocolatey, please check out <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/automation-dsc-cd-chocolatey/">this</a> blog post. It covers continuous deployment to Virtual Machines using Automation DSC and Chocolatey in great detail.</p>
<hr />
<h2>Azure Automation Hybrid Runbook Worker</h2>
<p>Azure Automation runbooks are by default executed by Azure runbook workers. As the name says, those runbook workers reside in Azure. This would become a challenge if you want to execute runbooks in your Azure Stack environment. Well, not completely, since the <strong>Hybrid Runbook Worker</strong> (HRB) is designed to execute runbooks on a machine/VM where the HRB role is enabled. This could be a VM within your Azure Stack environment. Why does this make a difference? By running it in your Azure Stack environment you can access local resources (like local accounts), leverage local PowerShell modules and DLLs, and access your Azure Stack VMs. This scenario also allows you to push DSC configurations to your VMs if you don’t want to onboard them to Azure Automation DSC, but obviously you can run any PowerShell script against your Azure Stack VMs. Read <a target="_blank" href="https://azure.microsoft.com/en-us/documentation/articles/automation-hybrid-runbook-worker/">this</a> if you want to install the HRB role in your Azure Stack environment. The image below shows an Azure Stack VM where the HRB role is enabled:</p>
<blockquote><p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/image348.png"><img width="379" height="343" title="image" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/06/image_thumb245.png" border="0" /></a></p></blockquote>
<p>With an HRB in place, you can investigate which Service Management Automation (SMA) runbooks you can potentially leverage through it. Remember that SMA uses PowerShell, which is used in Azure Automation as well. So if you have SMA runbooks like <a target="_blank" href="https://blogs.technet.microsoft.com/privatecloud/2013/08/15/automationservice-management-automation-runbook-spotlightexchange-distribution-list-creation/">these</a> or from the <a target="_blank" href="https://gallery.technet.microsoft.com/site/search?query=sma%20runbook&f%5B0%5D.Value=sma%20runbook&f%5B0%5D.Type=SearchText&ac=4">SMA gallery</a>, these can most likely just be copied and re-used in Azure Automation.</p>
<hr />
<h2>Summary</h2>
<p>The most important takeaway from this post is that you should be able to reuse your Windows Azure Pack investments in Desired State Configuration (DSC) in Azure Stack. Your runbooks in Service Management Automation (SMA) can potentially be re-used in Azure Automation, and the Hybrid Runbook Worker role might resolve challenges around executing remote runbooks versus executing them locally.</p>
<p>In this post we have talked about:</p>
<ul>
<li>Perform in-guest configurations in WAP and Azure Stack VMs through DSC</li>
<li>Create your own DSC configuration</li>
<li>Upload your configuration to Azure Automation DSC and compile it</li>
<li>Onboard an existing on-premises VM to Azure Automation DSC and apply a DSC configuration</li>
<li>Install packages with DSC and links to integrate package managers like Chocolatey</li>
<li>Leverage the Azure Automation Hybrid Runbook Worker to execute runbooks locally against your Azure Stack environment</li>
</ul>
<p>Happy automating!</p>
<p>Tiander.</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/06/29/arm-concepts-in-azure-stack-for-the-wap-administrator-in-guest-configuration-with-arm-and-technologies-such-as-virtual-machines-extensions-including-powershell-desired-state-configuration-d/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Backup &amp; Site Recovery (OMS)</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/06/06/backup-site-recovery-oms/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/06/06/backup-site-recovery-oms/#comments</comments>
<pubDate>Mon, 06 Jun 2016 12:15:11 +0000</pubDate>
<dc:creator><![CDATA[Kristian Nese [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[ARM]]></category>
<category><![CDATA[Azure]]></category>
<category><![CDATA[Azure Site Recovery]]></category>
<category><![CDATA[JSON]]></category>
<category><![CDATA[Kristian Nese]]></category>
<category><![CDATA[MSOMS]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=8795</guid>
<description><![CDATA[We have recently announced the GA for our Backup & Site Recovery (OMS) in Azure Resource Manager, and I would like to use this opportunity to level set on what we are bringing, as well as give you some context and a real kick-start into deploying these resources. Context Microsoft Operations Management Suite (OMS) made its... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/06/06/backup-site-recovery-oms/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<h1></h1>
<p>We have recently announced the GA for our Backup & Site Recovery (OMS) in Azure Resource Manager, and I would like to use this opportunity to level set on what we are bringing, as well as give you some context and a real kick-start into deploying these resources.</p>
<p><strong>Context</strong></p>
<p>Microsoft Operations Management Suite (OMS) made its entry as a <em>Management-as-a-Service </em>offering, delivered entirely from the cloud as a SaaS solution, helping organizations to gain insight into their operations across clouds.</p>
<p>With <em>insight</em>, we got a holistic view of the entire operations from a Windows/Linux point of view, security, identity, malware, updates, configuration changes and much more – regardless of clouds.</p>
<p>This was an important and strategic move for us – knowing that organizations aren’t running entirely from a single datacenter anymore and that the cloud cadence had definitively been forming the landscape and the new demand for management in an entirely new way.</p>
<p>It was about time to reduce the complexity of doing cloud management.</p>
<p>Let us start this blog post by doing a breakdown of Microsoft OMS in the context of Microsoft Azure.</p>
<h3>Microsoft Azure</h3>
<p>First thing first, we need to emphasize that OMS is a constellation of some first-class citizens in Microsoft Azure.</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms1.jpg"><img class="alignnone size-full wp-image-8805" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms1.jpg" alt="oms1" width="214" height="168" /></a></p>
<p>This is important to know and be aware of, as you will bring this into consideration when you are later planning to deploy OMS into your organization, or on behalf of customers if you are a Service Provider.</p>
<p>Microsoft Azure has been undergoing huge changes over the last 14-16 months with the release of Azure Resource Manager (ARM) API – and the <em>new</em> portal (portal.azure.com) that is built upon the new ARM model. For those of you who have been using Azure for a while, you know that the ‘previous’ Azure, also referred to as Service Management API and <em>classic</em> is still there, it is still available, and you can deploy and manage your resources into that model as well.</p>
<p>However, moving forward you will likely focus entirely on Azure in the context of Azure Resource Manager, which also brings consistency ‘down to earth’ with Microsoft Azure Stack.</p>
<p>The reason why I am bringing all this up is to give you a better understanding of where we are coming from and where we are going with OMS in all of this.</p>
<p>OMS is a set of Azure services and during its birth, it was based on the following services in Classic Azure:</p>
<ul>
<li>Operational Insight</li>
<li>Azure Automation</li>
<li>Azure Site Recovery</li>
<li>Azure Backup</li>
</ul>
<p>These were the services you got when you started with OMS.</p>
<p>They would surface into the OMS <em>Workspace</em> and give you a consolidated view of what was going on.</p>
<p>However, most of the configuration had to take place on the actual resource level in the Azure portal.</p>
<p>In Azure now, they are referred to as:</p>
<ul>
<li>Log Analytics (formerly known as Operational Insight)</li>
<li>Azure Automation (same name, but new capabilities, features and Resource Provider)</li>
<li>Backup and Site Recovery (formerly known as Azure Backup and Azure Site Recovery, which now share the same Resource Provider within ARM)</li>
</ul>
<p><strong>What does this really mean?</strong></p>
<p>Since these services have reached ARM, this gives us many more opportunities!</p>
<p>In regards to deployment, operations, management, RBAC and much more, we can leverage ARM templates to literally instantiate whatever we need in Azure.</p>
<p>In other words, we can treat our OMS resources just as any first class citizen in Azure.</p>
<p>Each of these Resource Providers has its own unique namespace with different resource types.</p>
<p><strong>Log Analytics: “Microsoft.OperationalInsights/workspaces”</strong></p>
<p><strong>Azure Automation: “Microsoft.Automation/automationAccounts”</strong></p>
<p><strong>Azure Recovery Vault: “Microsoft.RecoveryServices/vaults”</strong></p>
<p>Since they are now within ARM, we can take advantage of built-in RBAC capabilities, Tags, policies, resource locks and much more.</p>
<p>It’s also worth mentioning that OMS will likely pull on other Azure services as well, such as Storage Accounts when you want to enable diagnostics on services and ingest this into Log Analytics for further analysis and research, and also globally or locally redundant storage for backup and replication scenarios.</p>
<h2>Backup and Site Recovery (OMS)</h2>
<p>Historically, there hasn’t been a clear distinction between backup and disaster recovery for most customers, and this has in some situations led to confusion, which is the last thing you need when you are in a situation where you have to perform either a restore or a DR failover.</p>
<p>We want to make this as simple as possible so that you have a one stop solution when you need to manage your backup and recovery scenarios regardless of clouds, locations and workloads with Backup and Site Recovery (OMS).</p>
<p>Let us have a look at the new Resource Provider for Backup and Site Recovery (OMS) within Azure Resource Manager to point out some of the changes we are bringing.</p>
<h2>Deployment</h2>
<p>For deploying Backup and Site Recovery (OMS), you can use your preferred method whether this is through PowerShell cmdlets, ARM templates or the portal directly.</p>
<h3>Portal Experience</h3>
<ol>
<li>Log in to <a href="https://portal.azure.com">https://portal.azure.com</a></li>
<li>Click ‘New’ and search for OMS</li>
<li>Select ‘Backup and Site Recovery (OMS)’ and click create</li>
</ol>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms2.jpg"><img class="alignnone size-medium wp-image-8806" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms2-201x300.jpg" alt="oms2" width="201" height="300" /></a></p>
<ol start="4">
<li>Assign a name to the resource, select Azure region where you want to create the vault and a Resource Group</li>
</ol>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms3.jpg"><img class="alignnone size-medium wp-image-8816" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms3-236x300.jpg" alt="oms3" width="236" height="300" /></a></p>
<p>That’s it! You have now created your Backup and Site Recovery (OMS) vault!</p>
<h3>Azure Resource Manager (ARM) template</h3>
<p>Simply click on this URL and you will be sent to the Azure Portal where you can specify the input parameters:</p>
<p><a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fkrnese%2FAzureDeploy%2Fmaster%2FOMS%2FMSOMS%2FBackupandRecoveryOMS%2Fazuredeploy.json" target="_blank">Deploy to Azure!</a></p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms4.jpg"><img class="alignnone size-medium wp-image-8826" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms4-300x269.jpg" alt="oms4" width="300" height="269" /></a></p>
<h3>PowerShell</h3>
<ol>
<li>Log in to your Azure subscription using Login-AzureRmAccount -Credential (Get-Credential)</li>
</ol>
<ol start="2">
<li>Run the following cmdlet to create a new vault in an existing resource group:</li>
</ol>
<p>New-AzureRmRecoveryServicesVault -Name MyRecoveryVault -ResourceGroupName OMSRecovery -Location westeurope -Verbose</p>
<p>Or, you can deploy the template from GitHub using PowerShell:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms10.jpg"><img class="alignnone wp-image-8885" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms10-300x126.jpg" alt="oms10" width="417" height="175" /></a></p>
<p>Once deployed, you will be able to use your vault to configure the following scenarios – all from a single pane of glass!</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms5.jpg"><img class="alignnone size-medium wp-image-8827" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms5-300x102.jpg" alt="oms5" width="300" height="102" /></a></p>
<p>With Site Recovery as part of the Resource Provider, you can now easily configure and setup your DR scenario(s), whether this is protection of HyperV/VMM environments to Azure or between your own datacenters, or VMware/physical. We have invested in the user experience to make it as simple as possible, where we guide you through the correct workflow depending on the scenario you are configuring for.</p>
<p>When you’re in the portal, you can look under ‘All Settings’ for the ‘Getting Started’ section.</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms6.jpg"><img class="alignnone size-medium wp-image-8835" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms6-219x300.jpg" alt="oms6" width="219" height="300" /></a></p>
<p>If you click on ‘Site Recovery’, we will ask you the right questions to help you configure your Site Recovery scenario.</p>
<p>Here’s a screenshot that shows the applicable steps for configuring protection of Hyper-V virtual machines on-prem to Azure:</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms7.jpg"><img class="alignnone size-medium wp-image-8845" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms7-300x173.jpg" alt="oms7" width="300" height="173" /></a></p>
<p>If you select anything different from what is shown above, the blades will update to reflect those changes so that you can be confident you are configuring it correctly.</p>
<p>For backup scenarios, we are doing exactly the same, asking you where your workload is running and what you want to protect.</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms8.jpg"><img class="alignnone size-medium wp-image-8855" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms8-300x126.jpg" alt="oms8" width="300" height="126" /></a></p>
<p>Once you have configured your scenarios, you can manage them later from the same location.</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/06/oms91.jpg"><img class="alignnone size-full wp-image-8875" src="https://msdnshared.blob.core.windows.net/media/2016/06/oms91.jpg" alt="oms9" width="293" height="182" /></a></p>
<p><strong>Summary</strong></p>
<p>With all the core components of OMS available within Azure Resource Manager, we can now deploy and manage these resources in a declarative way just as we would do with any other resource in Azure.</p>
<p>Since combining both backup and site recovery in the same resource provider, we believe we have made it much simpler to configure and orchestrate the operations to ensure business continuity for our customers, regardless of clouds, locations and workloads.</p>
<p>You now have a one-stop solution for all of this – and we encourage you to get started using the examples provided above to see how Backup and Site Recovery (OMS) can help you reach an effective solution for your business continuity plans.</p>
<p>Kristian Nese, Senior Program Manager ECG CAT</p>
<p>(Feel free to join the conversation on twitter, by pinging me at @KristianNese )</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/06/06/backup-site-recovery-oms/feed/</wfw:commentRss>
<slash:comments>4</slash:comments>
</item>
<item>
<title>Part 3: How to configure WDS, Unattend.xml file, Windows PE Image, and Nano Server image to deploy a Nano Server at-a-scale</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/05/13/how-to-configure-wds-unattend-xml-file-windows-pe-image-and-nano-server-image-to-deploy-a-nano-server/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/05/13/how-to-configure-wds-unattend-xml-file-windows-pe-image-and-nano-server-image-to-deploy-a-nano-server/#respond</comments>
<pubDate>Fri, 13 May 2016 13:50:07 +0000</pubDate>
<dc:creator><![CDATA[Anders Ravnholt [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=8076</guid>
<description><![CDATA[Over a series of blog posts we will describe a solution for how to deploy Nano Server at scale using Microsoft tools. The blog posts are: Part – 1: Nano Server Domain Join (Deployment-at-a-scale an introduction) Part – 2: How to build a Windows PE and Nano Server image to deploy Nano Server at-a-scale Part... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/13/how-to-configure-wds-unattend-xml-file-windows-pe-image-and-nano-server-image-to-deploy-a-nano-server/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Over a series of blog posts we will describe a solution for how to deploy Nano Server at scale using Microsoft tools. The blog posts are:
</p>
<ul>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/02/nano-server-domain-join-deployment-at-a-scale-part-1-introduction/">Part – 1: Nano Server Domain Join (Deployment-at-a-scale an introduction)</a>
</li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/">Part – 2: How to build a Windows PE and Nano Server image to deploy Nano Server at-a-scale</a>
</li>
<li><strong>Part – 3: How to configure WDS, Unattend.xml file, Windows PE Image, and Nano Server image to deploy a Nano Server at-a-scale (This blog post)<br />
</strong></li>
<li>Part – 4: Bare Metal Deployment (BMD) Considerations
</li>
</ul>
<p>In the previous blog post (<a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/">here</a>) we discussed how to build a Windows PE and Nano Server image to deploy Nano Server. In this blog post we will discuss how to configure WDS, Unattend.xml file, WINPE Image, and Nano Server image to deploy Nano Server at-a-scale.
</p>
<p>The high level tasks in this blog post will be:
</p>
<ul>
<li>Pre-requisites for the solution
</li>
<li>Configuring WDS server
</li>
<li>Import Windows PE Image
</li>
<li>Import Nano Server Image
</li>
<li>Configure Unattend.xml file within WDS
</li>
<li>Deploy Nano Server using a Gen2 VM with input (Example 1).
</li>
<li>Deploy Nano Server using a Gen2 VM without input (Example 2).
</li>
<li>Next Step
</li>
</ul>
<p>
</p>
<p><strong>Pre-requisites for the solution:<br />
</strong></p>
<p>The following <strong>Pre-requisites</strong> are needed in order to deploy Nano Server and join it to a domain:
</p>
<ol>
<li>AD domain
</li>
<li>DHCP Server with IP scope which the VM or physical server can lease an IP address from
</li>
<li>WDS Server (Domain joined)
</li>
<li>Modified WinPE Image (<a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/">as created in the previous blog post</a>)
</li>
<li>Nano WIM / VHD / VHDX Image (<a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/">as created in the previous blog post)</a>
</li>
<li>Domain account(s) to create the AD computer object and authenticate with WDS server.
</li>
<li>Hyper-V server with two Gen2 VMs connected to the same network as the WDS server (used as examples in this blog post to simulate a physical UEFI server).
</li>
</ol>
<p>Please verify that these pre-requisites are available before starting the configuration of the WDS server.
</p>
<p>In this blog post we’ll be using two examples for the deployment of Nano Server and joining it to the domain.
</p>
<p><strong>Example 1</strong>: Use a simple unattend file to deploy Nano Server and provide all needed information manually during the process (<a href="https://1drv.ms/v/s!Am8Gg73bSTCtquoDNPEHRG3-hODPNA">Video</a>).
</p>
<p><strong>Example 2</strong>: Store all information in the Unattend file and provide no information during the installation (<a href="https://1drv.ms/v/s!Am8Gg73bSTCtquoDNPEHRG3-hODPNA">Video</a>)
</p>
<p><strong>Configuring Windows Deployment Server<br />
</strong></p>
<ol>
<li>Login as an administrator on the WDS Server
</li>
<li>Start <strong>Server Manager</strong> > <strong>Click Tools</strong> > <strong>Windows Deployment Services</strong>
</li>
<li>Select the WDS Server that should be used for Nano Server Deployment.
</li>
<li>Right click on WDS server and select <strong>Add Image Group</strong>
</li>
<li>Name the Image Group e.g. WIM and click <strong>Ok</strong>
</li>
</ol>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto1.png" alt="" />
</p>
<p><strong>Import WinPEImage<br />
</strong></p>
<ol>
<li>Copy the Windows PE Image (that was created earlier) to the WDS server (if it was made on another server) to a folder on the WDS server e.g. C:\WinPEImage\media\sources\boot.wim
</li>
<li>Browse to the location where you copied the Windows PE Image e.g. C:\WinPEImage\media\sources\boot.wim
</li>
<li>Click <strong>Open</strong> and click <strong>Next</strong>
</li>
<li>Give an Image Name and image description and click <strong>Next</strong> e.g. WinPEBoot
</li>
<li>Click <strong>Next</strong>
</li>
<li>Verify that the WinPE WIM Image imports successfully with a message saying: “<strong>The selected images were successfully added to the server</strong>” and click <strong>Finish</strong>.
</li>
</ol>
<p>
</p>
<p><strong>Import Nano Server WIM image<br />
</strong></p>
<ol>
<li>Copy the Nano WIM Image (that was created earlier) to the WDS server (if it was made on another server) to a folder on the WDS server e.g. C:\WinPEImage\NanoServer
</li>
<li>Right click on Install Group created earlier and select <strong>Add Install Image</strong>.
</li>
<li>Browse to the location where you placed the Nano WIM Image e.g. C:\WinPEImage\NanoServer
</li>
<li>Click Open and click next
</li>
<li>Give an Image Name and image description and click next e.g. Windows Server 2016 Nano TP5
</li>
<li>Click Next
</li>
<li>Verify that the Nano Server WIM Image imports successfully with a message saying “The selected images were successfully added to the server” and click Finish.
</li>
</ol>
<p>
</p>
<p><strong>Creating Unattend.xml files<br />
</strong></p>
<p>The solution uses unattend files to install Nano Server using WDS. The unattend file holds information that is needed to deploy the Nano Server such as disk partitioning, user name to authenticate with WDS as well as domain join user and Server Name.
</p>
<p>The solution allows you to decide how much information you would like to capture in the unattend file. For the information that is not specified in the unattend file, WDS / PowerShell script will prompt for the needed information.
</p>
<p>In the unattend file examples provided we use US as the default language and the default disk partitioning. To change this, please refer to the unattend link below.
</p>
<p>For more information on unattend files (click <a href="https://technet.microsoft.com/da-DK/library/c026170e-40ef-4191-98dd-0b9835bfa580">here</a>)
</p>
<p><strong>Creating an unattend file that asks for information.<br />
</strong></p>
<p>The first unattend file is the simplest one. To obtain the unattend file do the following.
</p>
<ol>
<li>Go to GitHub project: <a href="https://github.com/uday31in/Nano/tree/master/WinPENanoDomainJoin">WinPENanoDomainJoin</a>
</li>
<li>Download the following two files and save them to c:\WinPEImage
</li>
</ol>
<ul style="margin-left: 54pt">
<li><a href="https://github.com/uday31in/Nano/blob/master/WinPENanoDomainJoin/Gen2NoCredential.xml" title="Gen2NoCredential.xml"><span style="color:#4078c0;font-family:Helvetica;font-size:10pt">Gen2NoCredential.xml</span></a>
</li>
<li><a href="https://github.com/uday31in/Nano/blob/master/WinPENanoDomainJoin/Gen2WithCredential.xml" title="Gen2WithCredential.xml"><span style="color:#4078c0;font-family:Helvetica;font-size:10pt">Gen2WithCredential.xml</span></a>
</li>
</ul>
<ol>
<li>Open Gen2NoCredential.xml with an XML editor
</li>
<li>Go to the following section:
</li>
</ol>
<p>
<img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto2.png" alt="" />
</p>
<ol>
<li>Replace Domain, User Name and Password with a user that can authenticate with WDS Domain Server.
</li>
<li>Save the file in the WDS Remote Install directory e.g. D:\RemoteInstall
</li>
</ol>
<p>
</p>
<p><strong>Creating an unattend file that has all information in the unattend file.<br />
</strong></p>
<ol>
<li>Open Gen2WithCredential.xml with an XML editor
</li>
<li>Go to the following section:
</li>
</ol>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto3.png" alt="" />
</p>
<p style="margin-left: 36pt">This section authenticates against WDS with a domain user that is known by WDS.
</p>
<ol>
<li>Replace Domain, User Name and Password with a user that can authenticate with WDS Domain Server.
</li>
<li>
<div>Go to the following section
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto4.png" alt="" />
</p>
<p>This section specifies which WIM file and Image group and Image Name that should be used for deployment
</p>
</li>
<li>Replace: Filename, ImageGroup and ImageName with the one configured in WDS in step “Configuring Windows Deployment Server”.
</li>
<li>Go to the following section
</li>
</ol>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto5.png" alt="" />
</p>
<p style="margin-left: 36pt">This section specifies the computer name of the Nano Server
</p>
<ol>
<li>Replace the computer name with one you would like to use for deployment.
</li>
<li>Save the file in the WDS Remote Install directory e.g. D:\RemoteInstall
</li>
</ol>
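<p>Because the file prepared above carries the WDS login password and is saved in the Remote Install directory, it helps to know exactly which unattend files hold a credential. The PowerShell audit below is an added example, not part of the original post or the GitHub project; the function names and the sample XML are constructed for illustration, with element names following the standard unattend schema.</p>

```powershell
# Added example: report credentials embedded in unattend files without printing
# the secret itself. Function names are hypothetical.

function Get-UnattendCredentialFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][xml]$Unattend,
        [string]$Source = '(inline sample)'
    )

    # local-name() avoids having to register the unattend XML namespace.
    $xpath = "//*[local-name()='Password' or local-name()='AdministratorPassword']"
    foreach ($node in $Unattend.SelectNodes($xpath)) {
        # Two layouts exist: <Password>text</Password> (WDS login, domain join)
        # and <Password><Value>..</Value><PlainText>..</PlainText></Password>.
        $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
        $plainNode = $node.SelectSingleNode("*[local-name()='PlainText']")
        $secret = if ($null -ne $valueNode) { $valueNode.InnerText } else { $node.InnerText }
        if ([string]::IsNullOrWhiteSpace($secret)) { continue }   # empty: prompted at install time

        # Walk up to the owning <component>, recording the element path on the way.
        $path = New-Object 'System.Collections.Generic.List[string]'
        $path.Add($node.LocalName)
        $component = '(none)'
        $parent = $node.ParentNode
        while ($null -ne $parent -and $parent.NodeType -eq [System.Xml.XmlNodeType]::Element) {
            if ($parent.LocalName -eq 'component') { $component = $parent.GetAttribute('name'); break }
            $path.Insert(0, $parent.LocalName)
            $parent = $parent.ParentNode
        }

        $userNode = $node.ParentNode.SelectSingleNode("*[local-name()='Username']")
        # PlainText=false means the value is Base64-encoded, which is not encryption.
        $encoded = ($null -ne $plainNode) -and ($plainNode.InnerText.Trim() -eq 'false')

        [pscustomobject]@{
            Source    = $Source
            Component = $component
            Element   = $path -join '/'
            Username  = if ($null -ne $userNode) { $userNode.InnerText } else { '' }
            Exposure  = if ($encoded) { 'Base64-encoded (reversible)' } else { 'Cleartext' }
        }
    }
}

function Find-UnattendCredential {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter '*.xml' -File -Recurse | ForEach-Object {
        $file = $_
        try {
            $doc = New-Object System.Xml.XmlDocument
            $doc.Load($file.FullName)
            Get-UnattendCredentialFinding -Unattend $doc -Source $file.FullName
        } catch {
            # Not every .xml under the share is well-formed or an unattend file.
            Write-Warning "Skipped $($file.FullName): $($_.Exception.Message)"
        }
    }
}

# Constructed sample (not a copy of Gen2WithCredential.xml): one WDS login
# password in cleartext and one Base64-encoded administrator password.
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64">
      <WindowsDeploymentServices>
        <Login>
          <Credentials>
            <Domain>EXAMPLE</Domain>
            <Username>wds-deploy</Username>
            <Password>Constructed-Sample-1</Password>
          </Credentials>
        </Login>
      </WindowsDeploymentServices>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <UserAccounts>
        <AdministratorPassword>
          <Value>QwBvAG4AcwB0AHIAdQBjAHQAZQBkAA==</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

Get-UnattendCredentialFinding -Unattend ([xml]$sample) | Format-Table -AutoSize
```

<p>To audit the real share, run Find-UnattendCredential -Path D:\RemoteInstall on the WDS server. Any row it returns names an account whose password is readable by anyone who can read that file.</p>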
<p><strong>Configure Unattend file with WDS (Example 1 NoCredentials)<br />
</strong></p>
<ol>
<li>Open WDS console
</li>
<li>Right click on the WDS server used for Nano Deployment and select <strong>Properties</strong>.
</li>
<li>Select <strong>Client</strong> in the Tab
</li>
<li>Enable unattend installation
</li>
<li>Click on <strong>x64 (UEFI) architecture</strong>
</li>
<li>Click <strong>browse</strong> and go to the location where the first unattend file was saved (<a href="https://github.com/uday31in/Nano/blob/master/WinPENanoDomainJoin/Gen2NoCredential.xml" title="Gen2NoCredential.xml"><span style="color:#4078c0;font-family:Helvetica;font-size:10pt">Gen2NoCredential.xml</span></a><span style="color:#4078c0;font-family:Helvetica;font-size:10pt">)</span>.
</li>
<li>
<div>Check “<strong>Do not join the client to a domain after an Installation</strong>”
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto6.png" alt="" />
</p>
</li>
<li>Click Ok
</li>
</ol>
<p><strong>Deploy Nano Server using a Gen2 VM with input (Example 1).<br />
</strong></p>
<ol>
<li>Open Hyper-V console on a Hyper-V server connected to the same network as WDS Server
</li>
<li>Create a Gen2 VM and connect the VM to the same network as WDS Server
</li>
<li>Verify that the VM is set to boot from the network adapter connected to the network where the WDS Server is located
</li>
<li>Start the VM
</li>
<li>Select the Nano Server image created earlier e.g. Windows Server 2016 Nano TP5 and click next
</li>
</ol>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto7.png" alt="" />
</p>
<ol>
<li>Select the partition and click next.
</li>
</ol>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto8.png" alt="" />
</p>
<ol>
<li>Wait for the server to install
</li>
</ol>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto9.png" alt="" />
</p>
<ol>
<li>
<div>Provide User and Password for Domain user that is going to join the Server to the domain
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto10.png" alt="" />
</p>
</li>
<li>
<div>Provide Computer Name e.g. Nano5 and press Enter
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto11.png" alt="" />
</p>
</li>
<li>
<div>Login with the user specified for Domain join e.g. fabric\administrator
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto12.png" alt="" />
</p>
</li>
<li>
<div>Check that Nano Server is joined to the domain and computer Name is right.
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto13.png" alt="" />
</p>
</li>
</ol>
<p><strong>Configure Unattend file with WDS (Example 2 With Credentials)<br />
</strong></p>
<ol>
<li>Open WDS console
</li>
<li>Right click on the WDS server used for Nano Deployment and select <strong>Properties</strong>.
</li>
<li>Select <strong>Client</strong> in the Tab
</li>
<li>Enable unattend installation
</li>
<li>Click on <strong>x64 (UEFI) architecture</strong>
</li>
<li>Click <strong>browse</strong> and go to the location where the first unattend file was saved (<a href="https://github.com/uday31in/Nano/blob/master/WinPENanoDomainJoin/Gen2NoCredential.xml" title="Gen2NoCredential.xml"><span style="color:#4078c0;font-family:Helvetica;font-size:10pt">Gen2NoCredential.xml</span></a><span style="color:#4078c0;font-family:Helvetica;font-size:10pt">)</span>.
</li>
<li>
<div>Check “<strong>Do not join the client to a domain after an Installation</strong>”
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto14.png" alt="" />
</p>
</li>
<li>Click <strong>Ok</strong>
</li>
</ol>
<p><strong>Deploy Nano Server using a Gen2 VM without input (Example 2).<br />
</strong></p>
<ol>
<li>Open Hyper-V console on a Hyper-V server connected to the same network as WDS Server
</li>
<li>Create a Gen2 VM and connect the VM to the same network as WDS Server or use the VM from example 1
</li>
<li>Verify that the VM is set to boot from the network adapter connected to the network where the WDS Server is located
</li>
<li>
<div>Start the VM
</div>
<p>Note: If the VM does not download the WinPE image, disabling Secure Boot might help. This mostly applies when a Windows PE image from a beta release of Windows Server is used.
</p>
</li>
<li>Verify that no questions are asked and deployment and install of Nano Server happens automatically.
</li>
<li>
<div>Login with the user specified for Domain join in the unattend file e.g. fabric\administrator
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto15.png" alt="" />
</p>
</li>
<li>
<div>Check that Nano Server is joined to the domain and Computer Name is right.
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part3Howto16.png" alt="" />
</p>
</li>
</ol>
<p><strong>Next Steps<br />
</strong></p>
<p>The Nano Server team hopes you have found the series of blog posts helpful in your process of deploying Nano Server at-a-scale.
</p>
<p>Please don’t forget to share your feedback with us via the comments section below or using the <a href="http://windowsserver.uservoice.com/forums/295068-nano-server">User Voice forum</a>!
</p>
<p>Regards
</p>
<p>Nano Server Team</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/05/13/how-to-configure-wds-unattend-xml-file-windows-pe-image-and-nano-server-image-to-deploy-a-nano-server/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Part 2: How to build a Windows PE and Nano Server image to deploy Nano Server at scale</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/#respond</comments>
<pubDate>Wed, 04 May 2016 12:49:56 +0000</pubDate>
<dc:creator><![CDATA[Anders Ravnholt [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=7895</guid>
<description><![CDATA[Over a series of blog posts we will describe a solution for how to deploy Nano Server at scale using Microsoft tools. The blog post series are: Part – 1: Nano Server Domain Join – Introduction Part – 2: How to build a Windows PE and Nano Server image to deploy Nano Server at scale... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Over a series of blog posts we will describe a solution for how to deploy Nano Server at scale using Microsoft tools. The blog post series are:
</p>
<ul>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/02/nano-server-domain-join-deployment-at-a-scale-part-1-introduction/">Part – 1: Nano Server Domain Join – Introduction</a>
</li>
<li><strong>Part – 2: How to build a Windows PE and Nano Server image to deploy Nano Server at scale (This blog post)</strong>
</li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/13/how-to-configure-wds-unattend-xml-file-windows-pe-image-and-nano-server-image-to-deploy-a-nano-server/">Part – 3: How to configure WDS, Unattend.xml file, Windows PE Image, and Nano Server image to deploy a Nano Server at-a-scale</a>
</li>
<li>Part – 4: Bare Metal Deployment (BMD) Consideration
</li>
</ul>
<p>In this blog post we will explain how to build Windows Pre-installation Environment (Windows PE) and Nano Server WIM images to provision Nano Server for deployment at scale. Windows PE allows you to add optional components to the image, which will enable more advanced scenarios than what is available by default. Following the creation of the Windows PE Image, we will create a Nano Server WIM image with the needed components and configuration to run on a virtual or physical server in a datacenter.
</p>
<p>For general Nano Server deployment steps, see the Nano Server Deployment Guide: <a href="https://aka.ms/NanoServer">https://aka.ms/NanoServer</a>
</p>
<p>
</p>
<p>The high level tasks in this blog post are:
</p>
<ul>
<li><strong>Steps to build a Windows PE Image<br />
</strong></li>
<li><strong>Steps to build a Nano Server WIM Image<br />
</strong></li>
<li><strong>Next steps<br />
</strong></li>
</ul>
<p>
</p>
<p>
</p>
<p><span style="font-size:12pt"><strong>Steps to build a Windows PE Image:<br />
</strong></span></p>
<p>To build a Windows PE image please follow these steps:<strong><br />
</strong></p>
<ul>
<li>Download and install the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 with Windows PE tools
</li>
<li>Add the required optional components to the Windows PE image for this scenario
</li>
<li>Create a batch file for the Windows PE Image
</li>
<li>Add PowerShell file to the Windows PE image
</li>
<li>Add configuration files to the Windows PE image
</li>
<li>
<div>Unmount the Windows PE image and create media
</div>
<p style="margin-left: 18pt">
</p>
</li>
</ul>
<p><strong>Download and install Windows Assessment and Deployment Kit with Windows PE tools<br />
</strong></p>
<p style="margin-left: 18pt">The Windows ADK is a collection of tools and documentation that can be used to customize, assess, and deploy Windows operating systems to new computers. The Windows ADK enables two key scenarios: Windows deployment and Windows assessment. For this solution we are using the Windows PE sub component which is a minimal operating system designed to prepare a computer for installation and servicing of Windows. To install Windows PE please do the following:
</p>
<ol style="margin-left: 54pt">
<li>Download the Windows ADK for Windows 10 from here <a href="https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx">https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx</a>
</li>
<li>Run adksetup.exe
</li>
<li>Click install ADK
</li>
<li>Read license agreement and accept if in agreement.
</li>
<li>
<div>Select the following features
</div>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0646_Part2Howto1.png" alt="" />
</p>
</li>
<li>Click Install
</li>
<li>Once the wizard has installed with the selected components, click Start, and type deployment. Right-click <strong>Deployment and Imaging Tools Environment</strong> and then select Run as administrator
</li>
<li>
<div>To create a fresh WinPE image repository in <span style="color:black">C:\ do the following</span>
</div>
<p>Type <span style="color:black">copype amd64 C:\WinPEImage</span>
</p>
<p>
</p>
</li>
</ol>
<p><strong>Add the required optional components into Windows PE image for this scenario<br />
</strong></p>
<p style="margin-left: 18pt">By default, the Windows PE image does not have support for PowerShell, DISM and disk configuration, all of which are required by the solution to configure Nano Server during the provisioning described in this blog post series. To enable these features you need to add these optional packages to the Windows PE image using DISM: <em>WinPE-WMI, WinPE-NetFx, WinPE-Scripting, WinPE-PowerShell, WinPE-DismCmdlets, WinPE-SecureBootCmdlets, WinPE-StorageWMI, WinPE-WDS-Tools, WinPE-Setup, WinPE-Setup-Client.</em> To add the optional components into the Windows PE image please do the following:
</p>
<ol style="margin-left: 54pt">
<li>
<div>Mount the Windows PE image running this command line:
</div>
<p>Dism /Mount-Image /ImageFile:"C:\WinPEImage\media\sources\boot.wim" /index:1 /MountDir:"C:\WinPEImage\mount"
</p>
</li>
<li>Open a browser and go to <a href="https://github.com/uday31in/Nano/tree/master/WinPENanoDomainJoin">https://github.com/uday31in/Nano/tree/master/WinPENanoDomainJoin</a>
</li>
<li>Download DISMWinPEInst.ps1<span style="color:#333333;font-family:Helvetica;font-size:10pt"><br />
</span>and save it as a file in C:\WinPEImage
</li>
<li>Run DISMWinPEInst.ps1 from an elevated PowerShell prompt
</li>
<li>
<div>Verify that all packages are installed correctly by going through the output list of installed components and checking that the components mentioned above have been installed.
</div>
<p>
</p>
</li>
</ol>
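<p>The manual verification in the last step can be scripted. The PowerShell check below is an added example, not part of the original post or of DISMWinPEInst.ps1; the function name is hypothetical, the package list is constructed, and the package identity layout "&lt;Component&gt;-Package~&lt;key&gt;~&lt;arch&gt;~&lt;language&gt;~&lt;version&gt;" is an assumption about how DISM names these components.</p>

```powershell
# Added example: compare a WinPE package list with the optional components
# this post requires. Function name is hypothetical.

$RequiredWinPEComponents = @(
    'WinPE-WMI', 'WinPE-NetFx', 'WinPE-Scripting', 'WinPE-PowerShell',
    'WinPE-DismCmdlets', 'WinPE-SecureBootCmdlets', 'WinPE-StorageWMI',
    'WinPE-WDS-Tools', 'WinPE-Setup', 'WinPE-Setup-Client'
)

function Test-WinPEComponent {
    [CmdletBinding()]
    param(
        # Objects exposing PackageName and PackageState, such as the output of
        # Get-WindowsPackage -Path <mount directory>.
        [Parameter(Mandatory)][object[]]$Package,
        [string[]]$Required = $RequiredWinPEComponents
    )

    foreach ($name in $Required) {
        # Anchoring on "-Package~" keeps WinPE-Setup from being satisfied by
        # WinPE-Setup-Client. The empty language field ("~~") selects the
        # language-neutral package, so a language pack alone does not count.
        # Assumption: identity is <Component>-Package~<key>~<arch>~<lang>~<version>.
        $pattern = '^' + [regex]::Escape($name) + '-Package~[^~]*~[^~]*~~'
        $hit = $Package | Where-Object { $_.PackageName -match $pattern } | Select-Object -First 1

        [pscustomobject]@{
            Component = $name
            Present   = $null -ne $hit
            State     = if ($null -ne $hit) { "$($hit.PackageState)" } else { 'Missing' }
        }
    }
}

# Constructed package list: WinPE-Setup is absent although WinPE-Setup-Client is
# there, and WinPE-StorageWMI appears only as an en-US language pack.
$constructed = @(
    'WinPE-WMI-Package~31bf3856ad364e35~amd64~~10.0.0.0',
    'WinPE-NetFx-Package~31bf3856ad364e35~amd64~~10.0.0.0',
    'WinPE-Scripting-Package~31bf3856ad364e35~amd64~~10.0.0.0',
    'WinPE-PowerShell-Package~31bf3856ad364e35~amd64~~10.0.0.0',
    'WinPE-DismCmdlets-Package~31bf3856ad364e35~amd64~~10.0.0.0',
    'WinPE-SecureBootCmdlets-Package~31bf3856ad364e35~amd64~~10.0.0.0',
    'WinPE-StorageWMI-Package~31bf3856ad364e35~amd64~en-US~10.0.0.0',
    'WinPE-WDS-Tools-Package~31bf3856ad364e35~amd64~~10.0.0.0',
    'WinPE-Setup-Client-Package~31bf3856ad364e35~amd64~~10.0.0.0'
) | ForEach-Object { [pscustomobject]@{ PackageName = $_; PackageState = 'Installed' } }

# Lists only the components that still need to be added.
Test-WinPEComponent -Package $constructed | Where-Object { -not $_.Present }
```

<p>Against the real image, pass the output of Get-WindowsPackage -Path C:\WinPEImage\mount as -Package while the image is still mounted.</p>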
<p><strong>Add configuration files into the Windows PE image<br />
</strong></p>
<p style="margin-left: 18pt">In addition to the components added to the Windows PE image we need to modify the wpeinit file, create a boot.cmd and WinPENanoDomainJoin.ps1 file which will be launched as part of the Nano Server image deployment.
</p>
<p style="margin-left: 18pt">The role of the files being added are the following:
</p>
<ul style="margin-left: 54pt">
<li>
<div><strong>Wpeinit.ini<br />
</strong></div>
<p>By adding this file to the image you can specify which script Windows PE will execute as part of the boot process
</p>
</li>
<li>
<div><strong>Boot.cmd<br />
</strong></div>
<p>This file will execute the PowerShell script as Windows PE cannot execute PowerShell natively from Wpeinit.ini.
</p>
</li>
<li>
<div><strong>WinPENanoDomainJoin.ps1<br />
</strong></div>
<p>This file contains the PowerShell script that will add Nano Server to the domain and automate the deployment.
</p>
</li>
</ul>
<p><strong>Create the WinPENanoDomainJoin.ps1 PowerShell script<br />
</strong></p>
<p style="margin-left: 18pt">This script is stored on <a href="https://github.com/uday31in/Nano/tree/master/WinPENanoDomainJoin">GitHub</a> for easy access and reference as a sample script. The script should be downloaded and added to the Windows PE image and will be run after the Nano Server WIM file is installed to the physical or virtual server. The script will generate a domain blob and inject this into the Nano Server image using the parameters given by the unattend.xml or manually provided by the administrator during install.
</p>
<ul style="margin-left: 54pt">
<li>Open a browser and go to <a href="https://github.com/uday31in/Nano/tree/master/WinPENanoDomainJoin">https://github.com/uday31in/Nano/tree/master/WinPENanoDomainJoin</a>
</li>
<li>Download <a href="https://github.com/uday31in/Nano/blob/master/WinPENanoDomainJoin/WinPENanoDomainJoin.ps1" title="WinPENanoDomainJoin.ps1"><span style="color:#4078c0;font-family:Helvetica;font-size:10pt">WinPENanoDomainJoin.ps1</span></a><span style="color:#333333;font-family:Helvetica;font-size:10pt"> and save in C:\WinPEImage</span>
</li>
<li>Copy C:\WinPEImage\WinPENanoDomainJoin.ps1 C:\WinPEImage\mount\
</li>
</ul>
<p>
</p>
<p style="margin-left: 18pt"><strong>Create boot.cmd to launch WinPENanoDomainJoin.ps1</strong>
</p>
<p style="margin-left: 18pt">The boot.cmd file is used to execute the WDS setup and then launch the WinPENanoDomainJoin.ps1 script. To create boot.cmd, do the following:
</p>
<ul style="margin-left: 54pt">
<li>Open Notepad
</li>
<li>
<div>Add the following lines and save as boot.cmd in C:\WinPEImage\
</div>
<p style="background: #d0cece">x:\sources\setup /wds /noreboot
</p>
<p style="background: #d0cece">cd %~dp0%
</p>
<p style="background: #d0cece">x:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File WinPENanoDomainJoin.ps1
</p>
</li>
<li>Copy C:\WinPEImage\Boot.cmd C:\WinPEImage\mount\
</li>
</ul>
<p>
</p>
<p style="margin-left: 18pt"><strong>Create Winpeshl.ini to launch boot.cmd<br />
</strong></p>
<p style="margin-left: 18pt">Winpeshl.ini controls whether a customized shell is loaded in Windows PE instead of the default Command Prompt window. To load a customized shell, create a file named Winpeshl.ini and place it in %SYSTEMROOT%\System32 of your customized Windows PE image. To do this do the following:<strong><br />
</strong></p>
<ul style="margin-left: 54pt">
<li>Start a command prompt
</li>
<li>Run Notepad C:\WinPEImage\mount\Windows\System32\Winpeshl.ini
</li>
<li>
<div>Insert the following lines and save the file
</div>
<p style="background: #d0cece">[LaunchApp]
</p>
<p style="background: #d0cece">AppPath = x:\boot.cmd
</p>
</li>
<li>
<div>Save the file
</div>
<p>
</p>
</li>
</ul>
<p><strong>Create lang.ini to set install language<br />
</strong></p>
<p style="margin-left: 18pt">The lang.ini will set the language used during the installation in the GUI. In this blog post we will use English US as the UI language.
</p>
<ol style="margin-left: 54pt">
<li>Start a command prompt
</li>
<li>Run Notepad C:\WinPEImage\mount\sources\lang.ini
</li>
<li>
<div>Insert the following lines and save the file
</div>
<p style="background: #d0cece">[Available UI Languages]
</p>
<p style="background: #d0cece">en-US = 3
</p>
<p style="background: #d0cece">[Fallback Languages]
</p>
<p style="background: #d0cece">en-US = en-us
</p>
<p>
</p>
</li>
</ol>
<p><strong>Save changes made to the wim file and unmount the image.<br />
</strong></p>
<p style="margin-left: 18pt">To save all the changes made to the Windows PE image do the following.
</p>
<ul style="margin-left: 54pt">
<li>Start a command prompt as administrator
</li>
<li>Run: Dism /Unmount-Image /MountDir:"C:\WinPEImage\mount" /commit
</li>
</ul>
<p>
</p>
<p>
</p>
<p><strong><span style="font-size:12pt">Steps to build a Nano Server Image:</span><br />
</strong></p>
<p>This section will explain how to build a Nano Server WIM image to be deployed via WDS. This will be split into two options, physical hardware and virtual machines. To create this image, we are using standard OEM drivers for physical servers and virtual drivers for the virtual WIM image. If special drivers are needed, these can be added as part of creating the WIM image, which is explained here: <a href="https://aka.ms/nanoserver">https://aka.ms/nanoserver</a>. It is also possible to create VHD and VHDX files following the same concept and import these into WDS. This will not be part of this blog post but is explained <a href="https://aka.ms/nanoserver">here</a>.
</p>
<p>
</p>
<p style="margin-left: 18pt"><strong>Download the latest Windows Server 2016 image and load NanoServerImageGenerator PowerShell module<br />
</strong></p>
<ol style="margin-left: 54pt">
<li>Download the latest Windows Server 2016 build from here: <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview">https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview</a>
</li>
<li>Mount the image as a drive by right clicking on the ISO file and select mount
</li>
<li>Copy <em>NanoServerImageGenerator</em> folder from the \NanoServer folder in the Windows Server Technical Preview ISO to a folder on your hard drive
</li>
<li>Start Windows PowerShell as an administrator, change directory to the folder where you have placed the NanoServerImageGenerator folder and then import the module with <span style="font-family:Courier New;font-size:10pt">Import-Module .\NanoServerImageGenerator -Verbose</span>
</li>
</ol>
<p>
</p>
<p style="margin-left: 36pt"><strong>Nano Server in a virtual machine<br />
</strong></p>
<p style="margin-left: 36pt">In this section we’ll describe how to create the Nano Server WIM file to be used with virtual machines. Create a WIM for the Datacenter edition that includes the following features: Failover Clustering, Scale-out File Server and the Hyper-V guest drivers. Also enable Remote Management by running the following command which will prompt you for an administrator password for the new WIM file.
</p>
<p style="margin-left: 36pt"><span style="font-family:Courier New;font-size:10pt">New-NanoServerImage -Edition Datacenter -DeploymentType Guest -Clustering -Storage -EnableRemoteManagementPort -MediaPath &lt;path to root of media&gt; -BasePath .\Base -TargetPath .\NanoServerVM\&lt;WIM File Name&gt;.WIM<br />
</span></p>
<p style="margin-left: 36pt"><span style="font-family:Courier New;font-size:10pt">Example:<br />
</span></p>
<p style="margin-left: 36pt"><span style="font-family:Courier New;font-size:10pt">New-NanoServerImage -Edition Datacenter -DeploymentType Guest -Clustering -Storage -EnableRemoteManagementPort -MediaPath E:\ -BasePath .\Base -TargetPath .\NanoServerVM\NanoServerVM.WIM</span>
</p>
<p style="margin-left: 36pt"><strong>Nano Server on a physical computer<br />
</strong></p>
<p style="margin-left: 36pt">This section describes how to create the Nano Server WIM file to be used with physical hardware using the pre-installed device drivers. If your hardware requires a driver that is not already provided in order to boot or connect to a network, follow the steps <a href="https://aka.ms/nanoserver">here</a>. Create a WIM that includes the OEM drivers, Hyper-V, Scale-out File Server, Failover Clustering features and enable Remote Management by running the following command which will prompt you for an administrator password for the new WIM.
</p>
<p style="margin-left: 36pt"><span style="font-family:Courier New;font-size:10pt">New-NanoServerImage -Edition Datacenter -DeploymentType Host -MediaPath &lt;path to root of media&gt; -BasePath .\Base -TargetPath .\NanoServerPhysical\NanoServer.WIM -OEMDrivers -Compute -Clustering -Storage -EnableRemoteManagementPort<br />
</span></p>
<p style="margin-left: 36pt"><span style="font-family:Courier New;font-size:10pt">Example:<br />
</span></p>
<p style="margin-left: 36pt"><span style="font-family:Courier New;font-size:10pt">New-NanoServerImage -Edition Datacenter -DeploymentType Host -MediaPath E:\ -BasePath .\Base -TargetPath .\NanoServerPhysical\NanoServer.WIM -OEMDrivers -Compute -Clustering -Storage -EnableRemoteManagementPort</span>
</p>
<p>
</p>
<p>
</p>
<p><span style="font-size:12pt"><strong>Next steps<br />
</strong></span></p>
<p>In the next blog post we will configure Windows Deployment Server (WDS) with the newly created Windows PE and Nano Server WIM images. Then, we will configure two different unattend.xml files with input parameters required during the installation of Nano Server. Lastly we will provision a Nano Server using WDS and a VM running on Hyper-V.
</p>
<p>Following this blog post we will release two more blog posts:
</p>
<ul>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/13/how-to-configure-wds-unattend-xml-file-windows-pe-image-and-nano-server-image-to-deploy-a-nano-server/">Part – 3: How to configure WDS, Unattend.xml file, Windows PE Image, and Nano Server image to deploy a Nano Server at-a-scale</a>
</li>
<li>Part – 4: Bare Metal Deployment (BMD) Considerations
</li>
</ul>
<p>That’s it for now. Please don’t forget to share your feedback with us via the comments section below or using the <a href="http://windowsserver.uservoice.com/forums/295068-nano-server">User Voice forum</a>!
</p>
<p>Regards
</p>
<p>The Nano Server Team</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Part 1: Nano Server Domain Join (Deployment-at-a-scale an introduction)</title>
<link>https://blogs.technet.microsoft.com/privatecloud/2016/05/02/nano-server-domain-join-deployment-at-a-scale-part-1-introduction/</link>
<comments>https://blogs.technet.microsoft.com/privatecloud/2016/05/02/nano-server-domain-join-deployment-at-a-scale-part-1-introduction/#respond</comments>
<pubDate>Mon, 02 May 2016 14:31:55 +0000</pubDate>
<dc:creator><![CDATA[Anders Ravnholt [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Cloud Computing]]></category>
<category><![CDATA[Deployment]]></category>
<category><![CDATA[Modern Datacenter]]></category>
<category><![CDATA[Windows Server]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/privatecloud/?p=7855</guid>
<description><![CDATA[Over a series of blog posts we will describe a solution for how to deploy Nano Server at scale using Microsoft tools. The blog posts are: Part – 1: Nano Server Domain Join (Deployment-at-a-scale an introduction) (This blog post) Part – 2: How to build a Windows PE and Nano Server image to deploy Nano... <a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/02/nano-server-domain-join-deployment-at-a-scale-part-1-introduction/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Over a series of blog posts we will describe a solution for how to deploy Nano Server at scale using Microsoft tools. The blog posts are:</p>
<ul>
<li><strong>Part – 1: Nano Server Domain Join (Deployment-at-a-scale an introduction) (This blog post)<br />
</strong></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/">Part – 2: How to build a Windows PE and Nano Server image to deploy Nano Server-at-a-scale</a></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/13/how-to-configure-wds-unattend-xml-file-windows-pe-image-and-nano-server-image-to-deploy-a-nano-server/">Part – 3: How to configure WDS, Unattend.xml file, Windows PE Image, and Nano Server image to deploy a Nano Server at-a-scale</a></li>
<li>Part – 4: Bare Metal Deployment (BMD) Considerations</li>
</ul>
<p><strong>Introduction<br />
</strong></p>
<p style="text-align: justify">As we are in the final leg of Windows Server 2016 development, many of you are already planning to deploy Nano Server in your organization at a large scale. For those of you who are evaluating Windows Server 2016 and Nano Server and have provided feedback, a huge THANK YOU. We are listening closely to your comments and have been actively making changes based on your input. Today’s topic is a great example.</p>
<p style="text-align: justify"><strong>Nano Server<br />
</strong></p>
<p style="text-align: justify">When deploying at scale, we see that most deployments are in clusters with homogeneous hardware such as a rack or two of servers configured with identical hardware configurations. In this case, we want to focus on providing a highly optimized and standardized, minimal footprint image that can be deployed and managed at scale. That’s where Nano Server comes in.</p>
<p>Nano Server is “Just-enough-OS” and provides the optimal choice to run in your datacenters and private cloud for Compute, Storage, DNS, Web and Container workloads, to name a few. Nano Server is provided on the Windows Server 2016 media, but is not part of the Setup experience like you may be used to seeing with the other two options: “Server with Desktop Experience” or “Server Core”. Instead, Nano Server uses image-based deployment and requires you to create an image for your configuration in order to deploy it (see <a href="https://aka.ms/nanoserver">https://aka.ms/nanoserver</a> for instructions).</p>
<p>In many scenarios, you might want to join Nano Server to your Active Directory domain for authentication or because your workload, such as Clustering, requires it. Nano Server is refactored from the ground up to provide a minimal base OS footprint, and thus does not have the capability to do the online domain join at deployment time that is typically used by most deployment/provisioning systems, such as Windows Deployment Services (WDS), Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager (SCCM). For Nano Server, domain join is an offline process.</p>
<p>Since offline domain join may be new to some of you, there are some important considerations for this process. Joining Nano Server to a domain offline involves creating a domain blob and applying the blob to an instance of Nano Server. The offline domain blob is a highly privileged asset representing machine identity on the network and is important to safeguard. While these domain blobs are used one time only, you should secure them (they are typically stored on a file share) and apply auditing and access control policies. When deploying generic images across datacenters, security and access control pose an additional challenge because either:</p>
<ul>
<li>the generic image lacks security context to use for domain join, or</li>
<li>you have to explicitly specify a domain credential that can be used for domain join and ensure it is not stored in plain text</li>
</ul>
<p>Thus, when using offline domain join, you must use a security credential to read the offline domain blob from your network.</p>
<p>As with any online domain join operation, using offline domain join post-deployment on Nano Server requires a full reboot of the machine. This may take significant time on higher-end scale-up servers if doing Bare Metal Deployment (BMD), increasing the overall time it takes for installation.</p>
<p><strong>Your Feedback (Thanks!)<br />
</strong></p>
<p>Based on the feedback we have received about the need to be able to easily domain join Nano Server deployments at scale, we have come up with a solution using Microsoft tools that are available today. This will enable you to deploy Nano Server in large numbers and still automate the deployment in a similar fashion to your Server with Desktop Experience and Server Core deployments today.</p>
<p><strong>The Challenges & Design Goals:<br />
</strong></p>
<p>The primary challenge that is addressed with this solution is “<strong>Deployment at scale of Nano Server</strong>” with customized images, with the following design criteria in mind:</p>
<ul>
<li><strong>Simplicity</strong>: Only use one tool</li>
<li><strong>Speed:</strong> Minimize reboots: deploy end-to-end with a minimum of reboots, as a reboot can take a long time (10+ minutes on large scale-up physical servers)</li>
<li><strong>Security:</strong> Stay secure without taking high risks</li>
<li><strong>Automation:</strong> Minimum of / no manual steps in the process outside the deployment</li>
<li><strong>Goal:</strong> Full deployment and Domain Join in under 3 mins from boot to login screen</li>
</ul>
<p><strong>The Solution<br />
</strong></p>
<p>In order to address the above challenges & design goals, the following components enable most, if not all, of these:</p>
<ul>
<li>Windows Deployment Services (WDS) only</li>
<li>WinPE image with .NET and PowerShell added</li>
<li>Embedded PowerShell script</li>
<li>Variables controlled via Unattend xml file in WDS</li>
<li>No storage or blob files stored on shares</li>
<li>No storage of usernames / passwords to allow for maximum security.</li>
</ul>
<p><strong>Scope of the solution:<br />
</strong></p>
<p>The main objective for the proposed solution is to provision a Nano Server image to a physical or virtual machine and domain join the server to a domain based on the following user input, which can be stored in an unattend.xml file or be provided by the administrator as part of the provisioning process.</p>
<p>– User Name</p>
<p>– Password</p>
<p>– Machine Name</p>
<p>* the domain name is taken from the user name</p>
<p><strong>Requirements for the solution:<br />
</strong></p>
<p>The following requirements are needed in order to deploy Nano Server and join it to a domain:</p>
<ol>
<li>AD domain</li>
<li>DHCP Server with IP scope which the VM or Physical server can connect with</li>
<li>WDS Server</li>
<li>Modified WinPE Image</li>
<li>Unattend XML file</li>
<li>Nano WIM / VHD / VHDX Image</li>
<li>Domain account(s) to create the AD computer object and authenticate with WDS server.</li>
</ol>
<p><strong>The process<br />
</strong></p>
<ol>
<li>Server PXE boots and gets an IP address from the DHCP Server</li>
<li>Downloads and boots the modified WinPE Image from the WDS server</li>
<li>Selection of Image from WDS (Automated)</li>
<li>Partitioning of Server (Automated)</li>
<li>Deployment of WIM / VHD / VHDX & Unattend.xml</li>
<li>PowerShell executes and joins Nano Server to the domain with domain credentials</li>
<li>Server reboots and is fully provisioned, including joined to the domain.</li>
</ol>
<p> </p>
<p><img src="https://msdnshared.blob.core.windows.net/media/2016/05/051516_0635_Part1Nano1.png" alt="" /></p>
<p> </p>
<p>This process takes about 2½ minutes using a virtual machine in our test environment. This might take longer depending on your network speed, disk performance, and if using a physical server, the POST time for the server.</p>
<p>You can read more about WinPE in <a href="https://technet.microsoft.com/en-gb/library/cc721977(v=ws.10).aspx">Order of Operations in WinPE</a> and <a href="https://technet.microsoft.com/en-gb/library/cc766093%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396">WinPE Limitations</a>.</p>
<p><strong>The videos<br />
</strong></p>
<p>We have recorded two videos which show the deployment of Nano Server using WDS.</p>
<p><strong>Video 1</strong>: <a href="https://1drv.ms/v/s!Am8Gg73bSTCtquoDNPEHRG3-hODPNA">This video deploys Nano Server to a VM without asking any questions, all information is stored in the unattend.xml file on the WDS server</a>.</p>
<p><strong>Video 2</strong>: <a href="https://1drv.ms/v/s!Am8Gg73bSTCtquoENPEHRG3-hODPNA">This video shows deployment of Nano Server with parameters given for Image, Partitions, User & Password and Server Name</a>.</p>
<p>Various scenarios between the two videos can be achieved, based on how much data is given in the unattend.xml file and automation done around it.</p>
<p><strong>Next Step Blog Posts<br />
</strong></p>
<p>In the next few blog posts, we will drill into this topic further. Here’s what we’re planning:</p>
<ul>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/04/part-2-how-to-build-a-windows-pe-and-nano-server-image-to-deploy-nano-server-at-scale/">Part – 2: How to build a Windows PE and Nano Server image to deploy Nano Server at-a-scale</a></li>
<li><a href="https://blogs.technet.microsoft.com/privatecloud/2016/05/13/how-to-configure-wds-unattend-xml-file-windows-pe-image-and-nano-server-image-to-deploy-a-nano-server/">Part – 3: How to configure WDS, Unattend.xml file, Windows PE Image, and Nano Server image to deploy a Nano Server at-a-scale</a></li>
<li>Part – 4: Bare Metal Deployment (BMD) Considerations</li>
</ul>
<p>Regards</p>
<p>The Nano Server Team</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/privatecloud/2016/05/02/nano-server-domain-join-deployment-at-a-scale-part-1-introduction/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
</channel>
</rss>