You are browsing the archive for Azure.

Azure Backup: Create a Recovery Services vault with Azure PowerShell

9:46 am in Azure, Azure Backup, Azure PowerShell, PowerShell, Public Cloud, Recovery Services vault by Wim Matthyssen

A Recovery Services vault is an online storage entity used to backup workloads to the Azure cloud. You can use it to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases, but it can also be used by System Center Data Protection Manager (SCDPM) or Azure Backup Server (MABS v1 and MABS v2) to enable cloud backups.

clip_image002[5]

These days it is quite easy to create or manage a Recovery Services vault through the Azure portal, but it is even faster when you make use of a scripting language like Azure PowerShell to automate the setup. Therefore, below you can find the PowerShell script I mostly use to do all the work for me. You can just copy and paste or you can download the complete script (.ps1) from the Microsoft TechNet gallery.

To use the script, first adjust all variables to your use. Afterwards login into an Azure PowerShell window as an administrator and when asked login with the credentials for your Azure Subscription.

The script will first create a Resource Group and then the Recovery Services vault in your Azure Subscription. At the end, it will also set the storage redundancy for the newly created vault. Keep in mind that you can only use Locally Redundant Storage (LRS) or Geo Redundant Storage (GRS).

clip_image004[6]

clip_image006[6]

clip_image008[5]

Useful Azure PowerShell cmdlets for Azure Backup

List all available Azure Backup PowerShell cmdlets

clip_image010[7]

List all available Recovery Services vaults in your subscription

clip_image012[4]

Hope this post helps you when you start using Azure Backup.

Wim Matthyssen (@wmatthyssen)

Azure IaaS: Troubelshooting Windows Update error 8024402F

3:31 pm in 8024402F, ARM, ASM, Azure, hybrid cloud, PowerShell, Windows Server 2012 R2, Windows Update, WSUS by Wim Matthyssen

 
Last week I was troubleshooting a Windows Update issue at several Azure IaaS VMs for a customer. All those Windows Server 2012 R2 servers were workgroup members and had no Network Security Group (NSG) attached which could block the connection to the Microsoft Update servers. But whenever starting Windows Update the below error was shown after a few minutes.

clip_image002

To get this error fixed I followed the below steps. Be aware that you can retry running Windows Update again after each step because it could be already working again.

 

Step 1

If the server has been configured to use WSUS to get its updates, first wipe out those registry keys by running the below command in a PowerShell window (with admin privileges). Press Y to delete all registry keys when asked:

clip_image004

clip_image006

This also may reset some Windows Update settings, for instance, the one that decides if updates should install automatically or after asking permission.  Therefore, you need to set your preferred settings afterwards.

Check for updates using Windows Update and see if the issue has been resolved, if not proceed to step 2.

 

Step 2

If you still receive the same error, run the following PowerShell Script to rename the SoftwareDistribution and catroot2 folder. These folders, which are maintained by the WUAgent (Windows Update Agent), are essential components for Windows Update. However, sometimes the content of these folders could prevent Windows Update from applying new updates to the server. When having trouble with Windows Update, it is safe to delete this folder. The server will always re-download all the necessary files, or re-create the folder and re-download all the components, if removed.

clip_image008

Now please check for updates using Windows Update to see if the issue has been resolved.

 

Step 3

If step 2 also does not fix the problem, you could try running the below command from an elevated PowerShell window. This command will import proxy information used by Internet Explorer in the Windows HTTP Services (WinHTTP). Several server roles, like the Microsoft Windows Update client, rely on WinHTTP to manage all HTTP and HTTPS traffic. Windows Update uses it mainly to scan for available updates.

clip_image010

 

Step 4

As a last solution, you could try running the Windows Update Troubleshooter tool. To download and startup this tool run the below PowerShell commands.

clip_image012
clip_image014

When the tool opens, go through all steps to get Windows Update fixed.

If all goes well, Windows Update should be working again by the use of one of the above steps. Hope it helps and if you have any questions feel free to contact me through my twitter handle.

Wim Matthyssen (@wmatthyssen)

MABS: DPM database size has exceeded the threshold limit (ID 3168)

10:18 am in Azure, Azure Backup, DPM database, ID 3168, MABS, Microsoft Azure Backup Server by Wim Matthyssen

Last week I saw the below Warning message pop up at a customer’s Microsoft Azure Backup Server (MABS). The description of this Warning message described the following:

“DPM database size has exceeded the threshold limit.

DPM database size: 1.15 GB

DPM database location: e:\DPMDB\ on “servername” (ID 3168)”

clip_image002

I could also find the same Warning message in the Event Viewer.

clip_image004

The message itself was confusing because the E: drive where the DPM database is located had plenty of free disk space and the DPM Database size alert was unmarked as you can see in the below screenshots.

clip_image006

clip_image008

Another important point is that the only way to open the Tape Catalog Retention box (on a MABS server) is by clicking the Modify Catalog Alert Threshold size … link which is only show in the Recommended action field of the warning message itself.

clip_image010

However, in the end I was able to solve this warning, by marking the setting Alert me when DPM database size reaches: and changing the size to 10 GB. Afterwards I unmarked this setting again and pressed OK. Almost directly after that, the Warning message disappeared.

clip_image012

clip_image014

Conclusion

Probably this warning message is some sort of bug in the MABS software or some kind of leftover from DPM 2012 (tape backups) on which the MABS v1 code is based. For the moment, the only way to get rid of this Warning message is by using the above workaround.

If you have any questions, feel free to contact me through my twitter handle.

Wim Matthyssen (@wmatthyssen)

Microsoft Azure Backup Server: Unable to configure protection for a SQL database (ID 3170 and 33424)

2:45 pm in Azure, Azure Backup, ID 3170, ID 33424, MABS, Microsoft Azure Backup Server, SQL Server by Wim Matthyssen

Last week while configuring backup for some SQL databases for a customer with the Microsoft Azure Backup Server (MABS), I received the following Protection Status error: Unable to configure protection.

clip_image002

When opening the Monitoring tab on the MABS server, to investigate the problem, I found the following description for the error:

DPM could not start a recovery, consistency check, or initial replica creation job for SQL Server 2012 database “SQLServername\model” on “SQL Server” for following reason: (ID 3170)

The DPM job failed for SQL Server 2012 database “SQLServername\model” on “SQL Server” because the protection agent did not have sysadmin privileges on the SQL Server instance. (ID 33424 Details:)

clip_image004[6]

You can also find the similar error description in the Event Viewer on the MABS server, by opening the Application and Services LogsDPM Alerts.

clip_image006[6]

As the error suggests, the problem is that the built-in NT Authority\SYSTEM does not have sysadmin rights on that SQL Server instance. So to resolve this issue, perform the following steps. Open Microsoft SQL Server Management Studio on the SQL server. Open Security, open Logins, select the NT\AUTHORITY SYSTEM user and click Properties. In the Server Roles screen sysadmin should be checked, what for this specific database was not the case. So check sysadmin and press OK to save. You need to repeat this step for all instances having this problem.

clip_image008[5]

clip_image010[6]

After fixing this, you need to perform a consistency check on the MABS for all those databases with status Unable to configure protection. To do so right-click the unprotected database and select Perform consistency check …, which will retry the protection and solve the problem.

clip_image012

After completion, the Protection Status should be showing OK.

clip_image014

Hope this helps you fixing this problem when it occurs. If you have, any questions feel free to contact me through my twitter handle.

Wim Matthyssen (@wmatthyssen)

How to install Microsoft Azure Backup Server v2 on Windows Server 2016

7:53 pm in Azure, Azure Backup, Hybrid backup, MABS, MABS v2, Microsoft Azure Backup, Microsoft Azure Backup Server, Microsoft Azure Backup Server v2, Modern Backup Storage, PowerShell, Windows Server 2016 by Wim Matthyssen

Last week Microsoft released the second version (v2) of their Microsoft Azure Backup Server (MABS v2). As a hybrid backup solution, this new release based on System Center Data Protection Manager 2016 (SCDPM 2016) enables you to store data onto disk (low RTO) and in Azure (long retention, up to 99 years). MABS v2 uses RCT-based change tracking by using Windows Server 2016. This makes backups more reliable and scalable, but also improves backup performance (backup jobs could be up to 70 percent faster). MABS v2, which is included with the Azure Backup service and currently has version number 12.0.332.0., now not only supports Windows Server 2016 (W2K16) but also vSphere 6.5 (Preview mode). Beside those, you can also use it now to backup business critical Microsoft workloads such as SQL 2016, SharePoint 2016 and Exchange 2016. Those can be running on premise (physical servers, Hyper-V or VMware) or in the Azure cloud. As a nice extra, you can also back up Windows 10 client workloads.

clip_image002

In a previous blog post, I already told you all about MABS v1 on how to install it on a Windows Server 2012 R2. In this blog post, I will show you how you can deploy MABS v2 on a W2K16 server.

MABS v2 server requirements

  • MABS v2 can be installed as an on premise standalone physical server or VM, but also as an Azure IaaS VM (minimum size A2 Standard).
  • MABS v2 will run on following supported Operating Systems: Windows Server 2012 R2 and Windows Server 2016 (is required if you want to use the Modern Backup Storage feature).
  • MABS v2 must be domain joined. Be sure to add the server to the domain before the MABS installation. Microsoft does not support adding this server to the domain after the MABS installation.
  • The processor minimum requirements for a MABS v2 server are 1GHz dual-core CPU, recommended 2.33 GHz quad-core CPU.
  • The minimum RAM needed by a MABS v2 server is 4GB, recommended is 8 GB.
  • The recommended hard drive space is 3 GB.
  • MABS v2 must have .NET 3.5 SP1, .NET 4.6.1 features installed as a prerequisite.
  • MABS v2 should also have Hyper-V PowerShell installed.
  • MABS v2 should be running a dedicated, single-purpose server. Either it cannot be running on the same server, which has SCDPM or a SCDPM agent installed.
  • A validate Windows Server license is needed for the MABS v2 server.
  • The MABS v2 server needs to have access to the Internet because Microsoft Azure should be accessible from the MABS server.
  • To temporarily store, the largest restore from the Azure cloud, some scratch space is required when needed. So keep approximately 5 % of the total amount of data that needs to be backed-up to the cloud free on the C: drive.
  • A separate data disk for the backup storage pool is required. Like every other backup product the recommendation for the size of this disk is 1.5 times the size of the data you are going to protect.

MABS v2 prerequisites installation

Before we start the prerequisites installation, be shore to have a Recovery Services vault in place (create a new one, or use an existing) and download the vault credentials. When downloaded, place this file on the C:\Temp folder of the MABS server.

clip_image004

clip_image006

To install all required prerequisites, logon to the server you wish to use for your MABS v2 installation, open PowerShell and administrator and run the following commands to install .NET 3.5 SP1 and Hyper-V PowerShell (be shore to have the Windows Server 2016 installation ISO mounted – in my example to the D: drive). Be aware the server will reboot when the installation is completed. You can also download the complete script (.ps1) from the Microsoft TechNet Gallery.

clip_image008

MABS v2 software download

To download the MABS v2 software open PowerShell as an administrator and run the following PowerShell script. You can download the complete script (.ps1) from the Microsoft TechNet gallery. The script will download all the necessary files (8 files), extract them and start the setup.

MABS v2 installation

Click Microsoft Azure Backup Server to launch the setup wizard.

clip_image010

Setup will start copying some temporary files.

clip_image012

On the Welcome screen, click the Next.
clip_image014

This opens up the Prerequisite Check section. On this screen, click on the Check button to determine if the hardware and software prerequisites for Azure Backup Server have been met. If all of is OK, you will see a message indicating that the machine meets the requirements. Click Next.

clip_image016

On the SQL Settings page select, Install new Instance of SQL Server with this Setup, to install SQL 2016 SP1. Click Check and Install. You could encounter some error messages. If so follow the instructions and most likely, you should reboot the server and start the MABS installation all over again.

clip_image018

If the computer meets, the software and hardware requirements click Next.

clip_image020

Provide a location for the installation of all the files and click Next. In my example, I changed all locations to my E: drive.
clip_image022

Provide a strong password for restricted local user accounts (this password will not expire) and click Next.
clip_image024

It is strongly recommended to use Microsoft update when you check for updates because this will offer all security and important updates for MABS. Select whether to use Microsoft Update or not and click Next.

clip_image026

Review all settings and if all are OK click Install.

clip_image028

clip_image030

Click Next to start the Microsoft Azure Recovery Service Agent installation.

clip_image032

Click Install.

clip_image034

clip_image036

When the agent installation is completed, click Next.

clip_image038

Provide your vault credentials to register the machine to the Azure backup vault. Click Next.
clip_image040

Provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can automatically generate a passphrase or provide your own minimum 16-character passphrase. Also, enter a location to save the passphrase. If all is done click Next.

clip_image042

Once registration succeeded the wizard proceeds with the installation and configuration of SQL Server 2016 SP1. This could take some time.

clip_image044

clip_image046

It is possible that you receive the following error message, if so just click OK (you can change the staging area after the MABS setups completes).
clip_image048

When setup completes successfully, click Close.
clip_image050

Double click the Microsoft Azure Backup server icon on your desktop to launch MABS.

clip_image052

clip_image054

You can also verify if the MABS server connection to the Recovery Services vault. To do so go to your Recovery Services vault, click Overview and click Backup management servers. There you should see the newly installed MABS server.

clip_image056

As a final step, do not forget to run Windows update to install all necessary updates after the MABS installation.

clip_image058

Now you are ready to start working with this brand new product. Have fun and till next time!

Wim Matthyssen (@wmatthyssen)

New features for Azure Backup and Azure Site Recovery released

10:02 am in Azure, Azure Backup, Azure Site Recovery, Cloud, Modern Backup Storage, Windows Server 2016 by Wim Matthyssen

Microsoft was very busy on the last day of May, because yesterday they launched many new features, not only for Azure Backup but also for Azure Site Recovery. I tried to list some of them below.

Azure Backup

  • Windows Server System State backups with Azure Backup now in public preview

This new extension allows the Azure Backup agent (MARS Agent) to integrate with the Windows Server Backup feature that is available natively on every Windows Server. It allows and provides seamless and secure backups of your Windows Server System State directly to Azure without the need to provision any on-premises infrastructure.

You can read more about it here

 

clip_image002

  • Microsoft Azure Backup Server v2 released which allows Windows Server 2016 and vCenter/ESXi 6.5 protection

This week Microsoft also released the second version (v2) of their Microsoft Azure Backup Server (MABS v2), which supports Windows Server 2016, vSphere 6.5 and the latest business critical applications such as SQL 2016, SharePoint 2016 and Exchange 2016. This new version is available for download from a Recovery Services vault in the Azure Portal or directly from here.

 

clip_image004

If you are interested to read more about MABS v2 you can do so over here

An important remark to make is that when you install MABS v2 on a Windows Server 2016 the VMware protection will be in preview mode, because VMware first needs to release support for VDDK 6.5.

In addition, the UserVoice I opened to address this issue to the Azure Team will be closed, so everyone who voted will get some votes back.

  • Introducing Modern Backup Storage with Azure Backup Server on Windows Server 2016

With the latest release of Azure Backup Server (MABS v2), which is based on System Center Data Protection Manager 2016 (SCDPM 2016), Modern Backup Storage can be used. This technology will improve performance and reduces consumption (50 % disk storage savings and 3x faster backups) by leveraging ReFS block cloning and deduplication.

 

clip_image006

You can read more about it here

 

Azure Site Recovery

  • Disaster recovery for Azure IaaS virtual machines with Azure Site Recovery is now in public preview

This will allow you to use Azure Site Recovery (ASR) to easily replicate and protect IaaS based applications running on Azure to a different Azure region of your choice without deploying any additional infrastructure components or software appliances in your subscription.

 

clip_image007

You can read more about it here

 

Enjoy reading about these nice new features and have fun testing them out.

Wim Matthyssen (@wmatthyssen)

Azure Security Center: Endpoint Protection installation failed with “Permission denied”

2:56 pm in Azure, Azure Security Center, Cloud, Endpoint Protection, Microsoft Antimalware by Wim Matthyssen

Most of you who are already familiar with Azure Security Center (ASC), know that it periodically analyzes the security state of your Azure resources. Whenever Security Center identifies a potential security vulnerability, it creates a recommendation. Last week when trying to apply the solution for such a Recommendation, namely Install Endpoint Protection, the Endpoint Protection installation failed with “Permission denied”.

clip_image002

The error showed that the installation failed because of an RBAC issue (permission error), However, the user used was a Subscription co-admin (Role Owner), so that could not cause the problem because he has all permissions needed.

Because Endpoint Protection is deployed as an extension and deployments of extensions are handled by the VM agent, my next troubleshoot step was to check the log of Azure VM agent on that particular VM.

The path to access this log is: “C:\WindowsAzure\Logs\WaAppAgent.log

clip_image004

clip_image006

But also no issue over here.

Therefore, after troubleshooting for some time, I finally opened a support request to Microsoft. As a response to this request, Microsoft confirmed that this error is under investigation of the product team and that there currently is a design change request in the making to get this problem fixed. For the moment, the problem only occurs in some Azure Regions. In the meantime as a temporary workaround in wait for the real fix, they suggest to install the Azure Antimalware extension from Compute or Azure PowerShell instead of with ASC.

To deploy the Azure Antimalware extension using the Azure Portal you can follow these steps:

Log in to the Azure portal

Select the VM, select Extensions and click Add on the Extensions blade

clip_image008

Select Microsoft Antimalware and click Create on the Microsoft Antimalware blade

clip_image010

To enable Antimalware with the default settings just click OK without putting in any configuration values. If you prefer you can also configure it with your own settings and values

clip_image012

Once the extension successfully installs, it reflects in ASC and the recommendation for that specific VM is gone. Hope this helps!

Wim Matthyssen (@wmatthyssen)

Azure PowerShell: Migrate an Azure ASM Virtual IP address (VIP) to an ARM Public IP address (PIP)

12:13 pm in ARM, ASM, Azure, Azure PowerShell, Cloud, PIP, Public Cloud, Public IP address, VIP, Virtual IP address by Wim Matthyssen

The last weeks, I am assisting some customers with the migration of their existing Azure Service Manager (ASM) VMs to the Azure Resource Manager (ARM) portal. Most of those workloads are migrated with the use of Azure Site Recovery (ASR). The only thing ASR cannot handle for the moment is the migration of the Cloud Services Virtual IP Address (VIP). This public IP address can for example used by an IIS website running on a specific IaaS virtual machine (VM) which is part of that Cloud Service. You can work around this problem, as in many of these cases, by using Azure PowerShell. Below I will wake you through this process with an example.

Overview used Azure VMs:

clip_image002
1) First, we need to login and prepare the ARM environment. To do so run following PowerShell commands (change variables as needed):

clip_image004

clip_image006

2) Next we need to login to the ASM environment

clip_image008

3) As the next step we need to reserve the public IP Address

clip_image010

4) Next we need to de-associate the Reserverd IP address from the Cloud Service. Press Yes when asked

clip_image012

clip_image014

5) When you now check the list of reserved IP addresses, it will show the reserved IP address 40.68.191.13 as unassigned. The attribute InUse is set to False and the ServiceName and DeploymentName attributes are empty

clip_image016

6) Also check if the Reserved IP address is valid for migration

clip_image018

7) Next we need to prepare the Reserved IP address for migration

clip_image020

8) Now run the following PowerShell command to finalize the migration of the Reserved IP address

clip_image022

9) You can verify the availability of the migrated Public IP address by login in to the Azure portal. Under Public IP address, you should see the resource with the correct IP address

clip_image024

clip_image026

10) Now, you can move this resource to the correct resource group. When you do so, and your asked to Confirm the move, click Yes

clip_image028

clip_image030

clip_image032

11) Afterwards you can assign the public IP address to whichever resource you would like

clip_image034

clip_image036

That concludes this blog post. Hope it comes to your use.

Wim Matthyssen (@wmatthyssen)

Azure IaaS: Build a VM from a Bring your Own License (BYOL) image with Azure PowerShell

9:16 am in ARM, Azure, Azure Hybrid Use Benefit, BYOL, Cloud, IaaS, PowerShell by Wim Matthyssen

For all people who do not yet know, with the Azure Hybrid Use Benefit you can use your on-premises Windows Server licenses that includes Software Assurance for Windows Server (Standard and Datacenter Editions) virtual machines (VM) in Azure. More recently also Azure Hybrid Use Benefits for Windows Client which includes Windows 10 (only Enterprise customers with Windows 10 Enterprise E3/E5 per user or Windows VDA per user – User Subscription Licenses or Add-on User Subscription Licenses – are eligible) came in Preview.

By using your existing licenses, you only pay for the base compute rate (equal to the Linux rate for VMs) without the Windows licenses cost, which can save you up to 40 %.

You can download the Azure Hybrid Use Benefit datasheet here

clip_image002

These days it’s even simpler to deploy a new Azure server VM whit your own on premise license via the Windows Server BYOL images available in the Azure Marketplace. There are images available for the following Server Oss (*be aware that not all Azure Subscriptions can use the BYOL images):

  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016 (not available in all regions)

You can search for the Windows Server images by running following PowerShell command:

clip_image004

In the above screenshot, you can see that some Skus now contain the BYOL suffix.

You can search for the Windows Client images by running following PowerShell command:

clip_image006

To build a VM with from a BYOL image you can run following Azure PowerShell script (adjust all variables for your own use):

clip_image008

The script is also available on Microsoft TechNet

When the script is completed and the VM is build, you can log into the VM via remote desktop. Like you can see the VM is not registered and you’ll able to use your own Windows product key.

clip_image010

Hope this comes in handy!

Wim Matthyssen (@wmatthyssen)

Azure IaaS: VM status Running (Installing Extensions)

6:13 am in ASM, Azure, Azure PowerShell, Cloud, IaaS, Installing Extension, Microsoft, Public Cloud by Wim Matthyssen

Last week while migrating Azure IaaS VMs from ASM to ARM, I noticed that one VM was showing the status “Running (Installing Extension)” in the Azure Classic portal. When I tried to connect to that specific VM with RDP no connection could be made. This status also prevented me from doing some automation activities, the VM however still responded to a ping.

clip_image002

When I opened the DASHBOARD page of the VM and looked at the extensions, I saw that the Microsoft.Compute.VMAccessAgent showed following error:

clip_image003

The simplest way I found to resolve this error was to delete the extension, and add it back. To do so login to the Azure portal with your Azure account. Go to Virtual Machines and click on the specific VM. On the opened blade select Extensions, right click the VMAccessAgent and click Delete. When asked to delete the extension select Yes

clip_image005

clip_image006

clip_image007

clip_image008

To reinstall the VMAccess extension open PowerShell ISE, connect to your Azure subscription with your Azure account and run the following command (replace cloud service name and VM name by your own)

clip_image010

To check the current status of the extension, run following command (replace cloud service name and VM name by your own):

clip_image012

Or you can also check trough both Azure portals

clip_image014

clip_image016

After the reinstallation of the VMAccessAgent, it ran with STATUS Success and I was able to reconnect to the VM with RDP. This concludes this blog post, hope it helps whenever you have this issue.

Wim Matthyssen (@wmatthyssen)