You are browsing the archive for DC.

2016: My blog year in an overview

2:37 pm in Azure, Azure Backup, Azure RemoteApp, Client Hyper-V, Cloud, DC, Hyper-V, IaaS, PowerShell, Private Cloud, Public Cloud, Replica DC, SCAC 2012 R2, SCVMM 2012 R2, System Center 2016, W2K12R2, Windows 10 by Wim Matthyssen

Hi all,

As a blogger completely focused on Microsoft technologies, it was a fun year of writing about all those interesting and ever changing products and services. As we almost end the year 2016 and are preparing for 2017 to start, I wanted to make a list of all the blog posts I wrote throughout the twelve months of 2016. During the year, I’ve published 26 blog posts mostly about Azure, the System Center Suite and Hyper-V. Below you can find them all divided by technology.

 

clip_image002

Azure Compute – IaaS (ASM)

Step-by-step: Move an Azure IaaS VM between different Azure Subscriptions

Clean up Azure PowerShell when using different Azure subscriptions

Replica DCs on Azure – Removing the Azure Endpoints

Replica DCs on Azure – Transferring FSMO roles to the IaaS DCs

Replica DCs on Azure – Manage the Time Configuration settings on the DCs

Replica DCs on Azure – Domain Controller Health Check

Replica DCs on Azure – Promote the Azure IaaS VMs to a domain controller

Replica DCs on Azure – Add the Active Directory Domain Services role

Replica DCs on Azure – Adjustment of some server settings before promoting the DCs

Replica DCs on Azure – Initialize and format the additional data disk

Replica DCs on Microsoft Azure – Create the VMs with Azure PowerShell

Step by step: Change the drive letter of the Temporary Storage on an Azure IaaS v1 VM

 

Azure Networking

How to connect an Azure ARM VNet to an ASM VNet using VNet Peering

Replica DCs on Azure – Switch DNS servers for the VNet

Replica DCs on Azure – Create the Active Directory site for the Azure VNet

 

Azure Backup

Microsoft Azure Backup Server: Install a new version of the Microsoft Azure Recovery Services Agent

Microsoft Azure Backup Server: System State backup fails with WSB Event ID: 546

Microsoft Azure Backup Server: System State backup fails with the message replica is inconsistent

Step by step: How to install Microsoft Azure Backup Server (MABS)

 

Azure RemoteApp

An RDP connection to the Azure RemoteApp custom VM fails with the following error: “No Remote Desktop License Servers available”

 

Windows 10

How to deploy Windows 10 from a USB flash drive

 

System Center

System Center 2016 evaluation VHDs download links

Step by step: How to connect SCAC 2012 R2 to SCVMM 2012 R2 and Microsoft Azure

Step by step: Installing SCAC 2012 R2

 

Hyper-V

A list of tools that can be used to do a V2V from VMware to Hyper-V

Client Hyper-V – Using nested virtualization to run Client Hyper-V on a Windows 10 VM

 

Before I wrap up this blog post, I want to thank you all for reading my blog posts in 2016, and I really hope you will keep doing so in 2017. I wish you all a healthy, successful and outstanding New Year! See you all in 2017!

Wim Matthyssen (@wmatthyssen)

How to connect an Azure ARM VNet to an ASM VNet using VNet Peering

4:25 pm in ARM, ASM, Azure, Azure virtual network, Cloud, DC, DNS, VNet peering by Wim Matthyssen

Hi all,

In this blog post I will show you how you can connect an Azure Resource Manager (ARM) virtual network (VNet) to a classic or Azure Service Manager (ASM) VNet using VNet Peering.

VNet Peering, which was made generally available (GA) on September 28th, is a mechanism that allows you to connect two VNets in the same region through the Azure backbone network as they were a single network. This means that you don’t need a VNet gateway anymore, like when you setup a VNet-to-VNet VPN connection. It will allow full connectivity between the entire address space of the peered VNets. So, for example when VNet peering is setup, all virtual machines in the peered VNets will be able to communicate with each other. If you’re interested you can read more about VNet Peering via following link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Before we start setting things up, first some things to keep in mind:

  • VNet Peering requires that both VNets are located the same Azure region
  • The VNets must be in the same Azure Subscription (only for ARM – ASM VNet Peering)
  • The IP address space of both VNets must not overlap
  • Using your peer’s VNet gateway (UseRemoteGateways and AllowGatewayTransit settings) is not supported when peering with an ASM VNet
  • There is a small charge for data transferred between VNets using VNet Peering (inbound and outbound data transfer $ 0,01 per GB)
  • To be clear, you can find below a drawing of my ARM – ASM VNet Peering setup

clip_image002

After all this is said and shown, we can start

1) First of all login to the Azure portal and sign in with your Azure account

2) Select Virtual Networks

clip_image004

3) Select your ARM VNet (in my case AZU-Vnet-ARM)

clip_image006

4) Click Peerings (like you can see there is one connected device AZU-APP-01)

clip_image008

5) Click Add

clip_image010

6) In the Add Peering blade, name your link (in my case LinkToVNetASM). Under Peer details select Classic. Choose the correct Subscription and the ASM Virtual Network you want to peer with. Leave Allow virtual network access Enabled, this will allow communication between the two virtual networks. Then click OK

clip_image011

7) After clicking OK the peering link will be created

clip_image012

8) When done, the two virtual networks are peered and you will see the PEERING STATUS between the two virtual networks is in a Connected state

clip_image014

9) Like you can see, both VMs can ping each other. Don’t forget to allow ping through the Windows Firewall

clip_image016

clip_image018

10) After adding AZU-DC-01 (10.0.1.36) as DNS server to the AZU-Vnet-ARM VNet, I was able to add AZU-APP-01 to the azuvlab.local domain which was created an AZU-DC-01

clip_image020

clip_image022

clip_image024

This concludes this blog post. If you have any questions don’t hesitate to contact me via twitter.

Wim Matthyssen (@wmatthyssen)

Replica DCs on Azure – Removing the Azure Endpoints

10:04 am in Azure, Azure Endpoints, Cloud, DC, hybrid cloud, IaaS, PowerShell, RDP, Replica DC, W2K12R2 by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica DCs on Microsoft Azure which can be found here: http://scug.be/wim/2015/09/28/deploying-replica-dcs-in-windows-azure/

All VMs that you create in Azure can automatically communicate using a private network channel with other VMs in the same cloud service or VNet. However, other resources on the Internet or resources from other VNets require endpoints to handle the inbound network traffic to those VMs. That’s why when you create a new Azure  IaaS v1 VM (Azure Service Manager deployment model), Azure automatically creates two endpoints: Remote Desktop and Windows PowerShell Remoting. Both endpoints consist of a protocol (TCP or UDP) and have a public (for example 54036) and a private (for example 3389) port. The public port is used by the Azure load balancer to listen for incoming traffic to the IaaS VM from the Internet. The private port on the other hand is used by the IaaS VM itself to listen for incoming traffic to an application or service running on the VM.

After the creation of this new VM it’s possible to create additional endpoints if needed. The VM deployment wizard provides pre-defined endpoint configurations not only for Remote Desktop and PowerShell, but also for SSH, FTP, SMTP, DNS, HTTP, POP3, IMAP, LDAP, HTTPS, SMTPS, IMAPS, POP3S, MSSQL and MySQL. If the needed service isn’t in this list,  you can also  also create your own service endpoint and define the protocols and ports needed.

You can manage and isolate the incoming traffic to the public ports of these endpoints by configuring access control list (ACL) rules. By using ACLs, you can for example, only permit access to a specific service from a set of trusted hosts or networks.

However, for security best practices, it’s always advisable when an IaaS VM is configured and a Site-to-site VPN (S2S) exists, to remove all endpoints you don’t need (like RDP) and only to use them when their really needed (for example to access a IIS hosted website from the Internet on port 443). When the S2S is in place, you can connect to the VM through the use of the standard local RDP port (3389) via the secure IPsec VPN tunnel instead of connecting over the public Internet.

In this blog post I will show you how you can delete the RDP and PowerShell endpoint manually by making use of the Azure Classic Portal (AZGR-DC-01) and how to do it with the use of Azure PowerShell (AZGR-DC-02). So, let’s get started.

Manually remove the Azure Endpoints through the Azure Classic Portal

1) Logon to the Azure Classic Portal as a Service administrator or Co-administrator

2) In the navigation pane, click VIRTUAL MACHINES and then click the name of the VM where the endpoint needs to be deleted (AZGR-DC-01)

clip_image002

3) Select ENDPOINTS

clip_image004

4) Select the Remote Desktop endpoint and click DELETE

clip_image006

5) Select YES when asked Are You sure that you want to delete endpoint Remote Desktop? This will start the deletion process

clip_image008

clip_image010

clip_image012

6) When the Remote Desktop endpoint is successfully deleted, you can test or you’re still able to RDP to the VM over the Internet. First of all, like you can see the CONNECT button is disabled

clip_image014

7) If we try to connect through the previously downloaded RDP file, no connection is possible

clip_image016

clip_image017

clip_image018

clip_image019

8) However, when we logon to GR-DC-01 and open mstsc via Run, we are still able to RDP to AZGR-DC-01 like it should, because we connect over the internal network

clip_image021

clip_image022

clip_image024

9) You can also repeat the above steps, to delete the Remote PowerShell endpoint

 

Remove the Azure Endpoints through the use of Azure PowerShell

1) Open Windows PowerShell ISE, logon with your Azure account and select the correct Azure Subscription

2) Run following Azure PowerShell cmdlet:

clip_image026

3) Run following cmdlet to check the existing endpoints for the VM

clip_image028

4) Like you can see only the Remote PowerShell endpoint still exists, which we also can verify in the Azure Classic Portal

clip_image030

5) To delete the PowerShell endpoint run following cmdlet:

clip_image032

6) After running this cmdlet no endpoint longer exist for the AZGR-DC-02 VM

clip_image034

clip_image036

That ends the final part of this series. If had a lot of fun while writing these series and I really hope, it’s useful for some people. If someone has any questions about the series or a specific part of it, you can always contact me through my Twitter handle.

Till next time!

Wim Matthyssen (@wmatthyssen)

Replica DCs on Azure – Switch DNS servers for the VNet

7:18 am in Azure, Cloud, DC, DNS, hybrid cloud, IaaS, Replica DC, W2K12R2 by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica domain controllers (DCs) on Microsoft Azure which can be found here: http://scug.be/wim/2015/09/28/deploying-replica-dcs-in-windows-azure/

After we successfully installed both IaaS virtual machines (VMs) as DCs there are still some Azure related actions we can perform. One of them is changing the DNS servers used in the VNet (AZU-VNET-01) to primary use the DNS installed on both IaaS DCs. By doing this we will minimize the data (DNS related actions) out of the Azure data center, which will reduce Azure network costs. We can do this changes through use of the Azure Classic Portal or via the network configuration file (NetworkConfig.xml). I will show both steps below, so let’s get started.

By making use of the Azure Classic Portal

1) Logon to the Azure Classic Portal as a Service administrator or Co-administrator

2) In the navigation pane, click Networks and then click the name of your VNet (AZU-VNET-1)

image

3) Click Configure

image

4) In the dns servers section, delete the on premise DC (GR-DC-01) by clicking the X next to the IP ADDRESS

image

image

5) To add and register both Azure IaaS DNS servers (AZGR-DC-01 and AZGR-DC-02) with the VNet and Azure, just type their name and IP Address in the boxes. I will also add the on premise DNS server (GR-DC-01) as third failback DNS server. When added click Save

image

6) When asked click YES, this will start updating the VNet

image

image

7) When finished successfully, click OK

image

image

8) When the DNS list is updated, we must restart all IaaS VMs (AZGR-DC-01 and AZGR-DC-02) connected to the VNet, so they can pick up the new DNS settings

Before the reboot:

image

After the reboot:

image

9) To check if DNS is working like it should after the changes, ping the on premise DC (GR-DC-01). If all is OK, you should get replies like shown it the below screenshot

image

By making use of the network configuration file

1) Logon to the Azure Classic Portal as a Service administrator or Co-administrator

2) In the navigation pane, click Networks, click the name of your VNet (AZU-VNET-1) to select it and at the bottom of the screen click EXPORT

image

3) Select your SUBSCRIPTION and click het check mark button

image

4) The NetworkConfig.xml file will be downloaded. When finished click View downloads

image

5) Click Open folder

image

 

6) Right click the NetworkConfig.xml file and select Edit

image

 

7) You can see in the original file there is just one DNS servers used (GR-DC-01 – 192.168.2.4)

image

8) Change the DNS servers like in the screenshot below and save the file

image

9) Go back to the Azure portal, click NEW at the bottom, click NETWORK SERVICES, click VIRTUAL NETWORK and then click IMPORT CONFIGURATION

image

10) Browse the changed NetworkConfig.xml file and click the arrow

image

 

11) Verify the changes and press the check mark button at the bottom if all is fine

image

12) The import will start

image

13) When the import is successfully finish press the OK button

image

14) Like you can see, the DNS servers (AZGR-DC-01 and AZGR-DC-02) are added

image

15) Reboot all IaaS VMs connected to the VNet to adjust their DNS settings

That ends this part of the series. I hope it’s useful, till next time!

Wim Matthyssen (@wmatthyssen)

Replica DCs on Azure – Transferring FSMO roles to the IaaS DCs

7:27 am in Azure, Cloud, DC, FSMO, hybrid cloud, IaaS, PowerShell, Replica DC, W2K12R2 by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica domain controllers (DCs) on Microsoft Azure which can be found here: http://scug.be/wim/2015/09/28/deploying-replica-dcs-in-windows-azure/

After we successfully installed both IaaS virtual machines (VMs) as DCs and verified everything was running smoothly (time synchronization included) there is still one AD related action we can perform, namely transferring the Flexible Single Master Operation (FSMO) roles between the on premise DC and the ones running on Azure.

Like you probably all know, some of these FSMO roles (5 in total) are rarely used, such as the Schema and Domain naming Master roles, while others are highly used, such as the PDC emulator and Relative ID (RID) Master role. One thing to keep in mind is that each FSMO role only exists once in the domain and forest. When the entire domain is running on Microsoft Azure it’s completely logical that all FSMO roles are ran on a single Azure IaaS DC or split over different Azure IaaS DCs. However, in most production environments a hybrid (combination of on premise and Microsoft Azure resources) cloud scenario is used. In this case you should see Azure as any other secondary site and the placement of the FSMO roles should be treated in that way. Therefore, always assess all pros and cons before moving certain or all FSMO roles to a DC running as an Azure IaaS VM. In either case, I will show you how you can transfer all or some of the FSMO roles to one of the DCs running on Azure. In my examples all these transfers are done by use of the GUI, but you can also use the command-line tool Ntdsutil.

To transfer the FSMO role(s), a user must be a member of the following group(s):

image

Transfer the Schema Master role (GUI)

1) Logon to one of the Azure IaaS DCs (AZGR-DC-01), open the Schmmgmt.dll library by opening Run and typing:

image

2) Press OK if the installation is succeeded

image

3) Also from the Run command open an MMC Console by typing mmc

image

4) On the Console menu, press Add/Remove Snap-in, select Active Directory Schema, click Add> and press OK

image

5) Right-click the Active Directory Schema icon and press Operation Master…

image

6) Click Change

image

7) Click Yes

image

8) Click OK

image

image

Transfer the Domain Naming Master role (GUI)

1) Logon to one of the Azure IaaS DCs (AZGR-DC-02), open Administrative Tools and click on Active Directory Domains and Trusts

image

2) Right-click the Active Directory Domains and Trusts icon and press Operation Masters…

image

3) Press the Change button

image

4) Press Yes to confirm the change

image

5) Press OK

image

image

Transfer the RID Master, PDC Emulator and Infrastructure Master role (GUI)

  • The RID master role and the PDC emulator role should be owned by the same DC as a best practice

1) Logon to one of the DCs running on Azure (AZGR-DC-01 or AZGR-DC-02) trough RDP, open Run and type dsa.msc and press OK

image

2) When the Active Directory Users and Computers window is opened right click the domain and click Operations Masters…

image

3) In the Operations Masters window, each tab will show you who the current Operations master is for a specific FSMO (RID, PDC and Infrastructure). For example, the RID Operations master is shown in the screenshot below

image

4) To transfer the role just press Change…

image

5) Select Yes

image

6) Press OK

image

7) Like you can see the role is transferred to AZGR-DC-02

image

8) If you want to transfer another role for example to AZGR-DC-01, select Active Directory Users and Computers and select Change Domain Controller…

image

9) Select AZGR-DC-01 out of the list and press OK. This will switch the DC

image

image

10) Now repeat steps 2 till 6 to switch the Infrastructure role to AZGR-DC-01

image

Check the location of all FSMO roles (PowerShell)

1) Logon to one of the DCs running on Azure (AZGR-DC-01 or AZGR-DC-02) trough RDP and open PowerShell as an Administrator

2) Run following command (save as .ps1 or run directly)

image

That ends the this part of this series. Please continue through the rest of the series to complete the setup (if all are available). Till next time!

Wim Matthyssen (@wmatthyssen)

Replica DCs on Azure – Manage the Time Configuration settings on the DCs

1:46 pm in Azure, Cloud, DC, hybrid cloud, IaaS, PowerShell, Replica DC, Time Service, W2K12R2 by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica domain controllers (DCs) on Microsoft Azure which can be found here: http://scug.be/wim/2015/09/28/deploying-replica-dcs-in-windows-azure/

Because time management is one of the most critical things to take care of in an AD domain, I will discuss this topic in this part of the series. Like you probably all know, all DCs should be in time synchronization with the DC holding the PDC Emulator role. This DC is responsible for the time in the AD environment. Therefore it’s a best practice to manually set this server to synchronize his time with an external time source on the Internet (time.windows.com, be.pool.ntp.org, us.pool.ntp.org, …). In their place all other DCs sync their time with the this PDC Emulator.

Other than the DCs, all member servers and workstations will sync time with their authenticated DC. Be aware that when the local time of a server or workstation is out of sync (more than 5 minutes – default setting) Kerberos authentication will fail and users won’t be able to login. Besides all that, time stamps are also used in AD replication process. Below I will list some commands you can run in PowerShell, which will manage the time configuration settings on the DCs. Some oh these commands can also be used on a member server or even on a workstation. I hope you have some time to go through it.

 

 

* Picture source: https://technet.microsoft.com/en-us/library/cc773013.aspx

Check and set the Time Zone on a DC (PowerShell):

1) Logon to one of the DCs, open PowerShell and check the Time Zone via following cmdlet:

clip_image003

2) To set the time zone, run following command:

clip_image005

Set the DC which holds the PDC Emulator role to synchronize time with an external time server (PowerShell):

1) To find the server who holds the PDC Emulator FSMO role run following PowerShell command:

clip_image007

2) Logon to the DC holding the PDC Emulator role (GR-DC-01), open PowerShell As an Administrator and run the below command to check the current time against an external time server (time.windows.com):

clip_image009

3) The following command needs to be run on the PDC Emulator (GR-DC-01). Logon to an Azure DC, open PowerShell as an Administrator and run the below command to set the current time in synchronization with an external time server (time.windows.com):

clip_image011

4) The following command needs to be run on the Azure IaaS DCs (or all other DCs not holding the PDC Emulator role). Logon to an Azure DC (AZGR-DC-01), open PowerShell as an Administrator and run the below command to set the current time in synchronization with the PDC Emulator (GR-DC-01):

clip_image013

5) To check if all if the time settings are applied correctly, open up PowerShell (as admin) again and run following command. If you run this on the PDC Emulator and on another DC, you should see different settings under [TimeProviders] if all is configured well:

clip_image015

clip_image017

This concludes this part of the series, but if you’re interested in reading more about the Windows Time Service you can do so via following Microsoft TechNet article: Windows Time Service Technical Reference

Till next time!

Wim Matthyssen (@wmatthyssen)

Replica DCs on Azure – Promote the Azure IaaS VMs to a domain controller

12:59 pm in Azure, Cloud, DC, hybrid cloud, IaaS, PowerShell by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica DCs on Microsoft Azure which can be found here: http://scug.be/wim/2015/09/28/deploying-replica-dcs-in-windows-azure/

We will start were we left of in the previous blog post http://scug.be/wim/2016/06/06/replica-dcs-on-azure-add-the-active-directory-domain-services-role/ . We have just installed the Active Directory Domain Services (AD DS), so now it’s time to promote both servers to a domain controller (DC). We will use both the GUI (AZGR-DC-01) and PowerShell (AZGR-DC-02). So let’s kickoff.

Promote this server to a domain controller (GUI)

1) Logon to the server (AZGR-DC-01) as a domain administrator and open Server Manager. If you start were I left off in the previous blog post, you should see a question mark near the flag. Click on it and click on Promote this server to a domain controller

image

image

2) Select Add a domain controller to an existing domain. Normally the correct Domain is filled in automatically, if this is not the case select the proper domain or enter the domain name in the field provided. Select a user (Enterprise Administrator) who has to rights to add a domain controller to the domain and apply the proper credentials

image

3) Select both Domain Name System (DNS) server and Global Catalog (GC). Select the Site (AZU-VNET-1) to which the DC belongs. Fill in the Directory Services Restore Mode (DSRM) password and click Next. As a quick comment I just want to remind you that for best practice reasons this password should be documented, as it can help you to gain access to the AD environment in the event that all domain administrator accounts lose access

image

4) Since we are not using a parent zone, you will receive below warning message A delegation for this DNS server cannot be created because the authoritative zone cannot be found… We may ignore the warning message, as this will not affect whether the DNS feature gets installed. Click Next

image

5) In the Replicate from field select the on premise DC (GR-DC-01) to replicate from and click Next

image

6) Select as location for the AD DS database, log files and SYSVOL data the added Azure data disk with drive letter E: and click Next

image

7) The following window summaries all selected options. If all is right click Next

image

8) If the prerequisites check passes successfully, click Install

image

9) Installation will start and once it’s completed, by clicking on the Close button, the server will reboot. If the server is restarted the DC setup is completed

image

image

image

 

Promote this server to a domain controller (PowerShell)

1) Logon to the server (AZGR-DC-02) as a domain administrator and open PowerShell as Administrator

2) Run following PowerShell automation script (store with .ps1 extension or copy and run directly) to promote this server to a DC:

image

3) When asked enter a username and password (this user should have Enterprise Administrator rights)

image

4) Fill in the Directory Services Restore Mode (DSRM) password and confirm it a second time

image

5) Installation will go on and when succeeded the server will reboot. After the restart the DC installation is completed

image

image

This ends the seventh part of the series. Still a few steps to go, so please continue through the rest of the series to complete the setup. Till next time!

Wim Matthyssen (@wmatthyssen)

Replica DCs on Azure – Add the Active Directory Domain Services role

2:57 pm in Azure, Cloud, DC, hybrid cloud, IaaS, PowerShell by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica DCs on Microsoft Azure which can be found here: http://scug.be/wim/2015/09/28/deploying-replica-dcs-in-windows-azure/

As a next step we need to install the Active Directory Domain Services (AD DS) role. We can do this trough the GUI (on Azure IaaS v1 VM 1 – AZGR-DC-01) or with the use of PowerShell (on Azure IaaS v1 VM 2 – AZGR-DC-02). Below I will show you both.

Install AD DS (GUI)

1) Logon to the server trough RDP, open Server Manager, on the Dashboard select Add roles and features

image

2) Click Next on the Before you begin screen

3) Select Role-based or feature-based installation and click Next

4) Select to correct server and click Next

5) Select Active Directory Domain Services

image

6) On the screen popped up, select Add Features

image

7) Click Next on the Select server roles page

image

8) Click Next

image

9) Click Next

image

10) Click Install

image

11) Wait until the installation is finished and then click Close

image

image

 

Install AD DS (PowerShell)

1) Logon to the server trough RDP and open a PowerShell window (as an administrator)

2) To install AD DS, run the following command as shown below

image

image

image

3) You can also verify the success of the role installation by running following command

image

That ends this part of the series. In the next part we will start were we ended, with the promotion of the server to a DC. So please continue through the rest of the series to complete the setup. Till next time!

Wim Matthyssen (@wmatthyssen)

Microsoft Azure Backup Server: System State backup fails with WSB Event ID: 546

7:07 am in Azure, Azure Backup, DC, IaaS, Microsoft Azure Backup Server, PowerShell, Public Cloud by Wim Matthyssen

After setting up a Microsoft Azure Backup Server (MABS) running on an IaaS v1 VM for a customer, I encountered a problem with a System State backup. The server having the problem was a Domain Controller (DC) also running as an Azure IaaS v1 VM and a member of the Domain Controller Protection Group on the MABS server. You can see the error message found on the MABS server in the screenshot below

clip_image002

“DPM cannot create a backup because Windows Server Backup (WSB) on the protected computer encountered an error (WSB Event ID: 546, WSB Error Code: 0x1751870). (ID 30229 Details: Internal error code: 0x80990ED0)”

On the DC itself following error message was found:

clip_image004

“The backup operation attempted at ‘‎2016‎-‎05‎-‎10T14:00:28.139491000Z’ has failed to start, error code ‘2155348032’ (The backup storage location is invalid. You cannot use a volume that is included in the backup as a storage location. ). Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.”

To fix this problem I followed the steps below:

1) On the server with the problem, verify if no other backup or recovery operation is running by opening a PowerShell window (as administrator) and typing:

clip_image006

If the command output indicates that no operation is running, then you can proceed to step 2. Otherwise wait until the current job is completed and retry the failed System State backup job

2) In the same PowerShell windows type the following command:

clip_image008

Verify of the writer named System Writer is running Stable and without any errors. If so proceed to step 3. Otherwise manually restart the VSS Writer, if it fails again it’s necessary to reboot the server

3) Open Services and verify if the Cryptographic Services is running and set to startup Automatically.

clip_image009

clip_image011

4) The check if Windows Server Backup (WSB) is able to take a local System State Backup, open up PowerShell (as an administrator) and run the below command. When asked press (Y). Be aware it could take a while before the job completes:

clip_image013

clip_image015

clip_image017

If the backup is successfully proceed to step 5. Otherwise check the Windows event viewer for other errors

5) Open the registry editor and go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wbengine. Create a key called SystemStateBackup and set the values of this entry as follows:

Name: AllowSSBToAnyVolume
Data type: DWORD
Value data: 1

clip_image018

clip_image020

You also can use PowerShell (as an administrator) to create the registry key, to do so run following command:

6) When done, logon to the MABS server and retry the failed System State backup job by right-clicking and selecting Perform consistency check … Verification will start and at the end the job will complete with success

clip_image022

image

This concludes this blog post, hope it’s useful. Till next time!

Wim Matthyssen (@wmatthyssen)

Replica DCs on Azure – Adjustment of some server settings before promoting the DCs

9:05 pm in Azure, Cloud, DC, hybrid cloud, IaaS, PowerShell by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica DCs on Microsoft Azure which can be found here: http://scug.be/wim/2015/09/28/deploying-replica-dcs-in-windows-azure/

Before we promote the servers to DCs, we can do some configuration like for example adding the server(s) to the domain, place the server(s) in the correct organizational unit (OU), create an inbound rule in Windows Firewall to allow ICMPv4 and set the correct time zone. Installing all Windows Updates is also an important step to do for security reasons, but also to fix problems or to foresee additions to the operating system (OS). Below I will show you how you can do all of the above by using the GUI or/and trough PowerShell.

Add the server to the domain (GUI)

1) Logon to the server trough RDP, open Server Manager, select Local Server and select WORKGROUP

image

2) Click Change…

image

3) Fill in the name of the Domain (for example contoso.local) and when asked enter a username and password of an account who is able to add a server to the domain. Click OK

image

4) Click OK when the “Welcome to the contoso.local domain.” shows up

image

5) Click OK

image

6) Click Close

image

7) Click Restart Now

image

8) After the reboot the server is added to the domain

image

Add the server to the domain (PowerShell)

1) Logon to the server trough RDP and open PowerShell as an administrator. Run following cmdlets (replace contoso.local by your own domain name):

image

2) When asked restart the server with following cmdlet:

image

3) After the reboot the server is added to the domain

image

 

Place the server(s) in the correct OU (GUI)

1) Logon to an on premise DC and open Active Directory Users and Computers by opening Run and typing dsa.msc. Click OK

image

2) Click Action and select Find…

image

3) In the Find Computers screen, select Computers in the Find: field and Entire Directory in the In: field. Type the name in the Computer name field (in my case I typed I the 4 first characters of both Azure IaaS VMs who will be promoted to DC)

image

4) Select both servers and right-click. Select Move…

image

5) Select the correct OU (in my case DC) and click OK. Close the Find Computers window

image

6) After a refresh (F5), the servers are added to the correct OU

image

 

Place the servers in the correct OU (PowerShell)

1) Logon to an on-premise DC trough RDP and open PowerShell as an administrator. Run following cmdlets (replace contoso.local by your own domain name):

image

2) After a refresh (F5), the servers are added to the correct OU

image

 

Install Windows Updates (GUI)

1) Logon to the server trough RDP, open Run and type wuapp.exe. Click OK

image

2) To change Windows Update settings (mostly already taken care of with a GPO), click Change settings

image

3) Change the settings like your company prefers. Press OK

image

4) The server will start Checking for updates…

image

5) Install all necessary updates and if needed reboot (repeat this step until all updates are installed)

image

 

Enable ICMPv4 rule in Windows Firewall (PowerShell)

1) Logon to the server trough RDP and open PowerShell as an administrator. Run following cmdlet:

image

2) Like you can see the rule is created and I’m now able to ping the server

image

image

 

Set the time zone (PowerShell)

1) Open up PowerShell as an administrator and run the following command:

image

image

 

Enabling the High Performance Power Plan (PowerShell)

1) Open up PowerShell as an administrator and run the following script:

image

image

 

That ends the fifth part of this series. Please continue through the rest of the series to complete the setup (if all are available).

Till next time!

Wim Matthyssen (@wmatthyssen)