How to install Microsoft Azure Backup Server v2 on Windows Server 2016

June 8, 2017 at 7:53 pm in Azure, Azure Backup, Hybrid backup, MABS, MABS v2, Microsoft Azure Backup, Microsoft Azure Backup Server, Microsoft Azure Backup Server v2, Modern Backup Storage, PowerShell, Windows Server 2016 by Wim Matthyssen

Last week Microsoft released the second version (v2) of their Microsoft Azure Backup Server (MABS v2). As a hybrid backup solution, this new release based on System Center Data Protection Manager 2016 (SCDPM 2016) enables you to store data onto disk (low RTO) and in Azure (long retention, up to 99 years). MABS v2 uses RCT-based change tracking by using Windows Server 2016. This makes backups more reliable and scalable, but also improves backup performance (backup jobs could be up to 70 percent faster). MABS v2, which is included with the Azure Backup service and currently has version number 12.0.332.0., now not only supports Windows Server 2016 (W2K16) but also vSphere 6.5 (Preview mode). Beside those, you can also use it now to backup business critical Microsoft workloads such as SQL 2016, SharePoint 2016 and Exchange 2016. Those can be running on premise (physical servers, Hyper-V or VMware) or in the Azure cloud. As a nice extra, you can also back up Windows 10 client workloads.

clip_image002

In a previous blog post, I already told you all about MABS v1 on how to install it on a Windows Server 2012 R2. In this blog post, I will show you how you can deploy MABS v2 on a W2K16 server.

MABS v2 server requirements

  • MABS v2 can be installed as an on premise standalone physical server or VM, but also as an Azure IaaS VM (minimum size A2 Standard).
  • MABS v2 will run on following supported Operating Systems: Windows Server 2012 R2 and Windows Server 2016 (is required if you want to use the Modern Backup Storage feature).
  • MABS v2 must be domain joined. Be sure to add the server to the domain before the MABS installation. Microsoft does not support adding this server to the domain after the MABS installation.
  • The processor minimum requirements for a MABS v2 server are 1GHz dual-core CPU, recommended 2.33 GHz quad-core CPU.
  • The minimum RAM needed by a MABS v2 server is 4GB, recommended is 8 GB.
  • The recommended hard drive space is 3 GB.
  • MABS v2 must have .NET 3.5 SP1, .NET 4.6.1 features installed as a prerequisite.
  • MABS v2 should also have Hyper-V PowerShell installed.
  • MABS v2 should be running a dedicated, single-purpose server. Either it cannot be running on the same server, which has SCDPM or a SCDPM agent installed.
  • A validate Windows Server license is needed for the MABS v2 server.
  • The MABS v2 server needs to have access to the Internet because Microsoft Azure should be accessible from the MABS server.
  • To temporarily store, the largest restore from the Azure cloud, some scratch space is required when needed. So keep approximately 5 % of the total amount of data that needs to be backed-up to the cloud free on the C: drive.
  • A separate data disk for the backup storage pool is required. Like every other backup product the recommendation for the size of this disk is 1.5 times the size of the data you are going to protect.

MABS v2 prerequisites installation

Before we start the prerequisites installation, be shore to have a Recovery Services vault in place (create a new one, or use an existing) and download the vault credentials. When downloaded, place this file on the C:\Temp folder of the MABS server.

clip_image004

clip_image006

To install all required prerequisites, logon to the server you wish to use for your MABS v2 installation, open PowerShell and administrator and run the following commands to install .NET 3.5 SP1 and Hyper-V PowerShell (be shore to have the Windows Server 2016 installation ISO mounted – in my example to the D: drive). Be aware the server will reboot when the installation is completed. You can also download the complete script (.ps1) from the Microsoft TechNet Gallery.

clip_image008

MABS v2 software download

To download the MABS v2 software open PowerShell as an administrator and run the following PowerShell script. You can download the complete script (.ps1) from the Microsoft TechNet gallery. The script will download all the necessary files (8 files), extract them and start the setup.

MABS v2 installation

Click Microsoft Azure Backup Server to launch the setup wizard.

clip_image010

Setup will start copying some temporary files.

clip_image012

On the Welcome screen, click the Next.
clip_image014

This opens up the Prerequisite Check section. On this screen, click on the Check button to determine if the hardware and software prerequisites for Azure Backup Server have been met. If all of is OK, you will see a message indicating that the machine meets the requirements. Click Next.

clip_image016

On the SQL Settings page select, Install new Instance of SQL Server with this Setup, to install SQL 2016 SP1. Click Check and Install. You could encounter some error messages. If so follow the instructions and most likely, you should reboot the server and start the MABS installation all over again.

clip_image018

If the computer meets, the software and hardware requirements click Next.

clip_image020

Provide a location for the installation of all the files and click Next. In my example, I changed all locations to my E: drive.
clip_image022

Provide a strong password for restricted local user accounts (this password will not expire) and click Next.
clip_image024

It is strongly recommended to use Microsoft update when you check for updates because this will offer all security and important updates for MABS. Select whether to use Microsoft Update or not and click Next.

clip_image026

Review all settings and if all are OK click Install.

clip_image028

clip_image030

Click Next to start the Microsoft Azure Recovery Service Agent installation.

clip_image032

Click Install.

clip_image034

clip_image036

When the agent installation is completed, click Next.

clip_image038

Provide your vault credentials to register the machine to the Azure backup vault. Click Next.
clip_image040

Provide a passphrase to encrypt/decrypt the data sent between Azure and your premises. You can automatically generate a passphrase or provide your own minimum 16-character passphrase. Also, enter a location to save the passphrase. If all is done click Next.

clip_image042

Once registration succeeded the wizard proceeds with the installation and configuration of SQL Server 2016 SP1. This could take some time.

clip_image044

clip_image046

It is possible that you receive the following error message, if so just click OK (you can change the staging area after the MABS setups completes).
clip_image048

When setup completes successfully, click Close.
clip_image050

Double click the Microsoft Azure Backup server icon on your desktop to launch MABS.

clip_image052

clip_image054

You can also verify if the MABS server connection to the Recovery Services vault. To do so go to your Recovery Services vault, click Overview and click Backup management servers. There you should see the newly installed MABS server.

clip_image056

As a final step, do not forget to run Windows update to install all necessary updates after the MABS installation.

clip_image058

Now you are ready to start working with this brand new product. Have fun and till next time!

Wim Matthyssen (@wmatthyssen)

New features for Azure Backup and Azure Site Recovery released

June 1, 2017 at 10:02 am in Azure, Azure Backup, Azure Site Recovery, Cloud, Modern Backup Storage, Windows Server 2016 by Wim Matthyssen

Microsoft was very busy on the last day of May, because yesterday they launched many new features, not only for Azure Backup but also for Azure Site Recovery. I tried to list some of them below.

Azure Backup

  • Windows Server System State backups with Azure Backup now in public preview

This new extension allows the Azure Backup agent (MARS Agent) to integrate with the Windows Server Backup feature that is available natively on every Windows Server. It allows and provides seamless and secure backups of your Windows Server System State directly to Azure without the need to provision any on-premises infrastructure.

You can read more about it here

 

clip_image002

  • Microsoft Azure Backup Server v2 released which allows Windows Server 2016 and vCenter/ESXi 6.5 protection

This week Microsoft also released the second version (v2) of their Microsoft Azure Backup Server (MABS v2), which supports Windows Server 2016, vSphere 6.5 and the latest business critical applications such as SQL 2016, SharePoint 2016 and Exchange 2016. This new version is available for download from a Recovery Services vault in the Azure Portal or directly from here.

 

clip_image004

If you are interested to read more about MABS v2 you can do so over here

An important remark to make is that when you install MABS v2 on a Windows Server 2016 the VMware protection will be in preview mode, because VMware first needs to release support for VDDK 6.5.

In addition, the UserVoice I opened to address this issue to the Azure Team will be closed, so everyone who voted will get some votes back.

  • Introducing Modern Backup Storage with Azure Backup Server on Windows Server 2016

With the latest release of Azure Backup Server (MABS v2), which is based on System Center Data Protection Manager 2016 (SCDPM 2016), Modern Backup Storage can be used. This technology will improve performance and reduces consumption (50 % disk storage savings and 3x faster backups) by leveraging ReFS block cloning and deduplication.

 

clip_image006

You can read more about it here

 

Azure Site Recovery

  • Disaster recovery for Azure IaaS virtual machines with Azure Site Recovery is now in public preview

This will allow you to use Azure Site Recovery (ASR) to easily replicate and protect IaaS based applications running on Azure to a different Azure region of your choice without deploying any additional infrastructure components or software appliances in your subscription.

 

clip_image007

You can read more about it here

 

Enjoy reading about these nice new features and have fun testing them out.

Wim Matthyssen (@wmatthyssen)

Azure Security Center: Endpoint Protection installation failed with “Permission denied”

May 18, 2017 at 2:56 pm in Azure, Azure Security Center, Cloud, Endpoint Protection, Microsoft Antimalware by Wim Matthyssen

Most of you who are already familiar with Azure Security Center (ASC), know that it periodically analyzes the security state of your Azure resources. Whenever Security Center identifies a potential security vulnerability, it creates a recommendation. Last week when trying to apply the solution for such a Recommendation, namely Install Endpoint Protection, the Endpoint Protection installation failed with “Permission denied”.

clip_image002

The error showed that the installation failed because of an RBAC issue (permission error), However, the user used was a Subscription co-admin (Role Owner), so that could not cause the problem because he has all permissions needed.

Because Endpoint Protection is deployed as an extension and deployments of extensions are handled by the VM agent, my next troubleshoot step was to check the log of Azure VM agent on that particular VM.

The path to access this log is: “C:\WindowsAzure\Logs\WaAppAgent.log

clip_image004

clip_image006

But also no issue over here.

Therefore, after troubleshooting for some time, I finally opened a support request to Microsoft. As a response to this request, Microsoft confirmed that this error is under investigation of the product team and that there currently is a design change request in the making to get this problem fixed. For the moment, the problem only occurs in some Azure Regions. In the meantime as a temporary workaround in wait for the real fix, they suggest to install the Azure Antimalware extension from Compute or Azure PowerShell instead of with ASC.

To deploy the Azure Antimalware extension using the Azure Portal you can follow these steps:

Log in to the Azure portal

Select the VM, select Extensions and click Add on the Extensions blade

clip_image008

Select Microsoft Antimalware and click Create on the Microsoft Antimalware blade

clip_image010

To enable Antimalware with the default settings just click OK without putting in any configuration values. If you prefer you can also configure it with your own settings and values

clip_image012

Once the extension successfully installs, it reflects in ASC and the recommendation for that specific VM is gone. Hope this helps!

Wim Matthyssen (@wmatthyssen)

Azure PowerShell: Migrate an Azure ASM Virtual IP address (VIP) to an ARM Public IP address (PIP)

May 9, 2017 at 12:13 pm in ARM, ASM, Azure, Azure PowerShell, Cloud, PIP, Public Cloud, Public IP address, VIP, Virtual IP address by Wim Matthyssen

The last weeks, I am assisting some customers with the migration of their existing Azure Service Manager (ASM) VMs to the Azure Resource Manager (ARM) portal. Most of those workloads are migrated with the use of Azure Site Recovery (ASR). The only thing ASR cannot handle for the moment is the migration of the Cloud Services Virtual IP Address (VIP). This public IP address can for example used by an IIS website running on a specific IaaS virtual machine (VM) which is part of that Cloud Service. You can work around this problem, as in many of these cases, by using Azure PowerShell. Below I will wake you through this process with an example.

Overview used Azure VMs:

clip_image002
1) First, we need to login and prepare the ARM environment. To do so run following PowerShell commands (change variables as needed):

clip_image004

clip_image006

2) Next we need to login to the ASM environment

clip_image008

3) As the next step we need to reserve the public IP Address

clip_image010

4) Next we need to de-associate the Reserverd IP address from the Cloud Service. Press Yes when asked

clip_image012

clip_image014

5) When you now check the list of reserved IP addresses, it will show the reserved IP address 40.68.191.13 as unassigned. The attribute InUse is set to False and the ServiceName and DeploymentName attributes are empty

clip_image016

6) Also check if the Reserved IP address is valid for migration

clip_image018

7) Next we need to prepare the Reserved IP address for migration

clip_image020

8) Now run the following PowerShell command to finalize the migration of the Reserved IP address

clip_image022

9) You can verify the availability of the migrated Public IP address by login in to the Azure portal. Under Public IP address, you should see the resource with the correct IP address

clip_image024

clip_image026

10) Now, you can move this resource to the correct resource group. When you do so, and your asked to Confirm the move, click Yes

clip_image028

clip_image030

clip_image032

11) Afterwards you can assign the public IP address to whichever resource you would like

clip_image034

clip_image036

That concludes this blog post. Hope it comes to your use.

Wim Matthyssen (@wmatthyssen)

Azure IaaS: Build a VM from a Bring your Own License (BYOL) image with Azure PowerShell

April 24, 2017 at 9:16 am in ARM, Azure, Azure Hybrid Use Benefit, BYOL, Cloud, IaaS, PowerShell by Wim Matthyssen

For all people who do not yet know, with the Azure Hybrid Use Benefit you can use your on-premises Windows Server licenses that includes Software Assurance for Windows Server (Standard and Datacenter Editions) virtual machines (VM) in Azure. More recently also Azure Hybrid Use Benefits for Windows Client which includes Windows 10 (only Enterprise customers with Windows 10 Enterprise E3/E5 per user or Windows VDA per user – User Subscription Licenses or Add-on User Subscription Licenses – are eligible) came in Preview.

By using your existing licenses, you only pay for the base compute rate (equal to the Linux rate for VMs) without the Windows licenses cost, which can save you up to 40 %.

You can download the Azure Hybrid Use Benefit datasheet here

clip_image002

These days it’s even simpler to deploy a new Azure server VM whit your own on premise license via the Windows Server BYOL images available in the Azure Marketplace. There are images available for the following Server Oss (*be aware that not all Azure Subscriptions can use the BYOL images):

  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016 (not available in all regions)

You can search for the Windows Server images by running following PowerShell command:

clip_image004

In the above screenshot, you can see that some Skus now contain the BYOL suffix.

You can search for the Windows Client images by running following PowerShell command:

clip_image006

To build a VM with from a BYOL image you can run following Azure PowerShell script (adjust all variables for your own use):

clip_image008

The script is also available on Microsoft TechNet

When the script is completed and the VM is build, you can log into the VM via remote desktop. Like you can see the VM is not registered and you’ll able to use your own Windows product key.

clip_image010

Hope this comes in handy!

Wim Matthyssen (@wmatthyssen)

Azure IaaS: VM status Running (Installing Extensions)

March 29, 2017 at 6:13 am in ASM, Azure, Azure PowerShell, Cloud, IaaS, Installing Extension, Microsoft, Public Cloud by Wim Matthyssen

Last week while migrating Azure IaaS VMs from ASM to ARM, I noticed that one VM was showing the status “Running (Installing Extension)” in the Azure Classic portal. When I tried to connect to that specific VM with RDP no connection could be made. This status also prevented me from doing some automation activities, the VM however still responded to a ping.

clip_image002

When I opened the DASHBOARD page of the VM and looked at the extensions, I saw that the Microsoft.Compute.VMAccessAgent showed following error:

clip_image003

The simplest way I found to resolve this error was to delete the extension, and add it back. To do so login to the Azure portal with your Azure account. Go to Virtual Machines and click on the specific VM. On the opened blade select Extensions, right click the VMAccessAgent and click Delete. When asked to delete the extension select Yes

clip_image005

clip_image006

clip_image007

clip_image008

To reinstall the VMAccess extension open PowerShell ISE, connect to your Azure subscription with your Azure account and run the following command (replace cloud service name and VM name by your own)

clip_image010

To check the current status of the extension, run following command (replace cloud service name and VM name by your own):

clip_image012

Or you can also check trough both Azure portals

clip_image014

clip_image016

After the reinstallation of the VMAccessAgent, it ran with STATUS Success and I was able to reconnect to the VM with RDP. This concludes this blog post, hope it helps whenever you have this issue.

Wim Matthyssen (@wmatthyssen)

Microsoft Azure Backup Server: Anti-Virus Exclusions

March 3, 2017 at 1:05 pm in Anti-Virus Exclusions, Azure, Azure Backup, Cloud, hybrid cloud, MABS, Microsoft Azure Backup Server by Wim Matthyssen

Running a solid, constantly updated antivirus product on your servers is a necessity to keep a healthy and secure server environment. However, with installing an antivirus product, you also risk having issues with certain workloads and services on those severs. Just like System Center Data Protection Manager (SCDPM), the Microsoft Azure Backup Server (MABS) is compatible with most antivirus software products. Though, the implemented antivirus product can also affect MABS performance and, if not configured properly, can cause data corruption of replicas and recovery points.

clip_image002

So, to avoid file conflicts and to minimize performance degradation between your MABS server and the antivirus software running on top of it, you should disable real-time monitoring by the antivirus software for all of the following processes and directories, which are listed below.

MABS processes to exclude from antivirus real-time monitoring

For information about configuring real-time monitoring based on process name or folder name, check the documentation of your antivirus vendor.

  • DPMRA.exe (*full path: C:\Program Files\Microsoft Azure Backup\DPM\DPM\bin\DPMRA.exe)
  • csc.exe  (*full path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -> you can also exclude csc.exe in all the other Microsoft.NET Framework folders)
  • cbengine.exe (*full path: C:\Program Files\Microsoft Azure Backup\DPM\MARS\Microsoft Azure Recovery Services Agent\bin\cbengine.exe)

 

clip_image004

clip_image006

clip_image008

 

MABS directories in the MABS Program Files folder to exclude from antivirus real-time monitoring

Be aware that when you installed MABS on another drive then “C:”, like in the example below, look under the correct drive for the folders to exclude.

  • C:\Program Files\Microsoft Azure Backup\DPM\DPM\Temp\MTA\*
  • C:\Program Files\Microsoft Azure Backup\DPM\DPM\XSD\*
  • C:\Program Files\Microsoft Azure Backup\DPM\DPM\bin
  • C:\Program Files\Microsoft Azure Backup\DPM\MARS\Microsoft Azure Recovery Services Agent\bin
  • C:\Program Files\Microsoft Azure Backup\DPM\DPM\Cache (*MABS scratch folder)

 

clip_image010

clip_image012

clip_image014

clip_image016

clip_image018

 

Delete infected files on the MABS server

As a final remark, I would also advise to configure to delete infected files by default on the MABS server rather than automatically cleaning or quarantining them. Automatic cleaning and quarantining can result in data corruption because these processes cause the antivirus software to modify files, making changes MABS cannot detect.

 

In summary, there are a lot of antivirus settings you should keep track of when running MABS. I’ve tried to list all of the exclusions, so hopefully it will help you with getting the most out of your MABS setup. If you have any questions, feel free to contact me through my Twitter handle.

Wim Matthyssen (@wmatthyssen)

PowerShell: BgInfo Automation script

February 23, 2017 at 9:19 am in BgInfo, Client Hyper-V, Hyper-V, PowerShell, scvmm, VM Template, Windows Server 2016, Windows Sysinternals, WS2016 by Wim Matthyssen

Probably everyone knows the Windows Sysinternals tool BgInfo (currently version 4.21). For those who don’t, it’s a great free tool which captures system information from a workstation or server (probably where it is the most useful) and displays the catched data on the Desktop of that machine. It can show useful information like, DNS settings, used IP Addresses, computer name, domain name, OS version, memory, etc. If you want to read more about this tool you can do so via following link: https://technet.microsoft.com/en-us/sysinternals/bginfo.aspx

Whenever I create a new Windows Server 2016 Virtual Machine (VM) template for customers, I mostly add this tool in the base image (also called golden image) and set it so it starts up automatically whenever a user logs on to the server. To automate this process, I wrote a PowerShell script which does all of the following:

  • Download the latest BgInfo tool
  • Create the BgInfo folder on the C drive
  • Extract and cleanup the BgInfo.zip file
  • Download the logon.bgi file which holds the preferred settings
  • Extract and cleanup the LogonBgi.zip file
  • Create the registry key (regkey) to AutoStart the BgInfo tool in combination with the logon.bgi config file
  • Start the tool for the first time

Prerequisites

Windows PowerShell 5.0

PowerShell script:

To use the script copy and save the above as BGInfo_Automated_v1.0.ps1 or download it here. Afterwards run the script with Administrator privileges from the server you wish to use for your VM template. If you want to change configuration settings, just open the logon.bgi file and adjust the settings to your preferences.

image

image

image

image

Hope this script comes in handy for you. If you have and questions or recommendations about it, please contact me through my twitter handle.

Wim Matthyssen (@wmatthyssen)

Microsoft Azure Backup Server: Error when installing on Windows Server 2016 – The Single Instance Store (SIS) component is not installed

January 30, 2017 at 3:36 pm in Azure, Azure Backup, hybrid cloud, MABS, Microsoft Azure Backup, Microsoft Azure Backup Server, PowerShell, Public Cloud, SIS, SIS-Limited, Windows Server 2016, WS2016 by Wim Matthyssen

 
Hi All,

Last week I was contacted by a customer who tried to install Microsoft Azure Backup Server (MABS) on an on-premise Windows Server 2016. However, when he started the installation he always received an error because a prerequisite was not installed, namely the Single Instance Store (SIS) component.

 
clip_image002

When opening the DpmSetup.log with PowerShell (as Administrator), you could see the following error:

 

clip_image004

However, when you try to install this missing component through PowerShell it gives you an Error: 0x800f080cFeature name SIS-Limited is unknown.

clip_image006

The reason for this is that because from Windows Server 2016 the SIS-Limited component is replaced by Microsoft’s deduplication or data footprint reduction (DFR) technology, like you can read in the following article from MVP Greg Schulz: http://storageioblog.com/rip-windows-sis-single-instance-storage-or-at-least-in-server-2016/

Also, when you go to the Microsoft Azure Backup Server download page and you expand System Requirements you can see that Windows Server 2016 at the present time is not listed as a supported Operating System (OS) to deploy MABS, probably because it does not have this SIS component.

clip_image008

Conclusion

Currently you’re not able to use Windows Server 2016 as OS for you MABS server. Probably in the near future Microsoft will release a new version of MABS which will allow it, but until then you need to stick with Windows Server 2012 (R2) or Windows Server 2008 R2 to install your MABS on.

Hope this helps you with this error.

Wim Matthyssen (@wmatthyssen)

How to install and use the Microsoft Azure Virtual Machine Optimization Assessment tool

January 20, 2017 at 2:41 pm in AD Assessment, Azure, Microsoft Azure Virtual Machine Optimization Assessment, PowerShell, SharePoint, SQL Assessment, SQL Server by Wim Matthyssen

Hi all,

In my first blog post of this year, I will show you how you can install and use the free optimization tool, Microsoft’s Azure Virtual Machine Optimization Assessment. This tool (current version 2.0.61228.1 – released 1/16/2017) can help you optimize performance for your Azure virtual machines (VMs) running AD, SQL or SharePoint workloads. The tool focuses on 6 key areas, including security, compliance, availability, business continuity, performance and scalability. When the tool is first started, it will present a short questionnaire about your cloud deployment, followed by an automated data collection and inspection which will analyze the selected workload running on Azure. After finishing this assessment, which could take upon an hour, a custom report is generated which contains useful advice and key recommendations on how to secure and protect this workload following Microsoft best practices.

I myself mostly use the tool when migrating VMs from on premise to the cloud or after setting up a new Azure cloud environment for a customer.

The tool has the following requirements:

  • It can be installed on any workstation or server (on premise or Azure VM) running at least Windows 7 (or later) or Windows Server 2008 (or later)
  • The server or workstation running the tool should at least have 4GB RAM, a 2 GHz dual-core processor and 5 GB of free disk space
  • The server or workstation should be joined to one of the domains of the AD forest in which the target VMs are part of
  • Microsoft .NET Framework 4.0 should be installed
  • Windows PowerShell 2.0 is also needed
  • Full Administrative access to the Microsoft Azure target environment
  • Access to the Microsoft Azure target environment via WMI
  • Full network connectivity to the Microsoft Azure target environment

Installation of the Microsoft Azure Virtual Machine Optimization Assessment tool

To get started, first download the tool (total size 70,2 MB) from here

clip_image002

clip_image004

When downloaded run MAVMOA.exe (Run as administrator) on the computer you want to run the assessment from (setup requires around 110 MB)

clip_image006

When the UAC screen pops up, click Yes

clip_image007

Agree to the License Terms and select a folder to install (I always use the default folder). Click Install

clip_image008

When the installation is completed click Close. I’ve you leave the checkmark near to Launch Microsoft Azure Virtual Machine Optimization Assessment the tool should start.

clip_image009

If the tool doesn’t start up, you can use the following PowerShell command to start it:

clip_image011

Active Directory Assessment

The user running the tool to should have read access to the target domain. When I run the AD Assessment I always use a user with enterprise admin privileges.

Open the Microsoft Azure Virtual Machine Optimization Assessment tool and select Active Directory from the drop-down menu. Optionally you can agree to upload your data to help improve this product. Click Start Assessment

clip_image012

On the next screen, you are reminded to all requirements needed for the assessment. Click Next

clip_image013

In the next part of the assessment you need to answer a set of questions regarding your environment. Click Next to start the questionnaire and answer all the questions

clip_image014

clip_image015

Once you answered all the questions, the tool will proceed to the Collect & Analyze tab where the assessing of your environment will start

clip_image017

clip_image019

When the tool is finished with the assessing, click Save and view report, and choose a location to save the Microsoft Word document (.docx)

clip_image021

clip_image023

Click Close and Yes to close the tool. You can now open the document using Microsoft Word. In my case Word is not installed on my server so I copied the document to my workstation to review it

clip_image025

If you scroll through the document when opened, you will see that each recommendation is given a percentage weighting. For example, when you resolve the problem concerning “Change your password policy to enforce a minimum password age” your Security and Compliance will improve with 5.2 %

clip_image027

clip_image029

clip_image031

SQL Assessment

Running the SQL Assessment is quite similar as running the AD Assessment, the only difference is that you have to supply the SQL Server that you want to assess.

Open the Microsoft Azure Virtual Machine Optimization Assessment tool and select SQL Server from the drop-down menu. Like before you can optionally agree to upload your data to help improve this product. Click Start Assessment

clip_image032

Click Next on the Requirements page

clip_image033

To start the questionnaire, click Next and answer all questions

clip_image034

clip_image035

On the Environment page add the SQL Server you want to get assessed. Click Next

clip_image036

clip_image037

When the tool is finished with the assessing, click Save and view report, and choose a location to save the Microsoft Word document (.docx)

clip_image038

clip_image040

After saving the document to your preferred location, click Close. When you open the document with Word afterwards, you will also see that each recommendation is given a percentage weighting just like with the AD Assessment. For example, when you resolve the problem concerning “Ensure only essential users are added to the SQL Server sysadmin server role” your Security and Compliance will improve with 2.8 %

clip_image042

clip_image044

clip_image046

I hope this helps you to get started with this nice tool. If you have any issues or questions, feel free to contact me through my twitter handle

Wim Matthyssen (@wmatthyssen)