Makecert – Azure Management Certificates

I have created this article as a reference for myself for when I need to create an Azure management certificate for tasks such as setting up Azure Automation. I hope you find it useful too.

Tip: if you regularly work with Azure then I would advise you to install the SDK as soon as you have a good internet connection, as it is ~300 MB. It is worth having as part of your standard computer build.

 

Create and Upload an Azure Management Certificate

You will need a tool called Makecert and this is available as part of the Windows SDK available here.

Download the Windows SDK installer (less than 1 MB), run it and select only the top option.


Once installed, create the certificate from the command line.

I have used the script found on this blog, which is very useful.

http://blogs.technet.com/b/cbernier/archive/2014/01/17/create-a-self-signed-certificate-for-use-with-windows-azure-using-a-windows-script.aspx

@echo off
echo This script will create an Azure certificate and export it for use in Windows Azure.
echo.
echo Computer Name
echo %computername%
echo.
echo creating folder: %SystemDrive%\certs
if not exist %SystemDrive%\certs mkdir %SystemDrive%\certs
%SystemDrive%
cd certs
echo.
dir "C:\Program Files (x86)\Windows Kits\8.1\bin\x64" | findstr /i "makecert.exe"
REM IF ERRORLEVEL n is true for exit code n OR HIGHER, so test 1 before 0 (and without an "=" sign)
IF ERRORLEVEL 1 GOTO ERROR
IF ERRORLEVEL 0 GOTO CreateCert
echo.
:CreateCert
echo creating cert and placing it in %SystemDrive%\certs
echo.
REM -r self-signed; -pe private key exportable (required for the PFX export later); -ss my -sr localmachine puts it in
REM Local Computer\Personal; -eku 1.3.6.1.5.5.7.3.2 client authentication; -len 2048 is the Azure minimum;
REM -e expiry (mm/dd/yyyy) - change it before the certificate lapses. The .cer written here holds the public key only.
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe" -r -pe -n CN=%computername%-AzureCert -ss my -sr localmachine -eku 1.3.6.1.5.5.7.3.2 -len 2048 -e 01/01/2016 automation-AzureCert.cer
echo.
echo.
goto end
:ERROR
echo makecert.exe file not found. Please check the directory path above or download and install the Windows 8.1 SDK from http://www.microsoft.com/click/services/Redirect2.ashx?CR_EAC=300135395
goto end
:end

Create a .bat file with the above script (feel free to alter the expiry date, name and so on). Run it and the certificate is created.
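Makecert.exe is deprecated in current Windows SDKs, and the same certificate can be produced from PowerShell. The following is an added example, not part of the original post or the blog it links to: it creates an equivalent self-signed client-authentication certificate with New-SelfSignedCertificate, exports the public .cer for upload and the private .pfx for your automation host. It assumes the PKI module shipped with Windows 10 / Server 2016 or later (which added the -Subject, -KeyLength, -KeyExportPolicy and -NotAfter parameters); the certificate name and output folder mirror the batch script above and are assumptions.

```powershell
# Added example (not from the original post): PowerShell replacement for the makecert step above.
$certName = "$env:COMPUTERNAME-AzureCert"            # mirrors CN=%computername%-AzureCert in the batch script
$outDir   = Join-Path $env:SystemDrive 'certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Client-authentication EKU (1.3.6.1.5.5.7.3.2) as in the makecert -eku switch; 2048-bit RSA is the Azure minimum.
# The private key is created exportable so the PFX export below works.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$certName" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(1)

# Public key only: this is the file the portal accepts under Management Certificates, and it is safe to share.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir "$certName.cer") -Type CERT | Out-Null

# Private key: whoever holds this PFX and its password can call the Service Management API for the subscription.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir "$certName.pfx") -Password $pfxPassword | Out-Null

# Record the thumbprint: the portal lists uploaded certificates by thumbprint, so this is how you match them up.
Get-ChildItem "Cert:\LocalMachine\My\$($cert.Thumbprint)" | Select-Object Subject, Thumbprint, NotAfter
```

Run it from an elevated PowerShell session (the LocalMachine store needs administrator rights). The .cer is what you upload in the portal; keep the .pfx off shared drives and rotate it before NotAfter.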


The .cer file (public key only) is created in the C:\certs folder, and the certificate with its private key is imported into the Local Computer Personal certificate store, because the script used -ss my -sr localmachine.

To export a PFX file (the certificate with its private key) for later use, open the certificate in MMC, go to the Details tab and click Copy to File. Treat the PFX like a password: anyone holding it can manage the subscription through the Service Management API.


Click Next on the first screen, then select "Yes, export the private key".


Leave defaults and press next.


Specify a password. This protects the private key, so use a strong one and store it separately from the PFX.


Enter the location to save the file and exit.

You can now upload the .cer file (public key only, never the PFX) in the Azure portal under Settings, Management Certificates, Upload.

Upload The Azure Management Certificate

Return to the Azure Portal and upload the management certificate.


 

I hope you found this useful.

Thanks for reading.


Using Azure Files (Preview)

The Azure File service lets you use highly available, scalable Azure Storage (the same storage accounts that hold blobs) as file shares for multiple virtual machines or PaaS roles. Essentially you create a cloud-based file share on resilient storage and access it over the standard SMB 2.1 protocol. The shares appear as mapped drives on the virtual machines that mount them.

 

Why use Azure Files ?

Azure Files is a great way to share persistent data between multiple servers or PaaS roles (such as websites) without having to set up file servers. This can be used to store configuration files, log files or any other data and keep it independent of any one virtual machine instance. The storage sits on highly resilient infrastructure, so there is no need to worry about the placement and accessibility of individual VHD files.

 

How much does it cost ?

Currently, during the preview, the costs are discounted by 50% and are £0.0255 per GB for locally redundant file shares or £0.0319 per GB for geo-redundant file shares. Locally redundant means the data is stored in triplicate in the same data centre; geo-redundancy adds replication to another data centre. This is set during creation of the storage account and can be changed after creation if required. Full pricing for storage can be found here: http://azure.microsoft.com/en-us/pricing/details/storage/.

 

Current Limitations and Requirements of Using Azure Files

  • Currently Azure Files is in preview, so no SLA is provided until it reaches General Availability.
    • This means you must also request access to the service, which is available on the Azure preview page.
  • Once activated (this can take minutes) you must set up a new storage account, which can be regional or assigned to an affinity group.
  • You can only create the file shares using PowerShell.
  • Read-Access Geographically Redundant Storage (RA-GRS) storage accounts are not supported; only the locally redundant and geo-redundant options are available at this time.
  • The file shares are only available to virtual machines or PaaS websites within the same datacentre as the file share storage account.
  • Access to the file shares is granted via the Azure Storage account keys. There is currently no AD integration, so anyone holding a key has full access to every share (and every blob, table and queue) in that storage account.

 

Steps Required To Get Up And Running

  1. Activate the Azure Files preview from the preview page (link above).
  2. Create a new storage account and retrieve an access key.
  3. Download the Azure file storage cmdlets, unblock, extract and import them into your PowerShell session.
  4. Install the Azure PowerShell modules and connect to your Azure subscription.
    • My previous article on how to connect to Azure using PowerShell is here.
  5. From PowerShell, set up the account credentials and create the file share.
  6. From another Azure VM, attach the file share as a mapped drive.

 

1. Activate Azure Files Preview

  • From the Azure preview page locate the Azure Files feature and click “Try it”.  Microsoft will send an email shortly after (could be minutes).


 

2. Create Storage Account

  • Create a new storage account


  • Once created, open the storage account dashboard and you will see the Files preview service listed as shown here :-


  • Click on Manage Access Keys, copy one of the keys and keep it safe for the scripting section later in section 5 below.


3. Download The Azure Storage File PowerShell Modules


 

4. Connect To Your Azure Subscription In PowerShell and Import the Storage Module

If you have not setup PowerShell to connect to Azure yet please see here.

 

#Get-AzurePublishSettingsFile
#Import-AzurePublishSettingsFile 'C:\Myfile.publishsettings'

#Set Subscription Name
$subscriptionname = 'My Demos'

Set-AzureSubscription $subscriptionname -CurrentStorageAccountName 'mcdemostore'
Select-AzureSubscription $subscriptionname

#Import downloaded storage module
Import-Module 'C:\scripts\AzureStorageFile\AzureStorageFile.psd1'

5. Create a Context for Account and Key

  • From the same PowerShell session enter the storage context which is essentially the account name and password (storage key).

The format for this is $ctx = New-AzureStorageContext -StorageAccountName <account name> -StorageAccountKey <account key>

The account name we have set up in this example is filesharestore which can be seen here to show you the context.


#Create a context for account and key (paste the key copied in step 2 in place of the placeholder)
$ctx = New-AzureStorageContext -StorageAccountName filesharestore -StorageAccountKey '<storage key>'

  • Create a New Share

This code will actually create a file share in Azure using the account and storage key used above.  We need to supply a share name.

# create a new share
$s = New-AzureStorageShare sqlbackupshare -Context $ctx

 

6. Attach The Share to Azure Virtual Machines

Log into an Azure virtual machine located in the same region as the storage account used above. We will create a persistent mapping so it remains after a reboot. To do this we store the credentials with cmdkey and map the drive using the stored credentials. Bear in mind that the storage account key is the master credential for the whole storage account and that cmdkey keeps it in the Credential Manager of the user who runs it; the mapping is also per user, so a service running as a different account (SQL Server backing up to this share, for example) will not see the drive and needs its own cmdkey entry and mapping.

  • Open an administrative PowerShell window and enter the following, substituting your own account name and storage key.
cmdkey /add:filesharestore.file.core.windows.net /user:filesharestore /pass:<storage key>
net use z: \\filesharestore.file.core.windows.net\sqlbackupshare /persistent:yes
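Steps 5 and 6 above as one re-runnable script, added here as an example and not part of the original post. It assumes the classic Azure module and the preview AzureStorageFile module are imported, that Get-AzureStorageShare is available alongside New-AzureStorageShare in that preview module, and that the VM runs Windows 8.1 / Server 2012 R2 or later for Test-NetConnection. The account and share names are the ones used in this post; the key is read at run time so it never lands in the script.

```powershell
# Added example (not from the original post): create the share if needed, check reachability, then mount it.
$accountName = 'filesharestore'
$shareName   = 'sqlbackupshare'
$smbHost     = "$accountName.file.core.windows.net"
$driveLetter = 'Z:'

# The account key is the root credential for the whole storage account (every share, blob, table and queue),
# so prompt for it rather than pasting it into the script.
$accountKey = Read-Host -Prompt "Storage account key for $accountName"

$ctx = New-AzureStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey

# Create the share only if it is not there yet (Get-AzureStorageShare errors on a missing share, hence -ErrorAction)
$share = Get-AzureStorageShare -Name $shareName -Context $ctx -ErrorAction SilentlyContinue
if (-not $share) {
    $share = New-AzureStorageShare -Name $shareName -Context $ctx
}

# Run the rest on the VM that will mount the share. "System error 64" from net use is a connectivity failure,
# so test TCP 445 first: during the preview it only succeeds from a VM in the same region as the storage account.
if (-not (Test-NetConnection -ComputerName $smbHost -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $smbHost is not reachable from this machine; mount from a VM in the storage account's region"
}

# Store the credential for this host only (Credential Manager of the current user), then map the drive so it
# survives reboots. Undo with: cmdkey /delete:$smbHost ; net use $driveLetter /delete
cmdkey /add:$smbHost /user:$accountName /pass:$accountKey | Out-Null
net use $driveLetter "\\$smbHost\$shareName" /persistent:yes
```

The share-creation half can run from any workstation with the modules installed; the mount half must run on the VM, under the account that will use the drive.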

Voila!


 

Troubleshooting Azure Files

  • Trying to mount an Azure file share using net use fails with code 64.

net : System error 64 has occurred.

The specified network name is no longer available.

This occurs as the file share is only mountable from another Azure resource (virtual machine or website) in the same region as the storage account.

  • Importing the AzureStorageFile.psd1 gives errors

    import-module : The following error occurred while loading the extended type data file:
    , C:\scripts\AzureStorageFile\AzureStorageFile\Microsoft.WindowsAzure.Commands.Storage.File.types.ps1xml(5) : Error in type

This looks like a bug as the process continues to work regardless of these errors.  If anyone knows any more please feel free to post here.

 

 

Thank you for taking the time to read this article about Azure Files !

I hope this was useful for some of you.   Do let me know if it was as that’s the reason I make these tutorials 🙂

If there are things you can add or have some good ideas about the use of Azure files also let me know so we can all share some good ideas.  This maybe where Microsoft are heading towards better support for clustering in the future but we shall wait and see !  Thanks again.

 

Mitesh

How To Use Azure Internal Load Balancing

Hi thanks for visiting.  This post will show how to set up internal load balancing which is now available in Azure virtual machines.

Why do we need internal load balancing in Azure ?

Internal load balancing (ILB) in Azure is a really useful feature which can be used to load balance services inside an Azure virtual network without exposing the endpoints to the internet. This is important for back-end services, such as web services that are called by other web services but not directly by users over the internet. An example of this is the WAC / OWA (Office Web Apps) services for SharePoint 2013. Previously, endpoints had to be opened to the internet for other SharePoint services to reach OWA if it was load balanced across servers. Now those services can call OWA internally using internal DNS A records, without going out to the internet and back in. This helps to secure your environment, as there are fewer entry points into your services.

An example of ILB used by front end services to call back end application AND database roles is shown here.

 

Environment and Requirements

Currently Azure ILB will not work on networks that are assigned to affinity groups.

My environment is an Azure subscription which has a regional network defined with subnets for each VM.  It also has a storage account to store the virtual machine VHD files and an affinity group which tells Azure which region I want to store my computer and storage objects.  Scripts are provided below.

You will also need to download and install the latest Azure PowerShell Module from here :- https://azure.microsoft.com/en-us/downloads/

to connect to your Azure subscription you could follow the guide here :-

https://miteshc.wordpress.com/2014/03/04/getting-started-with-windows-azure-powershell/

Part one of this tutorial which includes building the domain controllers is also available here :- http://t.co/Ps1PQkJHTK

 

In our demo we install IIS remotely and the script to do this is here :-

Install-WindowsFeature -Name Web-Server -IncludeManagementTools

This must be placed in a file on your local machine and called from the script.

 

Video Tutorial for creating Azure ILB

How do you create and configure Azure Internal Load Balancing ?

The only way to create an ILB in Azure at present is PowerShell, as it is not yet configurable through the Azure portal GUI. The scripts shown in the video tutorial are provided below.

# Created by Mitesh Chauhan - July 2014.
# Purpose - Use this script to create new virtual machines with static IP addresses
# Note - Currently this only works on regional networks and not networks created within an affinity group
# VMs and storage CAN be in affinity groups for static IP addressing to work, just not networks atm.
# To UPDATE EXISTING VMS. Example:
# Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM
# You must remove the static IP before replacing it with a new static IP.
# REMOVE STATIC IP - Get-AzureVM -ServiceName StaticDemo -Name VM2 | Remove-AzureStaticVNetIP | Update-AzureVM

#Get-AzurePublishSettingsFile
#Import-AzurePublishSettingsFile "D:\mysettingsfile.publishsettings"

#Set Subscription Name
$subscriptionname = 'My Demos'

#Set VM and Network Variables
# Demo credentials only. Do not keep real admin or domain passwords in a script: prompt with
# Read-Host -AsSecureString / Get-Credential or read them from a protected store.
$Adminusername = "DemoAdmin"
$Adminpassword = "Changeme9000"
$owa1name = "OWA1"
$owa2name = "OWA2"
$vmcloudservice = "owaCloudService"
$vnetname = "mcstaticvnet"

Set-AzureSubscription $subscriptionname -CurrentStorageAccountName "mcdemostore"
Select-AzureSubscription $subscriptionname

# If you have updated the Azure PowerShell modules or if there are connectivity issues
Import-Module Azure

# Set ImageName - Get latest Windows 2012 R2 build.
$ws2012r2 = (Get-AzureVMImage | where ImageFamily -eq 'Windows Server 2012 R2 Datacenter' | select -last 1).ImageName

# Test for static IP registration
# Test-AzureStaticVNetIP -VNetName MCStaticVnet -IPAddress 10.0.0.6

# Configure VM Settings for a New Static IP VM server1
# Pick an address other than the first free one in the subnet to prove the VM gets its IP by choice, not by default.
$myVM = New-AzureVMConfig -Name $owa1name -ImageName $ws2012r2 -InstanceSize "Small" | Set-AzureSubnet -SubnetNames "OWA1" | Set-AzureStaticVNetIP -IPAddress 10.0.0.69 |
Add-AzureProvisioningConfig -AdminUsername $Adminusername -WindowsDomain -Password $Adminpassword -Domain "demo" -DomainUserName $Adminusername -DomainPassword $Adminpassword -JoinDomain "demo.local" |
Add-AzureDataDisk -CreateNew -DiskSizeInGB 128 -DiskLabel "FDrive" -LUN 0

New-AzureVM -ServiceName $vmcloudservice -VMs $myVM -AffinityGroup "NEAffinityGroup" -VNetName $vnetname -WaitForBoot

# Configure VM Settings for a New Static IP VM server2
$myVM2 = New-AzureVMConfig -Name $owa2name -ImageName $ws2012r2 -InstanceSize "Small" | Set-AzureSubnet -SubnetNames "OWA2" | Set-AzureStaticVNetIP -IPAddress 10.0.0.77 |
Add-AzureProvisioningConfig -AdminUsername $Adminusername -WindowsDomain -Password $Adminpassword -Domain "demo" -DomainUserName $Adminusername -DomainPassword $Adminpassword -JoinDomain "demo.local" |
Add-AzureDataDisk -CreateNew -DiskSizeInGB 128 -DiskLabel "FDrive" -LUN 0

# Provision VM - no VNet name is needed for a VM in an existing cloud service (created above in this example)
New-AzureVM -ServiceName $vmcloudservice -VMs $myVM2 -WaitForBoot

################################
### Enable Remote PowerShell ###
################################

# Get Certificate OWA1
# Unrestricted is broader than needed: RemoteSigned plus Unblock-File on the downloaded script is sufficient.
Set-ExecutionPolicy Unrestricted -Force
C:\Scripts\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscriptionname -ServiceName $vmcloudservice -Name $owa1name

### Install Scripts to run in the VMs ###

# Return the correct URI for Remote PowerShell
$uri = Get-AzureWinRMUri -ServiceName $vmcloudservice -Name $owa1name

# Credentials for the VM
$cred = Get-Credential

# Run this to install the Web-Server feature
Invoke-Command -ConnectionUri $uri -Credential $cred -FilePath "c:\scripts\Install IIS.ps1"

# Get Certificate OWA2
Set-ExecutionPolicy Unrestricted -Force
C:\Scripts\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscriptionname -ServiceName $vmcloudservice -Name $owa2name

# Fetch the URI for OWA2: without this the Invoke-Command below would run against OWA1 a second time
$uri = Get-AzureWinRMUri -ServiceName $vmcloudservice -Name $owa2name

# Credentials for the VM
$cred = Get-Credential

# Run this to install the Web-Server feature
Invoke-Command -ConnectionUri $uri -Credential $cred -FilePath "c:\scripts\Install IIS.ps1"

###############################
### INTERNAL LOAD BALANCER ###
###############################

# Add Internal Load Balancer to the service
Add-AzureInternalLoadBalancer -InternalLoadBalancerName OWAILB -SubnetName owa1 -ServiceName $vmcloudservice

# Add load balanced endpoints to the ILB (no public VIP is involved: PublicPort here is the port on the ILB's internal address)
Get-AzureVM -ServiceName $vmcloudservice -Name $owa1name | Add-AzureEndpoint -Name "intowalb" -LBSetName "intowalb" -Protocol tcp -LocalPort 80 -PublicPort 80 -ProbePort 80 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName OWAILB | Update-AzureVM
Get-AzureVM -ServiceName $vmcloudservice -Name $owa2name | Add-AzureEndpoint -Name "intowalb" -LBSetName "intowalb" -Protocol tcp -LocalPort 80 -PublicPort 80 -ProbePort 80 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName OWAILB | Update-AzureVM

Get-AzureService -ServiceName $vmcloudservice | Get-AzureInternalLoadBalancer

## Check load balancers for the VMs
Get-AzureVM -ServiceName $vmcloudservice -Name $owa1name | Get-AzureEndpoint
Get-AzureVM -ServiceName $vmcloudservice -Name $owa2name | Get-AzureEndpoint

Other load balancing options for Azure

If the basic load balancing provided by Azure (a hash-based distribution across the healthy endpoints rather than true round robin) is not sufficient for your application, check out the links below for more sophisticated third-party options from Microsoft partners.

Some applications may require session persistence, SSL offloading, compression and other more complex load balancing features so check out the appliances offered by Kemp and Barracuda. The Barracuda device also provides firewall protection.

 

See for yourself at :-

https://www.barracuda.com
http://kemptechnologies.com/uk/solutions/microsoft-load-balancing/loadmaster-azure/

I may do a comparison at some point once I have properly evaluated the two options above.

Azure ILB Technet Reference

http://msdn.microsoft.com/library/dn690121.aspx

Building a Highly Available Active Directory Infrastructure in Azure Virtual Machines with Static Internal IP Addresses.

Hi, thanks for visiting, and firstly apologies for the long title!


This post will show how to set up two highly available domain controllers in Azure. In order to make them highly available, the machines within a cloud service (a group of machines, usually one per tier of an application) need to be put into an availability set.

Why Bother with Static IP Addresses in Azure at all ?

Microsoft now recommend that domain controllers have static IP addresses, and static IP addresses are also useful for other critical servers in your environment. By default Azure assigns IP addresses using DHCP from a range you supply. I always create my networks with a subnet for each machine so I have some control over which IP address each machine receives: once a machine is in a subnet it receives the first available address in that subnet, although Microsoft provides no guarantees and could change this algorithm. So what happens if I have multiple machines within the same subnet, shut them all down (and de-allocate) and restart them in a different order? They can, and most probably will, receive different IP addresses, which can cause problems with your services. This is the main reason why having static IP addresses is a real bonus for us.

How do you create a virtual machine with a static IP Address in Azure and what are the requirements ?

Currently the only way you can create a virtual machine in Azure with a static IP address is via PowerShell and the only supported network type must be a regional network.  This means the network was assigned to a region such as “North Europe” rather than an affinity group.   Microsoft say they will allow this in the future.

What if I want to add static IP addresses to VMs in my existing network ?

If you try to create a VM with a static IP in a network that is assigned to an affinity group, this will fail. If you need this feature for an existing network, the only way is to recreate the network, drop all the VMs (do not delete the hard drives) and then re-create the VMs using the existing hard drives within the new network. You can still assign storage and virtual machines to an affinity group, just not the network at this time.

Environment and Requirements

My environment is an Azure subscription which has a regional network defined with subnets for each VM.  It also has a storage account to store the virtual machine VHD files and an affinity group which tells Azure which region I want to store my computer and storage objects.  Scripts are provided below.

You will also need to download and install the latest Azure PowerShell Module from here :- https://azure.microsoft.com/en-us/downloads/

to connect to your Azure subscription you could follow the guide here :

https://miteshc.wordpress.com/2014/03/04/getting-started-with-windows-azure-powershell/

 

Video Tutorial on Azure VM Static IP Addressing

I have created a 20 minute tutorial which takes you through the whole process to give you two domain controllers that are highly available and have static IP addresses.

Azure PowerShell Static IP highly available AD

 

Scripts

All three scripts provided below need to be copied individually and saved as .ps1 files.

The InstallWinRMCertAzureVM.ps1 file needs to be downloaded from the link here.  Save all ps1 files in c:\scripts for example and check locations in the scripts below if you change this.

http://gallery.technet.microsoft.com/scriptcenter/Configures-Secure-Remote-b137f2fe

Create the Static IP Domain Controller Virtual Machines

# Created by Mitesh Chauhan - July 2014.
# Purpose - Use this script to create new virtual machines with static IP addresses
# Note - Currently this only works on regional networks and not networks created within an affinity group
# VMs and storage CAN be in affinity groups for static IP addressing to work, just not networks atm.
# To UPDATE EXISTING VMS. Example:
# Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM

# You must remove the static IP before allocating a new static IP.
# REMOVE STATIC IP - Get-AzureVM -ServiceName StaticDemo -Name VM2 | Remove-AzureStaticVNetIP | Update-AzureVM

#Get-AzurePublishSettingsFile
#Import-AzurePublishSettingsFile "D:\yoursettingsfilesdownloaded from above cmdlet"

#Set Subscription Name
$subscriptionname = 'SharePoint BI Demos'

#Set VM and Network Variables
# Demo credentials only. Do not keep real admin passwords in a script: prompt with Read-Host -AsSecureString /
# Get-Credential or read them from a protected store.
$Adminusername = "DemoAdmin"
$Adminpassword = "Changeme10000"
$dc1name = "StaticDC1"
$dc2name = "staticDC2"

# Choose a name that has not been used before (you can check for existence in the GUI at VM creation time).
# As this is the internet routable name of your cloud service, it needs to be unique in the cloudapp.net domain.
$vmcloudservice = "MCDCCloudService"
$AvailabilitySetName = 'ADAVSet'

# Your virtual network name
$vnetname = "mcstaticvnet"

# Set ImageName - Get latest Windows 2012 R2 build.
$ws2012r2 = (Get-AzureVMImage | where ImageFamily -eq 'Windows Server 2012 R2 Datacenter' | select -last 1).ImageName

Set-AzureSubscription $subscriptionname -CurrentStorageAccountName "mcdemostore"
Select-AzureSubscription $subscriptionname

# Test for static IP registration
# Test-AzureStaticVNetIP -VNetName MCStaticVnet -IPAddress 10.0.0.5

# Configure VM Settings for a New Static IP VM DC1
# We are using the second IP address in the available pool (10.0.0.4-10.0.0.6) for this subnet to prove the VM is getting the correct IP by choice, not by default.
# The data disk (F:) will hold NTDS and SYSVOL; leave its host caching at the default of None, as Microsoft recommends for domain controllers.
$myVM = New-AzureVMConfig -Name $dc1name -ImageName $ws2012r2 -InstanceSize "Small" -AvailabilitySetName $AvailabilitySetName | Set-AzureSubnet -SubnetNames "DNS1" | Set-AzureStaticVNetIP -IPAddress 10.0.0.5 |
Add-AzureProvisioningConfig -AdminUsername $Adminusername -Windows -Password $Adminpassword |
Add-AzureDataDisk -CreateNew -DiskSizeInGB 128 -DiskLabel "FDrive" -LUN 0

New-AzureVM -ServiceName $vmcloudservice -VMs $myVM -AffinityGroup "NEAffinityGroup" -VNetName $vnetname -WaitForBoot

## SET RDP Endpoint Public Ports
################################
# A non-default public port hides nothing from a port scan: the endpoint is still reachable from the whole internet.
# Restrict it with an endpoint ACL (Set-AzureEndpoint -ACL) or remove it once you have VPN or jump-host access.
Get-AzureVM -ServiceName $vmcloudservice -Name $dc1name |
Set-AzureEndpoint -Name "RDP" -PublicPort 50000 -LocalPort 3389 -Protocol "tcp" |
Update-AzureVM

# Configure VM Settings for a New Static IP VM DC2
##################################################
$myVM2 = New-AzureVMConfig -Name $dc2name -ImageName $ws2012r2 -InstanceSize "Small" -AvailabilitySetName $AvailabilitySetName | Set-AzureSubnet -SubnetNames "DNS2" | Set-AzureStaticVNetIP -IPAddress 10.0.0.13 |
Add-AzureProvisioningConfig -AdminUsername $Adminusername -Windows -Password $Adminpassword |
Add-AzureDataDisk -CreateNew -DiskSizeInGB 128 -DiskLabel "FDrive" -LUN 0

# Provision VM - no VNet name is required for a VM in an existing cloud service (created above in this example)
New-AzureVM -ServiceName $vmcloudservice -VMs $myVM2 -WaitForBoot

# Set RDP Port for VM 2
Get-AzureVM -ServiceName $vmcloudservice -Name $dc2name |
Set-AzureEndpoint -Name "RDP" -PublicPort 50001 -LocalPort 3389 -Protocol "tcp" |
Update-AzureVM

# Remove static IP from VM1
## Get-AzureVM -ServiceName $vmcloudservice -Name $dc1name | Remove-AzureStaticVNetIP | Update-AzureVM

## Remote PowerShell connectivity

# Get Certificate. Script source: http://gallery.technet.microsoft.com/scriptcenter/Configures-Secure-Remote-b137f2fe
# Unrestricted is broader than needed: RemoteSigned plus Unblock-File on the downloaded script is sufficient.
Set-ExecutionPolicy Unrestricted -Force
C:\Scripts\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscriptionname -ServiceName $vmcloudservice -Name $dc1name

# Credentials for the VM
$cred = Get-Credential

$winRmUri = Get-AzureWinRMUri -ServiceName $vmcloudservice -Name $dc1name
# Bring the raw data disk online as F: (MBR is fine for a disk under 2 TB)
Invoke-Command -ConnectionUri $winRmUri.ToString() -Credential $cred -ScriptBlock {
Get-Disk |
Where-Object PartitionStyle -eq "RAW" |
Initialize-Disk -PartitionStyle MBR -PassThru |
New-Partition -UseMaximumSize -DriveLetter F |
Format-Volume -FileSystem NTFS -Confirm:$false
}

## Promote DC ##

# Run this to promote the server to the first DC (the New Forest Script below)
Invoke-Command -ConnectionUri $winRmUri -Credential $cred -FilePath "c:\scripts\createdomaincontroller.ps1"

#########################
######## Promote DC 2 #####
#########################

# Get Certificate
Set-ExecutionPolicy Unrestricted -Force
C:\Scripts\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscriptionname -ServiceName $vmcloudservice -Name $dc2name

# Return the correct URI for Remote PowerShell
$winRmUri = Get-AzureWinRMUri -ServiceName $vmcloudservice -Name $dc2name

# Credentials for the VM
$cred = Get-Credential

Invoke-Command -ConnectionUri $winRmUri.ToString() -Credential $cred -ScriptBlock {
Get-Disk |
Where-Object PartitionStyle -eq "RAW" |
Initialize-Disk -PartitionStyle MBR -PassThru |
New-Partition -UseMaximumSize -DriveLetter F |
Format-Volume -FileSystem NTFS -Confirm:$false
}

## Add Second DC to Domain (the Add Domain Controller to Forest script below; it reads $cred through $using:cred)
Invoke-Command -ConnectionUri $winRmUri -Credential $cred -FilePath "c:\scripts\ADD_Domaincontroller.ps1"
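The script above publishes RDP for both domain controllers on the internet (ports 50000 and 50001 on the cloud service VIP). The following is an added example, not part of the original post, that restricts those two endpoints to a single admin network with an endpoint ACL from the Azure Service Management module (New-AzureAclConfig / Set-AzureAclConfig / Set-AzureEndpoint -ACL). It reuses $vmcloudservice, $dc1name and $dc2name from the script above; the subnet is a placeholder (TEST-NET-3) to replace with your office or VPN egress range.

```powershell
# Added example (not from the original post): lock the public RDP endpoints down to one admin subnet.
$adminSubnet = '203.0.113.0/24'                       # placeholder: your office / VPN egress range
$rdpPorts    = @{ $dc1name = 50000; $dc2name = 50001 } # the public ports chosen in the script above

# One Permit rule. Once an ACL is attached, traffic that matches no Permit rule is dropped by the platform,
# so this turns "reachable from anywhere on an odd port" into "reachable from $adminSubnet only".
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $adminSubnet -Order 100 -Description 'Admin network only'

foreach ($vmName in $rdpPorts.Keys) {
    Get-AzureVM -ServiceName $vmcloudservice -Name $vmName |
        Set-AzureEndpoint -Name 'RDP' -Protocol tcp -LocalPort 3389 -PublicPort $rdpPorts[$vmName] -ACL $acl |
        Update-AzureVM
}

# Verify: each RDP endpoint should now carry the ACL with the single Permit rule
foreach ($vmName in $rdpPorts.Keys) {
    Get-AzureVM -ServiceName $vmcloudservice -Name $vmName |
        Get-AzureEndpoint -Name 'RDP' |
        Select-Object @{ n = 'VM'; e = { $vmName } }, Name, Port, LocalPort, Acl |
        Format-List
}
```

Apply the same ACL to the WinRM (PowerShell) endpoint that InstallWinRMCertAzureVM.ps1 relies on, or remove that endpoint once provisioning is finished; a domain controller with management ports open to the internet is the worst place to rely on a strong password alone.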

 

New Forest Script

#
# Windows PowerShell script for AD DS Deployment
#Set-ExecutionPolicy RemoteSigned -Force

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
# No -SafeModeAdministratorPassword is given, so Install-ADDSForest prompts for the DSRM password.
# When the script runs non-interactively (e.g. via Invoke-Command), pass it as a SecureString instead.
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "F:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "demo.local" `
-DomainNetbiosName "DEMO" `
-ForestMode "Win2012" `
-InstallDns:$true `
-LogPath "F:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "F:\Windows\SYSVOL" `
-Force:$true

 

Add Domain Controller to Forest

#
# Windows PowerShell script for AD DS Deployment
#Set-ExecutionPolicy RemoteSigned -Force
Install-WindowsFeature Windows-Server-Backup

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# -ReplicationSourceDC names the DC to replicate from; the FQDN of the first DC (e.g. StaticDC1.demo.local) is the safer value.
# -SiteName must already exist in Active Directory Sites and Services.
# -Credential $using:cred picks up the $cred variable from the calling session when run via Invoke-Command.
# As with the forest script, supply -SafeModeAdministratorPassword as a SecureString if this runs non-interactively.
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "F:\Windows\NTDS" `
-DomainName "Demo.local" `
-InstallDns:$true `
-LogPath "F:\Windows\NTDS" `
-NoRebootOnCompletion:$true `
-ReplicationSourceDC "Demo.local" `
-SiteName "Azure" `
-SysvolPath "F:\Windows\SYSVOL" `
-Force:$true `
-Credential $using:cred `
-Confirm:$false

In the next blog and video we will look at setting up servers with Internal Network Load Balancing.

 

Thank you for following this article, let me know below if it was useful for you !

The New Azure Portal – Virtual Machines

Microsoft has added support for Virtual Machines through the preview portal. First impressions are good, it looks great and has a lot of the information about your VMs. There is no Cloud Service view as yet unfortunately.

Go to https://portal.azure.com and log in. Select Browse, then Virtual Machines.


Browse your virtual machines and it will show you a list of the machine names, region and status.

Azure Preview Portal Status Caution

Note that the preview portal does not distinguish whether the VM is Stopped or Stopped (Deallocated). So it will not show stopped VMs that are still incurring charges.

See my VM status in old portal which shows both stopped statuses.  Note while a VM is Stopped (via shutdown from within the VM) charges are still applied.   If a VM is stopped and deallocated (Shut down from the portal) no charges are applied to the running of the VM.


The new Portal only shows “Stopped” for both VMs.


Please would you update this Microsoft? Thanks!

Azure Portal Pricing Tier Caution

Note that the pricing tier is based on VM size only and NOT VMs with licensing included such as SQL Server.

Click on the Pricing Tier link


If you selected a SQL Server gallery image which includes the SQL Server licensing the pricing is very different to that shown in the portal.

Look at the figures in the Azure pricing calculator which is available here.

http://azure.microsoft.com/en-us/pricing/calculator/?scenario=full

Azure Calculator Pricing for A6 and A7 VMs.


The figures here are PAYG prices which are close to the prices shown below in preview portal.

 

Azure Preview Portal Pricing Tier Window


Here is what the VM would actually cost as it is a SQL Server template VM.


 

Maybe in the future Microsoft may check if the VM is a SQL Server template or not and give proper pricing, or at least put a note on the screen that the pricing is based on standard VMs without additional software licensing.

The following note could be updated to reflect this.


I have not started using it in anger just yet as I normally prefer to do creation of objects in PowerShell.  I do think the preview portal is a good start and it has a good feel to it so it looks promising for a first release.   Let me know what you think of the portal and if you have tried the pricing tier recommendation feature as it is not clear where this is exactly !?

Thanks for reading !

Configure SharePoint 2013 Core Services

In this article which is number 2 in the series I will walk through how to configure the core SharePoint 2013 services.  The first article looked at the installation process.   The next article will focus on some of the BI services available in SharePoint which is more complex and also more interesting if you ask me.

Running PowerShell

If you have managed to avoid PowerShell for this long then congratulations. As you work with SharePoint 2013 and other products you will need to learn some of the basics. In SharePoint 2013 there are many tasks that require PowerShell, where the GUI simply is not an option. To set up our PowerShell console, go to the start screen (if Windows 2012) or to the Programs menu and locate the SharePoint 2013 Management Shell. Right-click it and pin it to the task bar.

image

Once this is done, from the task bar, hold down SHIFT, right click the icon and select Properties.

image

Select Advanced and tick “Run as Administrator”, then press OK and OK. This ensures that when we run SharePoint PowerShell commands from this icon in the future the administrative context is used, giving us the required access.

 

Configure the State Service

The State Service provides a temporary work area where SharePoint services store session data. Note that the State Service and the Usage and Health Data Collection Service are two services that cannot be created from the GUI.

Click the icon to start PowerShell and type the following lines, which set up the State Service with a chosen database name.

New-SPStateServiceApplication -Name "State Service Application"

Get-SPStateServiceApplication | New-SPStateServiceApplicationProxy -DefaultProxyGroup

Get-SPStateServiceApplication | New-SPStateServiceDatabase -Name "State_Service_DB"

Get-SPDatabase | Where-Object {$_.Type -eq "Microsoft.Office.Server.Administration.StateDatabase"} | Initialize-SPStateServiceDatabase

The results should look similar to this.

image

Configure the Usage and Health Data Collection Service

This service should be created so that SharePoint logs the health of the services in the logging database. It must be created via PowerShell. The Configuration Wizard will also configure this service, but using the wizard is not recommended for production environments for any service.

From the PowerShell console run the following lines of PowerShell.

$usagename = "Usage and Health Data Collection"

$usagedbname = "UsageandHealth"

$serviceinstance = Get-SPUsageService

New-SPUsageApplication -Name $usagename -DatabaseName $usagedbname -UsageService $serviceinstance

Example results:

image

A useful option for this service is setting the log file location, for example:

$us = Get-SPUsageService

$Logs = "C:\Logs\"

$us | Set-SPUsageService -LoggingEnabled $true -UsageLogLocation $Logs

Once the service is provisioned you can see the log file location and all the other events that can be enabled for logging. If there are specific events in this list you wish to log, this can also be done in PowerShell. Here we look at an example with the “SQL Exceptions Usage” events.

Set-SPUsageDefinition -Identity "SQL Exceptions Usage" -Enable

image

Here we can see the changes we made in PowerShell.

 image
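The State Service and Usage and Health steps above, combined into one re-runnable script as an added example (not code from the original post): it skips anything already provisioned, creates the log folder before pointing the service at it, and verifies the result. The database names, the log path and the proxy check are assumptions.

```powershell
# Added example: idempotent provisioning of the State Service and the
# Usage and Health Data Collection service, with verification at the end.
# Database names and log path are assumptions; adjust them for your farm.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# --- State Service: only create it if the farm does not already have one ---
$stateApp = Get-SPStateServiceApplication -ErrorAction SilentlyContinue
if (-not $stateApp) {
    $stateDb  = New-SPStateServiceDatabase -Name "State_Service_DB"
    $stateApp = New-SPStateServiceApplication -Name "State Service Application" -Database $stateDb
    New-SPStateServiceApplicationProxy -ServiceApplication $stateApp `
        -Name "State Service Application Proxy" -DefaultProxyGroup | Out-Null
    Initialize-SPStateServiceDatabase -Identity $stateDb
}

# --- Usage and Health Data Collection ---
$usageName   = "Usage and Health Data Collection"
$usageDbName = "UsageandHealth"
$usageLogDir = "D:\SPLogs\Usage"   # assumption: keep usage logs off the system drive

if (-not (Get-SPUsageApplication -ErrorAction SilentlyContinue)) {
    New-SPUsageApplication -Name $usageName -DatabaseName $usageDbName `
        -UsageService (Get-SPUsageService) | Out-Null
}

# The usage application proxy is sometimes left stopped after creation; bring it online
$usageProxy = Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -like "Usage and Health*" }
if ($usageProxy -and $usageProxy.Status -ne "Online") { $usageProxy.Provision() }

# The log folder must exist on every server in the farm before it is assigned
if (-not (Test-Path $usageLogDir)) { New-Item -ItemType Directory -Path $usageLogDir | Out-Null }
Get-SPUsageService | Set-SPUsageService -LoggingEnabled $true -UsageLogLocation $usageLogDir

# Enable the SQL Exceptions Usage definition (off by default) and list what is enabled
Set-SPUsageDefinition -Identity "SQL Exceptions Usage" -Enable
Get-SPUsageDefinition | Where-Object { $_.Enabled } | Select-Object Name, Enabled
```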

 

Register Managed Accounts

It is recommended to register any service accounts that SharePoint will use for application pools and for certain SharePoint services. Use separate accounts for different services, both to help secure each service and to make it easier to manage and maintain. Remember that service accounts, if they are standard AD accounts as they should be, may expire depending on the security policies in AD. Therefore some implementations use accounts with non-expiring passwords. In some environments this may not be acceptable and could be seen as a security risk. SharePoint can manage the password expiry and reset for us, generating the passwords for the service accounts itself. In our example we have gone with standard accounts.

 

As a rule of thumb I create a generic account for core roles such as Secure Store, Managed Metadata etc., and a BI service account for the BI services, for example.

From Central Admin navigate to Security, Configure managed accounts.

image

Click the Configure managed accounts link and you should see the farm account.

image

Click Register Managed Account and enter the details for the BI account, application pool accounts and generic service accounts you wish to use. Our generic service account example is shown here.

image

You should then see the service accounts listed here.

image
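The same registration done in PowerShell, as an added example that is not part of the original post. It also shows the alternative the text mentions, letting SharePoint rotate the password itself rather than using a non-expiring AD password, and creates the generic application pool reused by the services below. The account names, schedule and pool name are assumptions.

```powershell
# Added example: register managed accounts, opt them into SharePoint-managed
# password rotation, and create one application pool for the core services.
# Account names, the schedule and the pool name are assumptions.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$accounts = @("CONTOSO\svc-spgeneric", "CONTOSO\svc-spbi")   # generic services account, BI account

foreach ($name in $accounts) {
    # Register only if it is not already a managed account
    if (-not (Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue)) {
        # Get-Credential prompts for the current AD password; nothing is hard-coded in the script
        $cred = Get-Credential -UserName $name -Message "Current password for $name"
        New-SPManagedAccount -Credential $cred | Out-Null
    }
    # Let SharePoint generate a new password monthly in a maintenance window,
    # two days before AD would expire the current one
    Set-SPManagedAccount -Identity $name -AutoGeneratePassword `
        -Schedule "monthly between 1 02:00:00 and 1 04:00:00" -PreExpireDays 2
}

# One application pool for the core services (BDC, Managed Metadata, Secure Store, ...)
$poolName = "SharePoint Generic Services"
if (-not (Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue)) {
    New-SPServiceApplicationPool -Name $poolName `
        -Account (Get-SPManagedAccount -Identity "CONTOSO\svc-spgeneric") | Out-Null
}

# Verify which accounts are registered and whether SharePoint manages their passwords
Get-SPManagedAccount | Select-Object UserName, AutomaticChange, ChangeSchedule, PasswordExpiration
```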

 

Create the Business Data Connectivity Services

This service is required for SharePoint to use external data sources, such as web services or databases, as content within SharePoint sites.

To set up the BDC service from the GUI open Central Admin, Application Management, Manage Service Applications. Select New, Business Data Connectivity Service.

image

Enter the SQL Alias or server name and rename the database to remove the default GUID.

image

As this is our first core service we need an application pool, so I have selected to create a new application pool with our generic account registered earlier. This application pool can then be used for other services we configure later.

image

Ensure the correct service account is selected and click OK.

 

image

From Central Admin, Application Management, Manage Services on this Server, start the BDC Service.

image

The service should start OK.

image

 

Create the Managed Metadata Service

The Managed Metadata Service is required by several other services and so should be one of the first services to be configured. The services dependent on the metadata service are Search, User Profiles and the Machine Translation Service.

From Application Management, Manage Service Applications, select New, Managed Metadata Service. Enter the service name, database server and database name.

image

Select “Use existing application pool” and select the generic pool we created earlier.

image

The application pool selected will use the account specified when the pool was created. Ignore the configurable account in the screenshot above, as this is not actually the selected option here. Leave the last two checkboxes selected and click OK.

image

There is no progress screen here, so wait a few seconds to be returned to the applications list. Return to Central Admin and start the Managed Metadata Web Service.

image

This should now start after a few seconds.

image

To complete the setup of this service return to the service applications list, click the second metadata entry in the list and select Properties in the ribbon above.

image

If you see the “Something went wrong” error, wait a few minutes while the service is provisioned properly in the background.

image

Don’t click on the blue URL link; click elsewhere on the row, select Properties, ensure the following check boxes are ticked and press OK.

image

Once done, click on one of the Managed Metadata Service links to show the screen below.

image

I always add the service account and farm account to Term Store Administrators as a precaution, from experience with SharePoint 2010.

image

This completes the metadata service configuration.

 

Create the Secure Store Service

The Secure Store Service is used to store credentials for applications such as Excel Services (if required) and PerformancePoint Services, which depends on the Secure Store Service configuration.

From Manage Service Applications, select New Service Application, Secure Store Service.

image

image

Select “Use existing application pool” and select the generic app pool created earlier.

image

Leave the default for the audit log or modify it to your requirements.

image

image

Select the Secure Store and click Manage.

image

The red error is to remind us to generate a new key, so click Generate New Key.

image

Enter a passphrase and make a note of it in a secure place. It will be needed if the database ever has to be restored.

image

Start the service if it is not already started, from Central Admin, System Settings, Services on this server.

image

Create Word Automation Services Application

This service is used to convert Word documents into various formats and is an optional service.

From Central Admin, Application Management, Manage Service Applications, select New, Word Automation Service Application.

image

Enter a name for the application and select the generic application pool created earlier and click OK.

image

Start the service: from Services on Server locate the service ...

image

and click Start.

image

 

Configure Search Service Application

Ensure the search service accounts are registered as managed accounts: Central Admin, Security, Configure Managed Accounts.

There are several accounts required, which I have listed here together with what each is used for.

Search Service: applies to all search service applications; can be changed under Configure service accounts in Security (Central Admin).
Search Admin App Pool: account for the admin web service application pool. Can be the same as Search Service.
Search Query App Pool: account for the query web service application pool. Can be the same as Search Service.
Default Content Access: recommended to have a specific account for this role.

For this demo I will use the Search Service account SPSearch.

image

Create the Search Service Application

Note: each search service application has a separate content index, and there can be multiple search service applications to partition sensitive content. It is also recommended to use a different server for each service application, or to assign more resources as required.

From Application Management, Manage Service Applications, select New, Search Service Application.

image

Admin web service (you can specify an admin web service app pool account here).

image

image

Wait for the service to provision.

image

image

Select the Search Service Application and click Manage.

image

You can change the default content access account here, which is set to the service application account. Use an account that has read permissions on as many of the content locations you wish to crawl as possible. Where specific crawl accounts are required for specific locations, create a crawl rule and assign it the account.

Also specify the email address of an administrator contact.

image

Now let’s configure a content source, which will be a site created in SharePoint. Click the Content Sources link on the bottom left as shown above.

You will see a content source created by default. This is created to crawl all content on the local farm. You can also create additional content sources for other content such as file shares, other SharePoint farms or websites. Click on this entry, “Local SharePoint Sites”.

 image

If the farm was configured as a farm (not a single server) and you did not select to auto configure the services, which is the recommended approach for production, you will see there is no incremental or full crawl running or scheduled to run. So we must edit this content source to specify the crawl schedules.

Also, once in the edit screen, ensure the correct URLs are in place for any sites you may have created.

image

I have set the incremental crawl to the default values (I did change 5 to 10 minutes).

image

Note that I have not scheduled a full crawl. Depending on the content size you may not want to schedule a full crawl; rather, run it once and let the incremental crawl keep the index up to date. Press OK on this screen.

Use the drop down next to Local SharePoint Sites and trigger a full crawl now.

image
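The search steps above (dedicated crawl account, start address check, 10-minute incremental schedule, one-off full crawl) as an added PowerShell example that is not part of the original post. It assumes a single search service application; the crawl account name and site URL are placeholders.

```powershell
# Added example: configure the default content access account, the start address
# and the crawl schedule of the default content source, then run one full crawl.
# Crawl account, site URL and the 10-minute interval are assumptions.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$ssa = Get-SPEnterpriseSearchServiceApplication   # assumes one search service application

# A dedicated read-only crawl account instead of the service application account
$crawlCred = Get-Credential -UserName "CONTOSO\svc-spcrawl" -Message "Crawl account password"
$ssa | Set-SPEnterpriseSearchServiceApplication `
    -DefaultContentAccessAccountName $crawlCred.UserName `
    -DefaultContentAccessAccountPassword $crawlCred.Password

# Default content source: make sure the web application URL is one of its start addresses
$csName  = "Local SharePoint Sites"
$siteUri = [Uri]"http://intranet.contoso.local"   # assumption
$cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity $csName
if (-not ($cs.StartAddresses | Where-Object { $_.AbsoluteUri -eq $siteUri.AbsoluteUri })) {
    $cs.StartAddresses.Add($siteUri)
    $cs.Update()
}

# Incremental crawl every 10 minutes, repeated for the whole day, every day.
# No full crawl schedule is set, matching the walkthrough.
$cs | Set-SPEnterpriseSearchCrawlContentSource -ScheduleType Incremental -DailyCrawlSchedule `
    -CrawlScheduleRunEveryInterval 1 -CrawlScheduleRepeatInterval 10 -CrawlScheduleRepeatDuration 1440

# Kick off the one-off full crawl, but only if the source is idle
$cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity $csName
if ($cs.CrawlStatus -eq "Idle") { $cs.StartFullCrawl() }

# Confirm the schedule and crawl state
$cs | Select-Object Name, CrawlStatus, IncrementalCrawlSchedule, FullCrawlSchedule
```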

These are the basics to get you up and running with Search. I may cover this in more detail in the future, but it is a vast subject on which many books have been written.

That’s it for now!

OK, we have now configured all the core services for the SharePoint farm.

In the next post I will cover adding a SharePoint server to the farm we just created and configuring some of the services to run on this second server.  We will also look at how to create the user website.

Installing SharePoint 2013 SP1 on Windows Server 2012 R2

In this article we will look at the step by step process of installing SharePoint 2013 SP1 on Windows Server 2012 R2. It’s actually the same as installing SharePoint 2013 on Windows 2012! I thought I would document it anyway as I was going through the process.

Note that SharePoint 2013 with SP1 will only install on Windows Server 2012 R2 using the slipstreamed media; you cannot install SharePoint 2013 RTM and then apply SharePoint 2013 Service Pack 1 on Windows Server 2012 R2 at this time.

Ensure you are using a setup account which has admin access on the SharePoint server.

  • The setup account also needs SYSADMIN rights in the SQL Server instance, as well as firewall access etc. to SQL Server.
  • Ensure the SharePoint server has internet access to download the prerequisite installer files.

SQL Server role mapping for the setup account:

image

I have also created an A record alias for my SQL Server simply named SQLDB.

image

1. Run the Prerequisite Installer

Run prerequisiteinstaller.exe from the installation media. Wait for this to complete, which involves several reboots.

2. Run the Setup file to install the binaries

Enter the license key, accept the license agreement and select “Complete” to install the SharePoint binaries onto the server.

Select Complete for the server type and change the binary install file location if required.

3. Run the Configuration Wizard to set up the farm

If you are ready to configure the farm leave the checkbox ticked and press Close.

    image

Click Next on the first screen and Yes on the IIS notification.

    image

    Select Create new server farm as this is the first server and click Next.

    image

Configure the database and farm account: enter the database server name / alias and the farm admin account.

    image

Enter the passphrase, which is required when adding further servers to the farm in the future.

    image

    Specify a port number for the Central Admin site.

    image

Check the summary and click Next to complete the configuration of the farm.

    image

Wait for the 10 steps to complete, which may take about 10 minutes, then click Finish.

    image

    Wait for the Central Admin page to open and click Yes or No on the participation screen.

    image

Click Cancel on the auto configuration screen.

    image

     

Many thanks for viewing this page. I hope you found something useful here; if so, please let me know!