Windows Azure Pack – Active Directory Design Choices

Darryl van der Peijl wrote this great guest blog on design considerations for Active Directory in a Windows Azure Pack environment:

In this blog I will discuss different Active Directory designs, focusing on the use of Windows Azure Pack. Since Windows Azure Pack is nothing different from a regular web service, these designs can be used in a very generic way.

When talking Active Directory, we are actually talking security. The design decisions you make can have a huge impact on the vulnerability of your infrastructure.

Windows Azure Pack offers a number of services that must be reachable from the Internet, such as the Tenant Portal and the Tenant Public API, and don’t forget the “Remote Console” feature, which needs a Remote Desktop Gateway server that is accessible from the Internet as well.

Servers that can be accessed from the outside should be placed in a DMZ/Perimeter network. Since they are reachable from the potentially ‘hostile’ external world, these servers can become subject to intrusion or hijacking by attackers. The DMZ/Perimeter network is a containment area, so that a breached server does not gain immediate access to your internal infrastructure.

So, let’s get started!

I will discuss the following four different Active Directory designs and sum up the advantages and disadvantages.

  • No Active Directory in DMZ / Perimeter Network
  • Extended Forest
  • Forest with child domains
  • Isolated Forests

The following terms will be used:

  • ADDS: Active Directory Domain Services
  • DMZ / Perimeter Network: the zone for external-facing services
  • Local Network: the zone for internal services
  • Local infrastructure: infrastructure (servers) in the Local Network
  • Perimeter infrastructure: infrastructure (servers) in the Perimeter Network

No Active Directory in DMZ / Perimeter Network

You can implement Windows Azure Pack without the use of Active Directory, so you don’t have to create a separate domain for WAP in the perimeter. Windows Azure Pack will use the local server’s Security Accounts Manager (SAM) database to authenticate identities and will use SQL authentication for the databases.

The security risk of this design is medium.

Advantages:

  • No ADDS needed (Advantage?)
  • No VMs for ADDS

Disadvantages:

  • Users and servers must be managed locally on each server
  • You cannot set up Failover Clusters without ADDS (Hyper-V, SQL Server AlwaysOn, ..)
  • The Kerberos protocol or certificates are not available for local SAM authentication.
  • Centralized updates (WSUS) cannot be implemented
  • No ability to use ADFS

Note:
For Windows Azure Pack built-in functionality like “Console Connect” or “Network Virtualization” you will need to build a Hyper-V cluster.
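The main operational cost of the no-ADDS design is that every perimeter server carries its own SAM database that nobody manages centrally. The following PowerShell script is an added example, not part of the original post or of Windows Azure Pack itself; it audits one stand-alone perimeter server with the ADSI WinNT provider and CIM (both available on Windows Server 2012 R2) and reports what a reviewer of this design would want to know: whether the server is really not domain-joined, which local SAM accounts exist with which password flags, and who sits in the local Administrators group. The flag constants are the documented ADS_USER_FLAG_ENUM values; the function name and the report layout are the example’s own choices.

```powershell
# Added example (not from the original post): audit the identity surface of a
# stand-alone perimeter server, e.g. a Windows Azure Pack tenant portal server in
# the "No Active Directory in DMZ" design. Run in an elevated PowerShell session
# on the server you want to audit; it only inspects the local machine.

# Flag bits from ADS_USER_FLAG_ENUM (userFlags attribute of a WinNT user object)
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_PASSWD_NOTREQD     = 0x0020
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-PerimeterIdentityReport {
    $computerName = $env:COMPUTERNAME

    # 1. Domain membership: in this design the server must NOT be domain-joined.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain

    # 2. Local SAM accounts: these are the identities WAP authenticates against,
    #    and each perimeter server has to be managed individually.
    $computer = [ADSI]"WinNT://$computerName,computer"
    $users = foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        $flags = [int]$child.UserFlags.Value
        [pscustomobject]@{
            Name                 = $child.Name
            Disabled             = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
            PasswordNotRequired  = [bool]($flags -band $ADS_UF_PASSWD_NOTREQD)
            PasswordNeverExpires = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)
            PasswordAgeDays      = [math]::Round(([int]$child.PasswordAge.Value) / 86400, 1)
        }
    }

    # 3. Local Administrators: list members and where they come from.
    #    Local principals have an ADsPath of the form WinNT://<workgroup>/<computer>/<name>;
    #    anything else is a domain or external principal.
    $group = [ADSI]"WinNT://$computerName/Administrators,group"
    $admins = foreach ($m in $group.psbase.Invoke('Members')) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{ Name = $name; ADsPath = $path }
    }

    # 4. Findings a reviewer of the no-ADDS design would flag.
    $findings = @(
        if ($domainJoined) { 'Server is domain-joined: it does not match the no-ADDS perimeter design' }
        foreach ($u in $users | Where-Object { -not $_.Disabled }) {
            if ($u.PasswordNotRequired)  { "Local account '$($u.Name)' does not require a password" }
            if ($u.PasswordNeverExpires) { "Local account '$($u.Name)' has a non-expiring password" }
        }
        foreach ($a in $admins | Where-Object { $_.ADsPath -notlike "WinNT://*/$computerName/*" }) {
            "Administrators contains a non-local principal: $($a.Name) ($($a.ADsPath))"
        }
    )

    [pscustomobject]@{
        ComputerName = $computerName
        DomainJoined = $domainJoined
        LocalUsers   = $users
        LocalAdmins  = $admins
        Findings     = $findings
    }
}

$report = Get-PerimeterIdentityReport
$report | Select-Object ComputerName, DomainJoined
$report.LocalUsers | Format-Table -AutoSize
$report.LocalAdmins | Format-Table -AutoSize
$report.Findings
```

Because the script touches only the local SAM, it has to be run on each perimeter server separately, which is exactly the management overhead the first disadvantage above describes; the findings list gives you a repeatable way to keep those per-server accounts from drifting.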

Presentaties online; System Center Summer Night

On 26 June the second edition of the System Center Summer Night took place, an event organized jointly by Hyper-V.nu and the System Center User Group NL. An afternoon and evening packed with System Center and Hyper-V! A successful day with 100+ visitors, 10+ national and international top speakers and excellent BBQ weather!

For those interested, the presentations are available for download via the link below:

Thanks again to all sponsors, HP, Veeam, Savision and Secunia, for making this day possible! And to all visitors: thank you for coming! Hopefully we can welcome you again next year at the third edition :-).

Windows Azure Pack: Infrastructure as a Service Jump Start

Date: July 16 & 17, 2014
Time: 9am–1pm PDT
Registration page: http://www.microsoftvirtualacademy.com/liveevents/windows-azure-pack-infrastructure-as-a-service-jump-start

Alternative link: http://aka.ms/WAPIaaS

IT Pros, you know that enterprises desire the flexibility and affordability of the cloud, and service providers want the ability to support more enterprise customers. Join us for an exploration of Windows Azure Pack’s (WAP’s) infrastructure services (IaaS), which bring Microsoft Azure technologies to your data center (on your hardware) and build on the power of Windows Server and System Center to deliver an enterprise-class, cost-effective solution for self-service, multitenant cloud infrastructure and application services.

Join Microsoft’s leading experts as they focus on the infrastructure services from WAP, including self-service and automation of virtual machine roles, virtual networking, clouds, plans, and more. See helpful demos, and hear examples that will help speed up your journey to the cloud. Bring your questions for the live Q&A!

Course Outline
Day 1

  • Introduction to the Windows Azure Pack
  • Install and Configure WAP
  • Integrate the Fabric
  • Deliver Self-Service

Day 2

  • Automate Services
  • Extend Services with Third Parties
  • Create Tenant Experiences

Instructors

Andrew Zeller | Microsoft Senior Technical Program Manager

Andrew Zeller is a Technical Program Manager at Microsoft, focusing on service delivery and automation with Windows Server, System Center, and the Windows Azure Pack.

Symon Perriman | Microsoft Senior Technical Evangelist | @SymonPerriman

As Microsoft Senior Technical Evangelist and worldwide technical lead covering virtualization (Hyper-V), infrastructure (Windows Server), management (System Center), and cloud (Microsoft Azure), Symon Perriman is an internationally recognized industry expert, author, keynote presenter, executive briefing specialist, and technology personality. He started in the technology industry in 2002 and has been at Microsoft for seven years, working with multiple teams, including engineering, evangelism, and technical marketing. Symon holds several patents and more than two dozen industry certifications, including Microsoft Certified Trainer (MCT), MCSE Private Cloud, and VMware Certified Professional (VCP). In 2013, he co-authored Introduction to System Center 2012 R2 for IT Professionals (Microsoft Press) and he has contributed to five other technical books. Symon co-hosts the weekly Edge Show for IT Professionals, and his technologies have been featured in PC Magazine, Reuters News, and The Wall Street Journal. He graduated from Duke University with degrees in Computer Science, Economics, and Film & Digital Studies, and he also serves as the technical lead for several startups and entertainment production companies.

Register today!

Additional Background on the VMQ Issue with Emulex and HP

Today I had a conference call with the people from Emulex responsible for the network adapters, firmware and drivers. As many of you know, we’ve had a long-lasting issue with HP/Emulex 554FLB CNAs in HP BL460c Gen 8 blade servers in c7000 blade enclosures. After we had replaced Windows Server 2012 with Hyper-V by Windows Server 2012 R2 with Hyper-V on the same hardware, we started to notice virtual machines losing their connection. We have multiple guest clusters on top of the Hyper-V clusters, and sometimes during Live Migration of one of the cluster nodes we would see that connectivity was lost, even to the point that a cluster node would be forced to leave the cluster and come back later when the network connection was re-established. In fact, that was our single best test to reproduce the problem.

Marc van Eijk and Peter Noorderijk wrote blog posts about it, and together they received over 200 comments from customers all over the world seeing the same problem, the majority of them having Emulex through an OEM like HP, Dell, IBM and Cisco. In fact, we also read about similar cases with HP rack servers, other NICs and different hardware combinations, which led me to believe there could also be an issue in the networking/teaming stack in Windows Server 2012 R2.

During November and December 2013 we collected a list of 10 registered support cases with either HP, Microsoft or both. At that time my primary contact was a senior escalation engineer at Microsoft, who was able to collect several customer cases, mostly from European customers. Unfortunately, we could not register a support case with HP ourselves because we did not have a support contract with them. But the number of customers that discovered they had the same problem grew and grew. There must have been hundreds of open support calls with both HP and Microsoft, and the storm of discontent was growing.

According to HP they were dependent on Emulex, and HP did not get any feedback either. Microsoft was also left in the dark for a long time.

Emulex driver and firmware update

On this blog we’ve blogged about several issues with Emulex adapters on Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, for example blog 1 and blog 2.

Yesterday Emulex announced a driver and firmware update that should solve these issues: http://blogs.emulex.com/implementers/2014/06/19/microsoft-windows-20122012-r2-hyper-vms-losing-network-connectivity-workaround/

As we can read in this blog: “Status on 6/19/2014: Updated driver and firmware code that addresses the VMQ network connectivity issues is currently going through comprehensive validation and test and is estimated to be available for Emulex branded products by mid-July 2014. Driver releases of specific OEM configurations are being evaluated now. We will update this blog as soon as we confirm the timing and location of each OEM release.”

That’s good news! Let’s hope that this update will be available as soon as possible and that this update will fix the VMQ issue!

You can help shape the future of Windows Azure Pack

Windows Azure Pack delivers Microsoft Azure technologies for you to run inside your datacenter. It offers rich, self-service, multi-tenant services and experiences that are consistent with Microsoft’s public cloud offering.

You can help shape the future of Windows Azure Pack. The Windows Azure Pack team has created a user voice site where you can post feature suggestions and vote on the suggestions of others.

You can find the Azure Pack user voice site here http://feedback.azure.com/forums/255259-azure-pack

01 General

Sign in to track your submitted ideas and comments.

When you would like to submit a new suggestion, type in one or more relevant keywords. This automatically filters the already submitted items. If somebody else has already submitted the same suggestion, you can vote on that suggestion instead. As a signed-in user you have a total of 10 votes. With these votes you can submit new suggestions or vote on existing ones.

Vote for existing suggestions

When you vote for existing items, you can choose to give 1, 2, or 3 votes for more weight. You are able to change your assigned votes afterwards. When suggestions are closed, the votes you assigned to that suggestion are available again.

02 Vote for existing idea

Submit a new suggestion

To submit a new suggestion, provide the title for the suggestion and optionally enter a description and category. Select to attach a file if that helps to explain the suggestion and choose how many votes you would like to put on this suggestion.

03 Post new idea

Help shape Windows Azure Pack with the user voice site http://feedback.azure.com/forums/255259-azure-pack

System Center, Hyper-V, Azure and Meat

If you like System Center, Hyper-V and Azure as well as meat, don’t forget to register for System Center Summer Night “The MasterChef edition”, which is rapidly approaching. In 10 days from today, nine experts, seven of whom are MVPs, will give five interesting presentations.

Because we have plenty of space left we invite those who have registered to bring a friend without additional cost. If you haven’t registered yet, please do and have a great afternoon which is completed with a nice barbecue.

Date of event

June 26th

Program

15:00 – 16:15 How many System Center fits on one grill by Ronny de Jong / James van den Berg [MVP] / Helmer Zandbergen / Marc van Eijk [MVP] / Dieter Wijckmans [MVP]

16:15 – 17:30 How Service Manager can do everything you need – a best-of-the-best Swiss cheese selection by Marcel Zehner [MVP]

17:30 – 17:45 Break

17:45 – 19:00 Light up the fire on your Hyper-V by Hans Vredevoort [MVP] & Peter Noorderijk on Hyper-V Architecture

19:00 – 20:15 Become a Masterchef on Microsoft Azure Automation by Maarten Goet [MVP]

20:15 BBQ time

This event is organized by SCUG.nl and Hyper-V.nu

Registration

Please register at https://www.eventbrite.nl/e/tickets-system-center-summer-night-2014-9265847399

Location

Unieplaza
Multatulilaan
4103 NM Culemborg

Hyper-V Amigos Back in Quartet Formation

Back in 2011, four Hyper-V MVPs decided to take on a server virtualization master class series focusing on Hyper-V, for which they adopted the Spanish-sounding name “The Hyper-V Amigos”. In the previous months German Hyper-V MVP Carsten Rachfahl, well known for his Hyper-V podcasts and videos, had already made three episodes with Belgian Hyper-V MVP Didier van Hoye, aka @WorkingHardInIT, which gave us a lot of background on both Carsten and Didier in Episode 1, as well as some great explanatory showcasts on Unmap and Live Migration in Windows Server 2012 R2 in Episodes 2 and 3.

This time Carsten also invited Aidan Finn, Hyper-V MVP from Ireland, and myself to what seemed like a reunion. Three of the MVPs had visited TechEd North America, and in Episode 4 they look back on how they came to be known as The Hyper-V Amigos and what their thoughts were on the TechEd 2014 event.

I invite you to watch the next episode of The Hyper-V Amigos:
http://www.youtube.com/watch?v=PFURtvxbFaU&feature=youtu.be

Windows Azure Pack Tenant Public API

Microsoft Azure and Windows Azure Pack are like two circles. These circles are moving towards each other and are already overlapping on certain parts. The CloudOS vision is those two circles completely merged into one.

Circles

So, when you work with Windows Azure Pack it is very interesting to keep an eye on Microsoft Azure, the public cloud solution from Microsoft. This gives a good idea of the features that are coming to Windows Azure Pack, but also gives more insight into the features that are already available in Windows Azure Pack today. In this blog we will cover a feature that is not very well known but can be very useful: the Windows Azure Pack Tenant Public API.

Most Windows Azure Pack deployments we see in production are in one way or another related to IaaS. Windows Azure Pack provides a powerful web portal that enables tenants to interact with their IaaS services. They can create, edit and delete Virtual Machines and Virtual Networks with just a few clicks.

The tenant portal experience is awesome, but there are scenarios where other methods are required. Take for example regression testing. A tenant wants to schedule a deployment for a set of virtual machines with applications. When the virtual machines are deployed, an automated procedure runs tests against the applications and logs the performed steps to a location for evaluation. After the tests are completed the virtual machines are decommissioned again. The regression tests are scheduled by the tenants, and they make changes to the tests frequently.

The first thing that comes to mind with this example is a combination of the VM Role and Service Management Automation. The VM Role allows you to deploy a virtual machine with an application. Service Management Automation enables scheduling of PowerShell workflows that can deploy the VM Roles for the tenant and run the regression tests as well.

Unfortunately, in this release of Windows Azure Pack you need access to the Windows Azure Pack Admin Site to edit or schedule an SMA runbook. This requires admin interaction for each change in the runbook or each change in the schedule, which is not an option.

Microsoft Azure provides a powerful scripting environment with Azure PowerShell. It allows tenants to interact with the services in their Microsoft Azure subscription with PowerShell cmdlets. These cmdlets can be run from a remote client. The client authenticates to the services in the subscription by using certificates. As you expect from Microsoft Azure it works after some easy steps to get the certificates configured correctly.

WAPack

If you have a closer look at the cmdlets within the Azure PowerShell module you will notice that there are also cmdlets that contain WAPack in their name. This looks promising.

Update Rollup for June 2014

The update rollup for June 2014 fixes the issues that are documented in the following Microsoft Knowledge Base (KB) articles:

  • KB2959146 (http://support.microsoft.com/kb/2959146/): Update for data deduplication to improve scalability in Windows Server 2012 R2
  • KB2960387 (http://support.microsoft.com/kb/2960387/): You are prompted for BitLocker recovery key when Windows enters the automatic repair process
  • KB2961977 (http://support.microsoft.com/kb/2961977/): “Hyper-V Replica Cluster Broker is not installed” error when you replicate private clouds to Windows Azure
  • KB2963523 (http://support.microsoft.com/kb/2963523/): DNS server crashes after you install update 2919355 for Windows Server 2012 R2
  • KB2964723 (http://support.microsoft.com/kb/2964723/): Connectivity lost between two nodes when a node reconnects to a Windows Server 2012 R2-based cluster
  • KB2964724 (http://support.microsoft.com/kb/2964724/): CPrepSrv.exe process crashes or Failover Cluster Manager freezes when you validate storage in Windows Server 2012 R2
  • KB2964725 (http://support.microsoft.com/kb/2964725/): Removed nodes can access shared disk resources unexpectedly in Windows Server 2012 R2
  • KB2964729 (http://support.microsoft.com/kb/2964729/): You cannot stop the cluster service on a Windows Server 2012 R2-based failover cluster
  • KB2964730 (http://support.microsoft.com/kb/2964730/): Storage spaces take a long time to move to another node after a node fails on a Windows Server 2012 R2 failover cluster
  • KB2964732 (http://support.microsoft.com/kb/2964732/): STS passive sign-in fails when a sign-in request is sent to a Windows Server 2012 R2-based STS server through STS proxy
  • KB2964733 (http://support.microsoft.com/kb/2964733/): AD FS device authentication is slow or fails in Windows Server 2012 R2
  • KB2964735 (http://support.microsoft.com/kb/2964735/): Authentication failures and event 422 when AD FS STS servers and AD FS proxy servers are in Windows Server 2012 R2
  • KB2964804 (http://support.microsoft.com/kb/2964804/): Long wait when you first open File Explorer in Windows RT 8.1 or Windows 8.1
  • KB2964814 (http://support.microsoft.com/kb/2964814/): Virtual machine network fails when you start the second VM on a Windows Server 2012 R2-based Hyper-V server
  • KB2964951 (http://support.microsoft.com/kb/2964951/): Windows Update does not download drivers for shared printers in Windows 8.1 or Windows Server 2012 R2
  • KB2965074 (http://support.microsoft.com/kb/2965074/): Error occurs when you run Get-VirtualDisk|Get-ClusterResource cmdlet in Windows 8.1 or Windows Server 2012 R2
  • KB2965174 (http://support.microsoft.com/kb/2965174/): OneDrive improvement update for Windows RT 8.1 and Windows 8.1: June 2014
  • KB2965492 (http://support.microsoft.com/kb/2965492/): “0x80041013” error on a WMI provider in Windows RT 8.1, Windows 8.1, or Windows Server 2012 R2
  • KB2965699 (http://support.microsoft.com/kb/2965699/): “There was a problem” error when you redeem a promotional CSV token in Windows 8.1 or Windows Server 2012 R2
  • KB2965770 (http://support.microsoft.com/kb/2965770/): Cannot select Chinese suggestion words from on-screen keyboard in Windows 8.1 or Windows Server 2012 R2
  • KB2966039 (http://support.microsoft.com/kb/2966039/): Settings are migrated incorrectly after you refresh the system by using PBR in Windows RT 8.1 or Windows 8.1
  • KB2966055 (http://support.microsoft.com/kb/2966055/): Logon UI crashes when you connect to a remote server that is running a Windows Server 2012 R2 Core installation
  • KB2968633 (http://support.microsoft.com/kb/2968633/): Update to improve the OneDrive experience in Windows RT 8.1 and Windows 8.1
  • KB2960837 (http://support.microsoft.com/kb/2960837/): Excel freezes when you convert Japanese characters in Windows
  • KB2956014 (http://support.microsoft.com/kb/2956014/): Audit event ID 4661 triggers an invalid XML error in a Windows Server 2012 R2 or Windows Server 2008 environment
  • KB2950080 (http://support.microsoft.com/kb/2950080/): “The CA certificate could not be retrieved, element not found” error occurs when the CA server host name is longer than 52 characters
  • KB2936341 (http://support.microsoft.com/kb/2936341/): The WebClient service does not send cookies in Windows