Friday 31 January 2020

3 - Azure Sign up options



In this video I explain the sign-up options for Azure, a little about the dashboard, and the Azure support plans.

Thursday 30 January 2020

Wednesday 29 January 2020

Azure: Microsoft Exams update 2020


I have explained the updates to the Microsoft exams for 2020.

Azure: Cloud Concepts



In this video I explain basic cloud concepts. This is part of a series of videos on Azure Fundamentals. Your suggestions and comments are welcome.

Wednesday 22 January 2020

Azure: How to Create Recovery Services Vault?


In this video I explain how to create a Recovery Services vault for backups.

Friday 17 January 2020

Thursday 16 January 2020

Wednesday 15 January 2020

How to Create a VM in Azure Portal



In this video I create a VM in the Azure portal. Any comments and suggestions are welcome.

Tuesday 14 January 2020

Custom Domain Name


QUESTION 9 : You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network. Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an account name that ends with onmicrosoft.com. You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign on (SSO) to access Azure resources. 
What should you do first? 
A. From on-premises network, deploy Active Directory Federation Services (AD FS). 
B. From Azure AD, add and verify a custom domain name. 
C. From on-premises network, request a new certificate that contains the Active Directory domain name. 
D. From the server that runs Azure AD Connect, modify the filtering options.

########################

Explanation:

Explanation: Every new Azure AD tenant comes with an initial domain name, domainname.onmicrosoft.com. You can't change or delete the initial domain name, but you can add your organization's own domain names to the tenant. Adding a custom domain name lets you create user names that are familiar to your users, such as alain@contoso.com.

The question describes the symptom of a UPN mismatch: the on-premises UPN suffix (for example a non-routable contoso.local, or a routable suffix the tenant has not verified) is not a verified domain in Azure AD, so Azure AD Connect provisions the users with an onmicrosoft.com UPN, and Seamless SSO cannot match the on-premises identity to the cloud account. The first step is therefore to add and verify the custom domain (answer B); after that the on-premises UPN suffix can be changed to match and synchronized. AD FS, a new certificate, or sync filtering do not address the mismatch.

You need the Global Administrator (or Domain Name Administrator) role in the tenant to add a custom domain name.

  • Sign in to the Azure portal with Global Administrator credentials for the directory. Search for and select Azure Active Directory from any page, then select Custom domain names > Add custom domain.
  • In Custom domain name, enter your organization's domain, in this example example.com, and select Add domain. The domain is added in the unverified state.
  • Azure AD shows a TXT (or MX) record to create at your public DNS provider. After the record has propagated, open example.com in the Custom domain names list and select Verify; the domain is then marked as verified.
Courtesy: 
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
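As an added example (not from the original post or from Microsoft's documentation), here is the same procedure in PowerShell, followed by the on-premises check for the UPN mismatch the question describes. It assumes the Microsoft Graph PowerShell SDK and the ActiveDirectory module, a Global Administrator session, and a hypothetical domain example.com; the AdditionalProperties lookup for the TXT value is an assumption about how the SDK surfaces the derived record type.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph and ActiveDirectory
# modules, a Global Administrator session, and the hypothetical custom domain example.com.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module ActiveDirectory

$domainName = 'example.com'   # assumed custom domain; replace with your own

Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

# 1. Register the domain in the tenant; it is created in the unverified state.
if (-not (Get-MgDomain -DomainId $domainName -ErrorAction SilentlyContinue)) {
    New-MgDomain -Id $domainName | Out-Null
}

# 2. Fetch the verification records. The TXT record is what proves ownership of the zone.
$records = Get-MgDomainVerificationDnsRecord -DomainId $domainName
$txt = $records | Where-Object RecordType -eq 'Txt'
# Assumption: type-specific fields of the TXT record subtype are exposed via AdditionalProperties.
Write-Host "Create a TXT record at the zone apex with value: $($txt.AdditionalProperties['text'])"

# 3. Once the record is publicly resolvable, ask Azure AD to verify it. Confirm-MgDomain
#    fails until the TXT record can be seen from the internet.
Resolve-DnsName -Name $domainName -Type TXT -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Strings
Confirm-MgDomain -DomainId $domainName

# 4. Find enabled on-premises users whose UPN suffix is not a verified tenant domain.
#    Azure AD Connect gives exactly these users an onmicrosoft.com UPN in the cloud.
$verified = (Get-MgDomain | Where-Object IsVerified).Id
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and ($_.UserPrincipalName.Split('@')[1] -notin $verified) }
$mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 5. Add the verified suffix to the forest and re-suffix the affected users. -WhatIf previews
#    the change; remove it once the list above is what you expect. Azure AD Connect then
#    syncs the new UPNs on its next delta cycle.
Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{ Add = $domainName }
foreach ($u in $mismatched) {
    Set-ADUser -Identity $u -UserPrincipalName "$($u.SamAccountName)@$domainName" -WhatIf
}
# On the Azure AD Connect server, after the UPN changes:
# Start-ADSyncSyncCycle -PolicyType Delta
```

Changing a UPN changes the name users sign in with, so announce it first, and run the user loop in batches rather than for the whole forest at once.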



Monday 13 January 2020

How to clean up Active Directory Metadata

Sometimes a domain controller crashes, or is forcibly removed from the forest, while the objects that describe it still exist in the directory. That leftover data must be removed from the forest; this is called cleaning up Active Directory metadata. Until it is done, the remaining domain controllers keep trying to replicate with a server that no longer exists, the KCC keeps building connection objects to it, and any FSMO roles it held stay unreachable.

Metadata cleanup removes the data that identifies the domain controller to the replication system, removes its File Replication Service (FRS) and DFS Replication connection objects, and attempts to transfer or seize any operations master (FSMO) roles the retired domain controller held.

You can clean up metadata with the GUI tools, from the command line, or with a script. Before you start, make sure that the computer object and the NTDS Settings object of the domain controller are not protected against accidental deletion: right-click the computer object or the NTDS Settings object, click Properties, click the Object tab, and clear the Protect object from accidental deletion check box. You must be a member of Domain Admins, or equivalent, to perform this task.

I will discuss both the GUI and the command-line methods here.

1) GUI Method

  • Open Active Directory Users and Computers. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
  • In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
  • In the Active Directory Domain Services dialog box, confirm that the name of the domain controller you want to delete is shown, and click Yes to confirm the deletion of the computer object.
  • In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
  • If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
  • If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown. You cannot choose a different target in this dialog; if you want a role on another domain controller, transfer it after the cleanup has finished.

2) Command line

  • Open a command prompt as an administrator: on the Start menu, right-click Command Prompt, and then click Run as administrator.
  • At the command prompt, type ntdsutil and press ENTER.
  • At the ntdsutil: prompt, type metadata cleanup and press ENTER.
  • At the metadata cleanup: prompt, type remove selected server <ServerName> and press ENTER, where <ServerName> is the distinguished name of the server object, in the form CN=ServerName,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=ForestRootDomain.
  • In the Server Remove Confirmation dialog box, review the information and warning, and then click Yes to remove the server object and its metadata.
  • Ntdsutil confirms that the domain controller was removed successfully. At the metadata cleanup: and ntdsutil: prompts type quit and press ENTER.
  • Afterwards, delete any remaining DNS records (A, SRV and CNAME) for the retired domain controller; metadata cleanup does not remove them.
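The whole procedure, including the pre-checks and the post-cleanup verification the steps above leave implicit, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module, Domain Admins rights, a hypothetical dead domain controller DC2 and a surviving DC1; ntdsutil still pops up its confirmation dialog, so the script is not fully unattended.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# Domain Admins rights, a hypothetical failed DC named DC2 and a surviving DC named DC1.
Import-Module ActiveDirectory

$deadDc   = 'DC2'
$survivor = 'DC1'
$configNC = (Get-ADRootDSE).configurationNamingContext
$domain   = Get-ADDomain
$forest   = Get-ADForest

# 1. Locate the server object under Sites and its NTDS Settings child, plus the computer object.
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$deadDc))"
if (-not $serverObj) { throw "No server object found for $deadDc; metadata may already be clean." }
$ntdsObj  = Get-ADObject -SearchBase $serverObj.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)' `
                -Properties ProtectedFromAccidentalDeletion
$computer = Get-ADComputer -Identity $deadDc -Properties ProtectedFromAccidentalDeletion

# 2. Clear accidental-deletion protection; otherwise the removal fails with access denied.
foreach ($obj in @($computer, $ntdsObj) | Where-Object { $_ }) {
    if ($obj.ProtectedFromAccidentalDeletion) {
        Set-ADObject -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion $false
    }
}

# 3. Seize any FSMO roles the dead DC still holds. -Force seizes when a transfer is impossible.
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$deadDc.*" } | ForEach-Object Key)
if ($held.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor -OperationMasterRole $held -Force -Confirm:$false
}

# 4. Remove the metadata. The DN form is the one ntdsutil accepts for "remove selected server".
ntdsutil "metadata cleanup" "remove selected server $($serverObj.DistinguishedName)" quit quit

# 5. Verify nothing references the dead DC any more: no DC object, no DFSR topology member,
#    no replication partner. All three should return nothing.
Get-ADDomainController -Filter "Name -eq '$deadDc'"
Get-ADObject -SearchBase "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)" `
    -LDAPFilter "(cn=$deadDc)"
repadmin /showrepl | Select-String $deadDc

# 6. DNS is not touched by metadata cleanup: list what still points at DC2 so it can be removed.
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -ComputerName $survivor |
    Where-Object { $_.HostName -eq $deadDc -or ($_.RecordData.DomainName -like "$deadDc.*") } |
    Select-Object HostName, RecordType
```

Step 6 needs the DnsServer module (RSAT DNS tools) and only covers the forward zone; the _msdcs zone and reverse zones need the same query.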

Saturday 11 January 2020

Pre-Assessment Questionnaire


I have prepared this document for those who want to migrate their on-premises servers to the cloud. This questionnaire can be used before the assessment you have to do for your migration.

  1. What does your current network environment look like? Please explain with a logical diagram.
  2. What does your current server environment look like? Please explain with a logical diagram.
  3. What is the nature of your organization's business?
  4. How many Active Directory domains are running in your current forest?
  5. How many DCs, DNS servers etc. are running in your forest?
  6. Please tell us about the applications, locations and groups within your organization.
  7. Have you compiled an inventory of your physical and virtual servers?
  8. Have you deployed virtualization in your data center (e.g. Hyper-V, VMware)?
  9. Are you currently using any cloud service?
  10. Do you want to work in a hybrid environment or move everything to the cloud?
  11. We need to assess the on-premises applications to identify their dependencies and analyze their configuration.

Friday 10 January 2020

How to Create a Storage Account in MS Azure

Objectives:

  1. Create a storage account that can host the virtual disk files for Azure virtual machines.
  2. The cost of accessing the files and the replication cost must be minimized.

For Account kind select General-purpose v2, which is recommended for most scenarios and delivers the lowest per-gigabyte capacity prices for Azure Storage.
For Replication select Locally-redundant storage (LRS). LRS is the cheapest replication option and the right one for VM disks: geo-redundant replication is asynchronous, so the secondary copy of a disk can be inconsistent, and premium disks require LRS in any case. Read-access geo-redundant storage (RA-GRS) is the opposite choice: it maximizes availability by replicating to a second region and allowing reads from it, but it is the most expensive option and is not recommended for VM disks.
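The same account created from Az PowerShell, with the settings that close the usual storage-account exposures, followed by an audit of every account in the subscription. This is an added example, not from the original post; it assumes the Az.Storage module, a logged-in Az session, and hypothetical names (RG1, stvmdisks001, eastus).

```powershell
# Added example, not from the original post. Assumes Az.Storage, an Az session, and
# hypothetical names for the resource group, account and region.
Import-Module Az.Storage

$rg       = 'RG1'
$name     = 'stvmdisks001'   # 3-24 lowercase letters and digits, globally unique
$location = 'eastus'

# GPv2 + LRS is the cheapest kind/replication pair and the one to use for disks. The other
# switches close the common misconfigurations: plain HTTP, anonymous blob access, old TLS.
$account = New-AzStorageAccount -ResourceGroupName $rg -Name $name -Location $location `
    -Kind StorageV2 -SkuName Standard_LRS `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false
$account | Select-Object StorageAccountName, Kind, @{ n = 'Sku'; e = { $_.Sku.Name } }

# Audit every account in the subscription against the same expectations and report drift.
function Get-StorageAccountFindings {
    Get-AzStorageAccount | ForEach-Object {
        $sku = [string]$_.Sku.Name
        [pscustomobject]@{
            Name           = $_.StorageAccountName
            Kind           = $_.Kind
            Replication    = $sku
            HttpsOnly      = $_.EnableHttpsTrafficOnly
            MinTls         = $_.MinimumTlsVersion
            # AllowBlobPublicAccess is null on accounts created before the setting existed,
            # which historically meant "allowed", so anything other than $false counts.
            PublicBlobs    = $_.AllowBlobPublicAccess -ne $false
            CostlyForDisks = $sku -notin @('Standard_LRS', 'Premium_LRS')
            Insecure       = (-not $_.EnableHttpsTrafficOnly) -or
                             ($_.AllowBlobPublicAccess -ne $false) -or
                             ($_.MinimumTlsVersion -ne 'TLS1_2')
        }
    }
}

Get-StorageAccountFindings | Where-Object { $_.CostlyForDisks -or $_.Insecure } | Format-Table -AutoSize
```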

Courtesy:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal

Thursday 9 January 2020

How to Troubleshoot and Fix Active Directory Replication Issues

Repadmin shipped with the Windows Server 2003 Support Tools and has been built into Windows Server since 2008 (it is also part of RSAT). It is a command-line tool for checking replication between domain controllers: it reports the health of Active Directory replication, shows the errors, and can force replication. Replication is the service that keeps every domain controller in the forest in sync; when it breaks, the symptoms show up elsewhere as stale passwords and group memberships, failed logons, missing Group Policy and inconsistent DNS.

Below I show how to narrow the problem down step by step.

First open a command prompt with administrator privileges.

repadmin /?
Shows the help with all the command-line options.

repadmin /replsummary
Summarizes replication health for the whole forest: for each source and destination domain controller, the number and percentage of attempts that failed and the largest replication delta. This is the place to start.

repadmin /showrepl
Shows, for each naming context on the local domain controller, its inbound replication partners with the time and result of the last attempt, together with each partner's DSA object GUID and invocation ID.

repadmin /showrepl "Server Name"
Shows the same information for a particular domain controller; put its name in place of "Server Name".

repadmin /showrepl /errorsonly
Shows only the partners that have errors.

repadmin /syncall dc1 /AdeP
Forces replication. The switches mean: /A all naming contexts held by dc1, /d identify servers by distinguished name instead of GUID in the output, /e enterprise (partners in other sites as well), /P push changes outward from dc1 instead of pulling them in. Forcing a sync does not fix the underlying cause; it tells you whether the cause has been fixed.
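The commands above print text; when there are more than a handful of domain controllers you want the failures as objects you can filter and sort. This added example (not from the original post) wraps repadmin's CSV output and shows the equivalent queries from the ActiveDirectory module. It assumes repadmin.exe and the module are installed (RSAT) and that the caller can read the forest.

```powershell
# Added example, not from the original post. Assumes repadmin.exe and the ActiveDirectory
# module (both in RSAT) and an account that can query every DC in the forest.
Import-Module ActiveDirectory

function Get-ReplicationLink {
    # /showrepl * /csv emits one row per inbound link on every DC in the forest.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            Failures      = [int]$r.'Number of Failures'
            LastSuccess   = $r.'Last Success Time'
            LastFailure   = $r.'Last Failure Time'
            Status        = $r.'Last Failure Status'
        }
    }
}

# Links that have failed at least once, worst first. Status 8524 is a DNS lookup failure for
# the source DC, 1722 means RPC is unreachable (firewall), 8453 is replication access denied.
Get-ReplicationLink | Where-Object Failures -gt 0 |
    Sort-Object Failures -Descending | Format-Table -AutoSize

# The same picture without parsing repadmin output.
$forestName = (Get-ADForest).Name
Get-ADReplicationFailure -Target $forestName -Scope Forest |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# Links whose last success is more than a day old, even if no attempt has failed recently;
# these are the ones heading for the tombstone-lifetime limit.
Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-1) } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult

# Once the cause is fixed, force a forest-wide sync of every naming context from DC1 and
# re-run the failure query; a link that still fails has a second cause.
repadmin /syncall DC1 /AdeP | Out-Null
Get-ReplicationLink | Where-Object Failures -gt 0
```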

Wednesday 8 January 2020

Azure AD Conditional Access - MFA


QUESTION 4: You have an Azure Active Directory (Azure AD) tenant. You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of the Global Administrators group authenticate to Azure AD from untrusted locations. You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating from untrusted locations. What should you do?
A. From the Azure portal, modify session control of Policy1.
B. From multi-factor authentication page, modify the user settings.
C. From multi-factor authentication page, modify the service settings.
D. From the Azure portal, modify grant control of Policy1.

##########################

For cloud apps you may let users sign in with just a user name and password, but for sensitive apps such as email and HR systems it is advisable to require a stronger form of verification such as multi-factor authentication (MFA). This is what Conditional Access policies in Azure AD are for; they require an Azure AD Premium license. Refer to the image below for details.




A Conditional Access policy has two kinds of controls, highlighted above: grant controls and session controls. Grant controls decide whether a sign-in is allowed to complete and reach the resource, and what the user must satisfy first: require MFA, require a compliant device, require a hybrid Azure AD-joined device, or block access. If several grant controls are selected, you choose whether all of them or any one of them must be satisfied. Session controls apply limits inside a session that has already been granted, such as app-enforced restrictions or sign-in frequency; they never add an authentication requirement. Policy1 already has a device grant control, so to also force MFA from untrusted locations you modify the grant controls of Policy1 (answer D), select both controls and require all of them. The MFA service settings and user settings pages configure per-user MFA, not the policy.
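The change to Policy1 from the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the SDK is installed, the caller holds the Conditional Access Administrator role, and a hypothetical policy named Policy1 whose grant control is currently the device requirement only.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK, a session with
# the Conditional Access Administrator role, and a hypothetical policy named Policy1.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Policy1'"
if (-not $policy) { throw 'Policy1 not found' }

# Before: the grant control is the device requirement only.
$policy.GrantControls | Select-Object Operator, BuiltInControls

# The fix lives in the grant controls. Add 'mfa' beside the existing device control and
# set the operator to AND: with OR, a joined device alone would still satisfy the policy.
$grant = @{
    operator        = 'AND'
    builtInControls = @('mfa', 'domainJoinedDevice')
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
    -BodyParameter @{ grantControls = $grant }

# A session control would be the wrong lever: it shapes a session that has already been
# granted (sign-in frequency, app-enforced restrictions) and cannot demand a second factor.

# Re-read and check: both controls, operator AND, and the policy state.
$after = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$after.GrantControls | Select-Object Operator, BuiltInControls
$after.State   # 'enabledForReportingButNotEnforced' is report-only; 'enabled' enforces
$after.Conditions.Users.ExcludeUsers   # the emergency-access accounts must be listed here
```

Because the policy targets Global Administrators, check the ExcludeUsers list before enforcing: a policy that requires MFA and a joined device for every Global Administrator, with no excluded emergency-access account, can lock every administrator out of the tenant. Leave the policy in report-only mode until the sign-in logs show the expected result for the targeted group.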

Restore the Default Domain Policy GPO

Sometimes when we run the command "gpupdate /force" we face the following error:

The processing of Group Policy failed. Windows attempted to read the file \\example.com\sysvol\example.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).





In the System event log this is recorded as Event ID 1058 from the GroupPolicy source.



The GUID in the path, {6AC1786C-016F-11D2-945F-00C04FB984F9}, is the well-known GUID of the Default Domain Controllers Policy ({31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy). Before recreating anything, check the two causes the event itself lists: confirm that the domain controller resolves and is reachable, and compare the SYSVOL Policies folder on each domain controller, because a gpt.ini that exists on some domain controllers but not on others is a SYSVOL replication problem that recreating the GPO will not fix. Only if the policy folder is genuinely missing everywhere do you restore the default GPO with the following command.

Syntax:
 DCGPOFix [/ignoreschema] [/target: {Domain | DC | Both}] [/?]


Command:
dcgpofix /ignoreschema /target:DC

The command above recreates the Default Domain Controllers Policy from scratch (/target:Domain recreates the Default Domain Policy, /target:Both recreates both, and /ignoreschema skips the check that the Active Directory schema version matches the one the tool expects). Every setting that was customized in that GPO is lost, including the user rights assignments and audit settings applied to domain controllers, and its permissions are reset to the defaults. Always back up your GPOs first, for example with Backup-GPO -All.
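The checks, the backup and the repair in one PowerShell session, as an added example that is not part of the original post. It assumes the GroupPolicy and ActiveDirectory modules on a domain controller, Domain Admins rights, and a placeholder backup path.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy and ActiveDirectory
# modules on a domain controller, Domain Admins rights; the backup path is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$ddcpGuid = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'   # Default Domain Controllers Policy
$ddpGuid  = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy

# 1. Confirm the symptom: Event 1058 in the System log names the gpt.ini that could not be read.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1058 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 2. Rule out the benign causes first. A file present on some DCs but not others is a SYSVOL
#    replication or DNS problem; only a file missing on every DC is a lost GPO.
function Test-DefaultGpoFiles {
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($guid in @($ddpGuid, $ddcpGuid)) {
        foreach ($dc in $dcs) {
            $path = "\\$dc\SYSVOL\$domain\Policies\$guid\gpt.ini"
            [pscustomobject]@{ DC = $dc; Policy = $guid; Present = (Test-Path -Path $path) }
        }
    }
}
$files = Test-DefaultGpoFiles
$files | Format-Table -AutoSize
$missingEverywhere = -not ($files | Where-Object { $_.Policy -eq $ddcpGuid -and $_.Present })

# 3. Back up every GPO before touching anything; nothing else will bring the old settings back.
$backupDir = 'C:\GPOBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -All -Path $backupDir | Select-Object DisplayName, GpoId, BackupDirectory

# 4. Recreate the Default Domain Controllers Policy only if it is gone on every DC.
#    /target:DC rebuilds that policy (the GUID from the event); /target:Domain rebuilds the
#    Default Domain Policy; /target:Both does both. Customised user-rights assignments and
#    audit settings in the rebuilt GPO are reset to the defaults.
if ($missingEverywhere) {
    dcgpofix /ignoreschema /target:DC
} else {
    Write-Warning 'gpt.ini exists on at least one DC: fix SYSVOL replication or DNS instead of running dcgpofix.'
}

# 5. Confirm the GPO is back and apply it on this DC.
Get-GPO -Guid $ddcpGuid | Select-Object DisplayName, Id, ModificationTime
gpupdate /force
```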

Courtesy:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh875588(v=ws.11)?redirectedfrom=MSDN

Tuesday 7 January 2020

Creating Virtual Network Gateways between two VNets in different Subscriptions


QUESTION 3: You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant. Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16. Subscription2 contains a virtual network named VNet2. Vnet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24. You need to connect VNet1 to VNet2. What should you do first? 

A. Modify the IP address space of VNet2.
B. Move VM1 to Subscription2.
C. Provision virtual network gateways.
D. Move VNet1 to Subscription2

################################### 

Explanation:
To connect two VNets in different subscriptions you provision a virtual network gateway in each VNet and then create a VNet-to-VNet connection between the two gateways (answer C). This works like a site-to-site IPsec connection to an on-premises location: both connection types use a VPN gateway to build an encrypted tunnel, and the two gateways authenticate each other with a shared key. The address spaces only have to be non-overlapping, and 10.0.0.0/16 and 10.10.0.0/24 do not overlap, so VNet2 does not need to change; moving the VM or the VNet between subscriptions is not required either.
You can also connect VNets with VNet peering, which routes traffic over the Microsoft backbone without a VPN gateway or a tunnel. Azure has two types of peering: Virtual Network Peering (same region) and Global Virtual Network Peering (across Azure regions).
For details please refer to the link below.
Courtesy:  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
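The gateway provisioning and the cross-subscription connection from Az PowerShell, as an added example that is not part of the original post or of the linked article. It assumes the Az.Accounts and Az.Network modules, an identity that can manage networking in both subscriptions (sign in to each tenant with Connect-AzAccount -Tenant first), and placeholder subscription IDs, resource group names and gateway subnet prefixes.

```powershell
# Added example, not from the original post. Assumes Az.Accounts and Az.Network, an account
# with network rights in both subscriptions, and placeholder IDs, names and prefixes.
Import-Module Az.Network

$sub1 = '<subscription1-id>'; $rg1 = 'RG1'; $vnet1 = 'VNet1'; $gw1Name = 'VNet1-gw'
$sub2 = '<subscription2-id>'; $rg2 = 'RG2'; $vnet2 = 'VNet2'; $gw2Name = 'VNet2-gw'
$location = 'eastus'
# 10.0.0.0/16 and 10.10.0.0/24 do not overlap, so neither address space has to change first.

function New-VnetGateway {
    param($ResourceGroup, $VnetName, $GatewayName, $GatewaySubnetPrefix, $Location)
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
    if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
        # The subnet must be named exactly GatewaySubnet; /27 leaves room for later SKU changes.
        Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $GatewaySubnetPrefix -VirtualNetwork $vnet | Out-Null
        $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    }
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
    # Current gateway SKUs take a Standard static public IP (older non-AZ SKUs used Basic/Dynamic).
    $pip = New-AzPublicIpAddress -Name "$GatewayName-pip" -ResourceGroupName $ResourceGroup `
        -Location $Location -AllocationMethod Static -Sku Standard
    $ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "$GatewayName-ipconf" -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
    # Route-based VPN gateway; provisioning takes 30-45 minutes.
    New-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -Location $Location `
        -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
}

Set-AzContext -Subscription $sub1 | Out-Null
$gw1 = New-VnetGateway $rg1 $vnet1 $gw1Name '10.0.255.0/27' $location
Set-AzContext -Subscription $sub2 | Out-Null
$gw2 = New-VnetGateway $rg2 $vnet2 $gw2Name '10.10.0.224/27' $location

# One random pre-shared key used on both sides; never reuse the sample key from documentation.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# A connection is created in each subscription and references the other gateway by object;
# passing the object is what makes the cross-subscription (and cross-tenant) case work.
Set-AzContext -Subscription $sub1 | Out-Null
New-AzVirtualNetworkGatewayConnection -Name 'VNet1-to-VNet2' -ResourceGroupName $rg1 -Location $location `
    -VirtualNetworkGateway1 $gw1 -VirtualNetworkGateway2 $gw2 -ConnectionType Vnet2Vnet -SharedKey $psk
Set-AzContext -Subscription $sub2 | Out-Null
New-AzVirtualNetworkGatewayConnection -Name 'VNet2-to-VNet1' -ResourceGroupName $rg2 -Location $location `
    -VirtualNetworkGateway1 $gw2 -VirtualNetworkGateway2 $gw1 -ConnectionType Vnet2Vnet -SharedKey $psk

# ConnectionStatus should reach Connected a few minutes after the second connection exists.
Get-AzVirtualNetworkGatewayConnection -Name 'VNet2-to-VNet1' -ResourceGroupName $rg2 |
    Select-Object Name, ConnectionStatus
```

Store the generated pre-shared key somewhere you can retrieve it (a key vault, not a script), because it is needed again whenever either connection is recreated.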

Monday 6 January 2020

Export template from a resource group


QUESTION 2: You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table. Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template. You need to view the template used for the deployment. From which blade can you view the template that was used for the deployment? 

A. Container1
B. VM1
C. Storage2
D. RG1

###################################################### 

 Explanation:
As an administrator I often need the template behind a deployment so that I can repeat it. A template can be exported in two ways:

  • Export from a resource group
Select the resource group that contains the resources. Tick the check box to the left of one or more resource names, and the Export template menu item becomes available at the top right. Azure generates a template from the current state of the selected resources.

  • Export from the deployment history
This is what the question asks for: the template that was actually used to deploy existing resources. Select the resource group (RG1, answer D), select the link under Deployments, pick the deployment, and select Template. The deployment history is stored on the resource group, not on the individual VM, storage account or container, which is why the other blades cannot show it.
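Both exports from Az PowerShell, plus a check that the deployment history is not leaking secrets, as an added example that is not part of the original post. It assumes the Az.Resources module and a hypothetical resource group RG1 whose history contains the VM1/Storage2 deployment.

```powershell
# Added example, not from the original post. Assumes Az.Resources and a hypothetical
# resource group RG1 with at least one deployment in its history.
Import-Module Az.Resources

$rg = 'RG1'

# The history lives on the resource group, which is why the answer is the RG1 blade.
$deployments = Get-AzResourceGroupDeployment -ResourceGroupName $rg | Sort-Object Timestamp -Descending
$deployments | Select-Object DeploymentName, ProvisioningState, Timestamp | Format-Table -AutoSize

# 1. Save the template exactly as it was submitted for the most recent deployment.
$latest = $deployments | Select-Object -First 1
Save-AzResourceGroupDeploymentTemplate -ResourceGroupName $rg -DeploymentName $latest.DeploymentName `
    -Path ".\$($latest.DeploymentName).json" -Force

# 2. Or generate a template from the resources' current state (the "Export template" menu item).
Export-AzResourceGroup -ResourceGroupName $rg -Path '.\RG1-current.json' -IncludeParameterDefaultValue -Force

# 3. Every parameter that is not typed secureString is stored in clear in the history and is
#    readable by anyone with Reader on the resource group. Flag the ones whose names suggest
#    they should have been secure.
function Get-DeploymentParameterExposure {
    param([string]$ResourceGroupName)
    Get-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName | ForEach-Object {
        $d = $_
        foreach ($p in $d.Parameters.GetEnumerator()) {
            [pscustomobject]@{
                Deployment = $d.DeploymentName
                Parameter  = $p.Key
                Type       = $p.Value.Type
                Exposed    = ($p.Value.Type -ne 'SecureString') -and ($p.Key -match 'password|secret|key|token')
            }
        }
    }
}
Get-DeploymentParameterExposure -ResourceGroupName $rg | Where-Object Exposed | Format-Table -AutoSize
```

An exposed value cannot be un-exposed by deleting the deployment alone; treat it as leaked and rotate it.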
 
 

Saturday 4 January 2020

Moving Azure VM to different Vnet.


Question No. 1: You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table: 
VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2. An administrator named Admin1 creates an Azure virtual machine VM1 in RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1. You need to move the custom application to VNet2. The solution must minimize administrative effort. Which two actions should you perform? To answer, select the appropriate options in the answer area. 

NOTE: Each correct selection is worth one point.
A) First Action:
  • Create a network interface in RG2
  • Detach a network interface
  • Delete VM1
  • Move a network interface to RG2
 B) Second Action:
  • Attach a network interface
  • Create a network interface in RG2
  • Create a new virtual machine
  • Move VM1 to RG2

#############################
Explanation:
 
As an Azure administrator I sometimes need to move a VM to a different VNet. A VM cannot be moved between VNets directly: the VM has to be deleted and recreated in the other VNet with its existing virtual disks and configuration, which is why the two actions are Delete VM1 and then Create a new virtual machine. The steps are:
  1. Shut down (stop and deallocate) the VM.
  2. Delete the VM object, keeping its virtual hard disks.
  3. Create a new VM in the target VNet, attaching the original virtual hard disks.
It is easy to get wrong because you have to keep track of the disks, NICs and IP configuration yourself. The same move can be done with a Recovery Services vault, which handles that bookkeeping:

  1. Create a Recovery Services vault in the same region as the VM.
  2. Configure backup for the VM in the vault and run a manual backup.
  3. Stop and deallocate the VM you need to migrate to the other VNet.
  4. Ensure that the target VNet and subnet are ready to receive the VM.
  5. Restore the backed-up VM into the target VNet, choosing the VNet and subnet in the restore configuration.
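The delete-and-recreate path from Az PowerShell, which does the disk, NIC and LUN bookkeeping the text warns about, as an added example that is not part of the original post. It assumes the Az.Compute and Az.Network modules, managed disks, the names from the question (RG1, VM1, RG2, VNet2) and a placeholder subnet and NIC name.

```powershell
# Added example, not from the original post. Assumes Az.Compute and Az.Network, managed disks,
# the question's names (RG1, VM1, RG2, VNet2) and a placeholder subnet name.
Import-Module Az.Compute
Import-Module Az.Network

$srcRg = 'RG1'; $vmName = 'VM1'
$dstRg = 'RG2'; $dstVnet = 'VNet2'; $dstSubnet = 'default'

# 1. Capture everything the new VM must inherit before the old object is deleted.
$vm = Get-AzVM -ResourceGroupName $srcRg -Name $vmName
$osDisk    = Get-AzDisk -ResourceGroupName $srcRg -DiskName $vm.StorageProfile.OsDisk.Name
$dataDisks = foreach ($d in $vm.StorageProfile.DataDisks) {
    [pscustomobject]@{ Disk = (Get-AzDisk -ResourceGroupName $srcRg -DiskName $d.Name); Lun = $d.Lun }
}
$isWindows = $vm.StorageProfile.OsDisk.OsType -eq 'Windows'

# 2. Stop, then delete the VM object only. Remove-AzVM leaves managed disks and NICs in place.
Stop-AzVM -ResourceGroupName $srcRg -Name $vmName -Force
Remove-AzVM -ResourceGroupName $srcRg -Name $vmName -Force

# 3. A NIC cannot change VNet, so create a new one in the target subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $dstRg -Name $dstVnet
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $dstSubnet -VirtualNetwork $vnet
$nic = New-AzNetworkInterface -ResourceGroupName $dstRg -Name "$vmName-nic2" -Location $vm.Location -SubnetId $subnet.Id

# 4. Rebuild the VM around the original disks. CreateOption Attach reuses the disk as-is, so
#    the OS and the custom application come back untouched; LUNs are preserved.
$cfg = New-AzVMConfig -VMName $vmName -VMSize $vm.HardwareProfile.VmSize
$cfg = if ($isWindows) { Set-AzVMOSDisk -VM $cfg -ManagedDiskId $osDisk.Id -CreateOption Attach -Windows }
       else            { Set-AzVMOSDisk -VM $cfg -ManagedDiskId $osDisk.Id -CreateOption Attach -Linux }
foreach ($d in $dataDisks) {
    $cfg = Add-AzVMDataDisk -VM $cfg -ManagedDiskId $d.Disk.Id -Lun $d.Lun -CreateOption Attach
}
$cfg = Add-AzVMNetworkInterface -VM $cfg -Id $nic.Id
New-AzVM -ResourceGroupName $dstRg -Location $vm.Location -VM $cfg

# 5. Loose ends: the disks are still in RG1, the old NIC (and any public IP) in RG1 is now
#    orphaned, and the VM has a new private address, so NSG and firewall rules keyed on the
#    old IP need updating. List the orphaned NICs so they are not forgotten.
Get-AzNetworkInterface -ResourceGroupName $srcRg | Where-Object { -not $_.VirtualMachine } | Select-Object Name
```

Extensions, boot diagnostics and identity assignments on the old VM are not carried over by this script; re-apply them after New-AzVM returns.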