Kevin Remde's IT Pro Weblog

  • What’s New for Active Directory in Server 2012 R2?

    Active Directory.  You know it.  You love it.  You’ve loved it since it made its introduction back in Windows 2000 Server.  Over 90 percent of the world’s business IT relies on Active Directory for local user and machine management, authentication, policy application, and directory services.  And with every new version of a Windows Server product, we make improvements and add new functionality that either directly impacts Active Directory, or indirectly impacts (read: enables) other new functionality on behalf of your users, applications, and managed resources.  So naturally we couldn’t do a series of “Why Windows Server 2012 R2” articles without discussing it.

    If there were an overall theme on top of the updates in Active Directory in Windows Server 2012 R2, I would have to say it’s the new capabilities to support the “Consumerization of IT” and “BYOD”. 

    From this TechNet Document:

    “One of the most prevalent IT industry trends at the moment is the proliferation of consumer devices in the workplace.  Employees and partners want to access protected corporate data from their personal devices, from checking email to the consumption of advanced business applications.  IT administrators in organizations, while wanting to enable this level of productivity, would like to continue to ensure that they can manage risk and govern the use of corporate resources.”

    To support this notion of giving our employees the ability to get their work done from their personal devices, of course there has been new functionality added to Active Directory to support it.  But before I get ahead of myself, why don’t I list out the 4 key value propositions – the main things you get that are new, and enabled by new capabilities in Active Directory:

    1. Workplace Join – Allow a user to associate their personal device with the company directory
    2. Single Sign-On from those devices now associated with the directory, granting them access to corporate data and applications
    3. Securely authenticate for and connect to company applications and data from anywhere (with an Internet connection), and
    4. Manage the risk of those users who work from and access data from anywhere.

    NOTE: These each are very big topics in their own right.  So, rather than doing an exhaustive write-up on each one, I’ll summarize the capabilities and benefits here, point out what specifically has changed in Active Directory to support it, and then point you to more complete documentation and user guides for further study if you wish.

    Join the Workplace

    What is it?

    As a company employee who has his/her own device, and with the blessing of the company I work for (who is really interested in allowing me to be mobile and productive on whatever device I have), I want to be able to get stuff done.  So I will “join” my device to the “workplace”.

    “Isn’t that like joining the domain?”

    Yes.  Well, sort of.  But more correctly, NO.  It’s not going to be a domain-joined device in the way that we’ve been managing devices since Windows NT.  In this case, we’re registering the device with the domain so that it (and its owner) will be trusted when requesting and running company-secured applications, accessing company-secured data, or otherwise accessing company-secured resources.  When you join a device to the workplace, it becomes “a known device and will provide seamless second factor authentication and single-sign-on to workplace resources and applications.”  And once the device is “known”, IT can leverage that knowledge to also apply additional configurations (example: pushing company VPN connection settings to the device).

    What changed in AD to support it?

    The main change here was the addition of the Device Registration Service.  The DRS, which is a new part of the Active Directory Federation Services (ADFS) role, creates a device object in Active Directory, and tracks the associated device’s certificate in order to represent the device’s identity.

    For more information:

    The SSO (Single Sign-On)

    What is it?

    Here’s a simple scenario: You have a device that you’re using to connect to a company SharePoint server.  You’ve registered your device with the company (“workplace join”), so your device has a certificate that is known to the directory as being yours; an employee in good standing.  Without SSO, you would be prompted for a login with every application or company SharePoint server you try to access.  But with SSO, you will only be asked one time. 

    What changed in AD to support it?

    In addition to the Device Registration Service, the Active Directory Federation Services (ADFS) role allows claims-based authentication to occur based on trusted certificates.  Once the user is authenticated (username + password + trusted device + other factors as needed), the claim then is trusted and, while valid, can be used to launch company applications or access company data.

    For more information:

    Authentication of users “Anywhere-and-on-Any-Device”

    What is it?

    Well.. it’s not just enough to be able to sign in once on my non-domain-joined, personal device.  I also want to be able to use it from anywhere.  With nothing more than an internet connection, I should be able to have authenticated, secured access to my company applications and data; whether they’re hosted in public cloud locations or on the private corporate network.

    What changed in AD to support it?

    Web Application Proxy Topology

    The Web Application Proxy is a new role service; a new part of the Remote Access role.   Web Application Proxy “provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network. Web Application Proxy preauthenticates access to web applications using Active Directory Federation Services (AD FS), and also functions as an AD FS proxy.”

    So, now armed with SSO (facilitated through ADFS), the authenticated user + device can access applications on the corporate network without having to use a VPN connection.

    For more information:

    Trusting your “Anywhere-and-on-Any-Device” Users

    What is it?

    In the end, who are we really trusting?  We have users who have user accounts with passwords in Active Directory.  They also registered their device in Active Directory so that we know we can trust it, and the user.  Hmm.. that’s two things that we’re trusting.  Is this what we might call “second factor authentication”?


    What changed in AD to support it?

    ADFS in Windows Server 2012 R2 supports more than just the permitted (or denied) user in ADFS claims.  We’ve added “multiple factors”, including user, device, location, and authentication data.  Authorization claim rules have a greater variety of claim types. 

    “in AD FS in Windows Server® 2012 R2, you can enforce multi-factor access control based on user identity or group membership, network location, and device (whether it is workplace joined)”

    For more information:


    The idea here is that Microsoft has expanded Active Directory in Windows Server 2012 R2 to support tracking devices that are “registered” (not joined) to the domain.  With those trusted devices we have further technology to grant authenticated access to our trusted users; even using multiple forms of information (multifactor authentication) to grant secured access to applications and data.  We allow users to sign in one time and continue to have access to multiple apps and resources, from wherever they are (thank you ADFS).  And we even have a Web Application Proxy to allow that trusted access directly to internal resources as well.


    Here are some other topics relating to “What’s New” in Windows Server 2012 R2 and Active Directory:

    And of course, if you haven’t had a chance to try it out, you can download the evaluation of Windows Server 2012 R2 HERE.


    What do you think?  Is Microsoft doing the right thing to add support in Active Directory and supporting technologies to allow any user, any device, from anywhere to be able to get work done?  Please add to the comments if you have an opinion, a question, or any sort of off-the-wall comment.

  • How fast is fast? Virtual Machine Live Migration Improvements

    When you’re doing a Live Migration** of a virtual machine between hyper-v hosts, you want it to go quickly.  You may be doing the migration of one or several or dozens of virtual machines all at once, and the performance of the network and the network paths you choose are going to determine how quickly you can get the job done.  Yes, sure, in one sense it doesn’t matter how long it takes if the VMs will continue to run and provide service during the migration.  But if I’m doing, say, an automated update of all of the hosts in my cluster, and allowing it to drive the live migrations of machines among hosts, the speed with which those migrations complete will ultimately determine how long it takes to complete the updates of all of those hosts.  If I’m really maxing out the capabilities of Hyper-V in Server 2012 R2 or Hyper-V Server 2012 R2, that could mean as many as 8,000 virtual machines moving around and among 64 clustered hypervisor nodes.  So, speed is still important.

    In the past, memory of a running virtual machine was just sent over the wire (TCP/IP) as it was.  Nothing special was done to it.  But as hardware costs have improved to support larger and larger scale, and as we’re afforded the ability to run more virtual machines with more and more memory, we certainly want to do everything we can to make that transfer of memory and configuration data go as quickly as possible.  So to address this and improve things, we’ve added two new technologies to hyper-v in Windows Server 2012 R2 and Hyper-V Server 2012 R2:

    1. Live Migration Compression, and
    2. Live Migration via SMB Direct (RDMA)

    Let’s talk about those, shall we?

    Live Migration With Compression

    Did you know that your hypervisor host isn’t typically suffering much when it comes to processor capacity?

    “I didn’t know that.”

    It’s true.  So, what we’re going to do is borrow some extra CPU cycles while we’re doing a live migration, and actually compress the migration data before it goes over the wire, and decompress at the destination.

    If it sounds just that simple, well, it is.  And it’s just a simple choice in the Live Migrations –> Advanced Features settings on your Hyper-V hosts:


    And as if that wasn’t good enough…

    Live Migration via SMB Direct (RDMA)

    In Windows Server 2012 we introduced a new version of SMB – SMB 3.  Among other things, this version of the protocol greatly improves performance; even to the extent that we can trust a basic file share to be the location for live data such as a virtual machine’s hard disks and data disks, or a SQL Server database.  (Click here for a good summary of what SMB 3 provides.)

    SMB Direct (SMB over Remote Direct Memory Access, or RDMA) is technology that, given hardware (the NICs) supporting it, can establish an efficient memory-to-memory transfer of data.  In Server 2012 the main beneficiary of this was faster file services.  But in R2 we’re using this to send live migration data between the Hyper-V hosts. 


    So now instead of just sending the memory and configuration of a VM over the wire using TCP/IP, or compressing it first, we’ll use a direct memory-to-memory channel. 

    Can you say “FAST”?


    I knew you could. 

    “But, can you give me an example?  Can you show me how they compare?”

    The best example I can give you is Jeff Woolsey’s demonstration he did for the TechEd 2013 North America keynote this past June. 

    Click this link to watch his demo (at 1:56:15) : TechEd 2013 North America Keynote Video – Jeff Woolsey’s Live Migration Demo


    And for a more detailed description of Live Migration and the improvements made, check out this page: Virtual Machine Live Migration Overview

    Questions?  Comments?  Make sure you add them to the comments at the bottom of this post!  And try it out yourself by downloading the evaluations of either Windows Server 2012 R2 or Hyper-V Server 2012 R2


    **That’s a ‘vMotion’ for those of you who are more familiar with the VMware terminology.

  • How should I backup my Windows Azure VMs? (So many questions. So little time. Part 51.)

    This excellent question was asked by Ralph at our IT Camp in Saint Louis a few weeks ago:

    “One of the questions asked by our VP relates to Azure backups protecting from user error rather than hardware failure or disaster recovery.  What is the Microsoft guidance on backing up VMs in the cloud?”

    How do you protect the data on your servers today?  The quick answer to this question is that you need to protect OS and application configuration and business data the same way on your physical or virtual machines; no matter where they reside.  A benefit of putting any storage (which includes your virtual machines) in Windows Azure is that it is all kept highly-available and geo-redundantly replicated; and that’s just automatic.  But beyond that, you are responsible for any machine or data backups or archiving that you may feel is needed.

    “Okay.. but what about Azure storage BLOB snapshots?”

    Well.. yes, Windows Azure actually does have the ability to take and maintain BLOB snapshots through the REST APIs.  And a few vendors have created solutions to use this as a way to keep point-in-time copies of virtual machine disks, and then restore machines from those snapshots.  But using BLOB snapshots for Virtual Machines in Windows Azure is currently not supported by Microsoft.

    I repeat: As of October 11, 2013, using BLOB snapshots for VMs in Windows Azure is not supported by Microsoft

    That said, Chris Clayton has a script that you can use to backup and restore Azure VMs using BLOB snapshots.  But: “This is a demonstration and should not be used for production scenarios”…”This should not be used to replace your current backup and restore strategy.”

    Companies like Cerebrata (Cloud Storage Studio and Azure Management Cmdlets) and ClumsyLeaf (CloudXplorer) and others also have tools and operations for taking and restoring Azure storage BLOB snapshots, but the process of restoring a snapshot currently involves saving a copy of the VM configuration, deleting the VM, deleting the original disks, restoring the snapshots, and then re-restoring the machine configuration.  It’s still cumbersome, and prone to error. 

    And if you don’t do it right, you can end up with a corrupted VM. (Trust me.. I know from experience.)

    “Will we have a supported way to do this in the future?”

    I don’t know.  Personally, I hope so. 

    In the meantime, treat your machines the same as you would any other machine.  Backup their configuration and data according to your policies as required. 

    “Okay.. so what if I just want to make offline copies of my VMs?  Can I do that?”

    Absolutely.  For the backup, what you’ll want to do is:

    1. Shutdown the VM
    2. Save the VM configuration
    3. Make a copy of the VM’s disks (maybe with a date-stamped disk name for easy retrieval)
    4. Optionally download the disks to local storage and delete them from Azure storage

    And then for the restore:

    1. If not already in storage, copy the disks into Azure BLOB storage and designate them as “disks”
    2. Build an Azure VM from the saved configuration, but referring to the new disks
    3. Start the restored VM

    EXTRA CREDIT: Someone who has more time than I do today – build us two PowerShell scripts for doing this! 
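    Here is an added example of the two scripts asked for above; it is not Kevin’s or Microsoft’s code, and it uses the classic Azure Service Management cmdlets of that era (Stop-AzureVM, Export-AzureVM, Start-AzureStorageBlobCopy, Add-AzureDisk, New-AzureVMConfig, New-AzureVM).  It assumes Add-AzureAccount and Select-AzureSubscription have already been run, that the cloud service still exists at restore time, and that the service, VM, folder and instance-size values are placeholders.

```powershell
# Added example, not the post's own script: offline backup and restore of a
# classic Windows Azure VM with the Azure Service Management PowerShell module.
# Assumes Add-AzureAccount / Select-AzureSubscription has already been run;
# all service, VM, folder and size names below are placeholders.

function Backup-ClassicAzureVM {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$BackupFolder   # local folder for the saved config
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'

    # 1. Shut the VM down. -StayProvisioned keeps the deployment and its VIP;
    #    drop it if you would rather deallocate and stop paying for compute.
    Stop-AzureVM -ServiceName $ServiceName -Name $Name -StayProvisioned

    # 2. Save the VM configuration (size, endpoints, disk names) as XML.
    $configPath = Join-Path $BackupFolder "$Name-$stamp.xml"
    Export-AzureVM -ServiceName $ServiceName -Name $Name -Path $configPath

    # 3. Copy each disk blob to a date-stamped blob in the same container.
    $vm    = Get-AzureVM -ServiceName $ServiceName -Name $Name
    $disks = @($vm | Get-AzureOSDisk) + @($vm | Get-AzureDataDisk)
    $copies = foreach ($disk in $disks) {
        $uri       = [Uri]$disk.MediaLink   # https://<acct>.blob.core.windows.net/<container>/<blob>
        $account   = $uri.Host.Split('.')[0]
        $container = $uri.Segments[1].TrimEnd('/')
        $blob      = -join $uri.Segments[2..($uri.Segments.Count - 1)]
        $key       = (Get-AzureStorageKey -StorageAccountName $account).Primary
        $ctx       = New-AzureStorageContext -StorageAccountName $account -StorageAccountKey $key
        $destBlob  = "backup-$stamp-$blob"
        Start-AzureStorageBlobCopy -SrcContainer $container -SrcBlob $blob `
            -DestContainer $container -DestBlob $destBlob -Context $ctx | Out-Null
        # Wait for the server-side copy so the backup is complete before restarting.
        Get-AzureStorageBlobCopyState -Container $container -Blob $destBlob `
            -Context $ctx -WaitForComplete | Out-Null
        [pscustomobject]@{
            DiskName  = $disk.DiskName
            OS        = $disk.OS    # 'Windows'/'Linux' for the OS disk, $null for data disks
            Lun       = $disk.Lun   # $null for the OS disk
            CopiedVhd = "https://$($uri.Host)/$container/$destBlob"
        }
    }
    # Record which copied VHD belongs to which disk, next to the config XML.
    $copies | Export-Clixml -Path (Join-Path $BackupFolder "$Name-$stamp-disks.xml")

    Start-AzureVM -ServiceName $ServiceName -Name $Name
    return $copies
}

function Restore-ClassicAzureVM {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ConfigPath,    # <Name>-<stamp>.xml from the backup
        [Parameter(Mandatory)][string]$DiskMapPath,   # <Name>-<stamp>-disks.xml from the backup
        [Parameter(Mandatory)][string]$InstanceSize   # e.g. 'Small'; match the original VM
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
    $copies = Import-Clixml -Path $DiskMapPath
    $osCopy = $copies | Where-Object { $_.OS }

    # 1. Register the copied OS VHD as a bootable Azure "disk" (-OS marks it bootable).
    $osDiskName = "$Name-os-restored-$stamp"
    Add-AzureDisk -DiskName $osDiskName -MediaLocation $osCopy.CopiedVhd -OS $osCopy.OS | Out-Null

    # 2. Build the VM from the restored disks, attaching each data disk at its old LUN.
    $cfg = New-AzureVMConfig -Name $Name -InstanceSize $InstanceSize -DiskName $osDiskName
    foreach ($d in ($copies | Where-Object { -not $_.OS })) {
        $dataDiskName = "$($d.DiskName)-restored-$stamp"
        Add-AzureDisk -DiskName $dataDiskName -MediaLocation $d.CopiedVhd | Out-Null
        $cfg = $cfg | Add-AzureDataDisk -Import -DiskName $dataDiskName -LUN $d.Lun
    }
    # Re-create the endpoints (RDP, web, ...) recorded in the saved configuration.
    # Assumption: the object returned by Import-AzureVM can be piped to Get-AzureEndpoint.
    $saved = Import-AzureVM -Path $ConfigPath
    foreach ($ep in @($saved | Get-AzureEndpoint)) {
        $cfg = $cfg | Add-AzureEndpoint -Name $ep.Name -Protocol $ep.Protocol `
            -LocalPort $ep.LocalPort -PublicPort $ep.Port
    }
    New-AzureVM -ServiceName $ServiceName -VMs $cfg

    # 3. Start the restored VM.
    Start-AzureVM -ServiceName $ServiceName -Name $Name
}

# Usage (placeholder names):
# Backup-ClassicAzureVM  -ServiceName 'mysvc' -Name 'web01' -BackupFolder 'C:\AzureBackups'
# Restore-ClassicAzureVM -ServiceName 'mysvc' -Name 'web01' -InstanceSize 'Small' `
#     -ConfigPath 'C:\AzureBackups\web01-20131011-0900.xml' `
#     -DiskMapPath 'C:\AzureBackups\web01-20131011-0900-disks.xml'
```

    Restore only after the original VM and its disks have been removed, since Azure will not create a second VM with the same name in the same cloud service.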

  • Why doesn’t remote desktop to my Windows Azure VM work? (So many questions. So little time. Part 48.)

    An attendee at our IT Camp in Saint Louis a few weeks ago had a problem that is understandable:

    “Thanks for training session, I have a question.  Tried to RDP one of my VM’s at work and I can’t connect.  Possible firewall port issue?  I am going to try and connect from home tonight.”

    You're already onto the issue.  It’s important to remember that the port that you’re using for RDP is not the traditional 3389. 

    “It’s not?  How does that work?”

    Let’s step back for a second and consider what you see when you first create a virtual machine in Windows Azure and you get to the screen where “endpoints” are defined.  By default, it looks something like this…

    Virtual Machine Configuration

    …Notice that, even though the operating system is going to have Remote Desktop enabled and will be listening on the traditional port 3389, the external “public port” value that will be redirected to the “private port” 3389 is going to be something different.


    Security.  We take the extra precaution of randomizing this port so that tools that are scanning for open 3389 ports out there won’t find those machines and then start attempting to log in.

    So the answer to your question: Yes, it’s a firewall issue.  And I bet it worked from home later that night.


    Let’s go one step further here and propose a couple of solutions to this, in case you also run into this problem.

    Solution #1: Open up the proper outbound firewall ports

    In the properties of your virtual machine, you can find what “public port” was assigned to the VM under the endpoints tab…

    VM Properties - Endpoints tab

    So this web server of mine is answering to my RDP requests via my ability to connect to its service URL and port 56537.  Since I am not restricting outbound ports, this isn’t a problem for me.  But knowing what this port is can help you understand what needs to be opened for a particular machine.

    “Is there a range of ports that I need to have open outbound?”

    The port that will be assigned automatically is going to come from the “ephemeral port range” for dynamic or private ports (as defined by the Internet Assigned Numbers Authority) of 49152 to 65535.  So if you simply enable outbound connections through that range, the defaults should work well for you.

    Solution #2: Modify the VM End Points

    You’ll note on the above picture that there is an “edit” option.  You have the ability to edit and assign whatever port you want for the public port value.  For example, I could do this…


    …and just use port 3389 directly.  Of course, this would defeat the purpose for using a random, non-standard port for remote desktop connections.  But it could be done. 

    Solution #3: Use some other remote desktop-esque tool over some other port.

    The server you’re running as a VM in Windows Azure is your machine, so there’s no reason you couldn’t install some other tool of choice for doing management or connecting to a remote desktop type of connection.  Understand the application, what port needs to be enabled on the firewall of the server, and then add that port as an endpoint; either directly mapped with the same public/private port or using some other public port.  It is entirely configurable and flexible.  And as long as you’ve enabled the public port value as a port you’re allowing outbound from your workplace, you’re golden.

    Solution #4: Use a Remote Desktop Gateway

    How about instead of connecting to machines directly, you do something more secured, manageable, and along the same lines of what you would consider for allowing secured access into your own datacenter remote desktop session hosts: Configure one server as the gateway for access to the others.  In this way you have the added benefits of just one open port; and that port is SSL (443).  You’re very likely already allowing out port 443 for anyone doing secured browsing (HTTPS://…), so the firewall won’t get in the way.


    I hope you found this useful!  Don’t hesitate to ask questions in the comments if you’d like me to clarify anything, or share your ideas if you have other solutions I haven’t yet considered.


    Still haven’t tried Windows Azure yet?  We’ll give you $200-worth of Azure in a one-month free trial.

  • The “Replica Replica” in Hyper-V

    In today’s article in the “Why Windows Server 2012 R2” series, I’d like to show off a new feature in Hyper-V; something I like to call the “Replica Replica”.


    As many of you know, Microsoft introduced a new, powerful tool for your disaster recovery (DR) tool belt called Hyper-V Replica back in Windows Server 2012 Hyper-V and Hyper-V Server 2012.  For those of you who are not yet familiar with it, a Hyper-V Replica is an easily created and up-to-date offline copy of a virtual machine.  On some other host – either in your local or in some remote datacenter – you have a copy of a virtual machine that can be available in case of disaster.  If something bad happens to the production machine, you can failover to the replica virtual machine very quickly.

    For a most-excellent description of what Hyper-V Replica is and how to set it up in Hyper-V in Windows Server 2012, check out this blog post from the series “31 Days of our Favorite Things” -

    Windows Server 2012 and Hyper-V Replica (Part 5 of 31) 

    “So, what’s new in R2?  What’s this ‘Replica Replica’ you talk about?”

    We’ve added the ability to create yet another replica.  It’s a replica of the replica.  It’s an additional offline copy of a virtual machine and its configuration, made available, synchronized and automatically kept up-to-date on yet another Hyper-V host.  Interestingly the request was from our many hosting providers, and it makes a great deal of sense in their scenario, where they are the ones hosting a replica on behalf of their customers.  It only makes sense that they would love to have a backup of the replica they’re hosting.. so why not make it a replica of the replica?


    Yeah, I thought so, too.

    “How does it work?”

    It’s very simple.  After you’ve created the first replica, you right-click on the replica machine and select “Extend Replication…”.  In my example, I have already set up a replica of my domain controller, and I’m going to extend the replication and put a replica of the replica on my Hyper-V Server named HVSR2-1.


    The wizard looks and works very much like setting up the initial replication does.  Once you get past the Before You Begin screen…


    …you choose or browse to the server you want to put the replica on (the Replica server)…


    You pick the type of authentication you want to use (based on what has been enabled in the Replication Settings on the Hyper-V Host settings)…


    You pick a replication frequency. 


    NOTICE that I have two choices here, because I had selected the primary replica as sending changes every 5 minutes.  Your choices will depend upon what you selected for the first replica frequency. 

    You may not know this (yet), but Hyper-V Replica in Server 2012 R2 allows for more than just the 5 minute intervals that were in the original Hyper-V Replica in Server 2012.  You can have replication send changes every 30 seconds, 5 minutes, or 15 minutes for the first replica.  For the extended replica, you must replicate at an interval that is less-or-equally-frequent to the first replica; with the exception being that you cannot replicate to the extended replica at the 30 second interval.

    Here’s a quick chart that shows the extended replication interval options available based on the first replica interval selected:

    Primary Replica interval selected    Extended Replica intervals available
    30 seconds                           5 minutes, 15 minutes
    5 minutes                            5 minutes, 15 minutes
    15 minutes                           15 minutes

    Getting back to our wizard; now we select how many recovery points we want to maintain of the extended replica…


    We select an initial replication method, plus when to launch the initial replication if requested…


    Check the summary…


    And Finish.  We’re done.  And the first extended replication is now going over the wire.


    Pretty cool, huh?

    “Pretty cool.  So now I can failover to either of my two replicas?”

    That’s right!

    Now, if I right-click on the first replica…


    I see that I have similar options to what I had back in Hyper-V 2012.  But now I have an additional “Pause Extended Replication” option as well. 

    Here’s a failover scenario for you…

    Let’s say I have a virtual machine “DukeN” running on Host A, with replica on Host B and extended replica on Host C.

    Host A goes down.  So I right-click on the “DukeN” machine and select Failover…, and DukeN fires up and is now running on Host B.

    If I right click the newly running VM and look at the Replication options I have now on the failover machine, it’s pretty interesting…


    I can “Reverse Replication”, which means I can now treat this running (but still considered a replica) machine as the primary machine, and begin replication back to what was the primary location.  Note: if you do this, it essentially “orphans” the old extended replica.  You’ll have to re-extend the replication if you want to.

    I can “Remove Recovery Points..”, which does cleanup of this replica of any other points still saved.

    I can “Cancel Failover”, which will shut this replica down and assumes that the original machine is now available and can be started.

    I can “Resume Extended Replication”.  This one is interesting to me.  It assumes that Host C (containing the extended replica) is still available.  When selected from Host B, then Host B becomes the main VM and the copy on Host C becomes the first replica.  Once a synchronization process is completed, you can then go to the VM on Host C and Extend Replication to another host (Host D?). 


    Good stuff?  Try it out yourself by downloading the evaluations of either Windows Server 2012 R2 or Hyper-V Server 2012 R2.  And let me know if you have any comments or questions by posting them in the comments section.

  • Windows Azure IaaS and File Security (So many questions. So little time. Part 53.)

    In the context of Windows Azure Infrastructure Services and our IT Camp in Saint Louis a few weeks ago, Lettie asked this question:

    “If we had one large storage pool and added individual user folders, do we have the ability to setup file security access to each individual user folder? Is there the ability to limit a user’s folder size? We need a better backup solution for our 800+ remote users.”

    In order to answer this one, I have to make an assumption about the specific topic it relates to.  So I’ll answer this question in two ways.

    If you’re wondering (and I think you are) about whether or not ACLs can be assigned to or sizes restricted for containers within Windows Azure storage accounts, the answer is no. 

    But another thing to remember is that a network of virtual machines in Windows Azure can be treated as just another subnet in your corporate network.  And if your users connect via VPN or Direct Access to your network, they’ll have access to the servers “in the cloud”.  Those servers “in the cloud” can be hosting file services, with Storage Spaces storage pools and virtual disks containing user documents.  As long as those file servers are domain joined, you can easily add ACLs to those folders. 

    I’m only giving you one of what could likely be dozens of solutions out there.  If you’re reading this and have other recommendations for Lettie and her company, please share them in the comments.

  • TechNet Radio: Building Clouds - SQL Server Self-Service Kit - Deploying SQL Server as a Service with System Center 2012

    In this episode I welcome Bruno Saille to the show.  We discuss the SQL Server Self-Service Kit and how it works with System Center 2012 to help automate SQL Server deployments.
    Tune in as we discuss how the self-service kit works, which System Center components are required as well as what plans are in store for the next release.



    If you're interested in learning more about the products or solutions discussed in this episode, click on any of the below links for free, in-depth information:

    Experience Microsoft's latest products with these FREE downloads!
    Build Your Lab! Download Windows Server 2012 R2, System Center 2012 R2 and Hyper-V Server 2012 R2 and get the best virtualization platform and private cloud management solution on the market. Try it FREE now!

    Don't Have a Lab? Build Your Lab in the Cloud with Windows Azure Virtual Machines. Try Windows Azure for free with no cost or obligations, and use any OS, language, database or tool. FREE Trial

    Follow the conversation @MS_ITPro
    Connect with Kevin @KevinRemde
    Subscribe to our podcasts via iTunes, Stitcher, or RSS

  • TechNet Radio: Building Clouds - An Inside Look at Virtual Machine Migration Tools

    In this episode I welcome “Migration Mark” from the Building Clouds blog series on TechNet to discuss best practices for migrating your virtual machines to Microsoft Hyper-V as well as some free virtual machine migration tools that are available. Check out this great discussion on MAP 8.5, MVMC and the Migration Automation Toolkit (MAT).




  • FREE Virtualization IT Camps coming to a town near you

  • Can Windows Azure Backup support a bare-metal restore? (So many questions. So little time. Part 52.)

    Recently we’ve been showing off a capability (currently in preview) called “Windows Azure Backup”, which is a simple file system backup and restore to/from Windows Azure storage. 

    At our IT Camp in Saint Louis a few weeks back, David asked:

    “Can Windows Azure Backup do a bare metal restore in the event of total failure of a physical server?”

    Short answer: no.

    Longer answer: Not directly, no.  But consider this…

    You have other tools such as Windows Server Backup and System Center 2012 SP1 Data Protection Manager that can do a full system, system state, or even bare-metal image restore of a backed up machine. 

    With Windows Server Backup, you could use a two-step process of additionally saving the WSB-created image up to Windows Azure storage using Windows Azure Backup.  And the restore would be to retrieve the image using WAB and then recover it.

    With Data Protection Manager, the new functionality to store your backup data into Windows Azure already exists as of System Center 2012.

    “So I can just put my image backup into Azure, right?”

    No.  DPM only supports Volume, SQL DB, and Hyper-V Guest backups to Azure.  So, in the same two-step process we discussed for Windows Server Backup, you could do your bare metal backup to a file share and then use DPM to protect that share to Windows Azure.

  • Can I use an ACL to protect my Azure SQL Server VM? (So many questions. So little time. Part 49.)

    At our IT Camp in Saint Louis a few weeks ago, Todd had a great question on protecting his cloud-based SQL Server:


    Not sure this question was asked at the Azure IT boot camp, but are there any future plans to segregate or ACL off the subnets in Azure?  Most of our web front ends are in our DMZ, in a lower security zone, and our SQL servers are in a higher protected zone.  The ACL allows communication between the two, but I did not see that in the Azure portal.  So as it stands I could stand up a WFE and it could be talking directly to the SQL server and get compromised? 

    Is it the position of Microsoft to use Windows firewall between the servers? 

    I didn’t cover it in too much detail in our event, and it’s not something that is (yet) exposed in the Windows Azure Portal, but you do have the ability through PowerShell to assign complex network ACLs to a Windows Azure virtual machine. 

    From the article “About Network Access Control Lists (ACLs)”:

    Using Network ACLs, you can do the following:

    • Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint.
    • Blacklist IP addresses
    • Create multiple rules per virtual machine endpoint
    • Specify up to 50 ACL rules per virtual machine endpoint
    • Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
    • Specify an ACL for a specific remote subnet IPv4 address.

    The simplest example of an endpoint rule is the one you already have: a VM created running Windows likely has a public endpoint that maps to the private port 3389 for the sake of remote desktop connections.  Without that endpoint definition, the default is to block everything.  As you see from the previous list, network ACLs let us be even more selective than just opening or closing ports, by saying which remote address ranges may reach a port that is open. 

    For the complete description of what ACLs are, read “About Network Access Control Lists (ACLs)”

    To learn how to manage and use them in Windows Azure, read “Managing Access Control Lists (ACLs) for Endpoints”
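    As an added example (not code from the original post or from the linked articles), here is the PowerShell route described above applied to Todd's scenario: an ACL that permits only a corporate administration range and the DMZ web front end's public address to reach the SQL Server VM's endpoint. It assumes the Windows Azure PowerShell module is installed with the subscription already selected, a VM named sql01 in cloud service contoso-sql with a TCP 1433 endpoint named SQL, and the remote subnets shown are constructed values.

```powershell
# Added example (not from the original post): restrict a VM input endpoint
# to known remote address ranges using a Windows Azure network ACL.

$serviceName  = 'contoso-sql'   # assumption: cloud service hosting the VM
$vmName       = 'sql01'         # assumption: the SQL Server VM
$endpointName = 'SQL'           # assumption: TCP 1433 endpoint created earlier

# Build the ACL. Rules are evaluated from lowest Order to highest; the first
# match wins, and once any Permit rule exists every other remote subnet is
# implicitly denied for that endpoint.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet '203.0.113.0/24' `
    -Order 100 -Description 'Corporate admin range (constructed sample)'
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet '198.51.100.10/32' `
    -Order 200 -Description 'DMZ web front end public IP (constructed sample)'

# Attach the ACL to the endpoint and push the configuration to the running VM.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name $endpointName -ACL $acl |
    Update-AzureVM

# Read back what is now in force, so the change can be checked and recorded.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureAclConfig -EndpointName $endpointName
```

    One caveat worth keeping in mind for Todd's second question: an endpoint ACL filters traffic arriving at the VM's public input endpoint. Two VMs that share a cloud service or virtual network talk to each other over their internal addresses without passing through an input endpoint, so for that east-west path the Windows Firewall inside the SQL Server guest is still the control that applies.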


  • How safe is my Windows Azure virtual machine? (So many questions. So little time. Part 50.)

    In Saint Louis a couple of weeks ago at our Windows Azure IT Camp, Joe asked me this question:

    “When dealing with virtual machines and cloud for R&D. If during the process of researching you happen to download a contaminated file, can that file do harm to the actual machine that you are running? Wouldn't that file be saved on the parent machine in order to be accessed on the virtual machine?”

    What Joe was concerned about was whether or not the virtualization host is vulnerable from something bad happening in the virtual machine.  If a virtual machine gets compromised and some harmful or malicious (likely both) files get saved on the virtual machine’s hard disk, isn’t that file also a threat to the virtualization host on which it’s running?

    The short answer: No.

    The longer answer: Not really, no.

    Remember that, when using virtualization, whether it’s vSphere, Hyper-V, or some other solution, a virtual machine’s operating system disk is typically just a file as far as the host hypervisor and operating system are concerned.  That .vmdk or .vhd file is sitting in storage, and its contents are only interpreted by the virtual machine.  So even if that VM installs something bad, the host on which it is running won’t ordinarily know or care about it.

    Can the host operating system get at the files within the VM’s disk?  Yes, there are ways to do that when you’re running your own virtualization.  But you have to go out of your way to do that, and only when the virtual machine isn’t currently using the disk. 

    The same holds true for any interactions between the VM and other computers; virtual or physical.  You treat the VM as just another machine that needs to be networked and protected. 

    If the malicious file gets saved on an SMB file share, or some other networked storage that is shared, then of course other machines may be exposed to it.  Here is where Windows Azure actually gives you better protection of the platform.  While a local virtualization host might also share access to that same compromised storage, in Windows Azure there is no way for the virtualization hosts to interact with a virtual machine’s data in any way.  Period.

    For the security minded among us, I highly recommend you bookmark this page: The Windows Azure Trust Center.  This is where you’ll find our documented security practices, privacy rules, compliance standards, and so on.
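    To make concrete the point about the host reaching into a VM's disk only deliberately and only while the VM isn't using it, here is an added example (not from the original post) of how an administrator on their own Hyper-V host would inspect a suspect guest disk safely: refuse to proceed unless the VM is off, mount the VHD read-only so nothing in it can execute or be altered, run an antimalware scan over the mounted volumes, and always dismount. The VM name, VHD path, and the presence of the Windows Defender PowerShell module on the host are assumptions.

```powershell
# Added example (not from the original post): offline, read-only inspection
# of a guest's virtual disk from a Hyper-V host.

$vmName  = 'research-vm'                               # assumption
$vhdPath = 'D:\VMs\research-vm\research-vm.vhdx'       # assumption

# The disk must not be in use by the VM; a running or saved VM holds it open.
$vm = Get-VM -Name $vmName
if ($vm.State -ne 'Off') {
    throw "$vmName is in state '$($vm.State)'. Shut it down before inspecting its disk."
}

# Mount read-only: to the host the guest's files are now just files, and
# nothing inside the image is executed.
$disk = Mount-VHD -Path $vhdPath -ReadOnly -Passthru | Get-Disk
try {
    $volumes = $disk | Get-Partition | Get-Volume | Where-Object { $_.DriveLetter }
    foreach ($vol in $volumes) {
        $root = "$($vol.DriveLetter):\"
        Write-Host "Scanning guest volume mounted at $root"
        # Assumes the Defender module (Start-MpScan) is available on the host.
        Start-MpScan -ScanType CustomScan -ScanPath $root
    }
    # Anything found is reported as a detection record on the host.
    Get-MpThreatDetection | Select-Object Resources, ThreatID, InitialDetectionTime
}
finally {
    # Always release the disk, even if the scan threw.
    Dismount-VHD -Path $vhdPath
}
```

    Note that none of this is possible in Windows Azure, where, as the post says, the platform gives tenants no path from the virtualization host into a VM's data; the example applies to virtualization you run yourself.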

  • Windows Azure and SmartCards? (So many questions. So little time. Part 47)

    It’s been over a year now since I posted my last entry in the series “So many questions. So little time.”

    “August 20, 2012 to be exact.”

    Yes indeed.  And now that I’m again giving my IT Camp attendees the ability to submit their questions to me in writing, their questions become a really good source of content for the blog.

    For example, at our Saint Louis IT Camp a couple of weeks ago, Ron asked:

    “Azure can be locked down with certificates.  Can that be incorporated with smart cards to further secure access?”

    The short answer: Yes.

    The longer answer: Absolutely, yes.

    First, and quite simply, I know this to be true because this is how I authenticate every day into the Windows Azure subscription I have as a Microsoft full-time employee.  It’s the difference between a typical LiveID/Microsoft Account login and what is known as an “Organizational Account” login, similar to what businesses are enabling for single sign-on in products such as Office 365.  When I attempt to get into the Azure portal and I enter my Microsoft e-mail address, I’m redirected to a page that has this on it:

    My Microsoft Organizational Account Login

    Notice that I can use my Smart Card (which is my employee badge) to authenticate.

    Making this work requires using Active Directory and ADFS, where ADFS acts as the Security Token Service (STS), and Windows Azure is the Relying Party (RP).

    Remote Access by Devices testing as health

    “The RP requests a collection of claims routed by an application (for example, the Web browser) on the user device to one or more STSes. The user authenticates to the STS with whatever credential has been provided: password, smart card and so on.”

    That drawing and quote come from an excellent explanation of how the parts relate to one another, written by Dan Griffin and Tom Jones.  Read the full article here: Windows Azure: Authenticate Windows Azure with ADFS
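    As an added example, and not the configuration from the article or from the original post, here is the shape of the setup just described in PowerShell: the Azure AD domain behind the Organizational Account is converted to federated, so sign-in to the portal is redirected to the on-premises ADFS farm (the STS), and ADFS is told to accept client certificates, which is how a smart card presents itself. The domain name and ADFS server name are assumptions, the first block uses the Windows Azure AD Module for Windows PowerShell, and the second uses the ADFS cmdlets of Windows Server 2012 R2.

```powershell
# Added example (not from the original post): federate an Azure AD domain with
# ADFS, then enable certificate (smart card) sign-in on the ADFS farm.

# --- Run where the Windows Azure AD Module for Windows PowerShell is installed ---
Import-Module MSOnline
Connect-MsolService                                   # sign in with a directory admin account
Set-MsolADFSContext -Computer 'adfs01.contoso.com'    # assumption: the primary ADFS server
Convert-MsolDomainToFederated -DomainName 'contoso.com'   # assumption: a verified domain in the directory

# Confirm the trust: the issuer URI and token-signing certificate recorded in
# Azure AD must match what the ADFS farm presents.
Get-MsolFederationProperty -DomainName 'contoso.com'

# --- Run on the ADFS server (Windows Server 2012 R2) ---
Import-Module ADFS
# Inside the network, allow integrated Windows auth or a client certificate;
# from the extranet, require the certificate (smart card) only.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'CertificateAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('CertificateAuthentication')

# Read the policy back so the change can be verified and recorded.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
```

    In the terms of the quoted diagram, Windows Azure is the Relying Party trusting tokens from ADFS, and the last two cmdlets decide which credential the STS will accept before it issues one.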

  • NEW: Virtualization IT Camps!

    No cost, hands-on, expert training designed for VMware IT Professionals

    Yes!  We’re coming back to a classroom near you (I hope) for an intense, full day of training and hands-on with Windows Server 2012, Hyper-V, and System Center.

    If you’re using virtualization…

    “What do you mean, ‘if’?”

    Yeah, good point.  The modern datacenter is already virtualizing, and likely virtualizing using VMware vSphere, vCenter, and so on.  That’s why we think it’s time to help you – the VMware IT Professional – learn about and get familiar with all that Hyper-V in Windows Server 2012 can do; and in terms that you’ll understand.

    Here’s the full class description from the registration page:

    Want to gain an edge in your technical career? Industry insiders suggest that over 70% of businesses now run at least two virtualization platforms in their IT environment. That’s why IT pros who understand multiple platforms are invaluable to their companies and clients.

    Here’s your chance to upgrade your Microsoft Virtualization skills for FREE! We’re hosting an interactive, one-day technical workshop specifically for VMware IT professionals. Seasoned experts will demonstrate key scenarios and technologies from Microsoft and VMware. You’ll also complete hands-on labs and leave ready to build your own test and evaluation environment.

    You’ll learn:

    • The basics (and beyond) in Microsoft virtualization technology
    • How your current VMware skills apply to a Microsoft environment
    • The differences between key Microsoft and VMware technologies
    • How to use Microsoft tools to help manage a VMware environment
    • The latest on upcoming Windows Server 2012 R2 and System Center 2012 R2 releases

    At a high level, as part of this course, you’ll learn about the following topics:

    • Hyper-V Configuration, Clustering & Resiliency
    • Virtual Machine Mobility, Backup & Replication
    • Managing Hyper-V with Virtual Machine Manager
    • A look at System Center 2012 R2 Preview
    • VMware: Management, Integration, and Migration

    Session Requirements:
    In order to participate in the labs, please bring a modern laptop that can run the following technical prerequisites.
    Click HERE for more detailed system specs.

    • Supported Operating Systems include all editions of Windows Vista, Windows 7, Windows 8, Windows Server 2008, 2008 R2 and 2012.
    • Browsers supported include Microsoft Internet Explorer 7.0 or later. Other browsers are supported conditionally.
    • Microsoft .NET 3.5 will be required to complete the labs.

    All participants registering for the event should download Microsoft Hyper-V 2012 R2 Preview.


    “Looks good, Kevin!  Where are you going to be?”

    I’ll be covering the events in my usual main locations: Minneapolis, Omaha, Kansas City, and Saint Louis. 
    Click below to register for them.  See you there!

  • A New Blog Series: Why Windows Server 2012 R2

    Why Windows Server 2012 R2

    Yes, it’s been a few weeks since our last series wrapped up (“VMware or Microsoft?”), so it’s about time we started a brand new series of blog articles.

    “Who’s ‘we’?”

    A fair question.  The ‘we’ I’m talking about is the 11 Microsoft US DPE IT Pro Evangelists in these here 48 contiguous United States.  The series runs to the end of November (just before Thanksgiving here in the U.S.), and is all about answering, in as many useful ways as possible, the magical question: Why?

    • Why should I care about Windows Server 2012 R2?
    • What does it do that I can’t already do with older versions of Windows Server or other operating systems?
    • What do I need to do to take advantage of it?
    • Where can I go to get more detailed information on a particular subject?

    …and so on.

    My friend Dan Stolts is the organizer of the series, and owner of the official landing page: “Why Windows Server 2012 R2”

    Keep watching his landing page for the complete list of articles and their anticipated dates of publication. 

    RECOMMENDED: To follow along with the dozens of examples we’re going to be writing about, we highly recommend that you download and install the following newly-available R2-version evaluation software: