Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management


Leave a comment

MVPLAB Serie Installing SQL Server 2022 CTP on Windows Server Insider Cluster #SQLServer #WIMVP

SQL Server 2022 CTP2.1

In this blogpost of MVPLAB Serie, we are going to install Microsoft SQL Server 2022 CTP2.1 on my Windows Server Insider Preview Cluster in mvplab.local domain. Before this blogpost I installed the following basics in mvplab.local domain :

Now we are going to install the Backend of the datacenter, and that is SQL Server 2022 CTP2.1 on a Cluster resource with the first SQL Instance for databases which is High Available (HA).

First we download SQL Server 2022 CTP2.1

SQL Server 2022 Preview is the most Azure-enabled release of SQL Server yet, with continued innovation in security, availability, and performance.

  • Integration with Azure Synapse Link and Azure Purview enables customers to drive deeper insights, predictions, and governance from their data at scale.
  • Cloud integration is enhanced with disaster recovery (DR) to Azure SQL Managed Instance, along with no-ETL (extract, transform, and load) connections to cloud analytics, which allow database administrators to manage their data estates with greater flexibility and minimal impact to the end-user.
  • Performance and scalability are automatically enhanced via built-in query intelligence.
  • There is choice and flexibility across languages and platforms, including Linux, Windows, and Kubernetes.

Mount the ISO file and Copy the files to a local disk location, then run Setup as Administrator with your personal Domain Administrator Account to install SQL Server 2022 CTP2.1. Before the installation read Configure Cluster accounts in Active Directory (AD)

Click on Yes.

Click on the left on Installation
Then Click on New SQL Server Failover Cluster Installation

Here I choose for the Developer edition.
Click on Next

Accept the License terms
Click on Next

Check for Updates (recommended)
Click on Next

Check the Warnings and solve issues.
Click on Next

I Installed only the default for SQL Database.
(You can install later Shared SQL Features if you need them.)
Click on Next

Specify a network name for the New SQL Server Failover Cluster.
mvpsql01
Click on Named Instance and type INSTANCE01
Click on Next

Click on Next

Select your Cluster disk
Click on Next

Select IPv4 and type the IP-Address of your Cluster Resource
mvpsql01
Then Click on Next

Select your domain Service accounts and type the passwords.
Select if you want Maintenance Tasks privilege to your SQL Server Database Engine Service.
Click Next

Here you can add the SQL Admin Group from Active Directory (AD)
Click on top tab Data Directories

I Changed the User Database Log Directory.
Here you can set your directories.
Have a look at the Other TAB fields, I set Memory later.
When you finished all the Tabs then click Next

Check the Summary and click on Install

SQL Server 2022 CTP2.1 Installed Successfully Click on Close.

This was on the first mvpfs01.mvplab.local, now you have to do the installation on the other node mvpfs02.mvplab.local.
Here we will add a SQL Node to the Cluster.

 

Click on the left on Installation
Then Click on Add Node to a SQL Server Failover Cluster

Add Node in Progress

Add Node to SQL Server 2022 CTP2.1 Failover Cluster is Successful
Click on Close

Here you see your SQL Server 2022 CTP2.1 Cluster Instance Running in Failover Cluster Manager.

Here I installed the new Microsoft SQL Server Management Studio (SSMS) version 19 preview 2

Connecting the High Available SQL 2022 CTP2.1 Cluster Resource Instance01.

And you can connect the SQL Instance with Azure Data Studio 😉

With Azure Data Studio you can install marketplace extensions working with your SQL Instance.
Here you find more information about Microsoft Azure Data Studio

+


Leave a comment

MVPLAB Serie Cluster Aware Updating – CAU for Windows Server Insider #WindowsServerInsider #MVPBuzz #Winserv

Cluster Aware Updating (CAU)

In my last MVPLAB Serie blogpost, I wrote about setting-up a Microsoft Domain mvplab.local and making a Windows Server Insider Cluster with an iSCSI Target Host Server for Shared iSCSI Storage provisioning. First thing I did was Installing Windows Admin Center for Hybrid IT Management. With WAC we can Manage the Cluster Nodes but also the Cluster, Installing new features via Windows Admin Center like Kubernetes for running Containers and microservices. But first we start with Microsoft Cluster Aware Updating to keep your Cluster up-to-date.

Windows Admin Center Cluster Manager

Installing Cluster Aware Updating

In the following steps you can see how easy it is to install Cluster Aware Updating with Windows Admin Center on your Windows Server Cluster, in my case mvpcl01.mvplab.local

Go to your Windows Server Insider Cluster

In Cluster Manager, go to Updates.
Click on Add Cluster Aware Updating Role

Successfully configured Cluster Aware Updating (CAU)

On both Cluster Nodes is the Update Available.
Click on Install

Click on Install

Look at the status to see what is happening on the Cluster Nodes.

First Cluster Node is done

Both Cluster Nodes are updated successfully.

Here you can read more about Microsoft Cluster Aware Updating

Conclusion

Microsoft Windows Admin Center is the Administrator Management tool to use in your hybrid datacenter. You see how easy it is to configure Cluster Aware Updating (CAU) on your Cluster. When you use Windows Server Core or Azure Stack HCI then Windows Admin Center is really handy instead of command-line tools or PowerShell scripting.  here you can find more information about
Cluster Aware Updating requirements and Best Practices

Here you can JOIN the Windows Admin Center Community Group on LinkedIn


Leave a comment

Download Windows 11 Security E-book #Windows11 #WIMVP #WindowsInsiders

This Microsoft E-Book gives you an overview about security in Windows 11 with in different layers of security.

  • Hardware Security
  • Operating System Security
  • Application Security
  • Identity and Privacy
  • Cloud Services
  • Security Foundation
  • Upcoming Features

Different Security Layers in Windows 11

Be aware of all the Microsoft security features in Windows 11 and download the free Microsoft Windows 11 Security Book here


Leave a comment

#Microsoft Windows Server and SMB Protocol #Winserv #WindowsServer2022

Server Message Block (SMB)

The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available on VMS, several versions of Unix, and other operating systems.
Here you can see the versions of MS-CIFS and download free white papers

Today SMBv1 is a not save protocol and will be used by hackers for man in the middle attacks to compromise your data and systems. SMBv1 is a weak protocol and should not be used in your environment. There are still a lot of Windows Servers 2012 R2 in the world running in datacenters with SMBv1 by Default enabled. To make your Windows Server more secure, you can disable SMBv1 protocol via a Group Policy Object (GPO).

In the following steps we will disable SMBv1 on Windows Servers via GPO.

Open Group Policy Management in your Domain.

Click on Group Policy Object with your right mouse button.
Click on New.

Give your policy a Name.

I made also an temporary Exception policy.

Right click on your new Policy Object.
Click on Edit.

Go to Computer Configuration => Preferences => Windows Settings
Click on Registry.

Click on New and then on Registry Item.

Here you have to add the following Registry Properties:

Set these settings.

Set Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Click on Apply for these Registry settings.

SMBv1 Disable setting is set in the Policy Object.

This is the path where we push the policy via GPO.

Here we Link the Existing GPO to the OU with the Windows Server 2012 R2
to disable SMBv1 Protocol.

Select your new Policy to disable SMBv1 Protocol.

We have now Linked the new GPO to Disable SMBv1

GPUpdate /force on your Server to disable SMBv1
To get the new GPO active on your Server.

Policy Update successfully.

GPResult /r to see the results.

Get-SmbServerConfiguration | Select EnableSMB1Protocol

or

Get-SmbServerConfiguration

You can still as a administrator enable SMBv1 on your Server with :

Set-SmbServerConfiguration -EnableSMB1Protocol $true

When the Server gets a reboot, SMBv1 will be disabled by GPO again.

When you have maintenance window for updates for example, you can un-install the SMBv1 Feature in Server Manager. This procedure needs a restart of the Windows Server.

Go to Server Manager remove features.

Click on Remove Roles and Features.

Remove the mark at SMB 1.0/CIFS File Sharing Support Feature.

Click on Remove.

Click on Close and Reboot the Server

Now SMBv1 protocol on the Windows Server is disabled and will use a higher version of SMB like version 2.x or 3.x.

More Microsoft information can be found here on Docs.

SMB over QUIC on Windows Server 2022

SMB over QUIC introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet. QUIC is an IETF-standardized protocol with many benefits when compared with TCP:

  • All packets are always encrypted and handshake is authenticated with TLS 1.3
  • Parallel streams of reliable and unreliable application data
  • Exchanges application data in the first round trip (0-RTT)
  • Improved congestion control and loss recovery
  • Survives a change in the clients IP address or port

SMB over QUIC offers an “SMB VPN” for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization within the tunnel is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.

Client Server Handshake and Data transfer differences.

Here you find a Great blogpost of Ned Pyle

SMB over QUIC: Files Without the VPN

Conclusion

When you still have Windows Servers running with SMBv1 by default enabled, for security you should disable SMBv1 protocol as soon as possible! Otherwise you make it easy for hackers to compromise your data with man in the middle attacks. In Windows Server 2019 and higher SMBv1 is disabled by default. Have a look at SMB over QUIC in your test environment and learn how secure it is and how it works for your security and data.


Leave a comment

#WindowsInsiders 11 Preview Enterprise Build in #Azure Cloud

Windows 11 Enterprise Preview in Azure

When you joined the Microsoft Windows Insider Program you can use the Windows 11 preview build images from the Azure Marketplace.
Here you can see the Windows 11 Preview plans in the Microsoft Azure Market place.

As a Windows Insider it’s great to have your machine in the Microsoft Azure Cloud to test new features of Windows 11 Preview. You don’t have to buy compatible hardware for Windows 11 Preview, and you only pay for the machine when you use it in the Cloud.
Here you find the Windows 11 Preview minimal requirements.

In the following steps I deploy Windows 11 Preview Enterprise in Azure Cloud.

Create your Windows 11 Preview Machine in Azure Cloud.

For this you need a Microsoft Azure Subscription to create a Windows 11 Preview Virtual Machine in the Cloud. In the Azure template for deployment you can select the right size Virtual Machine, Storage, networks, and Management extensions like security and Azure Monitor.

Before you Connect your Windows 11 Preview VM, make sure the security for RDP is set in the Network Security Group (NSG)

Set security for your RDP session in the NSG.

Go to Settings => Windows Update => Windows Insider Program.
Click on Get Started.
First step link an account to join the program.
(This must be your Windows Insiders account)

Sign in selection and continue.

IMPORTANT

Here you select your Windows Insider Channel, read the information and choose your
Windows Insider Build Channel. As a Windows Insider MVP I choose for the Dev Channel to give feedback to the product Team and get the first new features of Windows 11 Preview.

Read the recommendations and click on Continue.

Review the Agreements for your Device.
Click on Continue if you agree.

Restart the Virtual Machine into the Dev Channel for
the latest updates.

Set your Windows Update Advanced options.

Here we have Windows 11 Preview Insider Build 22000.160 on Azure Cloud 😉

After this I went to the Windows Insider Feedback Hub to do my settings :

At Settings of the Feedback Hub you can update the software.
and of course your personal settings.

I Like the Windows Insider Feedback Hub in Dark mode.

IMPORTANT

When you are ready with testing and sending feedback to Microsoft don’t forget to Stop the Virtual Machine! This save you money.

Conclusion

Microsoft Azure Cloud Services and Windows 11 Preview Insider Builds working together gives you flexibility and as a Windows Insider you can test every Windows 11 Preview Build from any place with a Internet connection. I like to give Microsoft feedback to make Windows Awesome for everyone on the planet 🙂

Follow Windows Insiders on Twitter :

@WindowsInsider

Jason Howard

Amanda Langowski

Brandon LeBlanc

Eddie Leonard

Jen Gentleman

Windows 11

 

 


Leave a comment

Azure Monitor Insights for Arc enabled Kubernetes Clusters anywhere #Azure #Kubernetes

Azure Monitor Insights for Monitoring your Containers.

In the last blogpost I wrote about Microsoft Azure Arc Services and how to connect a Docker for Desktop Kubernetes Cluster for testing your DevOps solution like Container Apps, Functions, App Services in a test environment. Here you find the Link to the Installation.

One of the Microsoft Azure Arc features is Azure Monitor Insights for monitoring your Kubernetes Cluster and the Containers.

Azure Arc Insights for Kubernetes Cluster anywhere

In the following step-by-step guide we will configure Azure Monitor Insights for your Kubernetes Cluster.

I Connected my Analytics Workspace CloudMVPLab.
Click on Configure.

Onboarding your Kubernetes Cluster will take some minutes.

After a while your Kubernetes Cluster Analytics data will show in Insights.

Here you see a navigation bar with the following topics

  • What’s New
  • Cluster
  • Reports
  • Nodes
  • Controllers
  • Containers.

Insights reports of the Kubernetes Cluster

Here you can Click on default reports of your Kubernetes Cluster.

Storage Capacity and Health Status report of your Kubernetes Cluster.

Storage Capacity more in Details.

Deployments Report of your Kubernetes Cluster.

Workload details Report of your Kubernetes Cluster.

Kubelet report of your Kubernetes Cluster

Data Usage of your Kubernetes Cluster

Data Usage

Insights the Nodes of the Kubernetes Cluster

Insights of the Nodes and on the right you can view Analytics.

Here you can work with Log Analytics on your Cluster.

Insights in Controllers of your Kubernetes Cluster

Insights of your Controllers

Insights Containers of your Kubernetes Cluster

Container Insights of your Kubernetes Cluster

Container Insights with Azure Log Analytics.

So with Azure Arc Enabled Kubernetes Clusters you can monitoring your Cluster and running Containers to keep you in Control on what is happening on the Cluster but also with your Container Apps and microservices. After this you can set Alerts and notifications when something is going wrong or offline. With this running you can start running your own App services, Containers or Azure functions on your Kubernetes Cluster.

Microsoft Senior Cloud Advocate Thomas Maurer explains in this awesome video how to add Azure App Services to your Kubernetes Cluster

Conclusion

This configuration with Docker for Desktop Kubernetes Cluster is for testing purpose only and can be used for your own DevOps solutions before you deploy on Production Ready Clusters. With Azure Arc Enabled Kubernetes Clusters you get the powerful Microsoft Azure Features and solutions in a secure way on your Kubernetes Cluster. I wish you lot of success with Azure Arc Enabled Kubernetes Clusters to make Awesome Apps and IT solutions for the Business 😉


Leave a comment

Security by Design with #Azure Security Center and Azure Defender #ASC #Security #SecOps

Azure Architecture

Security by Design is increasingly becoming the mainstream development approach to ensure security of software systems. Security architectural design decisions are based on well-known security tactics, and patterns defined as reusable techniques for achieving specific quality concerns. In the following steps we will make a security baseline for Windows Servers with different tools.

1.Microsoft Security Compliance Toolkit

The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise’s Group Policy Objects (GPOs).  Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a domain controller or inject them directly into testbed hosts to test their effects. A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. A lot of hacks are based on registry settings, so that’s why Windows Server Security Baseline is important.
You can download the Microsoft Security Compliance Toolkit here

2. Windows Defender Firewall with Advanced Security

Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. So set only the firewall ports you need end to end.

Windows Security Setting Firewall & Network Protection
Select Advanced settings

Windows Defender Firewall Advanced settings
Set only active what you need!

3. Windows Defender Security Virus & Threat Protection

Schedule a Full Scan in the Night for Threats
and Set the Windows Security options.
Keep your Defender and Virus definition files up-to-date.

4. Windows Updates

When your Windows Server is ready for production, you have to keep it Up-to-Date with Windows Updates. It’s not only the Windows Security patches, but all the software that’s running on your Server. One software leak is enough for a hacker to compromise your Server.

Windows Updates

Have a look at the Microsoft Update Catalog

Lot of Companies are using Microsoft WSUS Services or Microsoft Endpoint Configuration Manager to deploy the software Life cycle Management Security updates to Servers to keep them secure as possible. These are not only Microsoft Security Updates but also from third party Software vendors, like adobe, Google, etc.

5. Security Monitoring and Remediation

This Cycle is important for Security!

IT departments have multiple teams with different disciplines, so when the Windows Server is ready
for the Administrator it goes to the Application Admin in a different IT Team. They will install the Application software and maybe
some software connections with other Servers by a third IT Team. To get in control of those security steps is important, because when a IT Consultant of a third party vendor is installing old legacy software you will have hacker leaks again and that’s making your Server vulnerable. Here is where Azure Security Center and Azure Defender will support you in monitoring and remediation of security issues.

It doesn’t matter where your Windows Server is installed, in Azure Cloud or On-premises in your datacenter, it can connect securely via internet for monitoring the Server. When it’s on-premises you can install the Microsoft Arc agent

Microsoft Azure Arc Connected Machine Agent.

Azure Arc enabled Server from On-premises

When the Microsoft Azure Arc Agent is installed on the Server, you can use these Azure Services for example :

  • Azure Update Management
  • Azure Monitoring
  • Azure Security Center with Azure Defender
  • Azure Policies for Compliance
  • Change Tracking and Inventory
  • Insights
  • Automation of Tasks

These Microsoft Azure features are supporting you to keep your Server as safe as possible and your security Up-to-Date.

From here you can add the Windows Server to Microsoft Azure Security Center with the right log analytics workspace.

Microsoft Azure Security Center Recommendations

Remediate Security Configurations on the Arc enabled Server

Remediation of Vulnerabilities on your Windows Server (Arc Enabled)

Azure Defender is a built-in tool that provides threat protection for workloads running in Azure, on premises, and in other clouds. Integrated with Azure Security Center, Azure Defender protects your hybrid data, cloud-native services, and servers and integrates with your existing security workflows, such as SIEM solutions and vast Microsoft threat intelligence, to streamline threat mitigation.

Workflow of Azure Defender for Vulnerability Scanning.

When Azure Security Center and Azure Defender are installed, you can do a Vulnerability Assessment on your Azure Arc enabled Server which is on-premises datacenter before your Windows Server is going in Production.

Vulnerabilities after Assessment on Windows Server with Arc enabled with remediation
This happens a lot when there is third party software installed on the Server.

To get a list of your high security vulnerabilities, you can use the Azure Resource Graph explorer.

Azure Resource Graph Explorer
Here you can download your high risks into a CSV or Pin to a Dashboard.

6. Compliance and Security Policies

Learn how Microsoft products and services help your organization meet regulatory compliance standards.
When you have to manage a lot of Windows Servers or Linux Servers, you want them compliant with the right security policies.

Here you find all the Microsoft Compliance Offerings

Regulatory Compliance of your environment.

With Azure Security Policy you can configure your Compliance.

in the following steps you will see an Sample alert :

Sample Alerts with Mitre ATT&CK Tactics

Take Action on the Security Alert.

Related entities

Mitigate the Threat
Prevent future attacks
Trigger automated response
or
Suppress similar Alerts.

Security by Design Conclusion

Before you begin with deploying Windows Servers in your datacenter or in the Azure Cloud, it’s good to make a High Level design with your security set for the right compliance of your new Windows Server. You can use all the security On-Premises for Windows Server but with Azure Security Center, Azure Monitor, Azure Arc Services, Azure Defender you get all the security Insights and remediation options when a vulnerability is discovered. Windows Server and Azure Security Center is better together for Security Management.

Microsoft Security

If you want to keep your Windows Servers secure as possible, you need to keep doing these steps above. Continuous Monitoring and remediate vulnerabilities is a on-going process for SecOps and Administrators. Make it hackers difficult to add ransomware on your Servers.  One more important IT Service, is your Backup / Disaster Recovery solution. This should be secure from hackers and from ransomware encryption. I always say think of this rule :

More information

Microsoft Azure Security Center on GitHub

Overview of the Azure Security Benchmark (V2)

Become an Azure Security Center Ninja

Azure Security Center in the Field by Yuri Diogenes

Introduction to Azure Defender

Join the Microsoft Azure Monitor & Security for Hybrid IT Community Group on LinkedIn

 


Leave a comment

Windows Admin Center v2103 Available! What’s New #Winserv #Azure #Management #WindowsAdminCenter #MVPBuzz

Windows Admin Center v2103

With Windows Admin Center you can remotely manage Windows Server running anywhere—physical, virtual, on-premises, in Azure, or in a hosted environment.
The tool, available with your Windows Server license at no additional charge, consolidates and reimagines Windows OS tools in a single, browser-based, graphical user interface.
At Microsoft Ignite 2021 Global Virtual Event they launched Windows Admin Center version 2103. Here you find the download.

What’s New in Windows Admin Center v2103

WAC Updates Automatically

Events Tool ReDesign (Preview)

Great Overview of the Server Events 😉

Azure IoT Edge for Linux on Windows

Windows Admin Center in The Azure Portal 

Set Proxy Server in Windows Admin Center Settings.

Open in a Separate Window

This is a Separate Window on my Second Screen, this works Awesome!

Windows Admin Center Virtual Tool improvements 🙂

Conclusion

Microsoft is working hard to make Hybrid IT Management better for Administrators to manage Hybrid Cloud datacenters. Windows Admin Center is a must have for managing
Windows Server Core, AzureStack HCI, and Cluster Services. I can say: I love to work with Windows Admin Center 🙂

 

When you have feedback for the Product Team please do that here at User Voice


Leave a comment

Today is Microsoft Ignite 2021 Event of the Year #MSIgnite #Azure #Cloud #AzureStackHCI #Winserv and More

JOIN Microsoft Ignite 2021 Event

You don’t want to miss this Live Awesome Virtual Global Event of Microsoft 😉


Leave a comment

Windows Server 2022 Insider Preview Build 10.0.20298 Available! #Winserv #WindowsServer2022 #WIMVP #WindowsInsiders #MSIgnite

Windows Server 2022 Insider Preview Build 10.0.20298

Microsoft Windows Server Insider Team Released Windows Server 2022 Insider Preview Build 10.0.20298, here you find more information on Tech Community

This Build is Available with :

  • Windows Server 2022 Standard (Core)
  • Windows Server 2022 Standard ( Desktop Experience)
  • Windows Server 2022 Datacenter ( Core)
  • Windows Server 2022 Datacenter ( Desktop Experience)

I Installed Windows Server 2022 Insider Preview with Windows Admin Center.

Windows Server 2022 Insider Preview Build 10.0.20298 is Running 😉

And in Control of Windows Admin Center.

Download Windows Server 2022 Insider Preview here

Don’t forget this Awesome session at MSIgnite 2021 Event!