[Valid RSS] This is a valid RSS feed.


This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.


<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content=""
xmlns:wfw=""
xmlns:dc=""
xmlns:atom=""
xmlns:sy=""
xmlns:slash=""
>
<channel>
<title>The Soldier of Fortune</title>
<atom:link href="" rel="self" type="application/rss+xml" />
<link></link>
<description>Musing on Microsoft Digital Transformation</description>
<lastBuildDate>Tue, 16 Jan 2018 04:49:21 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator></generator>
<site xmlns="com-wordpress:feed-additions:1">21061349</site> <item>
<title>Building a mixed cloud model for SharePoint &#8211; Part 2</title>
<link></link>
<comments></comments>
<pubDate>Sun, 14 Jan 2018 12:40:20 +0000</pubDate>
<dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
<category><![CDATA[Microsoft Azure]]></category>
<category><![CDATA[azure sql db]]></category>
<category><![CDATA[mixed cloud]]></category>
<category><![CDATA[sharepoint azure]]></category>
<guid isPermaLink="false"></guid>
<description><![CDATA[In the previous article, you created a SharePoint 2016 virtual machine from a built-in template. You were also introduced to Azure...]]></description>
<content:encoded><![CDATA[<p>In the <a href="" target="_blank" rel="noopener">previous article</a>, you created a SharePoint 2016 virtual machine from a built-in template. You were also introduced to Azure AD DS and joined the virtual machine to your Azure AD DS domain. Everything so far has been done with PowerShell only. Of course, you can create all of these resources via the Azure Portal, but that takes longer and makes the parameters harder to control and organize.</p>
<p>In this article, let&#8217;s dig into another part of the series: deploying the database system for your SharePoint farm. Basically, that is just a virtual machine running Microsoft SQL Server. However, that is not my intention. I&#8217;d like to take advantage of Azure SQL Database to achieve higher availability and scalability with less administration effort and fewer compute resources.</p>
<h3><span style="color: #3366ff;"><strong>Deploying Azure SQL Logical Server</strong></span></h3>
<p>An Azure SQL logical server is not a virtual machine running Microsoft SQL Server. By Microsoft&#8217;s definition, the term &#8220;logical server&#8221; describes a control panel that provides the administrative capabilities to manage your SQL databases. From the logical server, you can not only create single databases or elastic pools but also configure security features including firewall rules, auditing rules and threat detection policies.</p>
<p>First, let&#8217;s create a logical server with the following PowerShell:</p><pre class="crayon-plain-tag"># Basics
$rgName = "sp16-rg"
$location = "southeastasia"
$dbInstanceName = "sp16db"
$version = "12.0"
# Create the logical server; the SQL admin credential is prompted for interactively
New-AzureRmSqlServer -ResourceGroupName $rgName -Location $location -ServerName $dbInstanceName -ServerVersion $version -SqlAdministratorCredentials (Get-Credential)</pre><p>You will be asked to provide a credential when the script reaches <pre class="crayon-plain-tag">Get-Credential</pre>. The next step is to add an Azure AD account to act as administrator of the server.</p><pre class="crayon-plain-tag">$rgName = "sp16-rg"
$dbInstanceName = "sp16db"
# Set the Azure AD administrator of the logical server
Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName $rgName -ServerName $dbInstanceName -DisplayName "Jimmy Nguyen"</pre><p></p>
<h3><span style="color: #3366ff;"><strong>Creating a blank database</strong></span></h3>
<p>Creating a blank database can be done with the following PowerShell script. This step creates a slot for the SharePoint configuration database. Note that I specify the collation name <strong>Latin1_General_CI_AS_KS_WS</strong>, which is the collation SharePoint supports.</p><pre class="crayon-plain-tag">$rgName = "sp16-rg"
$location = "southeastasia"
$dbInstanceName = "sp16db"
# Confirms the Azure AD administrator set in the previous step
$admin = Get-AzureRmSqlServerActiveDirectoryAdministrator -ServerName $dbInstanceName -ResourceGroupName $rgName
$dbName = "SP_Config"
# Collation required by SharePoint
$collation = "Latin1_General_CI_AS_KS_WS"
# Start and end of an IP range for a firewall rule (not used in this step)
$ipS = ""
$ipE = ""
# Create the empty database in the Premium tier
New-AzureRmSqlDatabase -ResourceGroupName $rgName -DatabaseName $dbName -CollationName $collation -ServerName $dbInstanceName -Edition Premium</pre><p></p>
<h3><span style="color: #3366ff;">Network configuration for SQL logical server</span></h3>
<p>There are a few things to do. First, create a new subnet for the logical server and enable the Microsoft.Sql service endpoint on it. Second, create a new virtual network rule on the logical server and associate the newly created subnet with it. Both steps can be done via the following PowerShell:</p><pre class="crayon-plain-tag">$rgName = "sp16-rg"
$location = "southeastasia"
$vNetName = "myVnet"
$subnetDbName = "db-subnet"
$subnetDbAddPrefix = ""
$serviceEndpoint = "Microsoft.Sql"
$dbInstanceName = "sp16db"
$vnetDbRuleName = "DbRule"
# Add a subnet with the Microsoft.Sql service endpoint to the existing virtual network
$vNet = Get-AzureRmVirtualNetwork -Name $vNetName -ResourceGroupName $rgName
Add-AzureRmVirtualNetworkSubnetConfig -Name $subnetDbName -VirtualNetwork $vNet -AddressPrefix $subnetDbAddPrefix -ServiceEndpoint $serviceEndpoint
# Commit the change and keep the returned object so the new subnet carries an Id
$vNet = Set-AzureRmVirtualNetwork -VirtualNetwork $vNet
$subnetId = (Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vNet -Name $subnetDbName).Id
# Virtual network rule on the logical server that admits traffic from the subnet
New-AzureRmSqlServerVirtualNetworkRule -ResourceGroupName $rgName -ServerName $dbInstanceName -VirtualNetworkRuleName $vnetDbRuleName -VirtualNetworkSubnetId $subnetId</pre><p>Go to the logical server and find the <strong>Firewall/Virtual Networks</strong> setting in the blade. Under <strong>Allow access to Azure services</strong> select <strong>ON</strong>. This is just a temporary option to let network traffic through (it admits connections from any Azure-hosted resource, not only yours, so turn it off again once the rule is confirmed). You can also check there whether the virtual network rule was created successfully.</p>
<p><img class="aligncenter wp-image-6624" src="" alt="rule" width="818" height="563" /></p>
<p>After the logical server has been placed in the same virtual network as the SharePoint virtual machine, use PortQryUI to verify connectivity.</p>
<h3><span style="color: #3366ff;"><strong>SQL Management Studio configuration</strong></span></h3>
<p>The network part is sorted out. Now let&#8217;s focus on some final configuration before creating a SharePoint farm. Download <a href="" target="_blank" rel="noopener">SQL Server Management Studio</a> to your personal computer and connect to the logical server at the address <strong>&lt;your_db_server_name&gt;</strong>. Connecting from a public network requires an extra sign-in step that Microsoft asks for. If you connect from your SharePoint virtual machine, it&#8217;s completely smooth.</p>
<p><img class="aligncenter size-full wp-image-6627" src="" alt="sqldb" width="472" height="290" /></p>
<p>I tried two approaches to creating a SharePoint farm:</p>
<ul>
<li><strong>Approach #1</strong>: Running the SharePoint Products Configuration Wizard.</li>
</ul>
<p><img class="aligncenter size-full wp-image-6628" src="" alt="azuresql" width="544" height="380" /></p>
<ul>
<li><strong>Approach #2</strong>: Using <pre class="crayon-plain-tag">New-SPConfigurationDatabase</pre> to create a new configuration database.</li>
</ul>
<p></p><pre class="crayon-plain-tag">New-SPConfigurationDatabase -DatabaseName SharePoint_Config -DatabaseServer -AdministrationContentDatabaseName SharePoint_Content -Passphrase (ConvertTo-SecureString [email protected] -AsPlainText -Force) -FarmCredentials (Get-Credential) -LocalServerRole SingleServerFarm</pre><p><img class="aligncenter size-full wp-image-6629" src="" alt="azuresql01" width="646" height="84" /></p>
<p>Both approaches led to the same result: old-fashioned Windows integrated authentication is not supported by Azure SQL Database as of this article. Right now I&#8217;d confirm that connecting your SharePoint farm to Azure SQL Database with integrated authentication is not possible. There might be another way to achieve seamless authentication, but I haven&#8217;t figured it out yet.</p>
<h3><strong><span style="color: #3366ff;">What about SQL Server running on Azure VM?</span></strong></h3>
<p>To dig a little deeper into the mixed cloud model, I want to provision a virtual machine running Microsoft SQL Server to see how far my goal can be achieved. The following PowerShell quickly provisions a virtual machine with SQL Server 2014 SP2 on Windows Server 2012 R2. All resource information refers to the previous article, including the resource group, virtual network and subnet:</p><pre class="crayon-plain-tag"># Basics
$subscription = "Enterprise Subscription"
$rgName = "sp16-rg"
$location = "southeastasia"
# Storage Info
$strName = "s15digitalstr0002"
$strType = "Standard_LRS"
# Network settings
$vNetName = "myVnet"
$nicName = "db-nic"
$subnetName = "db-subnet"
# VM Info
$vmName = "sql14db"
$computerName = "sqldb"
$vmSize = "Standard_D4s_v3"
$osDisk = $vmName + "OSDisk"
# OS and SKU
$publisherName = "MicrosoftSQLServer"
$offer = "SQL2014SP2-WS2012R2"
$sku = "Enterprise"
$skuVersion = "latest"
# If you have more than one subscription, set context first
#Set-AzureRmContext -SubscriptionName $subscription
# Creating a new storage account
$strAcc = New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $strName -Type $strType -Location $location
Write-Host "Completed creating a new storage account"  -BackgroundColor DarkYellow
# Creating network resources
$pip = New-AzureRmPublicIpAddress -Name $nicName -ResourceGroupName $rgName -Location $location -AllocationMethod Static
$vnet = Get-AzureRmVirtualNetwork -Name $vNetName -ResourceGroupName $rgName
# Look the subnet up by name so the NIC lands in db-subnet rather than the first subnet of the vnet
$subnetId = ($vnet.Subnets | Where-Object { $_.Name -eq $subnetName }).Id
$nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName -Location $location -SubnetId $subnetId -PublicIpAddressId $pip.Id
Write-Host "Completed creating network resources"  -BackgroundColor DarkYellow
# Setting VM network and storage
$cred = Get-Credential -Message "Enter your VM's admin password"
$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
$vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $computerName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName $publisherName -Offer $offer -Skus $sku -Version $skuVersion
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
$osDiskUri = $strAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $osDisk + ".vhd"
$vm = Set-AzureRmVMOSDisk -VM $vm -Name $osDisk -VhdUri $osDiskUri -CreateOption FromImage
Write-Host "Completed setting your VM"  -BackgroundColor DarkYellow
# Creating VM
New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vm
Write-Host "Completed creating a new SQL Server VM"  -BackgroundColor DarkYellow</pre><p>Once the SQL Server virtual machine has been provisioned, connect to it and join it to Azure AD DS:</p><pre class="crayon-plain-tag">Add-Computer -DomainName "" -Credential "[email protected]"
Restart-Computer</pre><p>Now you have two virtual machines joined to the existing Azure AD DS domain.</p>
<h3><span style="color: #3366ff;"><strong>SharePoint Farm Configuration</strong></span></h3>
<p>The last step is to run the SharePoint Products Configuration Wizard or PowerShell and complete the configuration steps. I&#8217;m not going to write down every step here. Make sure your account has the appropriate permissions (e.g. <strong>dbcreator</strong> and <strong>securityadmin</strong>) and that the <strong>MAXDOP</strong> setting in SQL Server is set to <strong>1</strong> (by default it is <strong>0</strong> with the given template). Fortunately, the setup and farm configuration completed without any error.</p>
<p><img class="aligncenter wp-image-6638 size-full" src="" alt="sql" width="641" height="611" /></p>
<p>You have now set up a SharePoint farm whose database server is an Azure virtual machine running SQL Server 2014 SP2.</p>
<h3><strong><span style="color: #3366ff;">Hosting Content database on Azure SQL Database</span></strong></h3>
<p>If content databases were hosted on a SQL Server virtual machine, I&#8217;d need a very powerful virtual machine and premium storage to optimize performance, because all business data is stored in the SharePoint content databases. The configuration database only stores farm configuration and is not an intensive-workload database. That gave me the idea of testing a web application whose content database is a pre-created blank database (the one you created in the Creating a blank database section).</p><pre class="crayon-plain-tag"># Variables
$appPoolAcc = "S-15\SPServiceAccount"
$appPoolName = "webAppPool"
$contentDb = "SP_ContentDb"
# Fully qualified name of the Azure SQL logical server
$dbServer = ""
$webApp = "http://sp16"
$hostHeader = ""
$Url = $webApp
$webName = "Digital Web"
# SQL login used to reach the content database (password is prompted for)
$dbCred = "thuansoldier"
New-SPWebApplication -ApplicationPool $appPoolName -ApplicationPoolAccount $appPoolAcc -Name $webName -AuthenticationProvider (New-SPAuthenticationProvider -UseBasicAuthentication) -DatabaseName $contentDb -DatabaseServer $dbServer -Port 80 -Url $Url -DatabaseCredentials (Get-Credential -UserName $dbCred -Message "Password of the SQL login")</pre><p>There are a few things to note:</p>
<ul>
<li><strong>$contentDb</strong>: must be the exact name of the database you created.</li>
<li><strong>$dbServer</strong>: this is the connection string (server name) of your PaaS database.</li>
<li><strong>$dbCred</strong>: this is just a SQL login. You need T-SQL to create the login and grant it the <strong>db_owner</strong> role on the database.</li>
</ul>
<p>It should not take long, since the Azure SQL database is in the same virtual network as SharePoint, so traffic doesn&#8217;t have to be routed to the Azure SQL Database service endpoint.</p>
<p>You can run the following command to verify whether the target content database is an Azure SQL database:</p><pre class="crayon-plain-tag">$dbName = "SP_ContentDb"
# Returns $true when the content database is hosted on Azure SQL Database
(Get-SPContentDatabase $dbName).IsSqlAzure</pre><p>Note that there is no trick here. <pre class="crayon-plain-tag">Get-SPContentDatabase</pre> is a SharePoint cmdlet and it is able to recognize an Azure SQL database.<img class="aligncenter size-full wp-image-6641" src="" alt="sqldb-azure" width="523" height="112" /></p>
<p>Now I&#8217;m going to create a new site collection under the newly created web application.</p>
<p><img class="aligncenter wp-image-6640" src="" alt="azuresp" width="682" height="362" /></p>
<p>Finally, hosting the SharePoint content database is done. The key difference from the common setup is the database authentication method. Because Windows integrated authentication is not supported, the only supported mode is SQL database authentication. Of course, the account that does the job is not maintained by Azure AD.</p>
<h3><span style="color: #3366ff;"><strong>Conclusion</strong></span></h3>
<p>In this article, I walked you through the steps to create an Azure SQL logical server and a blank database. My purpose was to see whether SharePoint could connect to Azure SQL Database with integrated authentication. Unfortunately, that mode is not supported. This old-fashioned mode should be deprecated in the future; in other words, the next SharePoint version should allow us to use a cloud identity service for the initial setup. In the next article, let&#8217;s go through the pros and cons of every scenario of the mixed cloud model.</p>
]]></content:encoded>
<wfw:commentRss>;p=6610</wfw:commentRss>
<slash:comments>1</slash:comments>
<post-id xmlns="com-wordpress:feed-additions:1">6610</post-id> </item>
<item>
<title>Building a mixed cloud model for SharePoint &#8211; Part 1</title>
<link></link>
<comments></comments>
<pubDate>Sat, 13 Jan 2018 14:41:07 +0000</pubDate>
<dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
<category><![CDATA[Microsoft Azure]]></category>
<category><![CDATA[azure sql db. sharepoint azure]]></category>
<category><![CDATA[mixed cloud]]></category>
<guid isPermaLink="false"></guid>
<description><![CDATA[If you follow my community activities and my blog, you surely know about my advocacy of deploying a SharePoint farm...]]></description>
<content:encoded><![CDATA[<p>If you follow my <a href="" target="_blank" rel="noopener">community activities</a> and my blog, you surely know about my advocacy of deploying a SharePoint farm on Azure IaaS. I have written a number of related articles on this blog.</p>
<ul>
<li><a href="" target="_blank" rel="noopener">Why is SharePoint on Azure IaaS still a good consideration?</a></li>
<li><a href="" target="_blank" rel="noopener">Keys to SharePoint Server 2016 Planning on Microsoft Azure</a></li>
<li><a href="" target="_blank" rel="noopener">Deploying a single SharePoint Server 2016 Farm on Azure IaaS</a></li>
<li><a href="" target="_blank" rel="noopener">SharePoint in Azure IaaS</a></li>
</ul>
<p>Besides blogging, I went to a few annual regional conferences such as <a href="" target="_blank" rel="noopener">Azure Global Bootcamp</a> and <a href="" target="_blank" rel="noopener">ExpertsLive Asia Pacific</a> (aka System Center Universe) to share my experience with SharePoint hosted on Azure IaaS. The &#8220;<a href="" target="_blank" rel="noopener">Azure IaaS Defense In Depth</a>&#8221; book also provides a comprehensive lab for deploying a protected SharePoint farm on Azure. All of this is about provisioning virtual machines and installing and configuring a SharePoint farm.</p>
<p>Recently a few customers asked me whether they could deploy a SharePoint workload on Azure virtual machines while taking advantage of platform services for Active Directory and the SQL Server database. Honestly, such a question is super interesting, and it drove me to get my hands dirty again and experiment before giving those customers an acceptable answer.</p>
<blockquote><p>As a consultant, I wouldn&#8217;t answer Yes/No without a reasoned explanation. When asked about feasibility, a bare Yes/No makes you look like an amateur. If you don&#8217;t have the experience, go and test it if possible. Otherwise, give your <a href="" target="_blank" rel="noopener">honesty</a>.</p></blockquote>
<p>This blog series will answer the following questions:</p>
<ul>
<li>Can I host my SharePoint databases in Azure SQL Database, which is a non-IaaS service?</li>
<li>Can I use Azure Active Directory Domain Services (ADDS) for my SharePoint farm?</li>
<li>Can both Azure SQL Database and Azure ADDS be used?</li>
</ul>
<h3><span style="color: #3366ff;"><strong>Mixed Cloud Model</strong></span></h3>
<p>A mixed cloud model might be thought of as a hybrid cloud model. However, by my own definition, I tend to think of it as a mix between IaaS and PaaS in some way. This is not a new model, of course. In real-world deployments, you may see a case in which the workload runs on Azure virtual machines while the database management system is a PaaS service (e.g. Cosmos DB or Azure SQL Database). Another case is a system whose application layer uses Azure App Service while its database is hosted on a SQL Server virtual machine.</p>
<p><img class="aligncenter wp-image-6566" src="" alt="blog" width="659" height="425" /></p>
<p>The illustration above shows an example reference architecture for the mixed cloud model:</p>
<ul>
<li>Two Azure VMs are responsible for application hosting.</li>
<li>Azure Load Balancer is positioned as the Internet-facing web proxy.</li>
<li>Azure SQL Database is used mainly to store the data; its endpoint is exposed to the application.</li>
<li>All resources are inside a virtual network (note that Azure SQL Database can be put inside a virtual network as of this article).</li>
</ul>
<p>The reasons vary. In one of the most recent cases, a customer needed to use Azure SQL Database, but its virtual network capability was still in preview, which didn&#8217;t meet the go-live deadline, so they decided to run SQL Server on an Azure virtual machine while the application ran on Azure App Service. Another reason is a chosen platform on which Microsoft is not strong, e.g. Node.js. In fact, <a href="" target="_blank" rel="noopener">Azure App Service supports Node.js</a>, but due to a lack of confidence, running a Linux virtual machine is preferred.</p>
<p>The mixed cloud model can be good for temporary deployments while something is still in preview in Azure. It is also one of the strategies of cloud transformation when you are between Lift-and-Shift and Cloud Optimization. Money, transition and adoption are the usual explanations.</p>
<p><img class="aligncenter wp-image-6569" src="" alt="msConnect_modernization_maturityModel" width="562" height="306" /></p>
<h3><span style="color: #3366ff;"><strong>Build a SharePoint base virtual machine</strong></span></h3>
<p>Building a SharePoint base virtual machine can be done with a SharePoint template available in the Azure Marketplace. In this article, I&#8217;m going to use the SharePoint Server 2016 Trial template. This template already has the SharePoint Server 2016 prerequisites installed, so you don&#8217;t necessarily have to run the Products Preparation Tool. Creating a VM from the SharePoint 2016 trial template can be done via the Azure Portal, PowerShell, CLI or Visual Studio with an Azure ARM template. In this article, I&#8217;m going to use PowerShell to get things done quickly:</p><pre class="crayon-plain-tag"># Basics
$subscription = "Enterprise Subscription"
$rgName = "sp16-rg"
$location = "southeastasia"
# Storage Info
$strName = "s15digitalstr0001"
$strType = "Standard_LRS"
# Network settings
$vNetName = "myVnet"
$nicName = "spNic"
$subnetName = "sp-subnet"
$vnetAddressPrefix = ""
$vnetSubnetPrefix = ""
# VM Info
$vmName = "SP16VM"
$computerName = "SP16"
$vmSize = "Standard_D12_v2"
$osDisk = $vmName + "OSDisk"
# OS and SKU
$publisherName = "MicrosoftSharepoint"
$offer = "MicrosoftSharePointServer"
$sku = "2016"
$skuVersion = "latest"
# If you have more than one subscription, set context first
Set-AzureRmContext -SubscriptionName $subscription
# Creating a new resource group
New-AzureRmResourceGroup -Name $rgName -Location $location
Write-Host "Completed creating a new resource group"  -BackgroundColor DarkYellow
# Creating a new storage account
$strAcc = New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $strName -Type $strType -Location $location
Write-Host "Completed creating a new storage account"  -BackgroundColor DarkYellow
# Creating network resources (the vnet has a single subnet at this point)
$pip = New-AzureRmPublicIpAddress -Name $nicName -ResourceGroupName $rgName -Location $location -AllocationMethod Static
$subnetCfg = New-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $vnetSubnetPrefix
$vnet = New-AzureRmVirtualNetwork -Name $vNetName -ResourceGroupName $rgName -Location $location -AddressPrefix $vnetAddressPrefix -Subnet $subnetCfg
$nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id
Write-Host "Completed creating network resources"  -BackgroundColor DarkYellow
# Setting VM network and storage
$cred = Get-Credential -Message "Enter your VM's admin password"
$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
$vm = Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $computerName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName $publisherName -Offer $offer -Skus $sku -Version $skuVersion
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id
$osDiskUri = $strAcc.PrimaryEndpoints.Blob.ToString() + "vhds/" + $osDisk + ".vhd"
$vm = Set-AzureRmVMOSDisk -VM $vm -Name $osDisk -VhdUri $osDiskUri -CreateOption FromImage
Write-Host "Completed setting your VM"  -BackgroundColor DarkYellow
# Creating VM
New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vm
Write-Host "Completed creating a new SharePoint VM"  -BackgroundColor DarkYellow</pre><p>Note that this script doesn&#8217;t create any network security group; the purpose is to let network traffic through. Without a network security group the VM&#8217;s static public IP is reachable on every port, so attach one that restricts inbound RDP to your own addresses before leaving the machine running. After the script completes, remote into your newly provisioned virtual machine to verify.</p>
  273. <h3><span style="color: #3366ff;"><strong>Deploying Azure AD DS</strong></span></h3>
  274. <p>If you are an Azure geek, having worked with Azure long enough, you would be familiar with Azure AD, at least you know what it is. Azure AD is a core cloud-based identity management service which is used by almost Microsoft cloud services such as Office 365, Dynamic 365. Azure AD is also a main identity of Microsoft Cloud platform. It offers developers number of capabilities to build an authentication engine, or integrate with almost SaaS cloud services. Some of capabilities I&#8217;ve been engaged to work include Azure AD, Application Proxy, Single Sign On, Multi-factor.</p>
  275. <p>[Image: azure_active_directory]</p>
  276. <blockquote><p>This page gives more details on Azure AD <a href="" target="_blank" rel="noopener"></a></p></blockquote>
  277. <p>However, its name does not mean you can do everything you can do with on-premises Windows Server Active Directory. You could still create something &#8216;domain controller like&#8217; in Azure AD and join a virtual machine to that managed domain via a pre-configured FQDN, but it was not what you wished for, due to many limitations. At that time, Azure AD was not designed to be a corporate centralized directory and identity management system. Fortunately, built on the core of Azure AD, and perhaps driven by customer feedback to Microsoft, Azure AD DS was invested in to bring you a real domain controller deployment. Unlike Azure AD, which supports application-aware identity and <strong>authN/authZ</strong> integration, Azure AD DS offers you domain join, group policy, LDAP, and Kerberos &amp; NTLM authentication, so it feels like you fully control your domain controller. Moreover, Azure AD DS can be deployed directly into a specific Azure virtual network.</p>
  278. <p>In this article, I&#8217;m not going to go deeper into Azure AD DS. The purpose is to help you quickly deploy a mixed cloud model and to gain more hands-on experience with the new components introduced here. Deploying Azure AD DS can be done via the Azure Portal, PowerShell or the Azure CLI. In this post, let&#8217;s focus on PowerShell. Azure AD DS is part of Azure AD, so you need to install the Azure AD module in PowerShell. Simply run <pre class="crayon-plain-tag">Install-Module AzureAD</pre> and <pre class="crayon-plain-tag">Install-Module AzureADPreview -AllowClobber</pre> on your computer. After the module installation, connect to Azure AD with <pre class="crayon-plain-tag">Connect-AzureAD</pre>, just as you do with <pre class="crayon-plain-tag">Login-AzureRmAccount</pre>. Without a TenantId specified, Connect-AzureAD only connects to the Azure AD that your account belongs to; Azure does not know which Azure AD tenant you actually need. Run the following command line to connect to the tenant of the target subscription:</p><pre class="crayon-plain-tag">$tenantID = (Get-AzureRmSubscription -SubscriptionName "Enterprise Subscription").TenantId
  279. Connect-AzureAD -TenantId $tenantID</pre>
  280. <blockquote><p>If you use a Microsoft account (e.g. [email protected]), refer to this <a href="" target="_blank" rel="noopener">article</a> to connect to the correct Azure AD.</p></blockquote>
  281. <p>If the output shows, under TenantDomain, the domain you configured before, you&#8217;re done.</p><pre class="crayon-plain-tag">Account          Environment TenantId                             TenantDomain AccountType
  282. -------          ----------- --------                             ------------ -----------
  283. [email protected] AzureCloud  03987603-0fc0-4103-bd94-cdffbefb2226    User</pre><p>Every access request to an Azure service must first authenticate with Azure AD, because Azure AD is also the identity management system for all services hosted in Microsoft Azure. In my case, because I want to create a new object (a kind of application identity) in Azure AD, I have to create a new service principal. This service principal allows Azure AD to grant my Azure AD DS access to the resources it needs.</p><pre class="crayon-plain-tag">New-AzureRmADServicePrincipal -ApplicationId "2565bd9d-da50-47d4-8b85-4c97f669dc36"</pre><p>If you&#8217;ve worked with Azure AD before, you may not know where to get the application ID &#8220;<strong>2565bd9d-da50-47d4-8b85-4c97f669dc36</strong>&#8221;, because you may think that you need to create and register a new application before grabbing its ID. In fact, this App ID belongs to the Domain Controller Services application, which is provided by Microsoft. The command above adds this enterprise application to your tenant.</p>
  284. <p>[Image: azure-app]</p>
  285. <blockquote><p>There may be some obsolete articles on the Internet using <strong>AppID</strong> instead of <strong>ApplicationID</strong>. If your Azure AD module&#8217;s version is then <strong>ApplicationID</strong> is the correct one.</p></blockquote>
  286. <p>Now let&#8217;s define the whole script to make the deployment done quickly.</p><pre class="crayon-plain-tag"># Set up your subscription
  287. $rgName = "sp16-rg"
  288. $location = "southeastasia"
  289. $subscriptionName = "Enterprise Subscription"
  291. # Set up your domain info
  292. $adAdmin = "[email protected]"
  293. $domain = ""
  294. $adAdminGroup = "AAD DC Administrators"
  296. # Set up network for Azure AD DS
  297. $vNetName = "myVnet"
  298. $subnetAdName =  "adds-subnet"
  299. $subnetAdAddPrefix = ""
  301. # Connect to your Azure AD (assumes Login-AzureRmAccount has already been run for the AzureRm cmdlets)
  302. $tenantID = (Get-AzureRmSubscription -SubscriptionName $subscriptionName).TenantId
$subscription = (Get-AzureRmSubscription -SubscriptionName $subscriptionName).Id   # subscription ID used in the resource IDs below
  303. Connect-AzureAD -TenantId $tenantID
  305. #Creating a new Azure AD group for administrators
  306. New-AzureADGroup -DisplayName $adAdminGroup -Description "Groups of AD Admin" -SecurityEnabled $true -MailEnabled $false -MailNickName "ADDSAdmin"
  307. Write-Host "Completed creating a new Azure AD group"  -BackgroundColor DarkYellow
  309. #Creating a new specified admin account
  310. $pw = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
  311. $pw.Password = Read-Host -Prompt "Enter the initial password for $adAdmin"   # prompt for it instead of storing a clear-text password in the script
  312. New-AzureADUser -DisplayName "Jimmy Nguyen" -PasswordProfile $pw -UserPrincipalName $adAdmin -AccountEnabled $true -MailNickName "Jimmy"
  313. Write-Host "Completed creating a new Azure AD admin user account"  -BackgroundColor DarkYellow
  316. # Retrieve group and ad admin group
  317. $groupObjId = Get-AzureADGroup -Filter "DisplayName eq '$adAdminGroup'" | Select-Object ObjectId
  318. $userObjId = Get-AzureADUser -Filter "UserPrincipalName eq '$adAdmin'" | Select-Object ObjectId
  320. # Add to AD admin group
  321. Add-AzureADGroupMember -ObjectId $groupObjId.ObjectId -RefObjectId $userObjId.ObjectId
  322. Write-Host "Completed adding $adAdmin to $adAdminGroup"  -BackgroundColor DarkYellow
  324. # Register the resource provider for Azure AD DS
  325. Register-AzureRmResourceProvider -ProviderNamespace Microsoft.AAD
  327. # Configure subnet for Azure AD DS
  328. $subnetADDS = New-AzureRmVirtualNetworkSubnetConfig -Name $subnetAdName -AddressPrefix $subnetAdAddPrefix
  329. $vNet = Get-AzureRmVirtualNetwork -Name $vNetName -ResourceGroupName $rgName
  330. Add-AzureRmVirtualNetworkSubnetConfig -Name $subnetAdName -VirtualNetwork $vNet -AddressPrefix $subnetAdAddPrefix
  331. Set-AzureRmVirtualNetwork -VirtualNetwork $vNet
  332. Write-Host "Completed creating and adding a subnet to existing virtual network"  -BackgroundColor DarkYellow
  334. # Creating Azure AD DS resource with pre-defined subnet and vnet
  335. New-AzureRmResource -ResourceId "/subscriptions/$subscription/resourceGroups/$rgName/providers/Microsoft.AAD/DomainServices/$domain" -Location $location -Properties @{"DomainName"=$domain; "SubnetId"="/subscriptions/$subscription/resourceGroups/$rgName/providers/Microsoft.Network/virtualNetworks/$vNetName/subnets/$subnetAdName"} -ApiVersion 2017-06-01 -Force -Verbose
  336. Write-Host "Completed creating Azure AD DS"  -BackgroundColor DarkYellow</pre><p>The creation of Azure AD DS takes around 15-20 minutes. Go to the Azure Portal at this <a href="" target="_blank" rel="noopener">link</a> to check the status. You can also go to the resource group to check all the related resources being provisioned.</p>
  337. <h3><span style="color: #3366ff;"><strong>Joining SharePoint to Azure AD DS</strong></span></h3>
  338. <p>Once Azure AD DS is completely provisioned, it is considered a domain controller. Unlike an on-premises server, you do not have to install the Active Directory Domain Services role and then promote it to a domain controller. There are a couple of steps to configure the DNS servers before joining. From Azure AD DS, you are given two DNS server addresses:</p>
  339. <p>[Image: dns-azureadds]</p>
  340. <p>Click <strong>Configure DNS servers</strong> to update the custom DNS servers. You will be redirected to the corresponding virtual network. Alternatively, you can run the following script:</p><pre class="crayon-plain-tag">$rgName = "sp16-rg"
  341. $location = "southeastasia"
  342. $vnetName = "myVnet"
  343. $dns01 = ""
  344. $dns02 = ""
  346. $vNet = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
  347. $vNet.DhcpOptions.DnsServers = $dns01
  348. $vNet.DhcpOptions.DnsServers += $dns02
  349. Set-AzureRmVirtualNetwork -VirtualNetwork $vNet</pre><p>Your virtual machine needs to be restarted to pick up the new DNS servers. After that, connect via RDP and check with <pre class="crayon-plain-tag">ipconfig /all</pre> or <pre class="crayon-plain-tag">ping </pre>. A resolvable domain name is not enough yet. You also need to synchronize the admin account&#8217;s password from Azure AD to Azure AD DS; the steps to enable password synchronization are straightforward. Log into <a href="" target="_blank" rel="noopener"></a> with the Azure AD DS admin account you created previously (in my case [email protected]) and change its password; the password change is what triggers the synchronization to Azure AD DS. Once the password has been updated, wait 3-5 minutes and then RDP to the SharePoint virtual machine and join it to the domain:</p><pre class="crayon-plain-tag">Add-Computer -DomainName "" -Credential "[email protected]"</pre><p>Enter the newly updated password and pray for a successful result. Restart the computer to complete the join.</p>
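<p>The join described above, as an added example that is not part of the original post: before calling Add-Computer, the function checks that the managed domain resolves through the DNS servers just configured and that Kerberos and LDAP are reachable, and it prompts for the password instead of keeping it in the script. The domain name and admin UPN are placeholders, and Join-ManagedDomain is my own name, not a cmdlet from the post.</p>

```powershell
# Added example (not from the original post): verify DNS and domain-controller reachability
# from the SharePoint VM, then join it to the Azure AD DS managed domain.
function Join-ManagedDomain
{
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # placeholder: the Azure AD DS domain created earlier
        [Parameter(Mandatory)] [string] $AdminUpn      # placeholder: member of the "AAD DC Administrators" group
    )

    # 1. DNS must point at the two Azure AD DS addresses set on the virtual network;
    #    if the domain name does not resolve, the join cannot locate a domain controller
    $dc = Resolve-DnsName -Name $DomainName -Type A -ErrorAction SilentlyContinue
    if (-not $dc)
    {
        throw "'$DomainName' does not resolve; check the vnet DNS servers and restart the VM"
    }

    # 2. The managed domain controllers must answer on Kerberos (TCP 88) and LDAP (TCP 389)
    foreach ($port in 88, 389)
    {
        if (-not (Test-NetConnection -ComputerName $DomainName -Port $port -InformationLevel Quiet))
        {
            throw "Port $port to $DomainName is not reachable; check the NSGs on both subnets"
        }
    }

    # 3. Prompt for the password rather than embedding it. The account must have changed its
    #    password after Azure AD DS was enabled so that its hash has been synchronised.
    $cred = Get-Credential -UserName $AdminUpn -Message "Azure AD DS admin password"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
}

# Usage (placeholders, run on the SharePoint VM after the DNS change and reboot)
Join-ManagedDomain -DomainName "<your-managed-domain>" -AdminUpn "<admin>@<tenant-domain>"
```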
  350. <p>Managing Azure AD DS via the Azure Portal looks pretty crazy, because you don&#8217;t see many things you can do there. The best way is to install the AD DS tools on a virtual machine and manage the domain from there. It can be the SharePoint virtual machine you created, or a new virtual machine.</p><p>[Image: addscenter]</p>
  351. <p>Not all features are available via the AD Administrative Center. For example, you cannot create a new user from this tool, because user identities are actually stored and managed in Azure AD.</p>
  352. <h3><span style="color: #3366ff;"><strong>Conclusion</strong></span></h3>
  353. <p>I do hope the first part of the series is helpful for you, at least the portion on Azure AD DS deployment using PowerShell and some notes to consider. From the article, we know that Azure AD DS can play the role of a domain controller in the SharePoint farm. In the next part, let&#8217;s have a look at Azure SQL Database to see if it can be involved.</p>
  354. <hr />
  355. <p>Go to <a href="" target="_blank" rel="noopener">Building a mixed cloud model for SharePoint – Part 2</a></p>
  356. ]]></content:encoded>
  357. <wfw:commentRss>;p=6560</wfw:commentRss>
  358. <slash:comments>1</slash:comments>
  359. <post-id xmlns="com-wordpress:feed-additions:1">6560</post-id> </item>
  360. <item>
  361. <title>Connect to Azure AD using Microsoft Account with PowerShell</title>
  362. <link></link>
  363. <comments></comments>
  364. <pubDate>Sat, 13 Jan 2018 14:00:04 +0000</pubDate>
  365. <dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
  366. <category><![CDATA[Microsoft Azure]]></category>
  367. <category><![CDATA[azure ad]]></category>
  368. <category><![CDATA[azure ad authentication]]></category>
  369. <category><![CDATA[azure ad powershell]]></category>
  371. <guid isPermaLink="false"></guid>
  372. <description><![CDATA[Microsoft Account is considered not an internal account given to Microsoft employee. Microsoft account is associated to external services such...]]></description>
  373. <content:encoded><![CDATA[<p>A Microsoft Account is not an internal account given to Microsoft employees; it is an account <a href="" target="_blank" rel="noopener">associated with external services</a> such as Live Mail, Skype, Xbox and so on. When connecting to Azure AD with a Microsoft Account (e.g. a Live ID), you might get started with <pre class="crayon-plain-tag">Connect-AzureAD</pre> to get the tenant ID. Below is the screen you might get.</p>
  374. <p>[Image: tenantid]</p>
  375. <p>You are happy to do more with some cmdlets of the Azure AD module, e.g. <pre class="crayon-plain-tag">Get-AzureAdUser</pre>, but you always get the error message &#8220;<strong>Error occured while executing GetUsers</strong>&#8221; along with the return code &#8220;<strong>Authenticated_Unauthorized</strong>&#8221;.</p>
  376. <p>[Image: aduser]</p>
  377. <p>Like anyone, you start searching for the same error on Google and find the answer: you need to specify the tenant ID. You then pass the tenant ID to another <pre class="crayon-plain-tag">Connect-AzureAD</pre> with the command line below</p><pre class="crayon-plain-tag">Connect-AzureAD -TenantId "your_tenant_ID_you've_got"</pre><p>After executing the command line, you get successful output like this</p><pre class="crayon-plain-tag">Account          Environment TenantId                             TenantDomain AccountType
  378. -------          ----------- --------                             ------------ -----------
  379. [email protected] AzureCloud  f8cdef31-a31e-4b4a-93e4-5f571e91255a              User</pre><p>You again run some cmdlets to get Azure AD information from your subscription&#8217;s directory. Well, if you follow the steps above, I assure you 100% that you will never reach the target Azure AD. Why? When you use <pre class="crayon-plain-tag">Connect-AzureAD</pre> and type your Microsoft Account, Azure understands by default that you want the directory your Microsoft account belongs to. It is not the target Azure AD you need, because the user principal name of the required account must be <strong>&lt;account&gt;@&lt;tenant_name&gt;</strong> instead of the Live ID account you enter when asked.</p>
  380. <p>If you need to connect to the target Azure AD, you must specify the correct directory ID of your subscription&#8217;s directory, not the Microsoft Account&#8217;s directory. The directory ID can be found via the Azure Portal or with PowerShell. For those who are lazy, the script below does the job.</p><pre class="crayon-plain-tag">$tenantID = (Get-AzureRmSubscription -SubscriptionName "Enterprise Subscription").TenantId
  381. Connect-AzureAD -TenantId $tenantID</pre><p>When executing this script, you are asked to give Azure your credential. Here your Microsoft account can be used. I use <strong>SubscriptionName</strong> because my account is associated with multiple subscriptions.</p>
  382. <p>This article is just a small tip to save you time. Once again, if you connect to the wrong directory, you will never be authorized to execute Azure AD cmdlets against the target directory.</p>
  383. ]]></content:encoded>
  384. <wfw:commentRss>;p=6591</wfw:commentRss>
  385. <slash:comments>1</slash:comments>
  386. <post-id xmlns="com-wordpress:feed-additions:1">6591</post-id> </item>
  387. <item>
  388. <title>Notes on changing Azure VM size</title>
  389. <link></link>
  390. <comments></comments>
  391. <pubDate>Tue, 09 Jan 2018 07:14:11 +0000</pubDate>
  392. <dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
  393. <category><![CDATA[Microsoft Azure]]></category>
  394. <category><![CDATA[azure devops]]></category>
  395. <category><![CDATA[azure virtual machine]]></category>
  396. <category><![CDATA[azure vm resize]]></category>
  398. <guid isPermaLink="false"></guid>
  399. <description><![CDATA[One of the characteristics of cloud computing is agility. Agility means how rapidly you can provision cloud resources and how...]]></description>
  400. <content:encoded><![CDATA[<p>One of the characteristics of cloud computing is agility. Agility means how rapidly you can provision cloud resources and how quickly you can change them to meet a scaling need. In the context of infrastructure provisioning, you sometimes choose the wrong VM size for your application. Another case where the need to change exists is scaling down the infrastructure when you want to release resources. Say your e-commerce site only needs to be boosted during a specific marketing campaign; after the campaign ends, you change the size back to the original to save cost.</p>
  401. <p>Fortunately, in Azure you can change your VM size when you realize the existing one does not meet your needs. There are several ways to do so: you can go to the Azure Portal to change the VM size, or use PowerShell.</p>
  402. <p>With Azure Portal, just go to the VM you need to change its size. Under the blade, click <strong>Size</strong>.</p>
  403. <p>[Image: vm-size]</p>
  404. <p>From the list of available sizes, pick your choice. You can change the VM size while your VM is running; after you save the change, your VM is automatically rebooted. While the VM is running, you can only pick a size that is supported on the same hardware cluster, which means not all VM sizes are listed, because moving the VM to another hardware cluster would be complicated. The rule about stopping the VM also applies to VMs in an availability set.</p>
  405. <p>The image below shows the PowerShell to change the VM size from Standard_A0 to Standard_B1s (which provides burstable performance). However, because the target size is not supported while the VM is running, you receive an error message.</p>
  406. <div id="attachment_6521" class="wp-caption aligncenter"><p>[Image: ps-azure-vm-size]</p><p class="wp-caption-text">Cannot change if VM is running</p></div>
  407. <p>To choose a different cluster, say from A0 to the F series, you first must stop your VM. When it is fully stopped and <strong>deallocated</strong>, the VM is no longer hosted on the cluster it was on, so it is much easier to &#8216;allocate&#8217; it to a different group of hardware.</p>
  408. <p>Some notes for size changing:</p>
  409. <ol>
  410. <li>You can change your VM size even when it is running.</li>
  411. <li>Not all sizes are listed if your VM is running, stop it before changing.</li>
  412. <li>Number of disks supported would prevent you from resizing.</li>
  413. <li>Regional availability is also a key.</li>
  414. </ol>
  415. <p>A VM in production needs a careful plan before stopping it. Stopping (deallocating) a VM can erase some configuration, e.g. a dynamically assigned IP address.</p>
  416. <h3><strong>PowerShell Command</strong></h3>
  417. <p>For those who are lazy about using the Azure Portal to configure things, PowerShell is a cool friend. The following command lines list all the VM sizes your virtual machine can be resized to. This does not only check the hardware cluster but also the disk and regional availability, to make sure you can resize your VM.</p><pre class="crayon-plain-tag">$rg = "azuredev-rg"
  418. $vmName = "A0VM"
  419. Get-AzureRmVMSize -ResourceGroupName $rg -VMName $vmName</pre><p>Note that the output depends on whether the VM is running. You can use the following to check whether your target size is supported (if you are too lazy to check a long list)</p><pre class="crayon-plain-tag">$rg = "azuredev-rg"
  420. $vmName = "A0VM"
  421. $newSize = "Standard_B1s"
  423. $vmS = Get-AzureRmVMSize -ResourceGroupName $rg -VMName $vmName
  424. if ($vmS.Name -contains $newSize)
  425. {
  426.  Write-Output "This size is supported"
  427. }
  428. else
  429. {
  430.  Write-Output "This size is not supported"
  431. }</pre><p>If you want to retrieve the running status, you first need to get the VM status with the code below</p><pre class="crayon-plain-tag">$vm = Get-AzureRmVM -ResourceGroupName $rg -Name $vmName -Status</pre><p>Then you can retrieve the <strong>DisplayStatus</strong> property with</p><pre class="crayon-plain-tag">$vm = (Get-AzureRmVM -ResourceGroupName $rg -Name $vmName -Status).Statuses
  432. $vm.DisplayStatus</pre><p>The output shows you two things:</p><pre class="crayon-plain-tag">Provisioning succeeded
  433. VM running</pre><p>Based on this output, you can write a PowerShell script that fully checks whether the size is supported and performs the resize automatically.</p>
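<p>As an added example (not part of the original post), the following function combines the notes above into one pre-flight test before any resize: whether the target size exists in the VM&#8217;s region, whether it has enough data-disk slots for the disks already attached, and whether the running VM can take it without a stop and deallocate. It assumes the same AzureRM module and resource names used on this page; Test-AzureRmVMResize is my own function name.</p>

```powershell
# Added example (not from the original post): pre-flight check before resizing an Azure VM.
# Assumes the AzureRM module used on this page; Test-AzureRmVMResize is not an Azure cmdlet.
function Test-AzureRmVMResize
{
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $NewSize
    )

    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # 1. Regional availability: sizes offered in the VM's region, regardless of its power state
    $target = Get-AzureRmVMSize -Location $vm.Location | Where-Object { $_.Name -eq $NewSize }
    if (-not $target)
    {
        return [pscustomobject]@{
            Allowed   = $false
            NeedsStop = $false
            Reason    = "$NewSize is not available in region $($vm.Location)"
        }
    }

    # 2. Disk limit: a size with fewer data-disk slots than the VM already uses cannot be applied
    $diskCount = @($vm.StorageProfile.DataDisks).Count
    if ($diskCount -gt $target.MaxDataDiskCount)
    {
        return [pscustomobject]@{
            Allowed   = $false
            NeedsStop = $false
            Reason    = "$NewSize supports $($target.MaxDataDiskCount) data disks, the VM has $diskCount"
        }
    }

    # 3. Hardware cluster: with -VMName the cmdlet lists only the sizes the VM can move to in its
    #    current state, so a running VM gets the sizes of its current cluster; anything else
    #    requires a stop/deallocate first (the error shown in the screenshot above)
    $clusterSizes = Get-AzureRmVMSize -ResourceGroupName $ResourceGroupName -VMName $VMName
    $inCluster = $clusterSizes.Name -contains $NewSize
    if ($inCluster) { $reason = "resize in place (the VM will reboot)" }
    else            { $reason = "stop and deallocate the VM first, then resize" }

    [pscustomobject]@{
        Allowed   = $true
        NeedsStop = -not $inCluster
        Reason    = $reason
    }
}

# Usage with the names from this post
Test-AzureRmVMResize -ResourceGroupName "azuredev-rg" -VMName "A0VM" -NewSize "Standard_B1s"
```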
  434. <p>To update the size, you need to set the <strong>VmSize</strong> property of the <a href="" target="_blank" rel="noopener">HardwareProfile</a> class</p><pre class="crayon-plain-tag">$vm = Get-AzureRmVM -ResourceGroupName $rg -Name $vmName
  435. $vm.HardwareProfile.VmSize = $newSize
  436. Update-AzureRmVM -VM $vm -ResourceGroupName $rg</pre><p>Below is the full snippet to resize an Azure VM. It first checks whether the new size can be applied while the VM is running; otherwise the VM is stopped and deallocated before resizing.</p><pre class="crayon-plain-tag">$rg = "azuredev-rg"
$vmName = "A0VM"
$newSize = "Standard_B1s"

$vm = Get-AzureRmVM -ResourceGroupName $rg -Name $vmName
$vmS = Get-AzureRmVMSize -ResourceGroupName $rg -VMName $vmName

if ($vmS.Name -contains $newSize)
{
   # The target size is available on the current hardware cluster: resize in place (the VM reboots)
   Write-Output "This size is supported"
   $vm.HardwareProfile.VmSize = $newSize
   Update-AzureRmVM -VM $vm -ResourceGroupName $rg
   Write-Output "The VM size is being updated"
}
else
{
   # The target size is not listed while the VM is running, so the VM has to be stopped
   # and deallocated before it can be placed on a different hardware cluster
   Write-Output "VM is being stopped"
   Stop-AzureRmVM -Name $vmName -ResourceGroupName $rg -Force

   # Poll the power state until it reports deallocated before changing the size
   do
   {
       Start-Sleep -Seconds 3
       $vmStatus = (Get-AzureRmVM -ResourceGroupName $rg -Name $vmName -Status).Statuses
       Write-Output $vmStatus.DisplayStatus
   }
   while ($vmStatus.DisplayStatus -notcontains "VM deallocated")

   $vm.HardwareProfile.VmSize = $newSize
   Update-AzureRmVM -VM $vm -ResourceGroupName $rg
   Write-Output "The VM size is updated; the VM stays deallocated until you start it again"
}</pre><p>You can learn more about Azure VM resizing <a href="" target="_blank" rel="noopener">here</a>.</p>
  464. ]]></content:encoded>
  465. <wfw:commentRss>;p=6515</wfw:commentRss>
  466. <slash:comments>0</slash:comments>
  467. <post-id xmlns="com-wordpress:feed-additions:1">6515</post-id> </item>
  468. <item>
  469. <title>A quick review of 2017</title>
  470. <link></link>
  471. <comments></comments>
  472. <pubDate>Mon, 01 Jan 2018 03:32:04 +0000</pubDate>
  473. <dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
  474. <category><![CDATA[Miscellaneous]]></category>
  475. <category><![CDATA[year review]]></category>
  477. <guid isPermaLink="false"></guid>
  478. <description><![CDATA[2017 to me was another year of personal and professional growth, and surely an exciting year. From exploring my personal...]]></description>
  479. <content:encoded><![CDATA[<p>2017 to me was another year of personal and professional growth, and surely an exciting year. From exploring my personal preferences to acquiring new skills so stepping out of my comfort zone, this was another year of learning.</p>
  480. <p>Writing the review lets me remember both the good and bad parts of 2017. It also reflects on my choices and analyzes the outcomes. The review also sort of answers some questions people have asked me.</p>
  481. <h3><strong><span style="color: #ff6600;">Community engagement</span></strong></h3>
  482. <p>Like any previous year, 2017 was also a year I engaged with the technology community focused on Microsoft. Community engagement gave me great opportunities to meet and learn from international experts, which is hard to gain over the Internet. Not only networking and learning, the engagement is also an approach to improving personal skills, namely speaking and communication. When I speak at a conference, it is not only about what I share but also the way I attract people and receive more attention from them. The more you speak, the better your communication skills get. Here is the list of events I joined as a guest speaker in 2017</p>
  483. <ul>
  484. <li><a href="" target="_blank" rel="noopener">Vietnam Japan Cloud Developer 2017</a></li>
  485. <li><a href="" target="_blank" rel="noopener">SharePoint Saturday Paris 2017</a></li>
  486. <li><a href="" target="_blank" rel="noopener">Azure Global Bootcamp 2017</a></li>
  487. <li><a href="" target="_blank" rel="noopener">ExpertsLive Asia Pacific 2017</a></li>
  488. </ul>
  489. <p>My passport got more stamps and the world map is lit up with some more great countries. I wish I could write about my experience on every trip, but time passed by and somehow I could not seem to find the time to write.</p>
  491. <p>With my effort contributed to the community, I <a href="" target="_blank" rel="noopener">got the MVP award for another year</a>. 2017 is the 7th consecutive year.</p>
  492. <p>Besides, I created and run a Vietnamese website called Vietnam Azure Expert Corner, where I gather Azure engineers and experts to share their experiences. The articles are all written in Vietnamese. The purpose is to help the Vietnamese market get into Microsoft Azure through online content. Offline events will surely be organized too.</p>
  493. <p>[Image: azurevn]</p>
  494. <p>In 2018 I plan to come to some big conferences again, such as the European SharePoint Conference, and will try to visit new countries I have never been to.</p>
  495. <h3><strong><span style="color: #ff6600;">Book Publishing</span></strong></h3>
  496. <p>There were several times in the past when I planned to <a href="" target="_blank" rel="noopener">write a technical book</a> and publish it on an online marketplace. Perhaps I never had time for that plan. However, I finally managed to write and publish my first <a href="" target="_blank" rel="noopener">commercial e-book on Amazon</a>. I spent my free time every day, both day and night, writing some paragraphs. The book is about building a defensive infrastructure on Azure using a defense in depth strategy. This book contains my experience with government cloud during the last 3 years in Singapore. The book was published on my 27th birthday. It has been 6 months and the total number of sold copies is 60. I received a lot of positive feedback on how useful the book is, especially what I shared. Some readers even asked if I would write a new version with updates.</p>
  497. <p><img data-attachment-id="6496" data-permalink="" data-orig-file="" data-orig-size="1171,252" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="kdp" data-image-description="" data-medium-file="" data-large-file="" class="size-full wp-image-6496 aligncenter" src="" alt="" width="1171" height="252" srcset=" 1171w, 300w, 768w, 1140w, 552w" sizes="(max-width: 1171px) 100vw, 1171px" /></p>
  498. <p>I contacted a few international experts and authors who have published books with well-known publishers about co-authoring a book. My plans for 2018 also include book authoring. I will reveal it publicly in a future blog article.</p>
  499. <h3><strong><span style="color: #ff6600;">Blog Writing</span></strong></h3>
  500. <p>Writing is also my hobby. I like to write about my experiences and thoughts, or technical articles, to help the community, especially my friends and colleagues who encountered something I had related experience with. Moreover, online readers sent me emails asking me to explain or write about something. These things inspired me a great deal, so I spent my time on such requests. Below is the list of 38 helpful articles I wrote in 2017:</p>
  501. <ul>
  502. <li><a href="" target="_blank" rel="noopener">Migrate a large file share to SharePoint within a short duration</a></li>
  503. <li><a href="" target="_blank" rel="noopener">Conversational Bot would let your business go down</a></li>
  504. <li><a href="" target="_blank" rel="noopener">Pay-As-You-Go on Azure is no longer available as of Feb 1, 2017</a></li>
  505. <li><a href="" target="_blank" rel="noopener">Checklist to securing your SharePoint Online</a></li>
  506. <li><a href="" target="_blank" rel="noopener">Application role in MinRole is also acting like front-end role</a></li>
  507. <li><a href="" target="_blank" rel="noopener">Deploying a single SharePoint Server 2016 Farm on Azure IaaS</a></li>
  508. <li><a href="" target="_blank" rel="noopener">Been with SharePoint for 5 years as a developer, what to do next?</a></li>
  509. <li><a href="" target="_blank" rel="noopener">Take care of your node.ini in SharePoint Server 2013 Search</a></li>
  510. <li><a href="" target="_blank" rel="noopener">An unexpected error has occurred when opening User Profile Service Application</a></li>
  511. <li><a href="" target="_blank" rel="noopener">Quick thought on the UX/UI perspective in Azure Resource Management</a></li>
  512. <li><a href="" target="_blank" rel="noopener">Guideline to hardening your SharePoint 2013 against HPE WebInspect</a></li>
  513. <li><a title="What is securitydata resource group in Microsoft Azure?" href="" rel="bookmark">What is securitydata resource group in Microsoft Azure?</a></li>
  514. <li><a title="Enable Multi-factor authentication on the Azure Management Portal" href="" rel="bookmark">Enable Multi-factor authentication on the Azure Management Portal</a></li>
  515. <li><a title="3 obstacles in building a learning organization" href="" rel="bookmark">3 obstacles in building a learning organization</a></li>
  516. <li><a title="My own three letters to be successful in IT managed services" href="" rel="bookmark">My own three letters to be successful in IT managed services</a></li>
  517. <li><a title="Four security principles I believe myself" href="" rel="bookmark">Four security principles I believe myself</a></li>
  518. <li><a title="Microsoft Invitation makes my browser look hijacked?" href="" rel="bookmark">Microsoft Invitation makes my browser look hijacked?</a></li>
  519. <li><a title="Security shared responsibility in Azure IaaS" href="" rel="bookmark">Security shared responsibility in Azure IaaS</a></li>
  520. <li><a title="Protecting your Azure Virtual Machine with Microsoft Antimalware" href="" rel="bookmark">Protecting your Azure Virtual Machine with Microsoft Antimalware</a></li>
  521. <li><a title="Quick notes about self-signed certificate with Point-to-Site Azure VPN" href="" rel="bookmark">Quick notes about self-signed certificate with Point-to-Site Azure VPN</a></li>
  522. <li><a title="How much would you trust Microsoft Azure?" href="" rel="bookmark">How much would you trust Microsoft Azure?</a></li>
  523. <li><a title="Why is SharePoint on Azure IaaS still a good consideration?" href="" rel="bookmark">Why is SharePoint on Azure IaaS still a good consideration?</a></li>
  524. <li><a title="Brute-force attack mitigation on Microsoft Azure" href="" rel="bookmark">Brute-force attack mitigation on Microsoft Azure</a></li>
  525. <li><a title="DMZ Implementation on Microsoft Azure" href="" rel="bookmark">DMZ Implementation on Microsoft Azure</a></li>
  526. <li><a title="SharePoint Online missing Search template" href="" rel="bookmark">SharePoint Online missing Search template</a></li>
  527. <li><a title="Protecting your Azure virtual machine with Disk Encryption" href="" rel="bookmark">Protecting your Azure virtual machine with Disk Encryption</a></li>
  528. <li><a title="Four levels of customer frustration" href="" rel="bookmark">Four levels of customer frustration</a></li>
  529. <li><a title="A little experience writing for Amazon KDP" href="" rel="bookmark">A little experience writing for Amazon KDP</a></li>
  530. <li><a title="Involve security consulting partner for vulnerability assessment on Azure" href="" rel="bookmark">Involve security consulting partner for vulnerability assessment on Azure</a></li>
  531. <li><a title="Quick look at Microsoft Azure nested virtualization" href="" rel="bookmark">Quick look at Microsoft Azure nested virtualization</a></li>
  532. <li><a title="Security Monitoring In Azure IaaS Resources" href="" rel="bookmark">Security Monitoring In Azure IaaS Resources</a></li>
  533. <li><a title="Search Paused for External Request due to FIPS" href="" rel="bookmark">Search Paused for External Request due to FIPS</a></li>
  534. <li><a title="My slide deck at SharePoint Saturday Paris 2017" href="" rel="bookmark">My slide deck at SharePoint Saturday Paris 2017</a></li>
  535. <li><a title="Hardened Azure Virtual Machine Deployment" href="" rel="bookmark">Hardened Azure Virtual Machine Deployment</a></li>
  536. <li><a title="Keys to SharePoint Server 2016 Planning on Microsoft Azure" href="" rel="bookmark">Keys to SharePoint Server 2016 Planning on Microsoft Azure</a></li>
  537. <li><a title="Comprehensive checklist for SharePoint 2016 offline setup" href="" rel="bookmark">Comprehensive checklist for SharePoint 2016 offline setup</a></li>
  538. <li><a title="My recorded presentation talking about digital transformation with Azure Cognitive" href="" rel="bookmark">My recorded presentation talking about digital transformation with Azure Cognitive</a></li>
  539. <li><a title="A little more about hardened Azure VM deployment" href="" rel="bookmark">A little more about hardened Azure VM deployment</a></li>
  540. </ul>
  541. <p>My articles have been shared not only by the community but also by customers&#8217; staff. They are helpful in explaining some technical aspects. I&#8217;m humbly excited to hear that.</p>
  542. <p>There is no reason for me to stop writing. Hence, I will of course keep up this hobby in 2018.</p>
  543. <h3><strong><span style="color: #ff6600;">My focus</span></strong></h3>
  544. <p>Some people have asked me what I plan to focus on in 2018. Will SharePoint still be a topic? I think it&#8217;s not easy to give a concrete answer here. I will still love working with the SharePoint platform, both the on-premises and the cloud version. SharePoint is mature enough and the community is really big now. SharePoint adoption is not challenging today, even since Office 365 reached general availability. Implementing SharePoint is no longer just writing server-side code and packaging it into a WSP solution. <a href="" target="_blank" rel="noopener">Writing an app on SharePoint today has many approaches</a>. PHP developers can even write an app and make it work for business users on SharePoint. Hence, my focus shall be integration, maintenance and perhaps consulting work only. It means I will try to get involved in any kind of cloud integration with SharePoint (e.g. Azure Functions, Office 365&#8230;).</p>
  545. <p>The main focus I see is Microsoft Azure. If you follow my blog, you will have seen how many Azure-related articles I wrote in 2017, especially on <a href="" target="_blank" rel="noopener">Azure Security</a>. I plan to focus on cloud engineering with Microsoft Azure in 2018. The focus includes DevOps, automation, application architecture and security on Azure. If time permits, I&#8217;d also try data work on Azure.</p>
  546. <h3><strong><span style="color: #ff6600;">Social Networking</span></strong></h3>
  547. <p>I consider myself fortunate to have successfully stayed away from Facebook. I don&#8217;t remember exactly when I deactivated my Facebook account. Facebook, to me personally, is a waste of time. I used to be addicted to Facebook. I realized that I gave Facebook my time without gaining any value. People have their own reasons for using Facebook, but I have none. Since I deactivated Facebook, I have felt happier and had much more time for my focus, whether family, career or new skill development. People ask me why I no longer use Facebook. My answer is always that I don&#8217;t know what I should do on Facebook. By the way, I&#8217;d recommend that you consider stopping using Facebook too. If you find you are giving Facebook your time without real benefit, you should leave it. Consider it this way: when you use Facebook, you work for them and they pay you nothing. You are part of Facebook&#8217;s social network growth.</p>
  548. <p><img data-attachment-id="6500" data-permalink="" data-orig-file="" data-orig-size="1280,720" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;Free to use.&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="leaving-facebook" data-image-description="" data-medium-file="" data-large-file="" class="wp-image-6500 size-full" src="" alt="" width="1280" height="720" srcset=" 1280w, 300w, 768w, 1140w, 552w" sizes="(max-width: 1280px) 100vw, 1280px" /></p>
  549. <p>I have only two online networks right now. One is <a href="" target="_blank" rel="noopener">Twitter</a>, where I can tweet useful articles or read articles shared by the people or companies I follow. The other is <a href="" target="_blank" rel="noopener">LinkedIn</a>, where I develop professional connections to learn from. I also have a <a href="" target="_blank" rel="noopener">Quora</a> account and answered a lot of questions in 2017, but I didn&#8217;t use it often.</p>
  550. <p>In 2018, the main social channels I use will still be Twitter and LinkedIn. I have no plan to go back to Facebook. Here are some articles explaining why you should leave Facebook:</p>
  551. <ul>
  552. <li><a href="" target="_blank" rel="noopener">I Quit Facebook—and You Should, Too</a></li>
  553. <li><a href="" target="_blank" rel="noopener">7 Reasons You Should Quit Facebook</a></li>
  554. <li><a href="" target="_blank" rel="noopener">10 Reasons why you should quit Facebook now…</a></li>
  555. </ul>
  556. <h3><strong><span style="color: #ff6600;">Lesson Learnt</span></strong></h3>
  557. <p>Successes come from failures. I did have failures in 2017, in work and in other businesses I was involved in. The lessons I learnt include communication skills, leadership, culture at work and other things in life. I&#8217;ve been changing to be more professional. You might not find me to be the one you used to know. Of course, I&#8217;m still open to sharing and talking about crazy ideas and cool technology stuff.</p>
  558. <p>Lastly, I wish you a <strong>Great</strong>, <strong>Prosperous</strong>, <strong>Blissful</strong>, <strong>Healthy</strong>, <strong>Bright</strong>, <strong>Delightful</strong>, <strong>Energetic</strong> and <strong>Extremely Happy</strong> New Year. Happy New Year 2018.</p>
  559. ]]></content:encoded>
  560. <wfw:commentRss>;p=6484</wfw:commentRss>
  561. <slash:comments>1</slash:comments>
  562. <post-id xmlns="com-wordpress:feed-additions:1">6484</post-id> </item>
  563. <item>
  564. <title>A little more about hardened Azure VM deployment</title>
  565. <link></link>
  566. <comments></comments>
  567. <pubDate>Wed, 27 Dec 2017 09:44:01 +0000</pubDate>
  568. <dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
  569. <category><![CDATA[Microsoft Azure]]></category>
  570. <category><![CDATA[azure automation dsc]]></category>
  571. <category><![CDATA[azure security]]></category>
  572. <category><![CDATA[powershell dsc]]></category>
  574. <guid isPermaLink="false"></guid>
  575. <description><![CDATA[One of my Azure security related articles provided step-by-step guidance on how to use Azure Automation with Desired State Configuration...]]></description>
  576. <content:encoded><![CDATA[<p>One of my Azure security-related articles provided step-by-step guidance on how to use Azure Automation with Desired State Configuration (DSC) to deploy a security policy on multiple Azure VMs. Rather than a clear explanation, the article was written purely as a step-by-step walkthrough. Hence, I&#8217;ve received some requests to elaborate on this article so that it is fully useful to readers. If you haven&#8217;t had a chance to read it, here you <a href="" target="_blank" rel="noopener">go</a>.</p>
  577. <blockquote><p>If you want to learn advanced Azure IaaS Defense in Depth with lots of hands-on labs to practice, go order my book <a href="" target="_blank" rel="noopener noreferrer">here</a></p></blockquote>
  578. <p>This article explains why to do each step rather than what to do. The sample deployment targets the Account Policy in Local Security Policy.</p>
  579. <h3><strong>Why Azure Automation DSC?</strong></h3>
  580. <p>Azure Automation is a SaaS (Software-as-a-Service) cloud service that gives you the ability to automate Azure resource deployment and configuration. Azure Automation uses a concept called a runbook to work with Azure resources. There are five runbook types currently available in Azure Automation. Four of them support PowerShell and the remaining one is Python, which is in preview as of this article.</p>
  581. <blockquote><p>A <b>runbook</b> is a compilation of routine procedures and operations that the system administrator or operator carries out.</p></blockquote>
  582. <p>Besides runbooks, Azure Automation also supports Desired State Configuration, which lets you maintain configuration deployment and changes across Azure virtual machines and even on-premises machines. Virtual machine state is much like a snapshot, if you have worked with virtualization technologies such as Hyper-V. Desired State Configuration, as its name suggests, lets a system administrator deploy the same state he wishes on every virtual machine. The configuration can be pre-defined before the deployment. Virtual machine state in this article&#8217;s context means virtual machine configuration such as Security Policy, local firewall configuration, the local Administrators group and so on.</p>
  583. <p>In fact, Azure Automation DSC is not the only tool supporting configuration deployment on Azure virtual machines. At the beginner level, you can use the Custom Script Extension to run a scripted deployment on a virtual machine. However, with the Custom Script Extension you cannot deploy your configuration to multiple virtual machines. Moreover, every time you need to deploy a new version of your script, you must repeat the extension installation and upload the script again on every virtual machine.</p>
  584. <p>The next level up is Azure Automation DSC, which is not hard to use. Azure Automation follows the CI/CD methodology. The more advanced level would be using enterprise-grade third-party products such as Chef, Puppet or Octopus.</p>
  585. <p>Now let&#8217;s go a little deeper into every deployment step you performed in the article I mentioned.</p>
  586. <h3><strong>Create an Azure automation account</strong></h3>
  587. <p>The very first step is to create an Azure Automation account. Each account is considered a unit that stores your configuration scripts or runbooks. An Azure Automation account is also an Azure resource and needs a resource group to be placed in. Say I need to create an automation account for the purpose of managing and deploying some security configuration on my on-boarding virtual machines. The name is <strong>SecPolAutomation</strong> (<strong>SecPol</strong> stands for Security Policy).</p>
  588. <p>The subscription of your automation account must be the same as that of the target resources you are going to deploy the configuration to. The resource group doesn&#8217;t have to be the same.</p>
  589. <p><img data-attachment-id="6467" data-permalink="" data-orig-file="" data-orig-size="324,618" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="azure-atm" data-image-description="" data-medium-file="" data-large-file="" class="aligncenter size-full wp-image-6467" src="" alt="" width="324" height="618" srcset=" 324w, 157w" sizes="(max-width: 324px) 100vw, 324px" /></p>
  590. <p>You are asked whether to use the Run As account feature or not. The Run As account creates a service principal in Azure AD and a certificate. This account is also assigned the Contributor role through role-based access control, to make sure it has the privileges to execute the configuration.</p>
  591. <h3>Importing a Module from the Gallery</h3>
  592. <p>Because my plan is to deploy a sample security policy configuration against Account Policy, I need to add the Security Policy DSC resource to my newly created automation account. From the blade, I click <strong>Modules</strong>, then <strong>Browse gallery</strong>. Type &#8220;<strong>SecurityPolicy</strong>&#8221; in the search box. The exact name of the module is <strong>SecurityPolicyDsc</strong>.</p>
  593. <p><strong><img data-attachment-id="6468" data-permalink="" data-orig-file="" data-orig-size="941,221" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="secpolmodule" data-image-description="" data-medium-file="" data-large-file="" class="aligncenter size-full wp-image-6468" src="" alt="" width="941" height="221" srcset=" 941w, 300w, 768w, 552w" sizes="(max-width: 941px) 100vw, 941px" /></strong></p>
  594. <p>SecurityPolicyDsc is created by the Microsoft PowerShell team to allow interaction with four categories of Windows Server security policy.</p>
  595. <ul>
  596. <li><strong>User Rights Assignment</strong></li>
  597. <li><strong>Security Template</strong></li>
  598. <li><strong>Account Policy</strong></li>
  599. <li><strong>Security Option</strong></li>
  600. </ul>
  601. <p>Without the <strong>SecurityPolicyDsc</strong> module, your script cannot interact with the security settings on the target virtual machine. Click the module and click <strong>Import</strong>. The DSC resources are stored in your Azure Automation account&#8217;s storage, from which they are later imported to the virtual machine. You then need to wait around 5 minutes until the module is imported successfully.</p>
  602. <h3><strong>Adding your script to DSC configuration</strong></h3>
  603. <p>Let&#8217;s prepare a script first. I forked this script from this <a href="" target="_blank" rel="noopener">repo</a> for a quick demonstration.</p><pre class="crayon-plain-tag">configuration AccountPolicies
  604. {
  605.    Import-DscResource -ModuleName SecurityPolicyDsc   # provides the AccountPolicy resource used below
  607.    node localhost   # compiled into a node configuration that Azure Automation assigns to registered VMs
  608.    {
  609.        AccountPolicy AccountPolicies
  610.        {
  611.            Name = 'PasswordPolicies'   # key property identifying this resource instance
  612.            Enforce_password_history = 15   # number of previous passwords remembered
  613.            Maximum_Password_Age = 12   # days before a password must be changed
  614.            Minimum_Password_Age = 2   # days before a password may be changed again
  615.            Minimum_Password_Length = 8   # minimum number of characters
  616.            Password_must_meet_complexity_requirements = 'Enabled'
  617.            Store_passwords_using_reversible_encryption = 'Disabled'   # store hashes only
  619.        }
  620.    }
  621. }</pre><p>From the script above, my purpose is to make sure corporate password &amp; account policies are applied consistently across all virtual machines in my environment. For example, the minimum password length must be 8, and passwords must meet the complexity requirement.</p>
  622. <blockquote><p><strong>Import-DscResource -ModuleName SecurityPolicyDsc</strong> makes sure your virtual machine connects to the repository of the SecurityPolicyDsc module and imports it locally.</p></blockquote>
  623. <p>Now you need to upload your script to the pull server in Azure. In fact, this is not a virtual machine you can manage, but a location your script is uploaded to. All target virtual machines pull the script from this location before it is executed.</p>
  624. <p>Before you go to DSC configuration to add a configuration, make sure the configuration name in your code snippet matches the script&#8217;s file name. Otherwise, Azure returns a bad request message: <em>An error occured while import the DSC configuration &#8216;SecPoolAccountPolicy&#8217;. Error details: BadRequest: The configuration name in the script must match the configuration name..</em></p>
  625. <p>For example, in my code snippet above the configuration name is <strong>AccountPolicies</strong> but my file name is <em><strong>SecPoolAccountPolicy.ps1</strong></em>, so I cannot import the script successfully.</p>
  626. <h3><strong>Compiling DSC Configuration</strong></h3>
  627. <p>In the previous step, you finished adding your configuration by importing the DSC script that configures the account policy settings in Local Security Policy for your Windows Server. However, the script has only been uploaded to the pull server. It needs to be compiled to generate a node configuration file.</p>
  628. <p>From DSC Configurations, click on the uploaded script and compile it. Wait until the compilation is complete. You can double-check your DSC code by clicking <strong>View configuration source</strong>. The expanded blade shows you the source code.</p>
  629. <p><img data-attachment-id="6470" data-permalink="" data-orig-file="" data-orig-size="1159,486" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="acc-policy-dsc" data-image-description="" data-medium-file="" data-large-file="" class="aligncenter size-full wp-image-6470" src="" alt="" width="1159" height="486" srcset=" 1159w, 300w, 768w, 1140w, 552w" sizes="(max-width: 1159px) 100vw, 1159px" /></p>
  630. <p>Once the compilation is complete, a node configuration is automatically generated under DSC node configurations.</p>
  631. <h3>Adding DSC Nodes</h3>
  632. <p>A node represents a target virtual machine on which you want to execute your script. This term is commonly used in CI/CD deployment. Every node pulls its configuration (whether it is a script or some other kind of file) from the pull server (master node) and executes it.</p>
  633. <p><img data-attachment-id="6471" data-permalink="" data-orig-file="" data-orig-size="988,528" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="dsc-dia" data-image-description="" data-medium-file="" data-large-file="" class="aligncenter size-full wp-image-6471" src="" alt="" width="988" height="528" srcset=" 988w, 300w, 768w, 552w" sizes="(max-width: 988px) 100vw, 988px" /></p>
  634. <p>Every node needs to be running before it is added. When adding a node, you need to configure the registration settings. Keep the default access key. This is an encrypted access key of your Azure Automation account.</p>
  635. <p>Under <strong>Node configuration name</strong>, choose the node configuration that stores your script. Under <strong>Refresh Frequency</strong>, choose how often (in minutes) the node contacts the pull server to update its node configuration. Under <strong>Configuration Mode Frequency</strong>, decide how often you want the background DSC engine to attempt to apply your configuration on the target node.</p>
  636. <p><img data-attachment-id="6472" data-permalink="" data-orig-file="" data-orig-size="344,538" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="vm-connection-dsc" data-image-description="" data-medium-file="" data-large-file="" class="aligncenter size-full wp-image-6472" src="" alt="" width="344" height="538" srcset=" 344w, 192w" sizes="(max-width: 344px) 100vw, 344px" /></p>
  637. <p>There are three configuration modes:</p>
  638. <ul>
  639. <li><strong>ApplyOnly</strong>: the DSC configuration is applied once and not checked afterwards.</li>
  640. <li><strong>ApplyAndMonitor</strong>: the DSC configuration is applied and then monitored. If the state changes, DSC reports the discrepancy in the log.</li>
  641. <li><strong>ApplyAndAutoCorrect</strong>: the DSC configuration is applied and, if the target node drifts from the desired state (e.g. the state is reverted to the original), DSC reports the discrepancy and re-applies the node configuration.</li>
  642. </ul>
  643. <p>Once all nodes are connected successfully, the node configuration is triggered to execute your script. If the status is <strong>Compliant</strong>, the node configuration has been deployed successfully.</p>
  644. <p><img data-attachment-id="6474" data-permalink="" data-orig-file="" data-orig-size="848,311" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="vm-complaint" data-image-description="" data-medium-file="" data-large-file="" class="aligncenter size-full wp-image-6474" src="" alt="" width="848" height="311" srcset=" 848w, 300w, 768w, 552w" sizes="(max-width: 848px) 100vw, 848px" /></p>
  645. <p>To verify the result, connect to each node and check Local Security Policy</p>
  646. <p><img data-attachment-id="6476" data-permalink="" data-orig-file="" data-orig-size="1117,368" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="localsecpol" data-image-description="" data-medium-file="" data-large-file="" class="aligncenter size-full wp-image-6476" src="" alt="" width="1117" height="368" srcset=" 1117w, 300w, 768w, 552w" sizes="(max-width: 1117px) 100vw, 1117px" /><br />
  647. or use <strong>Get-DscConfiguration</strong></p>
  648. <p><img data-attachment-id="6475" data-permalink="" data-orig-file="" data-orig-size="608,340" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="get-dscconfig" data-image-description="" data-medium-file="" data-large-file="" class="aligncenter size-full wp-image-6475" src="" alt="" width="608" height="340" srcset=" 608w, 300w, 552w" sizes="(max-width: 608px) 100vw, 608px" /></p>
  649. <p>Note again, this article complements the article <a href="" target="_blank" rel="noopener">Hardened Azure Virtual Machine Deployment</a> using Azure Automation DSC.</p>
  650. ]]></content:encoded>
  651. <wfw:commentRss>;p=6461</wfw:commentRss>
  652. <slash:comments>1</slash:comments>
  653. <post-id xmlns="com-wordpress:feed-additions:1">6461</post-id> </item>
  654. <item>
  655. <title>My recorded presentation talking about digital transformation with Azure Cognitive</title>
  656. <link></link>
  657. <comments></comments>
  658. <pubDate>Mon, 18 Dec 2017 02:57:45 +0000</pubDate>
  659. <dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
  660. <category><![CDATA[Microsoft Azure]]></category>
  661. <category><![CDATA[azure cognitive services]]></category>
  663. <guid isPermaLink="false"></guid>
  664. <description><![CDATA[Last month I delivered my presentation at Vietnam Japan Cloud Developer 2017. With a commendable effort, Noro-san &#8211; the organizer...]]></description>
  665. <content:encoded><![CDATA[<p>Last month I delivered my presentation at <a href="" target="_blank" rel="noopener">Vietnam Japan Cloud Developer 2017</a>. With a commendable effort, Noro-san &#8211; the organizer and also a Japanese Microsoft MVP &#8211; recorded my presentation and published the video on YouTube. For those curious about what I talked about, have a look at the five parts of the video below.</p>
666. <p><strong>Part 1</strong><br />
667. [embedded YouTube video: Part 1]</p>
668. <p><strong>Part 2</strong><br />
669. [embedded YouTube video: Part 2]</p>
670. <p><strong>Part 3</strong><br />
671. [embedded YouTube video: Part 3]</p>
672. <p><strong>Part 4</strong><br />
673. [embedded YouTube video: Part 4]</p>
674. <p><strong>Part 5</strong><br />
675. [embedded YouTube video: Part 5]</p>
  676. <p>Hope you enjoy the technology!</p>
  677. ]]></content:encoded>
  678. <wfw:commentRss>;p=6454</wfw:commentRss>
  679. <slash:comments>1</slash:comments>
  680. <post-id xmlns="com-wordpress:feed-additions:1">6454</post-id> </item>
  681. <item>
  682. <title>Comprehensive checklist for SharePoint 2016 offline setup</title>
  683. <link></link>
  684. <comments></comments>
  685. <pubDate>Mon, 04 Dec 2017 09:18:00 +0000</pubDate>
  686. <dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
  687. <category><![CDATA[SharePoint]]></category>
  688. <category><![CDATA[offline setup sharepoint 2016]]></category>
  689. <category><![CDATA[sharepoint 2016]]></category>
  691. <guid isPermaLink="false"></guid>
  692. <description><![CDATA[If you have ever set up SharePoint farm without Internet, you probably know how challenging it is. Because you don&#8217;t...]]></description>
693. <content:encoded><![CDATA[<p style="text-align: left;">If you have ever set up a SharePoint farm without Internet access, you probably know how challenging it is. Without an Internet connection, the Microsoft SharePoint Products Preparation Tool cannot connect to the Microsoft Download Center to download all prerequisites and install and configure each of them automatically. When you hit an error, it is hard to find the root cause, because you have left everything to the tool.</p>
694. <p>Offline setup is very often required if you work in a secure environment where the virtual machine on which you are going to install SharePoint has no Internet connection. Such environments include government, banking and software companies, where data loss is a big concern that would have a significant impact on the business.</p>
695. <p>This article gives you a comprehensive checklist for an offline setup of SharePoint 2016 in a production environment in which multiple parties are involved (e.g. the infrastructure team, Active Directory, security&#8230;). Each party is responsible for a specific scope. You cannot just be someone who is able to touch or create everything you need for your setup.</p>
696. <blockquote><p>As said, this article assumes that you do not control the entire infrastructure and system. You need to tell the other teams what you need.</p></blockquote>
  697. <h3><span style="color: #ff6600;">Hardware preparation</span></h3>
698. <p>Assume that you have already produced a <a href="" target="_blank" rel="noopener">sizing blueprint</a> after reading the requirements or having many meetings with the client. Now you need to prepare the hardware and software requirements in accordance with your sizing blueprint. Whatever you plan, keep in mind what Microsoft states below:</p>
  699. <blockquote><p>If you contact Microsoft Customer Support Services about a production system that does not meet the minimum hardware specifications described in this document, support will be limited until the system is upgraded to the minimum requirements. &#8211; <a href="" target="_blank" rel="noopener">Source</a></p></blockquote>
  700. <p>The hardware requirement can be found <a href="" target="_blank" rel="noopener">here</a>.</p>
701. <p>You should also prepare a hardware verification checklist to verify the virtual machines and specs you are given. The checklist ideally includes:</p>
  702. <ul>
  703. <li>Operating system</li>
  704. <li>vCPU</li>
  705. <li>RAM</li>
  706. <li>HDD</li>
  707. </ul>
708. <p>[Image: hw]</p>
709. <p>This verification checklist ensures that, if the infrastructure team gives you a virtual machine that is inadequate compared with your sizing blueprint, you can push for an update.</p>
  710. <h3><strong><span style="color: #ff6600;">Software Requirement</span></strong></h3>
711. <p>The software required for the OS, SharePoint and the database is listed <a href="" target="_blank" rel="noopener">here</a>. In a multi-vendor engagement, setting up the OS is not your responsibility, so you should not worry about that setup. For SharePoint, you need to download the media from the Internet and ask for a license key. For SQL Server, however, you need to ask your vendor to log into the Microsoft Licensing center to download an ISO that includes a key. If you use the evaluation trial version, you will later have to reconfigure SQL Server to enter your key, which requires farm downtime.</p>
  712. <h3><span style="color: #ff6600;">Active Directory domain controller</span></h3>
713. <p>All virtual machines in your SharePoint farm must be joined to the corporate Active Directory domain. Installing SharePoint 2016 without a domain controller is not supported, although you can use PowerShell to create a configuration database. Moreover, in a production environment I have never seen a case of a SharePoint farm without a managed domain controller.</p>
  714. <h3><span style="color: #ff6600;"><strong>Service Account Preparation</strong></span></h3>
715. <p>You can use one account to run all services, including the farm account role, in SharePoint Server 2016. However, this is not a recommended practice. Running everything under one account creates a security threat: if that account is compromised by a bad guy, the entire farm is easily taken over. You need to consider running services under a number of service accounts. Of course, it is not necessary to use many accounts for your farm, which would lead to overhead in account management and control. To me, the following is enough:</p>
  716. <ul>
  717. <li>Farm account</li>
  718. <li>SQL Service (if your database server is dedicated).</li>
  719. <li>Web application pool account</li>
  720. <li>Service application pool account</li>
  721. <li>Claims to Windows Token service account</li>
  722. <li>Search crawl account</li>
  723. <li>User Profile sync account</li>
  724. <li>Portal super user account</li>
  725. <li>Portal super reader account</li>
  726. </ul>
727. <p>The list must be sent to the AD team before your setup. Every account needs some special permissions, which you need to point out explicitly in your account request list.</p>
728. <p>My friend in the community, Vlad, gives a very comprehensive list of accounts. Check it <a href="" target="_blank" rel="noopener">here</a>.</p>
  729. <h3><span style="color: #ff6600;"><strong>Firewall Port</strong></span></h3>
730. <p>If offline setup is required, I strongly believe the security team will ask about firewall ports. SharePoint Server 2016 uses some specific ports to run, and the port requirement <strong>DOES</strong> depend on your designated topology. First, look at the guidance <a href="" target="_blank" rel="noopener">here</a> to learn all the ports required in your SharePoint farm. Next, map them to your topology. Look at the example below. I designate the Search crawl component to run on the <strong>APP01-PRD</strong> virtual machine, so I need to open the HTTP port (80 or 443) from it to each front-end virtual machine. The Search crawl component crawls website content by sending HTTP requests on port 80 (HTTP) or 443 (if HTTPS is required by policy). In the same example, note that I also use <strong>APP01-PRD</strong> to run MIM (Microsoft Identity Manager), which connects to Active Directory to pull user information. In this case, I must open port 5725 from this machine to AD. From the load balancer, a rule is needed toward each web front-end machine.</p>
731. <p>[Image: spport]</p>
732. <p>Note that I do not need bidirectional traffic, so in the illustration you do not see any bidirectional arrows. For example, there is no requirement for my web front-end machine to send a request to the load balancer, and my web front-end does not need to call the Search crawl component.</p>
733. <blockquote><p>If you need to set up a 5-tuple firewall with a SharePoint farm to evaluate, do purchase my book &#8220;Azure IaaS Defense In Depth&#8221; <a href="" target="_blank" rel="noopener">here</a>. The book gives absolute beginners step-by-step instructions, including screenshots.</p></blockquote>
734. <p>Almost every firewall in the environments I&#8217;ve worked with is a network-based 5-tuple firewall. So in the firewall request, you need to indicate at least the following:</p>
  735. <ul>
  736. <li>Source (e.g. APP01-PRD)</li>
  737. <li>Destination (e.g. WEB01-PRD)</li>
  738. <li>Protocol (e.g. HTTP, TCP&#8230;)</li>
  739. <li>Port (e.g. 80, 443&#8230;)</li>
  740. <li>Direction: unidirectional/bidirectional</li>
  741. <li>Justification (optional): better to have this one to give the security team justification including reference as to why to open a port.</li>
  742. </ul>
  743. <h3><span style="color: #ff6600;"><strong>SharePoint Prerequisites</strong></span></h3>
744. <p>Because you do not have an Internet connection, you must download all prerequisites yourself. There are many PowerShell scripts to help you out, but I think the sources from DanHome are trustworthy. Download them <a href="" target="_blank" rel="noopener">here</a>. If you are still not confident, go to this <a href="" target="_blank" rel="noopener">link</a> to download each one individually.</p>
745. <p>The common process I have to follow is to download the prerequisites and then copy them to the thumb drive I am given. They are all scanned by the corporate anti-virus software before being copied to the target SharePoint virtual machines.</p>
746. <blockquote><p>Files downloaded from the Internet may be blocked by the Windows Server SmartScreen Filter. Make sure every prerequisite is unblocked before the installation. You can unblock a file from its Properties dialog.</p></blockquote>
  747. <h3><span style="color: #ff6600;"><strong>Feature &amp; .NET Framework installation</strong></span></h3>
748. <p>One of the most commonly missed tasks before a SharePoint installation is the .NET Framework installation. Such an installation must target the same OS installation source you used to build the server.</p>
749. <p>[Image: sxs]</p>
750. <p>The PowerShell script below is recommended for automation:</p><pre class="crayon-plain-tag">Import-Module ServerManager
752. Add-WindowsFeature Net-Framework-Features,Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Security,Web-Basic-Auth,Web-Windows-Auth,Web-Filtering,Web-Digest-Auth,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,Application-Server,AS-Web-Support,AS-TCP-Port-Sharing,AS-WAS-Support,AS-HTTP-Activation,AS-TCP-Activation,AS-Named-Pipes,AS-Net-Framework,WAS,WAS-Process-Model,WAS-NET-Environment,WAS-Config-APIs,Web-Lgcy-Scripting,Windows-Identity-Foundation,Server-Media-Foundation,Xps-Viewer -Source D:\sources\sxs</pre><p><strong>D:\sources\sxs</strong> is the location of the side-by-side (sxs) folder on the mounted OS installation media. This way you do not have to worry about downloading the correct framework build; just ask the FM team to mount the installation ISO and specify that path in your script.</p>
753. <p>If you run the script on Windows Server 2016, remove <strong>Application-Server,AS-Web-Support,AS-TCP-Port-Sharing,AS-WAS-Support,AS-HTTP-Activation,AS-TCP-Activation,AS-Named-Pipes,AS-Net-Framework</strong>. The reference for WS 2012 R2 is <a href="" target="_blank" rel="noopener">here</a>.</p>
754. <p>The Windows Server 2016 version looks like this:</p><pre class="crayon-plain-tag">Import-Module ServerManager
756. Add-WindowsFeature Net-Framework-Features,Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Security,Web-Basic-Auth,Web-Windows-Auth,Web-Filtering,Web-Digest-Auth,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,WAS,WAS-Process-Model,WAS-NET-Environment,WAS-Config-APIs,Web-Lgcy-Scripting,Windows-Identity-Foundation,Server-Media-Foundation,Xps-Viewer -Source D:\sources\sxs</pre><p>Credit to Vlad&#8217;s <a href="" target="_blank" rel="noopener">article</a>.</p>
  757. <h3><span style="color: #ff6600;"><strong>PowerShell to run prerequisites</strong></span></h3>
758. <p>This is one of the most important steps in the entire offline setup. If you do not pass this step, you cannot install SharePoint.</p>
  759. <p>Before SharePoint installation, prepare two folders:</p>
  760. <ol>
  761. <li><strong>PreSP16</strong>: this folder is to store all prerequisite files needed for SharePoint, including all components.</li>
762. <li><strong>SP16_Sources</strong>: this folder stores the SharePoint Server 2016 installation source. If you downloaded an ISO file, extract it into this folder so that, after your virtual machine restarts, the Preparation Tool (prerequisiteinstaller.exe) can still find the installation path.</li>
  763. </ol>
764. <pre class="crayon-plain-tag"># Folder holding the downloaded prerequisite files; the installer reads each one from here
765. $PreSP16Path = "C:\PreSP16"
766. $PreArgs = "/SQLNCli:$PreSP16Path\sqlncli.msi /IDFX11:$PreSP16Path\MicrosoftIdentityExtensions-64.msi /Sync:$PreSP16Path\Synchronization.msi /AppFabric:$PreSP16Path\WindowsServerAppFabricSetup_x64.exe /MSIPCClient:$PreSP16Path\setup_msipc_x64.exe /WCFDataServices56:$PreSP16Path\WcfDataServices.exe /DotNetFx:$PreSP16Path\NDP453-KB2969351-x86-x64-AllOS-ENU.exe " + "/ODBC:$PreSP16Path\msodbcsql.msi /MSVCRT11:$PreSP16Path\vcredist_x64.exe /MSVCRT14:$PreSP16Path\vc_redist.x64.exe /KB3092423:$PreSP16Path\AppFabric-KB3092423-x64-ENU.exe"
767. Start-Process "C:\SP16_Sources\prerequisiteinstaller.exe" -ArgumentList $PreArgs</pre><p>The script launches <strong>prerequisiteinstaller.exe</strong> and points it at the <strong>PreSP16</strong> folder to install all prerequisites automatically. During the installation and configuration, you are asked to restart the computer to finish the process. If there is no issue and you are lucky, you will see the outcome below.</p>
768. <p>[Image: SharePoint-2016-Installation-3]</p>
769. <p>This script was shared by a Microsoft PFE <a href="" target="_blank" rel="noopener">here</a>.</p>
  770. <h3><span style="color: #ff6600;"><strong>AppFabric: installation error</strong></span></h3>
771. <p>What happens if the prerequisite installation does not complete? One of the most common issues is a broken AppFabric installation. Even when every other prerequisite is successfully installed and configured, without AppFabric you still cannot run setup.exe to start installing the SharePoint binaries.</p>
772. <p>First, check that the required prerequisites are the correct versions and are not blocked:</p>
  773. <ul>
  774. <li><a href="">Windows Server AppFabric 1.1</a></li>
  775. <li><a href="">Cumulative Update Package 7 for AppFabric 1.1 for Windows Server</a></li>
  776. </ul>
777. <p>Also make sure the feature &amp; .NET Framework installation completed successfully. Next, uninstall <strong>AppFabric 1.1 for Windows Server</strong> via Control Panel, then run the following command again:</p><pre class="crayon-plain-tag">C:\SP16_Sources\prerequisiteinstaller.exe /appFabric:C:\PreSP16\WindowsServerAppFabricSetup_x64.exe</pre><p><strong>C:\SP16_Sources\prerequisiteinstaller.exe</strong> is the location of the preparation tool.</p>
  778. <h3><span style="color: #ff6600;"><strong>Advanced MinRole</strong></span></h3>
779. <p>For every setup, you may be given a SharePoint Server 2016 RTM source. This source does not include Service Pack 1 (aka the November 2016 CU), which enables the Shared Roles capability. This matters when you need to combine two roles on one virtual machine, for example Front-end with Distributed Cache. Download SP 1 <a href="" target="_blank" rel="noopener">here</a> to use Shared Roles.</p>
780. <p>[Image: minrole]</p>
781. <p>Below is the outcome if everything is set up correctly.</p>
782. <p>[Image: outcome]</p>
  783. <h3><span style="color: #ff6600;">Hardening VM</span></h3>
784. <p><a href="" target="_blank" rel="noopener">Hardening a virtual machine</a> and making it a base template is a common security practice. That said, there are a few cases you may have seen:</p>
  785. <ol>
  786. <li>The security team gives you a hardening guideline which includes a set of local security policies to apply on OS level, or specific rules to IIS or SQL Server.</li>
787. <li>The security team gives you a PowerShell script to automate the security policy configuration.</li>
788. <li>The security team gives you a virtual machine image template that is already configured.</li>
  789. </ol>
790. <p>In cases #1 and #2, you are lucky: you can verify every rule before your deployment. If you are an experienced SharePoint person, you will know how each setting impacts SharePoint. For example, <a href="" target="_blank" rel="noopener">enabling FIPS can break Search</a> or the Security Token Service. Another example is Bypass Traverse Checking. A default security policy grants this right only to administrators. However, if you install and configure SharePoint, you need to grant it to at least every service account that runs a Windows service (e.g. the farm account, the Search account&#8230;).</p>
791. <p>In case #3, the best way is to ask for a list of what has been configured. Otherwise, you have to spend much of your time debugging or tracing with hacking techniques, which are prohibited.</p>
  792. <h3><span style="color: #ff6600;"><strong>Conclusion</strong></span></h3>
793. <p>These things are what I&#8217;ve collected during my work for government agencies. All of them can be simulated if you use an IaaS cloud. Give it a try with Microsoft Azure to perform the entire simulation, even with a 5-tuple firewall using Network Security Groups (NSG).</p>
  794. <p>If I have missed something, please kindly share and I will update.</p>
  795. ]]></content:encoded>
  796. <wfw:commentRss>;p=6388</wfw:commentRss>
  797. <slash:comments>1</slash:comments>
  798. <post-id xmlns="com-wordpress:feed-additions:1">6388</post-id> </item>
  799. <item>
  800. <title>Keys to SharePoint Server 2016 Planning on Microsoft Azure</title>
  801. <link></link>
  802. <comments></comments>
  803. <pubDate>Mon, 27 Nov 2017 02:41:06 +0000</pubDate>
  804. <dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
  805. <category><![CDATA[Microsoft Azure]]></category>
  806. <category><![CDATA[SharePoint]]></category>
  807. <category><![CDATA[azure iaas]]></category>
  808. <category><![CDATA[azure iaas defense in depth]]></category>
  809. <category><![CDATA[azure iaas security]]></category>
  810. <category><![CDATA[sharepoint 2016 azure]]></category>
  812. <guid isPermaLink="false"></guid>
  813. <description><![CDATA[Planning for SharePoint Server 2016 can be challenging due to lack of Microsoft documentation. If the purpose is experiment with...]]></description>
814. <content:encoded><![CDATA[<p>Planning for SharePoint Server 2016 can be challenging due to the lack of Microsoft documentation. If your purpose is to experiment with a SharePoint 2016 deployment on Azure IaaS, you can grab the PowerShell along with some of my notes <a href="" target="_blank" rel="noopener">here</a>. This post shares my real-world experience of planning a SharePoint 2016 farm on Microsoft Azure.</p>
815. <blockquote><p>Want to know more about why SharePoint on Azure IaaS is still a good option? Read <a href="" target="_blank" rel="noopener">here</a></p></blockquote>
816. <p>In my experience, the following areas help you get started with planning a SharePoint farm:</p>
  817. <ul>
  818. <li>Farm Topology</li>
  819. <li>Capacity Planning</li>
  820. <li>Identity Management</li>
  821. <li>Business Continuity</li>
  822. <li>Security</li>
  823. </ul>
  824. <h3><span style="color: #ff6600;">Farm Topology</span></h3>
825. <p>Farm topology is very important for every SharePoint deployment. It describes what the farm looks like from an architectural perspective. From the farm topology, we can better prepare for capacity planning, high availability and security. A question like &#8220;How many web front-end servers are in your SharePoint farm?&#8221; sounds very familiar to those who have been doing architecture design.</p>
826. <p>[Image: azure-iaas-sp16]</p>
827. <p>In SharePoint Server 2016, Microsoft introduces a new feature called MinRole. As described by Microsoft, MinRole is a new farm topology based on a set of predefined server roles. During farm configuration in SharePoint Server 2016 you will see a difference compared with the 2013 version: you are allowed to specify the role of the server you are configuring. MinRole basically offers 4 dedicated roles:</p>
  828. <ul>
  829. <li>Front-end</li>
  830. <li>Application</li>
  831. <li>Distributed Cache</li>
  832. <li>Search</li>
  833. </ul>
834. <p>The &#8220;<strong>Custom</strong>&#8221; role is the traditional setup, as in SharePoint Server 2013, in which you start the SharePoint services of your choice. For example, you can start the Managed Metadata service on a server and call it an application server.</p>
835. <p>Beyond the dedicated roles, you can set up your farm in Shared Roles mode if hardware resources are limited. There are two options in the Shared Roles setting:</p>
  836. <ul>
  837. <li>Front-end with Distributed Cache</li>
  838. <li>Application with Search</li>
  839. </ul>
  840. <p>Shared Roles mode is only available in <a href="" target="_blank" rel="noopener">SharePoint Server 2016 Feature Pack 1</a> or later.</p>
841. <p>The Single-Server Farm option is intended for development or testing use.</p>
842. <p>[Image: min-role]</p>
  843. <blockquote><p>For more information about MinRole in SharePoint Server 2016, read this <a href="" target="_blank" rel="noopener noreferrer">article</a></p></blockquote>
844. <p>To plan a SharePoint Server 2016 farm topology, you first need to think about the type of farm. It can be a content farm that stores content databases. It can also be a service farm that does not aim to store content: a service farm hosts shareable service applications that other farms consume. The following service applications can be shared across your farms:</p>
  845. <ul>
  846. <li>Business Data Connectivity</li>
  847. <li>Machine Translation</li>
  848. <li>Managed Metadata</li>
  849. <li>User Profile (*)</li>
  850. <li>Search</li>
  851. <li>Secure Store</li>
  852. </ul>
853. <p>(*) The User Profile Service Application is not available in SharePoint Server 2016. You need to plan for a dedicated User Profile Synchronization server running the core of Microsoft Identity Manager.</p>
854. <p>Another type of farm worth mentioning here is the Search farm. In this farm, you build a multi-server Search topology rather than hosting all Search components on a single server. The Search topology depends on how large your amount of data is, on your performance expectations, and on how heavily Search is used by your application.</p>
  855. <table style="height: 242px;" width="675">
  856. <tbody>
  857. <tr>
  858. <td width="115"><strong>Server Role</strong></td>
  859. <td width="170"><strong>Required for Content Farm?</strong></td>
  860. <td width="173"><strong>Required for Services Farm?</strong></td>
  861. <td width="165"><strong>Required for Search Farm?</strong></td>
  862. </tr>
  863. <tr>
  864. <td width="115">Front-end</td>
  865. <td width="170">Yes</td>
  866. <td width="173">No</td>
  867. <td width="165">No</td>
  868. </tr>
  869. <tr>
  870. <td width="115">Application</td>
  871. <td width="170">Yes</td>
  872. <td width="173">Yes</td>
  873. <td width="165">No</td>
  874. </tr>
  875. <tr>
  876. <td width="115">Distributed Cache</td>
  877. <td width="170">Yes</td>
  878. <td width="173">Yes</td>
  879. <td width="165">No</td>
  880. </tr>
  881. <tr>
  882. <td width="115">Search</td>
  883. <td width="170">Yes, if hosting Search</td>
  884. <td width="173">Yes, if hosting Search</td>
  885. <td width="165">Yes</td>
  886. </tr>
  887. </tbody>
  888. </table>
889. <p>After defining the type of farm, start looking into each tier. You can follow the MinRole guideline to identify the SharePoint tiers. There is a so-called three-tier model:</p>
  890. <ul>
  891. <li>Front-End Tier</li>
  892. <li>Application Tier</li>
  893. <li>Data Tier</li>
  894. </ul>
  895. <p>The Front-End tier means by its name, where web services and web application pages are handled. Server in this tier basically receives incoming page request including query made in browser from end users. Front-End server often makes people confused if used in the security context. This kind of server called Front-End interfaces with Internet to add an extra layer to mitigate attack to your actual web front-end server. In SharePoint, if we call a server “Web Front-End” we do mean that this is not an interfacing server with reverse proxy or security model installed. It’s a server running the Microsoft SharePoint Foundation Web Application service.</p>
  896. <blockquote><p>My article posted <a href="" target="_blank" rel="noopener noreferrer">here</a> clarifies a little bit about the so-called SharePoint Web Front-End server.</p></blockquote>
  897. <p>A server in the Application tier often runs one or several services that are associated with SharePoint service applications serving specific business needs (e.g. User Profile Service, Business Connectivity Services…). A server hosting the Search component and running Search-related services is considered an application server. In MinRole, Microsoft separates the Search role to help you better optimize your Search. Below is the list of available service applications in SharePoint Server 2016:</p>
  898. <ul>
  899. <li>Managed Metadata Service</li>
  900. <li>Secure Store Service</li>
  901. <li>Business Data Connectivity</li>
  902. <li>Visio Graphics Service</li>
  903. <li>Search</li>
  904. <li>State Service</li>
  905. <li>App Management Service</li>
  906. </ul>
  907. <p>Excel Services Service Application, User Profile Service Application and Work Management Services are deprecated in SharePoint Server 2016.</p>
  908. <p>A server in the Data tier just runs SQL Server to store content databases and the other SharePoint databases.</p>
  909. <p>Make sure you understand the three-tier model. You do not always have to build your SharePoint farm as a three-tier model; however, in most cases people still prefer to talk in terms of it.</p>
  910. <h3><span style="color: #ff6600;"><strong>Capacity Planning</strong></span></h3>
  911. <p>Capacity planning is one of the indispensable tasks in every SharePoint planning effort. It often comes along with farm topology to complete the final proposal. Capacity planning commonly means identifying the hardware specification required to run your SharePoint farm, and how much space to allocate for system files, SharePoint-related files (e.g. the Search index) and databases. We often call it by the familiar term &#8220;sizing&#8221;.</p>
  912. <p>To size your SharePoint farm effectively, you first need to identify the workload characteristics of your SharePoint application. For a reference on workload characteristics, read this article <a href=""></a></p>
  913. <p>The approach to accurately identifying the capacity you need is to build a test environment, run several testing tools and record the results for comparison. The more times the test is conducted, the more accurate the capacity plan. This can easily be done in a large IT company where hardware resources are ready for your test. Otherwise, you should follow the Microsoft guide. HP Enterprise also provides a very good capacity planning guide here <a href=""></a></p>
  914. <p>You should not worry too much about capacity planning, because you can tailor your SharePoint farm at any time as needed. This can include adding more servers to handle your workload. For example, when your web front-end server exceeds its load baseline, you can add another web front-end server and set up load balancing to handle the workload. This can be costly; however, if it helps improve performance, you need to consider it. SharePoint is designed with such flexibility. Another reason not to worry about capacity planning is that Microsoft Azure, as said, allows you to scale your infrastructure up and out when needed.</p>
  915. <h3><span style="color: #ff6600;"><strong>Identity Management</strong></span></h3>
  916. <p>Without identity, SharePoint Server 2016 will not work. In the past, setting up a standalone SharePoint Server 2010 or SharePoint Server 2013 without an Active Directory Domain Controller was supported. However, this setup mode is no longer supported in SharePoint Server 2016.</p>
  917. <p>There are several authentication methods supported in SharePoint Server 2016:</p>
  918. <ul>
  919. <li>Basic</li>
  920. <li>NTLM</li>
  921. <li>Kerberos</li>
  922. <li>SAML</li>
  923. <li>Forms-Based Authentication</li>
  924. </ul>
  925. <p>Each authentication method has its own purpose and mechanism. For example, if you have no intention of working with a federation trust, just keep NTLM, as it is the default authentication method in your organization. Alternatively, you might need Kerberos for better authentication performance.</p>
  926. <h3><span style="color: #ff6600;"><strong>Business Continuity</strong></span></h3>
  927. <p>This term perhaps should not be used in this article because it&#8217;s very broad. Business Continuity is often a set of activities to make sure business operations remain available even in a catastrophe. In the IT field, it often refers to making your system as available as possible, depending on how critical the system is.</p>
  928. <p>If your SharePoint runs many critical, classified business functions, it is time for business continuity planning. This can include implementing high availability and disaster recovery for your SharePoint farm. As introduced <a href="" target="_blank" rel="noopener">here</a>, Microsoft Azure can be a very good alternative for hosting a DR farm, using the capability of Azure Site Recovery.</p>
  929. <p>The setup of high availability for a SharePoint farm needs to cover all of the tiers: the front-end tier with Azure Load Balancer or Azure Application Gateway; the application tier with a pair of virtual machines running the same set of services, placed in the same Azure availability set; and the database tier, in which you implement AlwaysOn or use third-party storage for a Failover Cluster Instance implementation. This article is not going to give you step-by-step instructions for every piece mentioned here.</p>
  930. <h3><span style="color: #ff6600;"><strong>Security</strong></span></h3>
  931. <p>There was a rumor, without any official confirmation from a trusted source, that the information <a href="" target="_blank" rel="noopener">Snowden revealed was stored in SharePoint</a>. Anyway, we have all heard of it. The story should disabuse those who lack security awareness. Daily activities on SharePoint are to create documents, share information and work collaboratively. Shared documents may contain intellectual property, financial reports, confidential employee information, business results and so on. Imagine if any of this kind of information were leaked to your company&#8217;s competitor someday; it would probably devastate the company&#8217;s business. Moreover, the compromise would damage your company&#8217;s reputation.</p>
  932. <blockquote><p>If you&#8217;re interested in a hands-on SharePoint farm setup on Azure with an applied defense-in-depth strategy, purchase my book <a href="" target="_blank" rel="noopener">here</a> for only 9,99USD</p></blockquote>
  933. <p>I was involved in a few SharePoint disaster recovery projects related to security incidents. I can&#8217;t tell you more details, but these incidents resulted in huge impacts on those companies, from stock value reduction and reputation going down to increasing employee turnover.</p>
  934. <blockquote><p>I have a number of articles covering Azure IaaS security which you can refer to <a href="" target="_blank" rel="noopener">here</a></p></blockquote>
  935. <h3><span style="color: #ff6600;">Conclusion</span></h3>
  936. <p>Be aware that this is only the first step in planning a SharePoint Server 2016 farm on Microsoft Azure. Each key area described in this article has more to it. For example, with capacity planning you need to know the appropriate Azure VM size and storage to optimize your workload. I will cover these things further in future posts.</p>
  937. ]]></content:encoded>
  938. <wfw:commentRss>;p=5346</wfw:commentRss>
  939. <slash:comments>4</slash:comments>
  940. <post-id xmlns="com-wordpress:feed-additions:1">5346</post-id> </item>
  941. <item>
  942. <title>Hardened Azure Virtual Machine Deployment</title>
  943. <link></link>
  944. <comments></comments>
  945. <pubDate>Wed, 22 Nov 2017 08:42:28 +0000</pubDate>
  946. <dc:creator><![CDATA[Thuan Soldier]]></dc:creator>
  947. <category><![CDATA[CyberSecurity]]></category>
  948. <category><![CDATA[Microsoft Azure]]></category>
  949. <category><![CDATA[azure dsc]]></category>
  950. <category><![CDATA[azure hardening]]></category>
  951. <category><![CDATA[azure security]]></category>
  952. <category><![CDATA[azure vm]]></category>
  954. <guid isPermaLink="false"></guid>
  955. <description><![CDATA[During my time working with the Government Cloud, I recognized that every on-boarding virtual machine after successfully provisioned needed to...]]></description>
  956. <content:encoded><![CDATA[<p>During my time working with the Government Cloud, I recognized that every on-boarding virtual machine, after being successfully provisioned, needed to apply a script called hardening. Digging into this script, I realized that it contained many security configuration policies. When this script runs, Windows automatically configures <strong>Local Security Policy</strong> and the built-in advanced firewall (for Windows Server). This practice is part of security by default, and can be found in the information security policy of large organizations, especially governmental environments. It makes sure every new on-boarding machine has the intended configuration you need, and that all machines share the same hardening template.</p>
  957. <blockquote><p>If you want to learn advanced Azure IaaS Defense in Depth with lots of hands-on labs to practice, order my book <a href="" target="_blank" rel="noopener noreferrer">here</a></p></blockquote>
  958. <p>In Microsoft Azure, you can automate provisioning of your virtual machines while applying a custom script inside them to configure security policies, by using Azure Automation Desired State Configuration. It allows you to build a custom configuration script and trigger it in your virtual machine. The script may contain local security policy settings, firewall rules, antivirus deployment or other settings that help protect your virtual machine. <a href="" target="_blank" rel="noopener">Azure Automation Desired State Configuration</a> is built on top of PowerShell Desired State Configuration.</p>
  959. <p><img class="aligncenter size-full wp-image-6350" src="" alt="azure-dsc" width="921" height="241" /></p>
  960. <p>There are many hardening guidelines, but I would highly recommend the Security Technical Implementation Guide published by the US Department of Defense (DoD) <a href="" target="_blank" rel="noopener">here</a>.</p>
  961. <p>You can use the Custom Script Extension to automate triggering a script in your virtual machine. However, Azure Automation Desired State Configuration is still recommended for manageable, centralized configuration and deployment.</p>
  962. <h3><span style="color: #ff6600;"><strong>Deployment Step</strong></span></h3>
  963. <p>You can RDP to every virtual machine to run a hardening script. However, this takes time and is not considered a practical deployment. This lab walks you through the steps to automate hardening script deployment using Azure Automation Desired State Configuration (DSC).</p>
  964. <p>Log into the Azure Management Portal ( using your administrator account. From the left panel, click <strong>New</strong>. Click <strong>Monitoring + Management</strong>. Click <strong>Automation</strong>.</p>
  965. <p><img class="aligncenter size-full wp-image-6351" src="" alt="azuredid-dsc-01" width="952" height="364" /></p>
  966. <p>On the <strong>Add Automation Account</strong> blade, enter the name of the new automation account. Select your subscription under the <strong>Subscription</strong> setting. Select <strong>Use existing</strong> under the <strong>Resource group</strong> setting. Select <strong>did-infra-rg</strong> (the one you created already) from the drop-down list. Select your location under the <strong>Location</strong> setting. Select <strong>Yes</strong> under the <strong>Create Azure Run As account</strong> setting. Click <strong>Create</strong>.</p>
  967. <p><img class="aligncenter size-full wp-image-6353" src="" alt="azuredid-dsc-0" width="478" height="735" /></p>
  968. <p>You can add <strong>Automation Accounts</strong> navigation to the left panel to easily navigate to manage your automation account. Click to open your automation account.</p>
  969. <p><img class="aligncenter size-full wp-image-6354" src="" alt="azuredid-dsc-02" width="535" height="413" /></p>
  970. <p>On the <strong>did-auto-account</strong> blade, click <strong>Modules Gallery</strong>.</p>
  971. <p><img class="aligncenter size-full wp-image-6355" src="" alt="azuredid-dsc-03" width="269" height="316" /></p>
  972. <p>On the <strong>Modules Gallery</strong> blade, enter security in the search box and press <strong>Enter</strong>. In the results, click <strong>SecurityPolicyDsc</strong> to add the module to your automation account.</p>
  973. <p><img class="aligncenter size-full wp-image-6357" src="" alt="azuredid-dsc-04" width="1045" height="220" /></p>
  974. <p>On the <strong>SecurityPolicyDsc</strong> blade, click <strong>Import</strong>.</p>
  975. <p><img class="aligncenter size-full wp-image-6358" src="" alt="azuredid-dsc-05" width="859" height="480" /></p>
  976. <p>On the <strong>Import</strong> blade, click <strong>OK</strong>.</p>
  977. <p><img class="aligncenter size-full wp-image-6359" src="" alt="azuredid-dsc-06" width="320" height="241" /></p>
  978. <p>Click <strong>Modules</strong> to review all available modules, including the one you just imported.</p>
  979. <p><img class="aligncenter size-full wp-image-6361" src="" alt="azuredid-dsc-07" width="1200" height="727" /></p>
  980. <p>Click <strong>DSC configurations</strong>. Click <strong>Add a configuration</strong>.</p>
  981. <p><img class="aligncenter size-full wp-image-6362" src="" alt="azuredid-dsc-08" width="615" height="234" /></p>
  982. <p>On the <strong>Import</strong> blade, click the folder icon to browse to your DSC configuration file. This is your hardening PowerShell script. The name is automatically populated from the configuration name defined in the script. Click <strong>OK</strong>.</p>
  983. <p><img class="aligncenter size-full wp-image-6363" src="" alt="azuredid-dsc-09" width="317" height="380" /></p>
  984. <p>Click on your newly added script.</p>
  985. <p><img class="aligncenter size-full wp-image-6364" src="" alt="azuredid-dsc-10" width="546" height="138" /></p>
  986. <p>On the blade, click <strong>Compile</strong>.</p>
  987. <p><img class="aligncenter size-full wp-image-6365" src="" alt="azuredid-dsc-11" width="589" height="268" /></p>
  988. <p>Azure asks you to confirm to compile your DSC configuration. Click <strong>Yes</strong>.</p>
  989. <p><img class="aligncenter size-full wp-image-6366" src="" alt="azuredid-dsc-12" width="554" height="182" /></p>
  990. <p>You can check the compilation status from the blade.</p>
  991. <p><img class="aligncenter size-full wp-image-6367" src="" alt="azuredid-dsc-13" width="552" height="350" /></p>
  992. <p>After the compilation process is finished, you can check the status.</p>
  993. <p><img class="aligncenter size-full wp-image-6368" src="" alt="azuredid-dsc-14" width="553" height="159" /></p>
  994. <p>Go back to your automation account blade and click <strong>DSC nodes</strong> to start adding your virtual machine. Click <strong>Add Azure VM</strong>.</p>
  995. <p><img class="aligncenter size-full wp-image-6369" src="" alt="azuredid-dsc-15" width="729" height="241" /></p>
  996. <p>On the <strong>Add Azure VMs</strong> blade, click the <strong>Virtual Machines</strong> setting. Select the jump virtual machine as an example. Click <strong>OK</strong>.</p>
  997. <p><img class="aligncenter size-full wp-image-6370" src="" alt="azuredid-dsc-16" width="903" height="494" /></p>
  998. <p>Click the <strong>Registration</strong> setting. On the <strong>Registration</strong> blade, select <strong>Primary key</strong> under the <strong>Registration key</strong> setting. Select your DSC configuration under the <strong>Node Configuration Name</strong> setting. Keep the <strong>Refresh Frequency</strong> and <strong>Configuration Mode Frequency</strong> settings at their defaults. Select <strong>ApplyOnly</strong> under the <strong>Configuration Mode</strong> setting. Keep the <strong>Allow Module Override</strong> and <strong>Reboot Node if Needed</strong> settings at their defaults.</p>
  999. <p>Select <strong>StopConfiguration</strong> under the <strong>Action after Reboot</strong> setting.</p>
  1000. <p><img class="aligncenter size-full wp-image-6371" src="" alt="azuredid-dsc-17" width="319" height="526" /></p>
  1001. <p>Click <strong>Create</strong>. During the process, <strong>Microsoft.PowerShell.DSC</strong> extension is automatically installed on the jump virtual machine.</p>
  1002. <p><img class="aligncenter size-full wp-image-6372" src="" alt="azuredid-dsc-18" width="561" height="161" /></p>
  1003. <p>RDP to the jump virtual machine to verify that your hardening configuration has been successfully applied.</p>
  1004. <h3><span style="color: #ff6600;"><strong>Conclusion</strong></span></h3>
  1005. <p>This article shows you how easy it is to automate script deployment on an Azure virtual machine using DSC. This approach saves time if you work in a large environment with many virtual machines. To download sample Local Security Policy scripts written to support DSC deployment, go <a href="" target="_blank" rel="noopener">here</a>.</p>
  1006. <p>[<span style="color: #ff0000;"><strong>Update</strong></span>] I wrote another article to complement this <a href="" target="_blank" rel="noopener">article</a>.</p>
  1007. ]]></content:encoded>
  1008. <wfw:commentRss>;p=6349</wfw:commentRss>
  1009. <slash:comments>3</slash:comments>
  1010. <post-id xmlns="com-wordpress:feed-additions:1">6349</post-id> </item>
  1011. </channel>
  1012. </rss>
