Category: imperfect lab

The Imperfect Lab: More DCs and Static IPs

When I was last working in my Imperfect Lab, I added another server to the existing cloud service and decided to make it a domain controller.  When you set up domain controllers (cloud or on-premises) a few things become really important – IP Addresses and DNS.
By default, Azure will provide DNS services from the fabric if you don’t specify your own DNS.  You would think there is some PowerShell to do that directly, but surprisingly there isn’t.  You can set the DNS for each network using the Management Portal or by exporting the network configuration file and updating it.  I just used the portal and made sure that my ImperfectNet listed the IP address for both servers that would act as domain controllers.
If you don’t set a domain controller as the DNS server, all the VMs that come up inside your virtual network will look to an Azure fabric DNS server and won’t be able to authenticate to your domain.  Since this is a crucial to AD function, I also wanted to make sure that the VMs that were acting as domain controllers had static internal IP addresses. 
Now, these addresses aren’t really “static” on the OS. They are more like DHCP reservations handed out from the fabric manager.  But the end result is the same – VMs that have the correct IP address, regardless of the order they are started.
To do this with PowerShell, you first need to have the VMs in the Stopped (Deallocated) state. This way the addresses are free to assign.  If the VM is already running, the address is allocated already, thus can’t be assigned.  You can double check that an address is free with:
Test-AzureStaticVNetIP –VNetName ImperfectNet –IPAddress 192.168.1.5
To set the static address, I used:
Get-AzureVM -ServiceName ImperfectCore -Name DC-Cloud1 | Set-AzureStaticVNetIP -IPAddress “192.168.1.4” | Update-AzureVM
Take note of the use of quotes around the IP address in that last line. It matters. I don’t know why.  Just trust that I wasted a lot of time on your behalf for that knowledge.
Then to finally kick off the addition of my second domain controller in this domain, I used:
Install-ADDSDomainController -Credential (Get-Credential) -DatabasePath ‘C:\Windows\NTDS’ -DomainName ‘imperfectlab.com’ -InstallDns:$true -LogPath ‘C:\Windows\NTDS’ -NoGlobalCatalog:$false -SiteName ‘ImperfectNet’ -SysvolPath ‘C:\Windows\SYSVOL’ -NoRebootOnCompletion:$true -Force:$true -Verbose
One note about the paths used for the logs and SYSVOL… I’ve left them on C:\ for convenience, but for production, you will want to set up your DCs in Azure with an additional disk where you direct those files to go.  Read more about the reason behind that best practice here.
Also, if this Domain Controller happens to connect back to an on-premises domain. Be sure to make the proper changes to you AD Sites and Services to ensure proper site topology.

Update (12/26/14): For easy access to code snippets, you can find them here.

The Imperfect Lab: There’s No Such Thing as a Free Gateway

Sometimes I forget that the internet isn’t really free.  I have the convenience of having a MDSN subscription from work, so I enjoy the access to a set amount of Azure credits each month to spend.  However, some things are more “spendy” than others and gateways fall into that category for me, particularly for a testing scenario that doesn’t have a “real” business need behind it.
MSDN users of Azure do get some discounted rates. All instances for Windows and Windows Server Virtual Machines, Cloud Services, Websites, and HDInsight are discounted up to 40% off our Pay-as-you-go rates. The MSDN rate on these services is equal to the rate for a Linux virtual machine of the same size and type. (For more details about MSDN benefits visit http://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits-details/)
But all the other things are billed at regular rate, for gateways that rate is about $.05 per hour, a tad over one dollar a day.  When connecting a VNET to a VNET you are paying for two gateways, so my costs just to keep that running for my Imperfect Lab will eat up about a third of my monthly credits.  Take note, even gateways you aren’t actively using are charged. So if you have a point-to-site gateway setup for clients to connect with but no clients are connecting, that’s being charged too, just to keep it available. 
So with the holidays coming and my growing list of things I’d like to do in the lab, I’m going to rip down the VNET-to-VNET connectivity for the time being.  I’m going to build out my little infrastructure in one VNET to start and then extend it to the second VNET once I really have a set plan in place.
Onward to my domain controller creation and tying that into Azure Active Directory. Stay tuned.

The Imperfect Lab: Deploying More VMs

As I mentioned, I had created my first VM in my Imperfect Lab with the Azure Portal.  But I wanted to be able to do this using PowerShell from my workstation To recap my “physical” set up so far:
  • VNETs
    • ImperfectNet
    • AnotherNet
  • Storage Accounts in Different Regions
    • imperfectstore (West US)
    • anotherstore (East US)
  • Cloud Services
    • imperfectcore
    • anothercore
(I don’t think I’ve mentioned it before, but if you are just starting out and need to get your ISE connected to you Azure account, just run Add-AzureAccount. You’ll get prompted for your credentials.)

To start, I’m just going to create an additional server in the same network as my current domain controller.  Then I’ll have a server I can promote to DC later, or use for another service. 
If you have multiple subscriptions and/or multiple storage accounts set up, like I do, you need to make sure Azure knows where you want to put things. My subscription happens to be the Visual Studio one.
Set-AzureSubscription -SubscriptionName “Visual Studio Ultimate with MSDN” -CurrentStorageAccount “imperfectstore”
Then you’ll want to configure the basic variables for your VM. In this case, this is the adminstrator name and password, as well as the name of the Windows Server 2012 R2 image available at the time of this exercise. You’ll want to make sure to get the current name of whatever OS you want to install.
$un = “adminname”
$pwd = “secretpassword”
$image = “a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-201411.01-en.us-127GB.vhd”
Pick up that VM image the full list with: Get-AzureVMImage | Select ImageName
Then,  configure a few more variables using the New-AzureVMConfig.  In this case, I’m settting the server name and instance size, pulling in the username and password variable I set with the lines above and specifying the pre-existing subnet I want to use.
$newVM = New-AzureVMConfig -Name “Server2” -InstanceSize “Small” -Image $image |
     Add-AzureProvisioningConfig -Windows -AdminUserName $un -Password $pwd |
     Set-AzureSubnet -SubnetNames “FirstSubnet”
Finally, kick off the VM creation with one of the following options: 
  • Into an Existing Cloud Service: New-AzureVM -VMs $newVM -ServiceName “imperfectcore” 
  • Into an New Cloud Service:  New-AzureVM -VMs $newVM -ServiceName “newcloudservice” -Location “West US” -VNetName “imperfectnet” 
Give this all a few minutes to cook and your new VM will be deployed. I haven’t joined it to the domain yet… baby steps here, baby steps!  I like to make sure one thing works at time, so it’s easier to troubleshoot when I have issues.  That’s what a lab is for, right?  

Update (12/26/14): For easy access to these code snippets, you can find them here.


The Imperfect Lab: Standing Up Active Directory in Azure with PowerShell Remoting

Today in my Imperfect Lab, I needed to start adding some servers so I could build out a domain. So I popped over to the management portal and quickly spun up “DC-Cloud1” in the “FirstSubnet” of my ImperfectNet.

  • ImperfectNet
    • FirstSubnet (192.168.1.0/24) <- right in here!
    • HalfSubnet (192.168.2.0/25)
    • Gateway (192.168.3.200/29)

I logged in and was just about to click “Add Roles/Features” when I paused. What fun is that? I’ve installed AD a million times that way and it would be way more interesting to do it from PowerShell ISE from my laptop. So I closed out my RDP session and got to work.

First you have to install the remote access certificate on your local machine. To do that you want to download this script – Configures Secure Remote PowerShell Access to Windows Azure Virtual Machines.  Put is somewhere easy to access, open it in PowerShell ISE and then feed the script your personal variables to install the certificate on your machine.  Once that’s done, you’ll be able to use the lines below to open a PowerShell session directly to your VM. (For more info Michael Washam’s script, check out his post, Introduction to Remote PowerShell with Windows Azure.)

$uri = Get-AzureWinRMUri -ServiceName $cloudServiceName -Name $Name 
$cred = Get-Credential  
Enter-PSSession -ConnectionUri $uri -Credential $cred  

Now that I had a secure, remote session it was time to install Active Directory.

Add-WindowsFeature -name ad-domain-services -IncludeManagementTools
Install-ADDSForest -DomainName “yourdomain.com” -ForestMode 5 -DomainMode 5

Those “mode” numbers are adjustable for controlling the forest and domain functional levels. 5 is for 2012. For Server 2003 functional level use 2, for Server 2008 use 3.

Finally, just in case I wanted easy access to RDP to the machine, I installed the newest Remote Desktop Connection Manager 2.7. This way I don’t have to download and keep track of RDP files from the Azure Portal every time. (Shout out to Tommy Patterson for letting me know about that version update last week!)

The Imperfect Lab: Connecting a VNET to another VNET

As I mentioned yesterday, I’m struggling with setting up the “perfect” lab environment for myself. So instead of trying to make it perfect, I’m just going to start by simply getting started and letting in evolve.  Because starting is most of the battle, right?  Most environments grow and change and become a bit messy, so I am just going to embrace a little chaos!

My starting goal is to create two networks in Azure (in two different regions) and connect them.  To start I’ll need two VNETs in Azure. I also created two corresponding storage accounts in each region, so that when I’m building my servers, everything is as neat an organized as I can make it.

In each of the networks, I carved out a few subnets, because I don’t know exactly what I’m doing with them yet. Keep in mind you will need to make at a small Gateway subnet in each. Also, as soon as you put a VM in a subnet, you can no longer edit it.

  • ImperfectNet – 192.168.1.0/22 (West region)
  • AnotherNet – 192.168.4.0/23 (East region)
Because I want to connect them together with site-to-site networking, I have to create corresponding “local” networks in Azure to sort of trick each network into thinking its connecting to a physical network.  So under the “Local Networks” tab, I created “ImperfectLocal” and “AnotherLocal” with the same IP address ranges as the virtual networks. Be sure to put in a fake VPN Gateway Address as a placeholder here, you’ll update it later after Azure gives you a real gateway address.

In each network, I threw the ticky-box under Site-to-Site Connectivity, selected the correct “local” network and then created the Gateway subnet.  After everything was finished configuring, when you return to the dashboard page of each network, you will see the remote network showing.  Azure will tell you that “the gateway was not created”.
Click “create gateway” at the bottom. For VNET to VNET connectivity, you have to go with Dynamic Routing.  Do this for each network and wait for it to complete.  (Creating gateways actually takes a while, this might be a good time to get lunch.)
Once your gateways are created, write down the IP addresses carefully and then edit those “local networks” with the fake VPN gateways to the correct ones Azure just assigned you.
Finally, you have connect the networks together with shared key.  There isn’t any way to do this in the portal, so pop over to PowerShell and use the following code to hook them together.  You have to run the command twice with the corresponding network names and the SAME shared key. Please make your key longer then the sample I put in here.

Set-AzureVNetGatewayKey -VNetName YourVNETName -LocalNetworkSiteName TheOppositeLocalNet -SharedKey abc123xyz

Set-AzureVNetGatewayKey -TheOtherVNetName YourVNETName -LocalNetworkSiteName TheOtherLocalNet -SharedKey abc123xyz

So now I’ve got two connected networks in Azure, albeit empty of servers.  Next up… starting to build out my “imperfect” domain.

One more thing… if you want the offical “Azure” instructions for this, complete with images, go to http://msdn.microsoft.com/en-us/library/azure/dn690122.aspx.  


The Quest for the Perfect Lab

There are a few old sysadmin jokes out there… one that often comes to mind for me these days is the one-liner about how the perfect network is one that no one is on.  But now that I have the luxury of being able to build just about any lab network I want (either in Azure or using Hyper-V) I find myself nearly paralyzed by wanting to build the “perfect” network/lab for my needs.

I start, I stop, I get sidetracked by a different project, I come back to my plan, only to realize I’ve forgotten where I left off (or forgotten where I wrote down that fancy admin password for that VM) and end up tearing it out and starting over again.  The end result is I’m getting no where fast.

I’ve got several MCSE exams in my future that I need to build some things for hands on for.  I have a little internal metric of how I need to improve my PowerShell a bit more.  I have work training items that sort of fit into all this and I keep striving for the perfect lab, the perfect naming system, the perfect password that I won’t forget… well, I guess my “perfectionist” is showing.

It’s a slow week here in the office with the Thanksgiving holiday approaching, so now is the perfect time to sit down with a pen and a paper and really figure out what I’m going to build and what I want to use it for.

Because there is something worse than a network that no one uses.  It’s that network I keep deleting.