The Imperfect Lab: Azure Networking – Two Ways

Around this time last year, I kicked off my “Imperfect Lab” and used it as a story to play around in Azure and get more comfortable with PowerShell. And then I got busy with some other work priorities (as we all do) and I shut down those VMs, with the hopes of dusting them off in the future to continue with more learning.

At any rate, with all the changes to Azure in the last year, it’s really time to reboot the Imperfect Lab and give it a new shine, using some of the fresh new tools – particularly the “new” Portal, Azure Resource Manager (ARM), Azure PowerShell 1.0 and Templates.

Let’s recap what I have to start with (all in “classic” Azure Service Manager):

  • A cloud service and related virtual network
  • Two domain controllers (one using the minimal interface and one running core)
  • One member server that runs the AD Sync service
  • Traditional AD synced to Azure AD

So now where to begin?

When using ARM, it’s no longer possible to create a VM resource without a virtual network, so it seemed fitting for me to start with the network. It’s also not possible to mix ASM and ARM resources, so I’ll be using this network to deploy all the lab VMs I’ll be using in ARM going forward. For those of you who aren’t familiar with old-school Azure, the classic mode (aka Azure Service Manager or ASM) made it possible to create resources in a cloud service without a user-manageable virtual network.

One of the other tasks that was difficult using ASM was programmatically creating and updating networking. It required downloading and editing an XML file and I found that generally distasteful. With ARM, you’ve got two options – straight up PowerShell or an ARM Template.

If you don’t know where to begin with an ARM Template, you can check out this repository of Azure Quickstart Templates. To create a basic network with two subnets, I used this one –

You can deploy this template using the Azure portal (which will allow you to adjust the parameters to your liking), or you can edit the template to meet your needs, or you can deploy it as is via PowerShell. If you want more details on the ways you can deploy templates, I recommend reading this –

The other option is to use just vanilla PowerShell from the command line or via ISE. I used the following, which uses PowerShell 1.0:

$vnetName = "ImperfectRMNet"
$RGroup = "ImperfectRG"
$Location = "West US"
New-AzureRmResourceGroup -Name $RGroup -Location $Location
$subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name SubNet6 -AddressPrefix ""
$subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name SubNet7 -AddressPrefix ""
New-AzureRmVirtualNetwork `
 -Name $vnetName `
 -ResourceGroupName $RGroup `
 -Location $Location `
 -AddressPrefix "" `
 -Subnet $subnet1, $subnet2

Take note that with PowerShell 1.0, there is no “Switch-AzureMode” cmdlet, and all of the “New” commands include “RM” somewhere in the cmdlet name to differentiate them from the ones that create classic Azure resources. There is nothing else to this basic network: no external IP address or load balancer like those that would normally come by default with a cloud service in ASM.
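
The template route, as an added example that is not from the original post or the Quickstart repository: a minimal template for the same two-subnet network, validated before it is deployed and read back afterwards. The address prefixes, the temp file name and the deployment name are constructed sample values.

```powershell
# Added example; not from the original post. Run Login-AzureRmAccount first.
$RGroup = "ImperfectRG"
$Location = "West US"

# Minimal template: one virtual network, two subnets.
# The address prefixes are constructed sample values.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnetName": { "type": "string" },
    "vnetPrefix": { "type": "string", "defaultValue": "10.0.0.0/16" },
    "subnet1Prefix": { "type": "string", "defaultValue": "10.0.0.0/24" },
    "subnet2Prefix": { "type": "string", "defaultValue": "10.0.1.0/24" }
  },
  "resources": [ {
    "type": "Microsoft.Network/virtualNetworks",
    "apiVersion": "2015-06-15",
    "name": "[parameters('vnetName')]",
    "location": "[resourceGroup().location]",
    "properties": {
      "addressSpace": { "addressPrefixes": [ "[parameters('vnetPrefix')]" ] },
      "subnets": [
        { "name": "SubNet6", "properties": { "addressPrefix": "[parameters('subnet1Prefix')]" } },
        { "name": "SubNet7", "properties": { "addressPrefix": "[parameters('subnet2Prefix')]" } }
      ]
    }
  } ]
}
'@
$file = Join-Path $env:TEMP "imperfect-vnet.json"
Set-Content -Path $file -Value $template

New-AzureRmResourceGroup -Name $RGroup -Location $Location -Force
$params = @{ vnetName = "ImperfectRMNet" }

# Validate first; deploy only if validation returns no errors.
$errors = Test-AzureRmResourceGroupDeployment -ResourceGroupName $RGroup `
    -TemplateFile $file -TemplateParameterObject $params
if ($errors) { $errors | Format-List; throw "Template validation failed." }
New-AzureRmResourceGroupDeployment -Name "imperfect-vnet" -ResourceGroupName $RGroup `
    -TemplateFile $file -TemplateParameterObject $params

# Read back what was actually created.
(Get-AzureRmVirtualNetwork -Name "ImperfectRMNet" -ResourceGroupName $RGroup).Subnets |
    Select-Object Name, AddressPrefix
```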


In with December!

When I return to the office after Thanksgiving, I’m always both shocked and pleased to see the holiday lobby decorations have magically appeared in all the office building lobbies downtown.  They are always different and certainly start off the month of December with some cheer.

If you need some events to attend in December to round out your year, this is what I have on my radar:

Hope to see you around before the year’s end!

Upcoming MVA Courses

I was poking around on Microsoft Virtual Academy today and discovered a bunch of great looking live events that are coming up in the next several weeks.  If you’ve never checked out MVA, now is the time to visit and register!

The Imperfect Lab: Deploying More VMs

As I mentioned, I had created my first VM in my Imperfect Lab with the Azure Portal. But I wanted to be able to do this using PowerShell from my workstation. To recap my “physical” set up so far:
  • VNETs
    • ImperfectNet
    • AnotherNet
  • Storage Accounts in Different Regions
    • imperfectstore (West US)
    • anotherstore (East US)
  • Cloud Services
    • imperfectcore
    • anothercore
(I don’t think I’ve mentioned it before, but if you are just starting out and need to get your ISE connected to your Azure account, just run Add-AzureAccount. You’ll get prompted for your credentials.)

To start, I’m just going to create an additional server in the same network as my current domain controller.  Then I’ll have a server I can promote to DC later, or use for another service. 
If you have multiple subscriptions and/or multiple storage accounts set up, like I do, you need to make sure Azure knows where you want to put things. My subscription happens to be the Visual Studio one.
Set-AzureSubscription -SubscriptionName "Visual Studio Ultimate with MSDN" -CurrentStorageAccount "imperfectstore"
Then you’ll want to configure the basic variables for your VM. In this case, this is the administrator name and password, as well as the name of the Windows Server 2012 R2 image available at the time of this exercise. You’ll want to make sure to get the current name of whatever OS you want to install.
$un = "adminname"
$pwd = "secretpassword"
$image = ""
Pick the VM image name from the full list with: Get-AzureVMImage | Select ImageName
Then, configure a few more variables using New-AzureVMConfig. In this case, I’m setting the server name and instance size, pulling in the username and password variables I set with the lines above and specifying the pre-existing subnet I want to use.
$newVM = New-AzureVMConfig -Name "Server2" -InstanceSize "Small" -Image $image |
     Add-AzureProvisioningConfig -Windows -AdminUserName $un -Password $pwd |
     Set-AzureSubnet -SubnetNames "FirstSubnet"
Finally, kick off the VM creation with one of the following options: 
  • Into an Existing Cloud Service: New-AzureVM -VMs $newVM -ServiceName "imperfectcore"
  • Into a New Cloud Service: New-AzureVM -VMs $newVM -ServiceName "newcloudservice" -Location "West US" -VNetName "imperfectnet"
Give this all a few minutes to cook and your new VM will be deployed. I haven’t joined it to the domain yet… baby steps here, baby steps! I like to make sure one thing works at a time, so it’s easier to troubleshoot when I have issues. That’s what a lab is for, right?
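
The same deployment without a plaintext password saved in the script, as an added example that is not from the original post: the admin credential is prompted for with Get-Credential and the image name is looked up by family. The image family string is an assumption about what the gallery in your subscription offers; the VM, subnet and cloud service names are the ones used above.

```powershell
# Added example for the classic (ASM) Azure module; not code from the original post.
# Assumption: Add-AzureAccount has been run and Set-AzureSubscription has set the
# current storage account, as in the steps above.

# Prompt for the local administrator credential instead of hard-coding it.
$cred = Get-Credential -UserName "adminname" -Message "Local admin for the new VM"
$plain = $cred.GetNetworkCredential().Password
if (-not $plain) { throw "An empty password was entered." }

# Assumption: this image family exists in the gallery; take its newest image.
$family = "Windows Server 2012 R2 Datacenter"
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq $family } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1 -ExpandProperty ImageName
if (-not $image) { throw "No image found for family '$family'." }

try {
    # Add-AzureProvisioningConfig takes the password as a string, so the plaintext
    # exists only in memory for the duration of this block.
    $newVM = New-AzureVMConfig -Name "Server2" -InstanceSize "Small" -ImageName $image |
        Add-AzureProvisioningConfig -Windows `
            -AdminUsername $cred.UserName -Password $plain |
        Set-AzureSubnet -SubnetNames "FirstSubnet"

    New-AzureVM -VMs $newVM -ServiceName "imperfectcore"
}
finally {
    # Drop the plaintext copy once provisioning has been submitted (or has failed).
    Remove-Variable plain -ErrorAction SilentlyContinue
}
```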

Update (12/26/14): For easy access to these code snippets, you can find them here.

The Imperfect Lab: Standing Up Active Directory in Azure with PowerShell Remoting

Today in my Imperfect Lab, I needed to start adding some servers so I could build out a domain. So I popped over to the management portal and quickly spun up “DC-Cloud1” in the “FirstSubnet” of my ImperfectNet.

  • ImperfectNet
    • FirstSubnet ( <- right in here!
    • HalfSubnet (
    • Gateway (

I logged in and was just about to click “Add Roles/Features” when I paused. What fun is that? I’ve installed AD a million times that way and it would be way more interesting to do it from PowerShell ISE from my laptop. So I closed out my RDP session and got to work.

First you have to install the remote access certificate on your local machine. To do that you want to download this script – Configures Secure Remote PowerShell Access to Windows Azure Virtual Machines. Put it somewhere easy to access, open it in PowerShell ISE and then feed the script your personal variables to install the certificate on your machine. Once that’s done, you’ll be able to use the lines below to open a PowerShell session directly to your VM. (For more info on Michael Washam’s script, check out his post, Introduction to Remote PowerShell with Windows Azure.)

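$cloudServiceName = "<your-cloud-service>"   # cloud service that hosts the VM
$Name = "DC-Cloud1"                          # name of the VM
$uri = Get-AzureWinRMUri -ServiceName $cloudServiceName -Name $Name
$cred = Get-Credential
Enter-PSSession -ConnectionUri $uri -Credential $cred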

Now that I had a secure, remote session it was time to install Active Directory.

Add-WindowsFeature -name ad-domain-services -IncludeManagementTools
Install-ADDSForest -DomainName "" -ForestMode 5 -DomainMode 5

Those “mode” numbers are adjustable for controlling the forest and domain functional levels. 5 is for 2012. For Server 2003 functional level use 2, for Server 2008 use 3.

Finally, just in case I wanted easy access to RDP to the machine, I installed the newest Remote Desktop Connection Manager 2.7. This way I don’t have to download and keep track of RDP files from the Azure Portal every time. (Shout out to Tommy Patterson for letting me know about that version update last week!)

Week 5 of Modernizing Your Infrastructure with Hybrid Cloud

This is the second-to-last week of the “Modernizing Your Infrastructure with Hybrid Cloud” series, and in part 5, Yung Chou and Keith Mayer demonstrate ways in which you can manage and automate your hybrid cloud environment. Tune in for this demo-heavy session as they showcase System Center, Microsoft Azure and the Windows Azure Pack as well as PowerShell for Azure, PowerShell DSC for configuration management and Azure Automation for automated runbooks.
  •  [1:15] When architecting a Hybrid Cloud infrastructure, what are some of the important considerations relating to management and automation?
  • [4:09] You mentioned PowerShell for automation … how can PowerShell be leveraged for automation in a Hybrid Cloud?
  • [7:54]  Is PowerShell my ONLY choice? Are there other automation and configuration management solutions available for a Hybrid Cloud?
  • [11:12] DEMO: Let’s see some of this in action
    • Brief tour of System Center and Azure / Azure Pack management portal interfaces
    • Getting started with PowerShell for Azure, Azure Pack automation
    • Intro to PowerShell DSC for configuration management
    • Intro to Azure Automation for automated runbooks

Also upcoming for the blog posts related to this week:
  • Tue: Getting Started with On-Demand Private Clouds with Azure Pack by Keith Mayer
  • Wed: Automating the Hybrid Cloud with PowerShell and Azure Automation by Keith Mayer
  • Thu: PowerShell Desired State Configuration (DSC) by Kevin Remde
  • Fri: Monitoring the Hybrid Cloud by Dan Stolts

Happy Valentine’s Day From TechNet Radio!

It’s time to break out the “We PowerShell” candy and cuddle up with your favorite PowerShell cmdlets as Dr. Love…er…we mean Dr. Scripto, joins us for this special Valentine’s Day edition of TechNet Radio. Tune in as Blain Barton and Ed Wilson dish out the PowerShell love advice and give us their Top 14 things they love about Windows PowerShell.

  • [1:17] I have a lot of workloads out there, is Windows PowerShell everywhere I need it to be?
  • [2:12] Is Windows PowerShell really readable code?
  • [3:10] Is it easy to get started with Windows PowerShell?
  • [5:54] Is Windows PowerShell well documented via the community, and via books and blogs? 
  • [7:32] I think I’m addicted to Windows PowerShell.  Should I see a doctor?
  • [9:12] We are on version 4.0 now – does PowerShell get better with age?
  • [10:16] Is Windows PowerShell easy to use?
  • [11:08] I’ve been using PowerShell forever, but have some newbies that want to learn, is it easy to get help?
  • [12:57] Is Windows PowerShell Self Discoverable?
  • [14:06] Is Windows PowerShell Self Documenting?
  • [15:39] Does Windows PowerShell really save IT time?
  • [17:38] Does Windows PowerShell really save IT money?
  • [20:12] Is knowing Windows PowerShell good for job security? 
  • [20:56] I don’t always script, but when I do, should I use PowerShell and why? 
  • [23:08] Are PowerShell and Azure meant for each other?
  • [24:54] A PowerShell Love Poem: “How do I love thee PowerShell….let me count the ways…”

Northern California Powershell Users Group in SF!

Tonight, I had the honor of hosting the Northern California Powershell Users Group in San Francisco.  The topic was using Azure with Powershell.

For those of you who were there, a lot of conversation revolved around provisioning and managing Azure and I wanted to mention that Microsoft (via Technet Events) just finished up a round of IT Camps for Azure IaaS.

At those events, attendees build out a dev/test environment in Azure and while most of the lab guide detailed everything out using the GUI, there was a bonus challenge at the end that included doing everything with Powershell.

If you are looking to start using Azure with Powershell and want a good place to start experimenting, I suggest getting a free Azure Trial and then downloading the lab manual to give it a shot yourself.  You can find a copy of the lab manual at under the “Azure Camp – Fall 2013” folder.

You’ll find the “Challenge Exercise” and instructions on where to find the necessary Powershell, towards the end of the manual.


PowerShell… Now Less Daunting

Last Friday, I had the luxury of attending another PacITPros TechDays… It was all about PowerShell.  Jason Helmick taught in SF and in the East Bay.  Both days were completely packed. PowerShell IS where Windows is going for administration.

If you haven’t had the chance to listen to Jason talk about PowerShell, you are missing a great chance to learn how to use it. Jason is fun, upbeat and knows his stuff.  Check out his blog ( for more about PowerShell.  He might just mention where he’ll be speaking next.

So what did I take away from the class?

1) Learn this: get-help
Seriously, it’s ALL about RTFM. Learn it, love it, learn how to use it. It’s all there.

2) Don’t type this:  get-service | stop-service
PowerShell can give you a bunch of ways to make your job easier and another bunch of ways to screw up big time. Read and comprehend before you press enter. PowerShell doesn’t ask if you are sure.

After 8 hours of lecture and labs, Jason didn’t teach us the “Top 10 PowerShell Commands for Administering Windows”. We didn’t walk out of class with a handout of everything we’d need to know. Quite the contrary. Jason taught us where to find what we needed and how to figure out if whatever we were trying to do would work or not. And that is really all you need to be comfortable with the command line of the future for Windows.

Migrating to Exchange 2010 (Part 2) – Certificates

Depending on your installation of Exchange 2010 and what internal and external services you want to provide, you’ll likely need a new SSL certificate from a 3rd party provider. You probably already have a basic certificate, but that’s just not going to cut it anymore. 
If you’ll be supporting mailboxes on a previous version of Exchange or supporting Outlook Anywhere, you’ll likely need additional host names on your certificate, like and This will require a SAN (Subject Alternative Name) certificate.
Exchange supports different URLs for internal and external access and after a typical installation, your internal URLs will be set to the FQDN of the server name ( and external URLs will be set to whatever host name you specify during the install of the CAS server, like 
In order for us to get a shiny new SAN certificate, we had to revoke our existing one while we were waiting for the new certificate to be issued. This would cause some temporary certificate problems with anyone who tried to use Outlook Web Access, but since this was a weekend project and I already declared the entire weekend as a maintenance window I wasn’t too concerned about it.
Meanwhile, I moved all my users’ mailboxes to the new server. All the Outlook clients were happy with the server’s self-signed certificate, which was great, since our 3rd party certificate provider took a few days to finish issuing the new cert. Once the new certificate came, I loaded it onto the mail server and authorized it for IIS to use.

My OWA certificate errors disappeared, but shortly thereafter we started getting reports of Outlook 2007 complaining about the certificate having a different name than what it was expecting. This was because we didn’t include the server name as part of the certificate, but all the internal URLs referenced the FQDN of the server’s real name.

Some of the internal URLs can be changed in the Exchange Management Console, but there are a few that are easily overlooked since you can only change them using PowerShell, particularly the URLs for Autodiscover and EWS (Exchange Web Service).
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl
Then be sure to recycle your MSExchangeAutodiscoverAppPool in IIS.  You can read more about this issue in Microsoft’s KB 940726.
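
To catch the name mismatch described above before Outlook clients do, compare the host name in each internal URL with the names on the certificate assigned to IIS. This is an added example, not from the original post; it assumes it is run in the Exchange Management Shell, and the helper function names are hypothetical.

```powershell
# Added example; run in the Exchange Management Shell. Not from the original post.

# True if $HostName is listed on the certificate, directly or through a
# single-label wildcard such as *.example.com.
function Test-NameOnCert([string]$HostName, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith("*.") -and $HostName.Contains(".") -and
            $HostName.Substring($HostName.IndexOf(".") + 1) -eq $n.Substring(2)) {
            return $true
        }
    }
    return $false
}

function New-UrlRecord($Source, $Url) {
    New-Object psobject -Property @{ Source = $Source; Url = "$Url" }
}

# Certificate currently assigned to IIS (latest expiry first if there are several).
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "IIS" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate is assigned to IIS." }
$certNames = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }

# Internal URLs, including the two that can only be changed from PowerShell.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object {
    New-UrlRecord "Autodiscover ($($_.Name))" $_.AutoDiscoverServiceInternalUri }
$vdirCmds = "Get-WebServicesVirtualDirectory", "Get-OwaVirtualDirectory",
    "Get-EcpVirtualDirectory", "Get-OabVirtualDirectory", "Get-ActiveSyncVirtualDirectory"
foreach ($cmd in $vdirCmds) {
    $urls += & $cmd | ForEach-Object { New-UrlRecord "$cmd ($($_.Server))" $_.InternalUrl }
}

# Rows with OnCertificate = False will produce name-mismatch warnings in Outlook.
$urls | Where-Object { $_.Url } | ForEach-Object {
    $h = ([uri]$_.Url).Host.ToLower()
    New-Object psobject -Property @{
        Source = $_.Source; Host = $h; OnCertificate = (Test-NameOnCert $h $certNames) }
} | Sort-Object OnCertificate | Format-Table Source, Host, OnCertificate -AutoSize
```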