Tag: Microsoft

Azure Policy – Audit for Network UDR Changes

Azure Policy has been available for some time now, but for folks getting start with Cloud Governance, Azure Policy is a service in Azure that allows you to manage, assign, and create custom policies. These policies can be used to enforce a global set of rules or specific set of controls for a specific environments, ie. less control and governance in a “development” environment. This allows resources to stay compliant with you enterprise standards. Azure policies can enforce different rules, from Denying specific services, for example, ensuring only resources are built within a specific region, ie. resources can only be built within the Canadian regions. Conversely, rather than enforcing, policies can also be configured to Audit, where resources will be marked if they are not compliant, for example, a Storage Account is not configured with secure transfer.

Before diving into the policy itself, I want to quick go over the types of conditions that are available, and that can be used to enforce different compliance rules. The following table shows how different policy effects work with the condition evaluation for the resulting compliance state. Although you don’t see the evaluation logic in the Azure portal, the compliance state results are shown. The compliance state result is either compliant or non-compliant.

Resource StateEffectPolicy EvaluationCompliance State
ExistsDeny, Audit, Append, DeployIfNotExist, AuditIfNotExist*TrueNon-Compliant
ExistsDeny, Audit, Append, DeployIfNotExist, AuditIfNotExist*FalseCompliant
NewAudit, AuditIfNotExist*TrueNon-Compliant
NewAudit, AuditIfNotExist*FalseCompliant
  • *The Append, DeployIfNotExist, and AuditIfNotExist effects require the IF statement to be TRUE. The effects also require the existence condition to be FALSE to be non-compliant. When TRUE, the IF condition triggers evaluation of the existence condition for the related resources.

Source: https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal

In this example today, I want to show a real world example, where a customer recently asked to monitor any changes being made to their UDRs (User Defined Routes/Routing).

The following will continuously monitor all UDRs in the environment. If any changes are made to a single UDR table, it will be audited and its changes will be tracked. Once the policy is enabled, you can see it in action by creating/modifying a UDR.

“policyRule”: {
   “if”: {
      “anyOf”: [
       {
            “source”: “action”,
            “like”: “Microsoft.Network/routeTables/*”
       }
    ]
    },
   “then”: {
   “effect”: “audit”
    }
}

See below for the compliance once a change has been made to a UDR. Once you drill down to the event, the user, the activity log, you can then see the exact changes that were made to the UDR.

I hope this was helpful! 

Step-by-Step – Installing System Center Operations Manager (SCOM) 2019 on Windows Server 2019 with SQL 2017

This post I will be installing System Center Operations Manager 2019 (SCOM) RTM, Build Number 10.19.10050.

Here is some of the background information. As this post will concentrate on the installation of SCOM 2019, I am going to omit the setup and configuration of the Domain Controller, Windows Server 2019 for the SCOM Management Server. Also to note, I am using a PaaS instance of SQL 2017 (hosted on Azure), likewise the entire environment lives on Azure in an IaaS and PaaS configuration.

Service Accounts and Local Administrator:

DomainAccount Description Local Admin on…
domainSCOM_AA SCOM Action Account SCOM
domainSCOM_DA SCOM Data Access/SDK Account SCOM
domainSCOM_SQL_READ SCOM SQL Reader n/a
domainSCOM_SQL_WRITE SCOM SQL Writer n/a
domainSCOM_Admins SCOM Administrators Group SCOM
domainSQL_SA SQL Service Account n/a

Now, if you’re lazy like me, or are tired of doing this setup for environments, I have scripted the automation of these accounts. You can find that link here, Microsoft TechNet Gallery.


Let’s Begin:

Since I am hosting SQL on a dedicated server, I will install SSRS (SCOM Reporting) on that server.

Well, that’s not new… Prerequisites. Since this is a clean, vanilla Windows 2019 server, we will need to install all the necessary Web Console components, along with Report Viewer Controls (probably SQL CLR Types too..).

  • For the Report Viewer Prerequisites, go HERE.
  • Here is the PowerShell command I ran to install the necessary IIS features/roles:
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Mgmt-Compat, Web-Metabase, NET-Framework-45-Features, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-Services45, NET-WCF-HTTP-Activation45, NET-WCF-TCP-PortSharing45, WAS, WAS-Process-Model, WAS-Config-APIs -restart

 

Once the server is back online, you will need to register ASP.Net.

6

You will need to apply the following using Command Prompt (as Administrator)). Yes, this is a screenshot from a previous post…Forgot to capture the screenshot when running it this time..

  1. cd %WINDIR%Microsoft.NETFramework64v4.0.30319
  2. aspnet_regiis.exe -r
  3. IISRESET
  4. Reboot your server…

Once the server is back online, let’s try that Prerequisites check again….

Great! Now all of Prerequisites have been met!

Provide a meaningful Management Group Name (there’s no going back after this…)

SQL Server will be where your SCOM SQL instance(s) were installed. Remember, to either disable the Windows Firewall, or open SQL TCP Ports 1433.

 

I recommend always keeping this off, and manually updating your SCOM infrastructure.

One quick review. Looks good. Hit Install, and get some fresh air!

A few minutes later….

Sweet! All good. I hope this helps. If you have any questions or issues, please drop me a line.

Happy 2019 SCOM’ing!

(more…)

Step-by-Step: Setup and Configure Azure Site Recovery (ASR) with Windows Server 2016 Hyper-V using ARM

Not too long ago, Microsoft announced the support of Windows 2016 and Azure Site Recovery (ASR). Microsoft’s announcement can be found HERE.

With that said, I decided to setup ASR with my Hyper-V 2016 environment. Rather than the typical blog posts (screenshots etc.,) I decided to create a step-by-step video that demonstrates how to setup ASR with Windows Server 2016 and Hyper-V. That video can be found HERE at Channel 9.

In addition this post is a series of blog posts for Azure Site Recovery (ASR).

Step-by-Step – Installing System Center Operations Manager (SCOM) 2016 on Windows Server 2016 with SQL 2016

This post I will be installing System Center Operations Manager 2016 (SCOM) RTM, Build Number 7.2.11719.0.

Here is some of the background information. As this post will concentrate on the installation of SCOM 2016, I am going to omit the setup and configuration of the Domain Controller, Windows Server 2016 for both SCOM Management Server and SQL Server (Please note, I am using SQL Server 2016, both servers on Windows 2016).

If you need help setting up SQL 2016 for SCOM 2016, please visit HERE.

Environment:  Virtual; ESX 6.0 Hypervisor

SCOM Management Server:

  • Windows Server 2016
  • 4 vCPU (2.00GHz)
  • 12 GB memory
  • 100GB Diskspace
  • 1GB vNIC

SQL Server:

  • Windows Server 2016
  • SQL Server 2016
  • 4 vCPU (2.00GHz)
  • 24 GB memory
  • 300GB Diskspace
  • 1GB vNIC

Service Accounts and Local Administrator:

Domain\Account Description Local Admin on…
domain\SCOM_AA SCOM Action Account SCOM & SQL
domain\SCOM_DA SCOM Data Access/SDK Account SCOM & SQL
domain\SCOM_SQL_READ SCOM SQL Reader SQL
domain\SCOM_SQL_WRITE SCOM SQL Writer SQL
domain\SCOM_Admins SCOM Administrators Group SCOM
domain\SQL_SA SQL Service Account SQL
domain\SQL_SSRS SQL Service Reporting Services Account SCOM

 

Now, if you’re lazy like me, or are tired of doing this setup for environments, I have scripted the automation of these accounts. You can find that link here, Microsoft TechNet Gallery.


Let’s Begin:

2

3

For completeness, let’s install all the features of SCOM 2016. (I am hosting a default SQL 2016 instance on the SCOM Management Server for SSRS)

4

5

Well, that’s not new… Errors. Since this is a clean, vanilla Windows 2016 server, we will need to install all the necessary Web Console components, along with Report Viewer Controls (probably SQL CLR Types too..).

  • For the Report Viewer Prerequisites, go HERE.

Note, oddly I was unable to install with CLR SQL 2016, Reports Viewer still complained and required CLR SQL 2014.

  • Here is the PowerShell command I ran to install the necessary IIS features/roles:
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Mgmt-Compat, Web-Metabase, NET-Framework-45-Features, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-Services45, NET-WCF-HTTP-Activation45, NET-WCF-TCP-PortSharing45, WAS, WAS-Process-Model, WAS-Config-APIs -restart

 

Once the server is back online, you will need to register ASP.Net.

6

You will need to apply the following using Command Prompt (as Administrator)).

  1. cd %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\
  2. aspnet_regiis.exe -r
  3. IISRESET
  4. Reboot your server…

Once the server is back online, let’s try that Prerequisites check again….

7

Great! Now all of Prerequisites have been met!

8

Provide a meaningful Management Group Name (there’s no going back after this…)

9

SQL Server will be where your SCOM SQL instance(s) were installed. For me, I have built two instances on my SQL2016 server (SCOM_OPSMGR & SCOM_DW).

10

11

12

13

14

15

16

17

I recommend always keeping this off, and manually updating your SCOM infrastructure.

18

One quick review. Looks good. Hit Install, and get some fresh air!

19

A few minutes later….

20

Sweet! All good. I hope this helps. If you have any questions or issues, please drop me a line.

Please note, it is STRONGLY ADVISED to install the Update Rollup 1 once you have deployed SCOM 2016. For that walk-through, please visit the following post, HERE.

Happy 2016 SCOM’ing!

(more…)

What’s New in System Center Operations Manager (SCOM) 2016?

Later this month, System Center Operations Manager (SCOM) 2016 along with the System Center suite and Windows Server 2016 will be available to the public. With that said, what’s new in SCOM 2016? Is it work the upgrade? etc., etc.

In previous posts, I did a walk-through on Maintenance Mode schedulesManagement Pack Updates, and how to integrate your SCOM environment with Operations Management Suite (OMS) go here for those.

While there isn’t exactly a change-log provided by Microsoft/System Center team(s), there is an article indicating the new features introduced in System Center Operations Manager SCOM 2016:

  • Management Pack Updates and Recommendations
  • Alert Data Management
  • Extensible Network Monitoring
  • Monitoring Nano Server and Workloads
  • Console User Interface Performance Improvements
    • HTML5 dashboards? Bye-bye Silverlight!?
  • Scalability Improvement with Unix/Linux Agents Monitoring
  • Maintenance Schedules
  • Extend Operations Manager with Operations Management Suite
  • Partner Program in Administration Pane

For the complete breakdown for what’s new in SCOM 2016, go HERE.

Microsoft Most Valuable Professional Award – Cloud and Datacenter Management

I am proud and happy to announce, Microsoft has awarded me their Most Valuable Professional award this October, for my contributions within the Cloud and Datacenter Management technical communities.

mvp_logo_horizontal_preferred_cyan300_rgb_300ppi

“Microsoft Most Valuable Professionals, or MVPs, are community leaders who’ve demonstrated an exemplary commitment to helping others get the most out of their experience with Microsoft technologies. They share their exceptional passion, real-world knowledge, and technical expertise with the community and with Microsoft.”

For more information, please visit the LINK.

 

Monitoring VMware (ESX/ESXi) with OMS

We all know monitoring Hyper-V and/or SCVMM with OMS is rather straight forward, and native. However, what about VMware (ESX/ESXi)?

In my VMware environment, I am using ESXi Host version 5.5 and vCenter version 6.0.

The following post is to help you monitor your ESX/ESXi environment with OMS.

  • First, you will need to enable the ESXi Shell, or SSH on your ESXi host, see HERE how
  • Next, you will need to configure the syslog(s) on your ESXi host, see HERE how

My ESXi server’s IP 10.10.10.30, and I will be forwarding the syslog(s) to my vCenter Windows Server IP 10.10.10.34. To be safe, I am going to configure both port 514 UDP and TCP .

ConfiguringSyslogOnESXiviaSSH

  • Remember to disable the firewall(s) on your vCenter Windows server
  • Now on your vCenter Windows Server, you will need to deploy the OMS Agent (Microsoft Monitoring Agent), see HERE how
    • Once your vCenter server is communicating with OMS, we can move on to the next step
  • Within OMS, if you haven’t already, you will need to enable “Custom Logs“; Settings > Preview Features > Enabled Custom Logs

EnableCustomLogs

  • Next, set up the following syslog file as your custom log on your vCenter server. In my case, my ESXi hostname is ‘RaviESXi’ and its IP is 10.10.10.30.
  • Followed by importing your syslog into OMS for the first time (see below for instructions)

C:\ProgramData\VMware\vCenterServer\data\vmsyslogcollector\yourESXiHostnameHere\syslog.log

For me, that path translates to, “C:\ProgramData\VMware\vCenterServer\data\vmsyslogcollector\RaviESXi\syslog.log

In my example, I then created an OMS custom log named “VMwareWin” for ESXi syslog. (By default, _CL suffix will be automatically added, which will result as, “VMwareWin_CL”) If you are unfamiliar with OMS’ Custom Logs, see HERE.

Once you have completed this step, it make take some time for your data to start showing up in OMS. Give it an hour or so…

  • Now we can start creating some custom fields within OMS. For example, ESXi Hostname, vmkernel, hostd, etc. See HERE about OMS’ custom fields in log analytics.
    • If you have done everything correctly, you should have custom logs and custom fields similar to this:

CreatingCustomLogs(2)

CreatingCustomFields

  • Now  you can start creating some dashboards with some custom queries!

For example, here’s one query I tested with and thought was worthy for its own dashboard:

All events and number of occurrences:

Type=VMwareWin_CL | measure count() by VMwareProp_CFDashboard1Example

Of course the number of queries and dashboards is endless at this point. Feel free to let me know your thoughts and some queries/dashboards you have come up with!

Lastly, don’t forget to add some important syslog OMS Data Log Collection, here is what I have configured:

6

Cheers!