Category Archives: Expert advice on Windows based systems and hardware


Learn the basics of PowerShell for Azure Functions

just for developers; several scripting languages open up new opportunities for admins and systems analysts as well.

Scripting options for Azure Functions

Azure Functions is a collection of event-driven application components that can interact with other Azure services. It’s useful for asynchronous tasks, such as data ingestion and processing, extract, transform and load processes or other data pipelines, as well as microservices or cloud service integration.

In general, functions are well-suited as integration and scripting tools for legacy enterprise applications due to their event-driven, lightweight and infrastructure-free nature. The ability to use familiar languages, such as PowerShell, Python and Node.js, makes that case even stronger. Since PowerShell is popular with Windows IT shops and Azure users, the best practices below focus on that particular scripting language but apply to others as well.

PowerShell for Azure Functions

The initial implementation of PowerShell for Azure Functions uses PowerShell version 4 and only supports scripts (PS1 files), not modules (PSM1 files), which makes it best for simpler tasks and rapid development. To use PowerShell modules in Azure Functions, users can update the PSModulepath environment variable to point to a folder that contains custom modules and connect to it through FTP.

When you use scripts, pass data to PowerShell functions through files or environment variables, because a function won’t store or cache the runtime environment. Incoming data to a function, via an event trigger or input binding, is passed using files that are accessed in PowerShell through environment variables. The same scheme works for data output. Since the input data is just a raw file, users must know what to expect and parse accordingly. Functions itself won’t format data but will support most formats, including:

  • string;
  • int;
  • bool;
  • object/JavaScript Object Notation;
  • binary/buffer;
  • stream; and
  • HTTP
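The advice above that "users must know what to expect and parse accordingly," shown as an added example (not code from the original article): a handler that treats the input file as untrusted data and validates it before acting on it. The binding variable names `$req` and `$res`, the hostname/action message schema, the allowlist and the size limit are assumptions made for illustration.

```powershell
# Added example, not from the original article. In a deployed function the two
# paths would come from the variables named after the bindings (assumed here
# to be $req and $res); the demo at the bottom uses temp files instead.
Set-StrictMode -Version 2

$AllowedActions = @('status', 'restart')   # hypothetical allowlist

function Invoke-InputHandler {
    param(
        [Parameter(Mandatory = $true)][string]$InputPath,
        [Parameter(Mandatory = $true)][string]$OutputPath,
        [int]$MaxBytes = 16384             # assumed upper bound for one message
    )

    $result = @{ ok = $false; error = $null }
    try {
        # 1. Bound the size before reading: the sender controls the content.
        $file = Get-Item -LiteralPath $InputPath -ErrorAction Stop
        if ($file.Length -gt $MaxBytes) { throw "input larger than $MaxBytes bytes" }

        # 2. Parse as data only; never dot-source or Invoke-Expression the content.
        $raw = Get-Content -LiteralPath $InputPath -Raw -ErrorAction Stop
        try   { $data = ConvertFrom-Json -InputObject $raw -ErrorAction Stop }
        catch { throw 'input is not valid JSON' }
        if ($data -isnot [System.Management.Automation.PSCustomObject]) {
            throw 'input must be a JSON object'
        }

        # 3. Check every expected field for presence, type and value.
        $hostProp   = $data.PSObject.Properties['hostname']
        $actionProp = $data.PSObject.Properties['action']
        if (-not $hostProp -or $hostProp.Value -isnot [string] -or
            $hostProp.Value -notmatch '\A[A-Za-z0-9-]{1,63}\z') {
            throw 'hostname missing or malformed'
        }
        if (-not $actionProp -or $AllowedActions -notcontains $actionProp.Value) {
            throw 'action missing or not allowed'
        }

        $result.ok       = $true
        $result.hostname = $hostProp.Value
        $result.action   = $actionProp.Value
    }
    catch {
        # Report the reason to the caller instead of leaving the output empty.
        $result.error = $_.Exception.Message
    }

    # Output goes back the same way input arrived: as a file.
    $result | ConvertTo-Json | Out-File -LiteralPath $OutputPath -Encoding Ascii
    return $result.ok
}

# Constructed demo input: one well-formed message and one malformed one.
$inFile  = [System.IO.Path]::GetTempFileName()
$outFile = [System.IO.Path]::GetTempFileName()
foreach ($body in '{"hostname":"web01","action":"status"}',
                  '{"hostname":"web01;whoami","action":"status"}') {
    Set-Content -LiteralPath $inFile -Value $body -Encoding Ascii
    $ok = Invoke-InputHandler -InputPath $inFile -OutputPath $outFile
    '{0} -> {1}' -f $ok, (Get-Content -LiteralPath $outFile -Raw)
}
Remove-Item -LiteralPath $inFile, $outFile
```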

PowerShell functions can be triggered by HTTP requests, an Azure service queue, such as when a message is added to a specified storage queue, or a timer (see Figure 1). Developers can create Azure Functions with the Azure portal, Visual Studio — C# functions only — or a local code editor and integrated development environment, although the portal is the easiest option.

Figure 1. PowerShell functions triggers

Recommendations

Azure Functions works the same whether the code is in C#, PowerShell or Python, which enables teams to use a language with which they have expertise or can easily master. The power of Functions stems from its integration with other Azure services and built-in runtime environments. Writing as a function is more efficient than creating a standalone app for simple tasks, such as triggering a webhook from an HTTP request.

While PowerShell is an attractive option for Windows teams, they need to proceed with caution since support for Azure Functions is still a work in progress. The implementation details will likely change, however, for the better.

Configure Windows Storage Spaces to serve up hot data fast

One way is through Windows Storage Spaces, the storage virtualization feature available in Windows Server 2012 and onward. Storage Spaces pools available storage resources and shifts more frequently used data onto flash media through its tiered storage functionality.

Files that are often accessed, changed, read and written to could be stored on solid-state media, while old data and archives in less demand are fine on slower, less expensive hard disk media. This arrangement significantly expands the capacity of a storage pool at a more manageable cost without sacrificing performance. Administrators have the option to set up simple spaces with no resiliency or mirrored spaces — two or more copies of data that are stored separately — for fault tolerance in the pool, similar to RAID, to avoid data loss. Technically, Windows Storage Spaces works with as little as one solid-state drive (SSD) and one hard disk drive (HDD), but shops typically need more storage than that.

With Windows Storage Spaces and a full disk enclosure, it just takes a few PowerShell commands to set up the hot fast drives and cold slow drives, then make the pool available to the network.

How to set up Windows Storage Spaces

First, create the storage pool with this PowerShell script:

$s = Get-StorageSubSystem

New-StoragePool -StorageSubSystemId $s.UniqueId -FriendlyName StorageSpacesPool -PhysicalDisks (Get-PhysicalDisk -CanPool $true)

Assign the media type — SSD or HDD — to the disks that make up the pool with the following PowerShell commands. Replace the placeholder comment in each Where-Object filter with a test that picks out the right disks.

Get-StoragePool StorageSpacesPool | Get-PhysicalDisk | Where-Object { <# some criteria, maybe size, to identify your SSDs #> } | Set-PhysicalDisk -MediaType SSD

Get-StoragePool StorageSpacesPool | Get-PhysicalDisk | Where-Object { <# criteria to pick out your HDDs #> } | Set-PhysicalDisk -MediaType HDD

After the assignments, double-check the disk configuration:

Get-StoragePool StorageSpacesPool | Get-PhysicalDisk | Sort MediaType | Format-Table FriendlyName, Size, MediaType, HealthStatus, OperationalStatus -AutoSize

Next, set up the tiers:

Get-StoragePool StorageSpacesPool | New-StorageTier -FriendlyName HotHot -MediaType SSD

Get-StoragePool StorageSpacesPool | New-StorageTier -FriendlyName ColdCold -MediaType HDD

Finally, set up the resiliency, simple spaces and mirrored spaces features:

Get-StoragePool StorageSpacesPool | Set-ResiliencySetting -Name Simple -NumberOfColumnsDefault 4

Get-StoragePool StorageSpacesPool | Set-ResiliencySetting -Name Mirror -NumberOfColumnsDefault 2

$SSD = Get-StorageTier -FriendlyName HotHot

$HDD = Get-StorageTier -FriendlyName ColdCold

Get-StoragePool StorageSpacesPool | New-VirtualDisk -FriendlyName SimpleSpace -ResiliencySettingName Simple -StorageTiers $SSD, $HDD -StorageTierSizes 32GB, 128GB -WriteCacheSize 1GB

Get-StoragePool StorageSpacesPool | New-VirtualDisk -FriendlyName MirroredSpace -ResiliencySettingName Mirror -StorageTiers $SSD, $HDD -StorageTierSizes 32GB, 128GB -WriteCacheSize 1GB

There are some caveats. The host OS must run Windows Storage Spaces on a physical machine. Also, Microsoft will not support a just a bunch of disks (JBOD) enclosure that is not listed as compatible with Storage Spaces on the Windows Server Catalog site. A storage pool on an unsupported JBOD enclosure will probably work, but if problems occur, Microsoft won’t work to resolve them.

Windows Storage Spaces vs. Storage Spaces Direct

While the names are similar, the two Storage Spaces features in Windows Server differ. Some in IT believe Storage Spaces Direct in Windows Server 2016 supersedes Storage Spaces. But that is not the case, and both features still exist.

Storage Spaces — and Clustered Storage Spaces — is available in Windows Server 2012 and onward. Windows Storage Spaces is essentially software RAID with logical volume pooling and built-in software fault tolerance.

Storage Spaces Direct is only available in the Datacenter edition of Windows Server 2016 and executes its functionality quite differently. It creates pools of different types of media logically addressed together and then deconstructed and reassigned on the fly — the epitome of software-defined storage.

Which should you use?

If you’re not on the Windows Server 2016 Datacenter edition, the choice is clear: Use Windows Storage Spaces.

For medium-sized shops, the price tag of Storage Spaces Direct — still substantially below the cost of a software-defined storage area network product — might still be too high.

Windows Storage Spaces offers the advantage of connecting standard commodity hardware, such as spinning disk drives and solid-state drives, with regular servers, which operate on less expensive Windows Server 2012 editions. Most shops either already use or are planning a migration to this server OS or later versions.

Windows PowerShell DSC book trains IT to lock down systems

When a server configuration drifts from its approved baseline, bad things happen.

A seemingly innocuous setting change can trigger a catastrophic domino effect that ripples through the data center. A high availability cluster could crumble, or a disaster recovery configuration could collapse just when it’s needed most. To protect the business — and themselves — the IT department should implement a change management tool, such as Windows PowerShell Desired State Configuration (DSC).

Windows PowerShell DSC is a management extension in PowerShell that gives administrators more control over Windows machines. Introduced with PowerShell 4.0, Windows PowerShell DSC builds on that automation tool with its own cmdlets and language extensions to tighten controls on software deployments and server configurations. Windows PowerShell DSC sets a desired state for a server, which the IT department applies to existing or new machines. Administrators set up Windows PowerShell DSC to use push mode to send configurations to machines, pull mode to have the machines retrieve configurations from the server or a combination of these two modes.
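The push mode and drift control described above, as an added example (not taken from the article or from The DSC Book): a small configuration is compiled, pushed to the local node, and later checked for drift without changing anything. It assumes Windows Server with WMF 5.0 or later and an elevated session; the configuration name and the three baseline items are illustrative choices.

```powershell
# Added example, not from the article or The DSC Book. Assumes Windows Server
# with WMF 5.0 or later (Test-DscConfiguration -Detailed) and an elevated session.
# The baseline items are illustrative, not a recommended hardening set.
Configuration ApprovedBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # The time service must be running and start automatically.
        Service TimeService {
            Name        = 'W32Time'
            State       = 'Running'
            StartupType = 'Automatic'
        }
        # The Telnet client must not be installed.
        WindowsFeature NoTelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
        # Accounts with blank passwords may only log on at the console.
        Registry LimitBlankPasswordUse {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'LimitBlankPasswordUse'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
    }
}

# Compile the configuration to a MOF file, then push it to the node.
$mofDir = Join-Path $env:TEMP 'ApprovedBaseline'
ApprovedBaseline -OutputPath $mofDir | Out-Null
Start-DscConfiguration -Path $mofDir -Wait -Force

# Later (for example from a scheduled job): report drift without changing anything.
function Get-BaselineDrift {
    $state = Test-DscConfiguration -Detailed
    if ($state.InDesiredState) { return @() }
    # ResourceId looks like "[Service]TimeService"
    return @($state.ResourcesNotInDesiredState | ForEach-Object { $_.ResourceId })
}

$drift = @(Get-BaselineDrift)
if ($drift.Count -eq 0) { 'Node matches the approved baseline.' }
else { "Drifted resources: $($drift -join ', ')" }
```

Whether a node only reports drift or also corrects it is decided by the Local Configuration Manager's ConfigurationMode setting (ApplyOnly, ApplyAndMonitor or ApplyAndAutoCorrect).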

In The DSC Book by Don Jones and Melissa Januszko, the authors explain these nuances and why administrators should use Windows PowerShell DSC for more than simple server deployments. The book, which comes in a Forever Edition format, meaning the authors will continually update and expand it, consists of six parts. After an introduction that details why Windows PowerShell DSC exists, the authors get into advanced territory, such as partial configurations and best practices for resource design. The book also covers common trouble spots and error messages in PowerShell DSC, with possible resolutions.

In this excerpt taken from the book’s introduction, Jones and Januszko describe the difference between Windows PowerShell DSC and the Group Policy management tool:

On the surface, DSC and Group Policy seem to serve the same high-level purpose. Both of them enable you to describe what you want a computer to look like, and both of them work to keep the computer looking like that. But once you dig a little deeper, the two technologies are grossly different.

Group Policy is part and parcel of Active Directory (AD), whereas DSC has no dependency on, or real connection to, AD.


Group Policy makes it easy to target a computer dynamically based on its domain, its location (organizational unit, or OU) within the domain, its physical site location, and more. Group Policy can further customize its application by using Windows Management Instrumentation (WMI) filters and other techniques. DSC, on the other hand, is very static. You decide ahead of time what you want a computer to look like, and there’s very little application-time logic or decision-making. Group Policy predominantly targets the Windows Registry, although Group Policy Preferences (GPP) enables additional configuration elements. Extending Group Policy to cover other things is fairly complex, requires native C++ programming, and involves significant deployment steps. DSC, on the other hand, can cover any configuration element that you can get to using .NET or Windows PowerShell. Extending DSC’s capabilities is a simple matter of writing a PowerShell script, and deploying those extensions is taken care of by DSC’s infrastructure.

Editor’s note: This excerpt is from The DSC Book, authored by Don Jones and Melissa Januszko, published by Leanpub, 2016.

Powered by WPeMatico

Construct a chain of commands with the PowerShell pipeline

Administrators new to PowerShell can construct intricate workflows within a single line of code once they learn how to tap into the automation tool’s piping abilities.

The ability to take output from one command and send it as input to the next command with the PowerShell pipeline is a major feature that sets PowerShell apart from other scripting languages. The pipeline links multiple commands to perform complex actions, such as configuration changes. In other operating systems such as Linux, the shell needs to parse the text output from a command before it can work with the data.

It’s useful to think of PowerShell objects as analogous to a car, and the methods as the actions a car can take, such as moving forward or backward. Usually, an administrator would need a separate script for each method, but the PowerShell pipeline enables admins to consolidate those scripts and pass — or pipe — rich objects from one command to another.

The PowerShell pipeline helps condense code. For example, take the script below:

$service = Get-Service -Name XXX

$serviceName = $service.Name

Stop-Service -Name $serviceName

The administrator can shorten this code by using the PowerShell pipeline to chain the commands and pass the object between them. The previous script becomes one line of code: Get-Service emits the service object, and Stop-Service takes it from the pipeline and stops that service:

Get-Service -Name XXX | Stop-Service

This video tutorial further explains what the PowerShell pipeline is and demonstrates how it works with real-life examples. 


Microsoft spotlights exploit connected to SMB on July Patch Tuesday

Windows Server administrators can’t catch a break when it comes to vulnerabilities and the Server Message Block protocol.

Microsoft addressed 54 vulnerabilities on July Patch Tuesday, including yet another potential exploit connected to Server Message Block (SMB), which has been the vulnerability du jour of recent ransomware attacks.

One remote code execution vulnerability in all supported versions of Windows Server, labeled CVE-2017-8589, could allow an attacker to take control of a system through an SMB connection. This vulnerability resides in the Windows Search service and how it handles files, but the attacker can use an SMB connection as an attack vector to compromise the host.

While it uses SMB, this vulnerability is not related to the exploits used in the WannaCry attacks earlier this year, which were originally compiled by the National Security Agency and then leaked by hackers. But administrators should be vigilant anytime a vulnerability related to SMB is discovered, because the network file-sharing protocol has a large attack surface, said Jimmy Graham, director of product management for Qualys Inc., based in Redwood City, Calif.

“That’s the easiest way to get to a system — almost every Windows system is going to be running SMB of some kind,” he said. “If I were going to try to exploit a system, I would focus on that.”

Exploits in Windows Explorer, web browsers addressed


Another vulnerability that affects all supported versions of Windows Server, CVE-2017-8563, could allow attackers to elevate privileges and obtain system-level access to domain controllers. Microsoft only rates this as important instead of critical, but Graham advised Windows Server admins to address it quickly.

Graham also highlighted CVE-2017-8463, a vulnerability in Windows Explorer that could become a target for exploit kits even though it requires heavy user interaction. The exploit also resides in the Internet Explorer and Edge web browsers.

“[The vulnerability] would require someone to get a system on the network, create a malicious share, drop some malware in it and then send that in an instant messaging link or an email,” he said.

Urgent care needed

Microsoft seemed to catch its breath with July Patch Tuesday. In June, the company issued updates for a whopping 94 vulnerabilities, including some for unsupported systems, such as Windows Server 2003.

Although July Patch Tuesday addressed just 54 vulnerabilities — with only 19 listed as critical — admins should treat them seriously and patch them quickly. As the WannaCry attacks showed, attackers don’t need long to take advantage of an unpatched system.

“Looking at the patch-to-exploit time frame, those time frames have been so compressed [recently],” Graham said. “Obviously, testing is still required, and you need to test patches before you deploy them in your environment. But what we’ve seen is less than 30 days from the exploit release and the malware release in WannaCry.

“So, with that the case, a 30-day patching cycle might not be [quick] enough to have all of your systems covered by the time malware comes out.”

For more information about the remaining security vulnerabilities released on July Patch Tuesday, visit Microsoft’s Security Update Guide.

Dan Cagen is the associate site editor for SearchWindowsServer.com. Write to him at dcagen@techtarget.com.


Make a Windows Server 2016 Essentials comparison to find the best fit

Windows Server 2016 Essentials, which replaces the soon to be obsolete Small Business Server, is available in two similar-sounding options. And the version you install has a direct effect on usage rights and available features.

One point of confusion among enterprises during a Windows Server 2016 Essentials comparison is whether Essentials is a role within Windows Server 2016 Essentials or if it’s a separate stockkeeping unit (SKU) or edition. The answer: It’s both. And the difference between the two comes down to client access licensing.

The Windows Server 2016 Essentials edition is a separate SKU that you purchase. When you install an Essentials server from this SKU, it automatically establishes this version and sets up tools — after installing the core Windows Server 2016 OS.

The Essentials edition suits small businesses, nonprofit organizations and other businesses that previously gravitated toward Small Business Server; these shops likely desire a prefitted kit that sets things up and eliminates the need to hire a full-time IT staff member.

The Essentials experience, on the other hand, refers to the Essentials role that you can check within the Server Manager’s Roles and Features Wizard in any Windows Server 2016 edition. The Essentials role puts the features and control panel of Essentials onto a regular server box, without the native licensing features. All Windows Server 2016 DVDs and ISO images have this role as an option, so you get the functionality without purchasing the separate SKU.

Benefits of the Windows Server 2016 Essentials role

So, after a Windows Server 2016 Essentials comparison, why would an administrator want to install the Windows Server 2016 Essentials role? The bottom line: cool features. The Essentials product includes a portal that enables you to access certain desktops or laptops off premises using Remote Desktop Services over the web — without having to set up the RDS web experience and deal with certificates and Secure Sockets Layer ports. It also has a client backup feature; admins choose 100 of the most important user desktops and can automatically back them up to a member server — either instead of or in addition to the enterprise’s current backup strategy.


For example, a branch office within your company needs some of the Essentials features but also must be connected to the domain at corporate headquarters. There are times when it’s valuable to have the Essentials role available along with the separate SKU. Often, this setup is ideal for smaller networks and small businesses that don’t have a full-fledged AD deployment but need on-premises authentication and storage that communicates with Office 365, hosted email and SharePoint functions.

Caveats of Windows Server 2016 Essentials

While in some cases it is beneficial to have both the Windows Server 2016 Essentials SKU and the role, there can be issues with this setup. A Windows Server 2016 Essentials comparison reveals some caveats:

  • Windows Server 2016 Essentials edition must act as the domain controller at the root of a forest; it must hold all of the flexible single master operations roles. However, admins can deploy the Essentials role or experience on any member server in an existing AD domain.
  • From a support perspective, the Essentials edition supports 25 single users and 50 devices, while the role on a regular member server supports 100 users and 200 devices.
  • Windows Server 2016 Essentials licensing diverges widely. Windows Server client access licenses must separately cover all of those 100 users and 200 devices on a member server under the Essentials role, as the role does not include any built-in client access licenses. The Essentials SKU, on the other hand, includes 25 user and 50 device client access licenses for that product — without the need to purchase any additional licenses.
  • Admins can only back up client computers to the one computer that is running the Essentials role; this must be configured manually.


How can IT put PowerShell Integrated Scripting Environment to use?

PowerShell Integrated Scripting Environment is a tool that can benefit all levels of users, which is why many developers and administrators use it almost exclusively when working with PowerShell — often skipping the original console altogether.

With PowerShell ISE, which provides a graphical user interface (GUI) for writing and fixing PowerShell scripts, IT administrators and developers can write, edit and run PowerShell scripts and commands. It provides a more user-friendly way to work with the wide range of features available for creating and testing PowerShell code.

For example, PowerShell ISE includes IntelliSense for autocompleting commands and for matching cmdlets, variables, parameters and other language elements. The GUI also provides quick access to a variety of snippets that make it easier to construct command logic, such as looping structures. In addition, admins get multiple execution environments, selective code execution and the ability to run commands from either the PowerShell script or the console pane.

What else can PowerShell ISE do?

PowerShell script development

PowerShell Integrated Scripting Environment provides many other features to support PowerShell script development, such as drag-and-drop editing, tab completion, block selection, syntax coloring, keyboard shortcuts and Unicode support. Plus, admins can open PowerShell script files by dragging them from Windows Explorer to the PowerShell ISE GUI. They can even extend the PowerShell Integrated Scripting Environment object model to customize the deployment and add functionality.

Troubleshooting

Admins can also use PowerShell Integrated Scripting Environment to troubleshoot and debug PowerShell scripts. Although this goes hand in hand with script development, sometimes admins must fix an existing script and want to use PowerShell ISE’s debugging capabilities. Not only do they get features such as selective execution and multiple execution environments, but they can also set up breakpoints, step through code, check variable values and display call stacks. In addition, PowerShell Integrated Scripting Environment displays parsing errors as admins type.


Running complicated commands

Admins might also use PowerShell Integrated Scripting Environment when they want to run complex ad hoc commands and prefer to avoid the inherent clunkiness of the PowerShell console. With PowerShell ISE, they can type all their code in the script pane and then, when they’re ready, run part or all of the code. This also makes it easier to tweak the script if admins need to run it multiple times, incorporating slight modifications with each execution.

Learning

PowerShell Integrated Scripting Environment is also useful as a learning tool. Someone new to PowerShell can benefit a great deal from built-in features, such as IntelliSense, snippet access and parse error displays.


Use PowerShell when working with Hyper-V checkpoints

images of Hyper-V VM. For example, you can take checkpoints of a VM, perform your application testing and revert the checkpoint to a known state if you need to retest. Although you can use Hyper-V Manager to perform checkpoint tasks, it’s easier to do the same tasks using PowerShell.

By default, Hyper-V checkpoints aren’t enabled on VMs. In order to execute the PowerShell commands below, you’ll be required to enable checkpoints on the VMs. You can use the Hyper-V Manager to enable checkpoints for a VM, but you can also execute the Set-VM PowerShell cmdlet. To enable checkpoints for a single VM, execute the Set-VM -Name SQLVM -CheckpointType Standard PowerShell command; the -CheckpointType parameter accepts Disabled, Standard, Production and ProductionOnly. Next, run Set-VM -Name SQLVM -CheckpointType ProductionOnly to configure the VM to use a production checkpoint — first introduced in Hyper-V 2016.

Once you have enabled checkpoints for a VM, you can execute the below PowerShell commands to take checkpoints or revert to a checkpoint of your choice.

Create a checkpoint

To create a checkpoint, use the Checkpoint-VM PowerShell cmdlet. Just executing Checkpoint-VM -Name SQLVM will create a checkpoint for an SQLVM. If you need to take another checkpoint, execute the same command. Note that when you take a checkpoint, Hyper-V creates a checkpoint entry with the date and time when the checkpoint was taken.

To list all of the Hyper-V checkpoints for a VM, use Get-VMSnapshot -VMName SQLVM.

Note that the Checkpoint-VM PowerShell cmdlet doesn’t support taking checkpoints for a VM running on a remote Hyper-V host. If you need to perform a checkpoint for a remote VM, interact with the remote VM using the Get-VM PowerShell cmdlet and then pipe the Checkpoint-VM cmdlet as shown in the command below:

Get-VM Remote_SQLVM -ComputerName RemoteHyper-VHost | Checkpoint-VM

By using the command above, you are performing a checkpoint for a VM that is running on RemoteHyper-VHost.

To restore or revert to a checkpoint for a VM, use the Restore-VMSnapshot PowerShell cmdlet. If you would like to restore an SQLVM to a previous checkpoint, execute the PowerShell commands below:

$ThisVM = "SQLVM"

$ThisVM | Get-VM | Get-VMSnapshot -Name "SnapshotName" | Restore-VMSnapshot -Confirm:$False

Note that you will be required to stop the VM before performing the checkpoint restore operation.
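The checkpoint, test and revert cycle described above, put together as an added example (not code from the original article): the two functions check that checkpoints are enabled, name the checkpoint explicitly so the right one is restored, and stop the VM before the restore. The function names and the pre-test naming scheme are hypothetical; SQLVM is the VM name used in the article.

```powershell
#Requires -Modules Hyper-V
# Added example, not from the original article. Function names are hypothetical.

function New-TestCheckpoint {
    param(
        [Parameter(Mandatory = $true)][string]$VMName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $vm = Get-VM -Name $VMName -ComputerName $ComputerName -ErrorAction Stop
    if ($vm.CheckpointType -eq 'Disabled') {
        throw "Checkpoints are disabled on '$VMName'; enable them with Set-VM first."
    }
    # An explicit, timestamped name avoids restoring the wrong checkpoint later.
    $name = 'pre-test-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
    # Piping the VM object also works for VMs on a remote Hyper-V host.
    $vm | Checkpoint-VM -SnapshotName $name -ErrorAction Stop
    return $name
}

function Restore-TestCheckpoint {
    param(
        [Parameter(Mandatory = $true)][string]$VMName,
        [Parameter(Mandatory = $true)][string]$SnapshotName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $vm   = Get-VM -Name $VMName -ComputerName $ComputerName -ErrorAction Stop
    $snap = @($vm | Get-VMSnapshot -Name $SnapshotName -ErrorAction Stop)
    if ($snap.Count -ne 1) {
        throw "Expected exactly one checkpoint named '$SnapshotName', found $($snap.Count)."
    }

    # Stop the VM before the restore and remember whether to start it again.
    $wasRunning = $vm.State -eq 'Running'
    if ($vm.State -ne 'Off') {
        $vm | Stop-VM -Force -ErrorAction Stop
    }

    $snap[0] | Restore-VMSnapshot -Confirm:$false -ErrorAction Stop

    if ($wasRunning) {
        Start-VM -Name $VMName -ComputerName $ComputerName
    }
}

# Usage: checkpoint, run the application test, then return to the known state.
$checkpoint = New-TestCheckpoint -VMName 'SQLVM'
# ... application testing happens here ...
Restore-TestCheckpoint -VMName 'SQLVM' -SnapshotName $checkpoint
Get-VMSnapshot -VMName 'SQLVM' | Select-Object Name, CreationTime
```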


Reduce downtime with Azure Site Recovery service

The Azure Site Recovery service uses Microsoft’s cloud platform to prevent a halt in operations when issues arise. Azure Site Recovery moves workloads to and from different data centers — as well as both public and private clouds — to keep key services online and available.

What is Azure Site Recovery?

The Azure Site Recovery service has two elements:

  • The software and connections move VMs and services between two private data centers — either owned or rented by your organization — including Hyper-V and VMware VMs.
  • The Azure public cloud service acts as a data center stand-in and provides hot site disaster recovery capabilities. The Azure Site Recovery service also supports the hypervisors on Hyper-V and VMware vSphere. Azure Site Recovery does not work with the Xen hypervisor.

New Azure portal offers advanced management

At one time, administrators needed PowerShell to set up Azure Site Recovery to use Azure Resource Manager style deployments. IT shops can now use the new Azure portal to set up a new Azure Site Recovery environment, including a recovery vault.

This update enables IT to specify different VM sizes within the same account and set up fine-grained access to each resource based on user roles. Only the new portal supports fresh deployments, but it also can manage and support any existing deployments that began via the “classic” portal.

How to set up Azure Site Recovery

In addition to an Azure subscription, the organization needs an Azure storage account that holds data replicated from on-premises servers.

Log into the new portal to create a Recovery Services vault inside the storage account. Select New > More Services > Monitoring + Management > Backup and Site Recovery (OMS) to create VMs with replicated data; these failed-over Azure VMs also need access to an Azure network.

VMware shops will need a local VM to run the configuration server role that coordinates the data and communication with Azure and also handles the data replication processes. This VM is the process server and functions as a replication gateway — it caches, compresses and encrypts replication data, then sends it to Azure. The process server discovers other VMs and adds them to a replication configuration. The configuration server also acts as the master target server, which handles the replication after a disaster concludes and roles shift from Azure back to the on-premises locations.


Windows and Hyper-V shops need either System Center Virtual Machine Manager in the on-premises environment to manage the VMs or the Site Recovery Provider that communicates with the service over the internet. They also must install the Recovery Services agent on non-Virtual Machine Manager hosts to manage data replication.

How does it work?

From there, the Azure Site Recovery service does most of the grunt work. It manages replication based on pre-programmed cycles of 1 minute, 2 minutes, 15 minutes and so on. After the initial seeding, Azure Site Recovery performs delta replication to save bandwidth. You can set up “exclude disks” to avoid replication of temporary files and page files.

Remember to set up a recovery plan that instructs the services where VMs go, on what schedule and in what order; this creates a recipe to follow if a disaster or business interruption occurs. You can then trigger a failback once the interruption concludes and return services to their normal operation and location.


Microsoft stitches up Windows Server 2003 on busy June Patch Tuesday

Organizations that still use Windows Server 2003 got a surprise on June Patch Tuesday, with a Microsoft security update for the unsupported server operating system.

A month after the company issued patches for legacy systems to ward off the WannaCry ransomware attacks that affected thousands of computers, Microsoft released a free patch for Windows Server 2003, which has been unsupported since 2015. Microsoft addressed the exploit used in the WannaCry attacks in its March Patch Tuesday, but that only applied to supported Windows systems. The company later issued updates to protect unsupported Windows XP, Windows 8 and Windows Server 2003 operating systems.

This most recent course reversal — which also applies to other unsupported systems, such as Windows XP — comes alongside June Patch Tuesday updates that addressed an eye-opening 94 vulnerabilities.

“In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,” Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, wrote in a blog post. Hall indicated Microsoft chose to issue these additional security updates to protect unsupported systems from threats that may be similar to WannaCry.

Microsoft encourages businesses to migrate from legacy systems, such as Windows Server 2003, through end-of-life support deadlines. By releasing a security update for an unsupported product, Microsoft risks setting a precedent that businesses can stay with legacy products and still receive critical security updates.

In a separate blog post, Eric Doerr, general manager of the Microsoft Security Response Center, cautioned that this “should not be viewed as a departure from our standard servicing policies,” and businesses will be best-served by staying on Microsoft’s roadmap with supported Windows systems.

“It’s sort of a double-edged sword,” said Amol Sarwate, director of vulnerability labs for Qualys Inc., based in Redwood City, Calif. “For things like WannaCry, when the exploitation is so high and everyone and anyone is affected, Microsoft did the right thing by releasing patches for an end-of-life operating system.”

At the same time, “if they do this more often, people will start thinking the patches will be there, and that takes them away from the goal of moving away from the old operating systems,” he said.

Patch for in-the-wild vulnerability

Of the 94 vulnerabilities Microsoft identified for June Patch Tuesday, 27 are remote code execution (RCE) vulnerabilities that could allow an attacker to take control of a machine.

Sarwate said the top priority for Windows Server administrators should be CVE-2017-8543, which affects Windows Server 2008 and above, and is currently exploited in the wild. On an unpatched system, attackers can send a specially crafted Server Message Block request to the Windows Search service to gain control of a computer.

Administrators should promptly address CVE-2017-8507, an RCE vulnerability in Microsoft Outlook that an attacker could use to gain control of a system when a user views an email message, Sarwate said.

For more information about the remaining security vulnerabilities released on June Patch Tuesday, visit Microsoft’s Security Update Guide.
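A defender's triage for the Windows Search issue described above, as an added example that is not from the article or from Microsoft: it reports, per server, whether the Windows Search service (service name `WSearch`) is running and whether a given update is installed. It assumes CIM/WinRM access to the servers; the function name, server names and KB number are hypothetical placeholders, and the real KB numbers come from the Security Update Guide.

```powershell
# Added example: per-server exposure triage for the Windows Search service.
# Assumption: the admin workstation can open CIM (WinRM) sessions to each server.
function Get-WindowsSearchExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Placeholder input: KB numbers for your OS builds, taken from the Security Update Guide.
        [Parameter(Mandatory)][string[]]$UpdateId
    )
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
            $os  = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
            $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='WSearch'"
            $kbs = Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering |
                   Where-Object { $UpdateId -contains $_.HotFixID }

            $running = [bool]($svc -and $svc.State -eq 'Running')
            $patched = [bool]$kbs
            [pscustomobject]@{
                ComputerName  = $computer
                OS            = $os.Caption
                SearchService = if ($svc) { "$($svc.State)/$($svc.StartMode)" } else { 'NotInstalled' }
                UpdateFound   = $patched
                # Unpatched with the service running is reviewed first.
                Priority      = if ($patched) { 'Low' } elseif ($running) { 'High' } else { 'Medium' }
                Error         = $null
            }
        }
        catch {
            # Unreachable hosts are reported rather than silently skipped.
            [pscustomobject]@{
                ComputerName = $computer; OS = $null; SearchService = $null
                UpdateFound  = $null; Priority = 'Unknown'; Error = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Constructed sample invocation; 'srv01', 'srv02' and 'KB0000000' are placeholders.
# Get-WindowsSearchExposure -ComputerName 'srv01','srv02' -UpdateId 'KB0000000' | Format-Table
```

`Win32_QuickFixEngineering` does not list every update type, and a later cumulative update may carry the fix under a different KB number, so treat `UpdateFound = False` as a prompt to verify rather than proof that a server is unpatched.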

Dan Cagen is the associate site editor for SearchWindowsServer.com. Write to him at dcagen@techtarget.com.
