Category Archives: Expert advice on Windows based systems and hardware

Updates to Sysinternals tools benefit server admins

Some Windows Server admins who grapple with security issues or access control might not know that they have a comprehensive set of free tools just a mouse click away.

The Sysinternals tools — a collection of more than 70 utilities for diagnostic, troubleshooting and monitoring purposes from Microsoft — have been around since 1996.

Mark Russinovich, CTO of Microsoft Azure, still has a hand in updating the tools he produced more than two decades ago to ensure they work with the latest Windows OSes and to add new features and capabilities, such as enhanced malware detection.

This year saw quite a few updates to the Sysinternals tools collection. Here’s a rundown of what additional functionality was added that could help untangle a few issues in your data center.

ProcDump

ProcDump, currently at version 9.0, checks running applications for CPU spikes and, if found, provides a dump to help the administrator determine the origin of the spike. As a secondary feature, ProcDump also generates crash dump data for hung applications.

Microsoft’s recent improvements to ProcDump should benefit Windows Server admins who need to troubleshoot application performance on a server. The most significant change is that ProcDump now has triggers that start the dump process. ProcDump is a command-line utility, and prior to the current release, the administrator ran ProcDump on an as-needed basis. Starting with version 9.0, ProcDump can be set up to watch for a problematic condition, such as a stuck application, and perform a dump automatically. This helps collect relevant data at the moment a problem occurs, as opposed to gathering data minutes or even hours after the issue happens.

Sysmon

The Sysmon (System Monitor) tool runs in the background to check and record system activity to the Windows event log. Sysmon is normally used to detect malware, but it also assists with other types of security incident management.

While the Windows OS also logs system activity, Sysmon gathers even more detail. Sysmon collects very granular information about network connections, process creations and any changes that are made to a file’s creation time.

Microsoft put in quite a bit of work on Sysmon in 2017. Version 6.0, released in February, added the option to show event schema and monitor itself for configuration changes. This version also introduced support for named pipes and a feature to display registry entries in its native format.

A few months after it released Sysmon 6.0, Microsoft put out version 6.1 in September to correct several bugs and add support for monitoring Windows Management Instrumentation event filters and event consumers for enhanced malware detection capabilities. Microsoft also added an autostart option to the tool.

Version 6.2, released in November, lets the user change the names of the Sysmon service and driver so that malware cannot spot Sysmon by its default names.
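The following is an added example, not code from the article or from Sysinternals: a PowerShell function that reads the three Sysmon event kinds described above from the Sysmon operational log and returns one object per event. The log name and event IDs 1, 2 and 3 are Sysmon’s documented ones; the default one-hour window and the usage lines are assumptions.

```powershell
# Added example, not code from the article or from Sysinternals. Returns recent Sysmon
# events of the three kinds the article names. Sysmon's documented event IDs:
#   1 = process creation, 2 = file creation time changed, 3 = network connection
function Get-SysmonActivity {
    [CmdletBinding()]
    param(
        [timespan]$Since     = [timespan]::FromHours(1),   # assumed default window
        [int]     $MaxEvents = 1000
    )

    $logName = 'Microsoft-Windows-Sysmon/Operational'
    if (-not (Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue)) {
        throw "Log '$logName' is not present; is Sysmon installed on this host?"
    }

    $filter = @{
        LogName   = $logName
        Id        = 1, 2, 3
        StartTime = (Get-Date) - $Since
    }

    # An empty window is not an error, so suppress Get-WinEvent's "no events" complaint
    $records = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($rec in $records) {
        # Sysmon writes its fields as named <Data> elements under <EventData>
        $xml  = [xml]$rec.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        switch ($rec.Id) {
            1 { $kind = 'ProcessCreate'
                $detail = "$($data['CommandLine']) (parent: $($data['ParentImage']))" }
            2 { $kind = 'FileCreateTime'
                $detail = "$($data['TargetFilename']) (was $($data['PreviousCreationUtcTime']))" }
            3 { $kind = 'NetworkConnect'
                $detail = "$($data['DestinationIp']):$($data['DestinationPort']) ($($data['Protocol']))" }
        }

        [pscustomobject]@{
            Time      = $rec.TimeCreated
            Kind      = $kind
            User      = $data['User']
            ProcessId = $data['ProcessId']
            Image     = $data['Image']
            Detail    = $detail
        }
    }
}

# Usage: which images produced which kinds of activity in the last 30 minutes,
# busiest first, then the full rows for outbound connections.
$activity = Get-SysmonActivity -Since ([timespan]::FromMinutes(30))
$activity | Group-Object Kind, Image | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$activity | Where-Object Kind -eq 'NetworkConnect' |
    Format-Table Time, Image, User, Detail -AutoSize
```

Run it in an elevated session on a host where Sysmon is installed; reading the operational log requires administrative rights.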

Autoruns

Windows servers have a tendency to evolve over time. As OS and application updates take place, they can leave behind remnants of the previous version. Although Autoruns is not designed to check systems for OS or application leftovers, it detects anything configured to run automatically when the system boots. In essence, Autoruns reveals anything from legitimate system processes to processes that are still running but are no longer needed. Admins can also use Autoruns to detect malware.

In September 2017, Microsoft published version 13.80 of Autoruns. While it was largely a bug fix release, Microsoft did add a few new capabilities. For example, the latest version of Autoruns performs asynchronous file saves and displays names for drivers and services.

AccessChk

The AccessChk command-line tool validates the level of access users or groups have to specific network resources.

Windows Server has multiple ways to approve access to a particular resource; sometimes, a user gets excessive, cumulative or even contradictory permissions as a result. AccessChk tests access permissions through its examination of files, folders, registry keys and Windows services.

In February 2017, Microsoft updated AccessChk to report on process trust access control and token security attributes. Microsoft further tweaked the utility in September 2017 with a cache for improved handling of multiple object enumeration.

Sysinternals Live

One of the more recent additions to the utilities lineup is Sysinternals Live, which offers web-based versions of some of the Sysinternals tools. The advantage to Sysinternals Live is it provides the most current version of the tools directly from Microsoft without the need to download or install the utilities.

Snag a better software service contract with these tactics

are ways to knock the price down.

If your organization purchases all its software licenses through the vendor that made the software, then the support options are somewhat limited. Software vendors might have one or two — possibly even three — support options, but there isn’t usually a way to negotiate a custom support plan when you buy direct.

This isn’t to say the business should not try to get better terms, but software vendors do not typically negotiate on the types of support. Hence, the only avenue for compromise is on price.

Understand where you have leverage

Negotiating the price of a support and software service contract is a common practice. Few enterprise software vendors list license or support prices because the cost is typically based on the number of licenses to be purchased. Support costs are usually figured into the sales quote.

When purchasing software directly from the software vendor — and the vendor does not publicly disclose pricing — then there is room to haggle. Never take the vendor’s first quote. Much like dealing with a car salesperson, it’s almost always possible to get a better price if you push for it.

The software vendor’s goal is to make money. The more it stands to get, the better your position is to work a less costly deal. Suppose you get a quote for three licenses, plus one year of service. It might be possible to talk the price down a little bit, but the vendor has no motivation to give a price break on such a small order. But, on an order for 3,000 licenses, the vendor stands to make a lot of money and will most likely make accommodations to get your business.

Some wiggle room with small orders

What can you do to negotiate the cost of a software service contract on a relatively minor order?

Try asking the vendor to throw in the service contract for free; explain that the small number of licenses means you won’t tie up their phone lines. You might also add that you will probably never use the support, but your boss insists that you have an agreement as a safety net.

You could say that the service cost pushes the software beyond your budget, and that, without a more favorable agreement, you will have no choice but to find a less expensive — possibly open source — product.

You still aren’t likely to get a free support agreement, but if the vendor understands the deal hinges on the support contract, then they will probably give a discount at the very least.

Get a break with an advance purchase

Another way to negotiate on the service contract is to purchase multiple years of support. If the company plans to use the software for an extended period of time, then it would probably pay for a support contract each year anyway. Why not pay for three to five years of support up front in exchange for a deeply discounted price?

If you purchase software from a value-added reseller rather than the software vendor, then these techniques might still be viable. You may be able to negotiate the scope of the service contract.

For example, one company I worked for had an agreement with a reseller that the company would purchase all software through the reseller — that included OS licenses, application licenses and everything else — but expected 24/7, on-site technical support for that software. This service contract was expensive, but the company lowered the price by agreeing to handle Tier I support events internally. The company’s IT staff — many who had various IT certifications — would handle whatever support incidents they could. For issues that proved more troublesome, the company would call the reseller for support.

Even with primary support handled by the organization’s IT staff, the support agreement was still expensive. The most important thing this organization did was keep careful records of all support incidents. When it was time to renegotiate the support contract at the end of the first year, the company used those reports to show it had only asked for support on a certain number of occasions. Those records gave the company leverage to get a better price than it had paid for the previous year’s support contract.

What are the options for OpenStack-supported hypervisors?

while retaining control over their own infrastructure and data. Cloud frameworks don’t provide the underlying virtualization for an enterprise private cloud, making it critical that a cloud framework support as many major hypervisors as possible. There is a wide range of OpenStack-supported hypervisors, and you should carefully consider the level of support each provides and how that matches your particular needs.

Together, VMware and Microsoft currently hold the majority of the hypervisor marketplace. Microsoft Hyper-V can run Windows, Linux and FreeBSD VMs under OpenStack, while VMware vSphere 5.1.0 and later will support VMware-based Linux and Windows images through vCenter Server. XenServer and Xen Cloud Platform can run Linux or Windows VMs, though the Nova compute service must be installed in a paravirtualized VM. Even OpenStack Nova compute supports the native Ironic bare-metal hypervisor for machine provisioning and control.

Use libvirt with Linux-based hypervisors

Many OpenStack-supported hypervisors are Linux-based but will typically require the libvirt open API for virtualization and management. For example, libvirt allows the Kernel-based Virtual Machine (KVM) hypervisor to run under OpenStack, and KVM versions are available for PowerPC and Power Architecture processors, IBM System/390 mainframes and more conventional x86 processor architectures. The Xen Project hypervisor will run under libvirt to support Linux, Windows, FreeBSD and NetBSD VMs under OpenStack Nova. Libvirt supports Virtuozzo 7.0.0 and later for containers and VMs based on KVM.

Generally, OpenStack will also use libvirt to support Linux Containers, Quick EMUlator and User-mode Linux, though these platforms are rarely used outside of legacy application maintenance.

It’s important to remember that all hypervisors aren’t created equal, and OpenStack-supported hypervisors might not receive the same level of support, stability, performance or interoperability. Private cloud adopters should invest time into performing due diligence tests and experiments to verify the compatibility between the chosen hypervisor and cloud framework to ensure adequate results for the needs of the specific enterprise.

Will PowerShell Core 6 fill in missing features?

Administrators who have embraced PowerShell to automate tasks and manage systems will need to prepare themselves as Microsoft plans to focus its energies on the open source version called PowerShell Core.

All signs from Microsoft indicate it is heading away from the Windows-only version of PowerShell, which the company said it will continue to support with critical fixes — but no further upgrades. The company plans to release PowerShell Core 6 shortly. Here’s what admins need to know about the transition.

What’s different with PowerShell Core?

PowerShell Core 6 is an open source configuration management and automation tool from Microsoft. As of this article’s publication, Microsoft made a release candidate available in November. PowerShell Core 6 represents a significant change for administrators because it shifts from a Windows-only platform to accommodate heterogeneous IT shops and hybrid cloud networks. Microsoft’s intention is to give administrative teams a single tool to manage Linux, macOS and Windows systems.

What features are not in PowerShell Core?

PowerShell Core runs on .NET Core and uses .NET Standard 2.0, a common library specification that lets some current Windows PowerShell modules work in PowerShell Core.

Because .NET Core is a subset of the .NET Framework, PowerShell Core misses out on some useful features in Windows PowerShell. For example, the workflow feature enables admins to execute tasks or retrieve data through a sequence of automated steps; it is not in PowerShell Core 6. Similarly, the workflow capabilities of sequencing, checkpointing, resumability and persistence are not available in PowerShell Core.

A few other features missing from PowerShell Core 6 are:

  • Windows Presentation Foundation: This is the group of .NET libraries that enable coders to build UIs for scripts. It offers a common platform for developers and designers to work together with standard tools to create Windows and web interfaces.
  • Windows Forms: In PowerShell 5.0 for Windows, the Windows Forms feature provides a robust platform to build rich client apps with the GUI class library on the .NET Framework. To create a form, the admin loads the System.Windows.Forms assembly, creates a new object of type system.windows.forms and calls the ShowDialog method. With PowerShell Core 6, administrators lose this capability.
  • Cmdlets: As of publication, most cmdlets in Windows PowerShell have not been ported to PowerShell Core 6. However, the compatibility with .NET assemblies enables admins to use the existing modules. Users on Linux are limited to modules mostly related to security, management and utility. Admins on that platform can use the PowerShellGet in-box module to install, update and discover PowerShell modules. PowerShell Web Access is not available for non-Windows systems because it requires Internet Information Services, the Windows-based web server functionality.
  • PowerShell remoting: Microsoft is porting Secure Shell (SSH) to Windows, and SSH is already popular in other environments, so SSH-based remoting is likely the best option for PowerShell remoting tasks. Modules such as Hyper-V, Storage, NetTCPIP and DnsClient have not been ported to PowerShell Core 6, but Microsoft plans to add them.
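As an added example (not code from the article or from Microsoft), the two helpers below support the transition just described: one inventories which installed modules declare PowerShell Core support, the other opens a remoting session over SSH on PowerShell Core and over WinRM on Windows PowerShell. The host and user names in the usage comments are placeholders.

```powershell
# Added example, not code from the article. Helpers for the Windows PowerShell to
# PowerShell Core transition. Host and user names in the usage lines are placeholders.
function Get-ModuleEditionReport {
    # CompatiblePSEditions comes from each module's manifest (Windows PowerShell 5.1 and
    # later). A module that does not declare it is reported as 'Undeclared' rather than
    # assumed to work on PowerShell Core.
    foreach ($m in (Get-Module -ListAvailable | Sort-Object Name -Unique)) {
        $editions = @($m.CompatiblePSEditions | Where-Object { $_ })
        $support  = if ($editions.Count -eq 0) { 'Undeclared' } elseif ($editions -contains 'Core') { 'Core' } else { 'Desktop only' }
        [pscustomobject]@{
            Name        = $m.Name
            Version     = $m.Version
            CoreSupport = $support
        }
    }
}

function New-EditionAwareSession {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$UserName
    )
    # PSEdition is 'Core' on PowerShell Core 6 and 'Desktop' (or absent) on Windows PowerShell
    if ($PSVersionTable.PSEdition -eq 'Core') {
        # SSH transport: reaches Linux, macOS and Windows hosts whose SSH server
        # exposes the powershell subsystem
        New-PSSession -HostName $HostName -UserName $UserName
    } else {
        # Windows PowerShell has only the WinRM transport
        New-PSSession -ComputerName $HostName
    }
}

# Usage (placeholders): list modules that will need a ported replacement on Core,
# then run a command on a remote host over whichever transport this edition offers.
#   Get-ModuleEditionReport | Where-Object CoreSupport -ne 'Core' | Format-Table -AutoSize
#   $s = New-EditionAwareSession -HostName 'srv01.example.com' -UserName 'ops'
#   Invoke-Command -Session $s -ScriptBlock { $PSVersionTable.PSEdition }
#   Remove-PSSession $s
```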

Is there a new scripting environment?

For Windows administrators, the PowerShell Integrated Scripting Environment (ISE) is a handy editor that admins use to write, test and debug commands to manage networks. But PowerShell ISE is not included in PowerShell Core 6, so administrators must move to a different integrated development environment.

Microsoft recommends admins use Visual Studio Code (VS Code). VS Code is a cross-platform tool and uses web technologies to provide a rich editing experience across many languages. However, VS Code lacks some of PowerShell ISE’s features, such as PSEdit and remote tabs. PSEdit enables admins to edit files on remote systems without leaving the development environment. Despite VS Code’s limitations, Windows admins should plan to migrate from PowerShell ISE and familiarize themselves with VS Code.

What about Desired State Configuration?

Microsoft offers two versions of Desired State Configuration: Windows PowerShell DSC and DSC for Linux. DSC helps administrators maintain control over software deployments and servers to avoid configuration drift.

Microsoft plans to combine these two options into a single cross-platform version called DSC Core, which will require PowerShell Core and .NET Core. DSC Core is not dependent on Windows Management Framework (WMF) and Windows Management Instrumentation (WMI) and is compatible with Windows PowerShell DSC. It supports resources written in Python, C and C++.

Debugging in DSC has always been troublesome, and ISE eased that process. But with Microsoft phasing out ISE, what should admins do now? A Microsoft blog says the company uses VS Code internally for DSC resource development and plans to release instructional videos that explain how to use the PowerShell extension for DSC resource development.

PowerShell Core 6 is still in its infancy, but Microsoft’s moves show the company will forge ahead with its plan to replace Windows PowerShell. This change brings a significant overhaul to the PowerShell landscape, and IT admins who depend on this automation tool should pay close attention to news related to its development.


Windows administrators contend with call to the cloud

As Microsoft pushes its cloud through a variety of avenues, Windows administrators find themselves grappling with more down-to-earth problems.

Many companies and their worn-down IT staffs, tethered by increasing costs and workloads associated with legacy equipment, might not be able to resist the call of the cloud much longer. As Microsoft CEO Satya Nadella beckons organizations with talk of digital transformation powered by the company’s Azure platform, it must be tempting for some admins, who can imagine the day they can pitch their servers — and their corresponding maintenance headaches — into the dumpster.

PowerShell, the script-based automation tool into which Microsoft has poured significant resources the last several years, can alleviate some of the pain associated with these maintenance tasks. As organizations’ infrastructures continue to expand and pull in different operating systems, namely Linux, Microsoft touts the open source PowerShell Core as the conduit through which IT will find administrative nirvana. But for many admins who get burned out from the constant demands of their jobs, it can be difficult to find the time to learn a new way to manage and configure systems.

SearchWindowsServer reached out to its contributors for their thoughts on Microsoft’s recent moves and whether they will ease the various challenges facing many IT departments.

Cloud-friendly a misnomer for some admins

Stuart Burns: A lot of Windows shops do not fully utilize automation technology. Linux administrators went through the same thing, but are further along the curve.

The trend with Microsoft server products is a shift from GUI-style management to a command-line-first approach. Old-style Windows administrators must learn to write scripts with a certain level of proficiency. But when everything is reduced to a PowerShell script that runs against an Azure environment, what is left for the administrator to do?

As the world shifts to infrastructure as code and software-defined data centers, the Windows administrator who wants to stay relevant must know how to code and handle the cloud as well as they know their current on-premises infrastructure.

Look for Microsoft to make inroads with cloud offerings

Adam Fowler: Despite all the hype around Azure and Office 365, many companies still need the basics, such as a file share.

Microsoft’s spin is to put file shares in the cloud with Azure File Sync. The service offers similar abilities to the distributed file-system service, but takes it several steps further. Azure File Sync keeps recently accessed files local, while older files remain in Azure. Windows administrators can set it up for multiple sites and not worry about what data goes where.

I also like what I’ve seen about the new server tool, Project Honolulu, that compiles numerous management features in a nice web interface. It includes utilities such as Server Manager, Hyper-Converged Cluster Manager and Failover Cluster Manager for on-premises systems. While it’s very early in the project’s development, it shows promise that Microsoft has not forgotten its Windows Server customers who are not PowerShell aficionados.

The future will bring more hybrid interoperability. The Operations Management Suite (OMS) offering, for example, has a lot of server support. OMS is an option as the hub for log shipping, data analysis, along with health checks of the servers and the applications they run.

Is the chasm between Microsoft and its customers growing?

Jonathan Hassell: Looking ahead, I expect Microsoft to further push its Azure services and cloud management services in general, including a de-emphasis on System Center in favor of Intune. I do not expect System Center Configuration Manager to last another five years.

There’s a disconnect between where big corporations are and where Microsoft is in terms of tech progress — and that gap is widening. Yes, Azure’s range of services is impressive. If you want to drop a quarter-million to call yourself a hybrid cloud user with Azure Stack, then fine. But there are still mainframes around. There are still critical line-of-business apps that run on Windows Server 2008 — even some on Windows Server 2003.

I also expect more navel-gazing about why Microsoft feels compelled to update Windows every six months in its Semi-Annual Channel. None of the IT people I talk to want that.

Server channels attempt to cater to two crowds

Brien Posey: One of the more intriguing recent developments for Windows Server admins is Microsoft’s new dual-channel release model, which addresses differing needs in the customer base.

Windows administrators generally fall into two different camps. On one side, there are administrators who prefer nonfrequent, well-tested, monolithic Windows Server releases. Microsoft has taken this approach over the last 20 years, with a new Windows Server version every two to three years.

On the other side of the equation are Windows Server admins who want to be on the bleeding edge of technology. For them, new Windows Server features cannot come quickly enough. They see frequent updates as a key to achieve business agility and maintain a competitive advantage.

In an effort to satisfy both sides, Microsoft now has two release channels for Windows Server.

This approach is the only way that Microsoft can make customers happy. The only question is how easy it would be for a company to switch channels. That might not end up being a cheap or easy thing to do.

GDPR requirements loom for Windows Server admins

The clock is ticking to get your Windows systems ready for the General Data Protection Regulation. To assist with these compliance efforts, Microsoft offers several resources to help systems administrators.

A European Union privacy law, GDPR goes into effect in May 2018 and signifies more wide-reaching ramifications for IT than other regulations. For example, while the Health Insurance Portability and Accountability Act is relevant only to healthcare providers, most organizations must adhere to GDPR requirements. The regulation applies to any organization — including those based outside Europe — that processes, collects or stores data of EU citizens.

This sweeping data privacy regulation presents a compliance challenge for even the smallest companies. For example, if a U.S. company sells items from its website to an EU citizen, GDPR applies to that business. Even something minor, such as storing an EU citizen’s phone number on digital media, forces a company to either observe the rules or delete the data.

What is GDPR?

GDPR imposes stringent requirements on how businesses handle the personal data of EU citizens. GDPR will replace the EU’s Data Protection Directive, which only affected organizations with a physical presence in Europe.

The GDPR requirements state that “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address.”

Organizations subject to GDPR compliance rules will need to retain data processing records that show a strong effort has been made to observe the more than 100 GDPR requirements. Penalties for noncompliance go up to 20 million euros — about $24 million — or up to 4% of a company’s annual revenue, whichever is more.

How does Windows Server help with GDPR?

Although Windows Server 2016 does not have specific features related to GDPR, the OS has other functionality to protect organizations from a data breach.

For example, the Just Enough Admin and the Just in Time Admin features protect against overprivileged administrative accounts. If a business has one administrator whose main responsibility is Active Directory management, then this person usually gets full administrative privileges, even though they just need to perform one specific type of administrative task. The Just in Time Admin and Just Enough Admin features grant the permissions required for a specific task for a limited period of time. The IT department can add an additional layer of security by configuring Windows to validate the administrator’s identity through multifactor authentication before the request is granted.
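To make the Just Enough Administration idea concrete, here is an added example (not code from the article or from Microsoft) that builds a JEA endpoint for a help-desk role limited to a few Active Directory account tasks. The group name CONTOSO\AD-Helpdesk, the module and endpoint names, and the paths are assumptions; run it elevated on the server that will host the endpoint.

```powershell
# Added example, not code from the article. Builds a Just Enough Administration (JEA)
# endpoint for an assumed help-desk group that needs a few Active Directory account
# tasks and nothing else. Group name, module name, endpoint name and paths are
# assumptions for the example.
$moduleName = 'AdHelpdeskJea'
$moduleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'

# JEA looks for role capability files in a module's RoleCapabilities folder,
# so create a manifest-only module to hold it.
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot "$moduleName.psd1")

# Role capability: the entire command surface the role may see. Anything not listed
# is invisible, and Set-ADAccountPassword is restricted to its reset parameters.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'AdHelpdesk.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        'Get-ADUser',
        'Unlock-ADAccount',
        @{ Name       = 'Set-ADAccountPassword'
           Parameters = @{ Name = 'Identity' }, @{ Name = 'Reset' }, @{ Name = 'NewPassword' } }
    )

# Session configuration: restricted endpoint, commands run under a transient virtual
# account (the operator holds no standing admin rights), every session transcribed.
$pssc = Join-Path $env:TEMP 'AdHelpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\AD-Helpdesk' = @{ RoleCapabilities = 'AdHelpdesk' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}
Register-PSSessionConfiguration -Name 'AdHelpdesk' -Path $pssc -Force | Out-Null

# Operators then connect to the constrained endpoint instead of a full session:
#   Enter-PSSession -ComputerName dc01 -ConfigurationName AdHelpdesk
# Inside it, Get-Command shows only the cmdlets above plus the JEA defaults.
```

Register-PSSessionConfiguration restarts the WinRM service, so existing remote sessions to the host are dropped.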

Another security feature that can help with GDPR compliance initiatives is Windows Defender Credential Guard. New to Windows Server 2016, this feature uses a hypervisor to isolate authentication credentials to restrict access to privileged system software. A similar tool called Windows Defender Remote Credential Guard protects the credentials used for remote desktop sessions.

Windows Defender Device Guard is an application whitelisting tool in Windows Server 2016 that an admin uses to specify which binaries can run on the system to prevent malware attacks. If there is an attempt to execute unauthorized code, Windows Server will block it and log the activity.

Microsoft updated Windows Server’s security auditing capabilities, which is useful for GDPR compliance. The company designed Windows Server 2016 to integrate with security information and event management systems and extended the server OS to support two new types of auditing. For the first time, Windows Server can natively audit group memberships and Plug and Play (PnP) activity. PnP auditing helps admins detect the use of external storage devices.

What else does Microsoft offer?

Microsoft promotes its cloud service as a method to accelerate GDPR compliance. For companies that do not have that option, there are other Microsoft services and tools that can help.

The GDPR Benchmark is a questionnaire that asks about two dozen questions and offers a series of recommendations based on the answers. Figure 1 shows an excerpt from the site.

Figure 1. Microsoft’s GDPR assessment site provides recommendations based on the answers to a series of questions.

The site asks for the company’s location, size and whether it is a Microsoft partner and then proceeds with a number of GDPR-specific questions. The GDPR Benchmark tool is essentially a Microsoft sales utility, but it has merit in highlighting the areas the admin needs to address to meet GDPR requirements.

A Microsoft site dedicated to GDPR offers guidance through a series of documents and videos that can assist organizations through the compliance process.

Figure 2. The GDPR Detailed Assessment package includes an Excel spreadsheet to measure a company’s level of GDPR compliance.

Figure 2 shows an Excel spreadsheet that is part of the GDPR Detailed Assessment package on the site. The spreadsheet contains more than 100 questions related to how the organization stores, maintains, secures and processes data. Complete the spreadsheet to assess the overall compliance readiness of the organization and which areas require improvement.

Upgrade your IT admin career options with these tips

As anyone who has been working in the Microsoft space in the last few years knows, the rate of change for a Windows sys admin has accelerated greatly, and it’s time to buckle in or fall behind.

Gone are the days of an environment that remains static for years. We’re now in a cloud and “as a service” world. With DevOps and Agile deployment methodologies in vogue, administrators get many small updates more frequently rather than the occasional, giant update every few years.

Due to this new world — which usually makes business sense due to economies of scale — IT admins need to update their skills to stay current. How can you stay afloat in this rapidly changing environment and prepare for advancement in your IT admin career?

This shift is a bit of an inconvenience for an admin and everyone who works in information technology. It requires a new mindset and a different skill set to manage the evolving infrastructure. We have moved from a known environment in which we controlled when and where updates occurred. At the very least, we could trace those changes. Now, it’s an outside entity that decides what updates happen and when they’re applied — often with no notice or communication.

Get your head in the Microsoft cloud

To adapt, admins need to be in the right mindset. In the world of Microsoft, you do yourself a disservice if you don’t consider options beyond being fully on premises. It’s next to impossible to stay on prem anyway.

Where does your email filtering service sit? Where do your OS updates originate from? How much does your disaster recovery environment cost to maintain? These questions are always going to come back to the cost and which one makes more financial sense. As a technical professional, you need to understand the pros and cons of different solutions at the high level. There is no ultimate better or worse answer; each has its strengths and weaknesses.

Because of changes in technical approaches from vendors and the rate-of-change expectations from companies, admins should learn as much as possible about Azure and Office 365. You may not use VMs in the cloud, but a major hardware refresh or office relocation that contains your existing data center may be all it takes for a decision to be made that throws you into the clutches of the cloud.

Admins new to Azure and Office 365 might be surprised by what each has to offer. Azure has a huge list of services and features that go beyond hosting VMs. Even Azure experts will say that it’s not possible to be highly knowledgeable in all areas of Microsoft’s cloud. Office 365 also has an extensive list of services and features that Microsoft changes and upgrades constantly.

To help sys admins, Microsoft provides a few ways to advance their learning efforts. The company’s Evaluation Center offers test environments in its TechNet Virtual Labs to try out features in its cloud products. There are also Microsoft Mechanics videos that showcase new products and features with brief technical demos and discussions.

Engineer new possibilities with PowerShell

The road to better opportunities in your IT admin career journey is paved with PowerShell cmdlets. PowerShell shipped in 2006, and Exchange 2007 was the first major Microsoft product built on top of it; every Windows admin should know how to use this automation and configuration management tool, regardless of the task.

Many IT admins still barely use PowerShell. If you’re in that group, don’t put it off any longer. It doesn’t matter which Microsoft product you work with; they all can be managed or configured with PowerShell. For an admin, it’s a good career move. PowerShell experience is a strong bullet point on a resume. For some jobs that deal with Azure or Office 365 management, it will be a hard requirement rather than a desirable skill.

To learn PowerShell, there is plenty of material online, such as videos, articles and books for beginners. I prefer a more direct approach. I forced myself to use PowerShell commands for simple tasks I already knew how to do — copying a file, changing an attribute on an Active Directory account or stopping a running service.

[Embedded video: How the cloud service differs from on-premises Active Directory]

PowerShell commands can be cumbersome at first, but use Google searches to understand basic concepts, such as piping and variables. These efforts will build your knowledge to develop advanced scripts that perform complex tasks that would be impossible or extremely time-consuming with a GUI utility.

Follow Microsoft’s lead to guide your career path

Companies that don’t use Azure and Office 365 are scarcer every day. It can be hard to justify managing your own Exchange Server when Microsoft can do it for you. An admin who builds experience in these areas, even if it’s only time spent testing and playing with the features, will be ahead of someone who did not invest the time to learn these technologies.

Even in your current job, use PowerShell to write a script for a particularly time-consuming task. For example, build one that generates a report of all users in the company by department and site, while excluding contractors and disabled accounts. This type of scripting ability is a great skill to have.
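The report described above, written as a pipeline function so it demonstrates piping, variables and grouping in one place. This is an added example, not code from the original article. The sample user objects are constructed here so the script runs offline; the Get-ADUser call in the trailing comment is how you would feed it real accounts. The attribute names follow the standard AD schema as Get-ADUser exposes them (Department, Office, employeeType), and the assumption that contractors are marked with employeeType = 'Contractor' is a placeholder for however your directory flags them.

```powershell
# Added example (not from the original article): report enabled, non-contractor
# users grouped by department and site. Works on any objects that carry Name,
# Enabled, employeeType, Department and Office, which is what Get-ADUser returns
# when asked for those properties.
function Get-UserReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $User)
    begin { $rows = New-Object System.Collections.Generic.List[object] }
    process {
        # Skip disabled accounts and contractors; everything else is reported.
        if (-not $User.Enabled) { return }
        if ($User.employeeType -eq 'Contractor') { return }   # assumption: contractor flag
        $rows.Add([pscustomobject]@{
            Department = $User.Department
            Site       = $User.Office
            Name       = $User.Name
        })
    }
    end {
        # One row per department/site pair, with a head count and the member names.
        $rows | Group-Object Department, Site | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Department = $first.Department
                Site       = $first.Site
                Users      = $_.Count
                Names      = ($_.Group.Name | Sort-Object) -join '; '
            }
        } | Sort-Object Department, Site
    }
}

# Constructed sample data standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ Name = 'Ada Lovelace'; Enabled = $true;  employeeType = 'Employee';   Department = 'Engineering'; Office = 'London' }
    [pscustomobject]@{ Name = 'Alan Turing';  Enabled = $true;  employeeType = 'Employee';   Department = 'Engineering'; Office = 'London' }
    [pscustomobject]@{ Name = 'Grace Hopper'; Enabled = $true;  employeeType = 'Employee';   Department = 'Engineering'; Office = 'Boston' }
    [pscustomobject]@{ Name = 'Temp Worker';  Enabled = $true;  employeeType = 'Contractor'; Department = 'Engineering'; Office = 'London' }
    [pscustomobject]@{ Name = 'Former Staff'; Enabled = $false; employeeType = 'Employee';   Department = 'Finance';     Office = 'Boston' }
    [pscustomobject]@{ Name = 'Dana Scully';  Enabled = $true;  employeeType = 'Employee';   Department = 'Finance';     Office = 'Boston' }
)

$sample | Get-UserReport | Format-Table -AutoSize

# Against a real domain, with the RSAT ActiveDirectory module installed:
# Get-ADUser -Filter * -Properties Department, Office, employeeType |
#     Get-UserReport | Export-Csv .\UserReport.csv -NoTypeInformation
```

The filtering lives in the process block so the function streams: it never has to hold the whole directory in memory before it starts discarding disabled accounts, which matters once Get-ADUser is returning tens of thousands of objects.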

Keep an eye on Microsoft’s direction, and stay up to date on those technologies. These efforts will make sure you’re in the best place to advance your IT admin career internally or with another company.

Light workload awaits admins on November Patch Tuesday

Microsoft released updates to close 53 vulnerabilities on November Patch Tuesday. But, of the 14 vulnerabilities that affect Windows Server, none have a critical rating.

All the Windows Server-related vulnerabilities are listed as important, and, per Microsoft’s advice with patching, admins should address them as soon as possible.

CVE-2017-11847 is an elevation of privilege vulnerability in the Windows kernel that affects Windows Server 2008 and later. An attacker who successfully exploits it can run code with elevated rights and take a range of actions on the server, from deleting data to creating accounts with full user rights.

This vulnerability requires the attacker to first log on to the system, but Microsoft's Exploitability Index gives it a rating of "Exploitation More Likely," which should spur admins to take action without delay.

“You’d need to have someone who has access to the machines, but that’s how a lot of these guys operate these days,” said Gill Langston, director of product management at Qualys Inc., based in Redwood City, Calif. “They’re in the network for a while and they work their way from machine to machine. In that case, they could get on to that server, they could elevate and then get further access to get more information off the machines.”

Several vulnerabilities involve information disclosure in the Windows kernel: CVE-2017-11842, CVE-2017-11849, CVE-2017-11851 and CVE-2017-11853. On their own, these leak the contents of kernel memory, which helps an attacker further compromise the system; combined with a privilege escalation flaw such as CVE-2017-11847, they let an attacker take over a server and then work to stay undetected for a significant length of time while stealing information from the organization.

“The more systems they have access to, the more privilege they have, the more opportunity they have to get into the network and get more information about the network,” Langston said. “This definitely wouldn’t be one of those crimes of opportunity where they enter remotely and grab some data. It would be a long game.”
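A check that follows from this advice: find the servers that have not taken any update since Patch Tuesday. This is an added example, not code from the original article. It uses Get-HotFix, which reads the updates recorded in Win32_QuickFixEngineering, so it is a quick triage tool rather than a substitute for your patch management system's compliance report. It assumes you have administrative rights and remote management access to the targets; the computer names are placeholders.

```powershell
# Added example (not from the original article): report each server's most
# recently installed update and flag those older than the Patch Tuesday date.
function Get-UnpatchedServers {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [datetime] $PatchTuesday = [datetime]'2017-11-14'   # November 2017 Patch Tuesday
    )
    foreach ($server in $ComputerName) {
        try {
            $latest = Get-HotFix -ComputerName $server -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |            # some entries carry no date
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
        } catch {
            # Unreachable hosts are reported rather than silently skipped,
            # since a server you cannot query is also one you cannot patch.
            [pscustomobject]@{ Server = $server; LastUpdate = $null; LastKB = $null
                               Status = "Unreachable: $($_.Exception.Message)" }
            continue
        }
        $status = if (-not $latest) { 'No updates recorded' }
                  elseif ($latest.InstalledOn -lt $PatchTuesday) { 'Behind Patch Tuesday' }
                  else { 'Current' }
        [pscustomobject]@{
            Server     = $server
            LastUpdate = if ($latest) { $latest.InstalledOn } else { $null }
            LastKB     = if ($latest) { $latest.HotFixID } else { $null }
            Status     = $status
        }
    }
}

# Usage (placeholder names); pipe to Where-Object Status -ne 'Current' for a worklist.
Get-UnpatchedServers -ComputerName 'SRV01', 'SRV02' | Format-Table -AutoSize

# To cover every Windows Server in the domain (RSAT ActiveDirectory module):
# Get-UnpatchedServers -ComputerName (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name
```

The date comparison is deliberately coarse: a server whose newest update predates Patch Tuesday has definitely not installed this month's fixes, while one with a newer date still needs the specific KB confirmed against Microsoft's Security Update Guide.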

Semi-Annual Channel release requires adjustments

Microsoft added Windows Server to a Semi-Annual Channel this fall, beginning with Windows Server version 1709. The company plans to release a new edition of Windows Server every six months that targets the needs of businesses that churn out rapid application updates in DevOps environments.

In Windows Server version 1709, Nano Server is available only as a container base image, and it has no servicing stack. Admins don't patch a running Nano Server in place; they pull the latest Nano Server base image, rebuild their container images on it and redeploy the containers.

“In the Linux world with containers, you always rebuilt the image with the new packages. I’m not sure on the Windows side if that’s completely figured out,” Langston said.

As with any new technology, users and vendors will need time to develop those habits.

“It took some time on the Linux container side too,” Langston said. “To this day, we talk to people who struggle with their strategy about containerization.”

For more information about the remaining security bulletins for November Patch Tuesday, visit Microsoft’s Security Update Guide.

Dan Cagen is the associate site editor for SearchWindowsServer.com. Write to him at dcagen@techtarget.com.

How to build a bulletproof Hyper-V failover cluster

workload is to deploy a Hyper-V failover cluster.

Failover clusters ensure Hyper-V VMs continue to run when a problem knocks a host out of commission. But admins need to set up the cluster properly — paying special attention to the network configuration — to make sure the Hyper-V cluster and apps inside the VM will perform at an optimal level in production.

Get to know the Hyper-V cluster traffic types

To optimize Hyper-V failover cluster performance, admins must understand the Hyper-V traffic types and configure Hyper-V networking to suit them. A Hyper-V host carries several distinct kinds of traffic over its physical network adapters: cluster communication, live migration, VM traffic, storage, Hyper-V Replica and host management.

The cluster service checks the availability of every node by exchanging heartbeat packets over the cluster network. A node that fails to answer enough consecutive heartbeats is treated as down and removed from cluster membership, and its clustered VMs are restarted on the surviving nodes; how long that takes is governed by the cluster's SameSubnetDelay and SameSubnetThreshold properties.

Hyper-V's live migration feature moves a running VM to another node in the cluster with no downtime, for example to drain a host before maintenance. If a host fails outright, the cluster instead restarts the affected VMs on another node; that is a failover, not a live migration. By default, live migration uses the same physical network adapter as the other Hyper-V traffic types. If a Scale-Out File Server or iSCSI Target Server provides the storage, the Hyper-V host uses that same adapter to reach the SOFS cluster or iSCSI target, and Hyper-V Replica and management traffic share it as well.

While it’s possible to run all Hyper-V network traffic types through a single network adapter, this configuration might not be suitable for production environments. Some networking applications that run inside the VMs want a dedicated network queue to avoid communication delays. Multiple physical network adapters also help to live-migrate VMs as quickly as possible and avoid disruption. Some IT shops prefer a separate physical network adapter dedicated to management traffic.

To isolate Hyper-V network traffic, install the appropriate number of physical network adapters (or NIC teams) on each host and give each one an address on its own subnet; the cluster automatically creates one cluster network per subnet it discovers. Only the adapters that carry VM traffic need to be bound to a Hyper-V virtual switch. To complete the setup, use Failover Cluster Manager to tell the cluster which network carries which traffic.

For example, to isolate live migration traffic, open Failover Cluster Manager, right-click on Networks in the left navigation pane, click on Live Migration Settings and select a network adapter. In a similar fashion, admins can use Failover Cluster Manager to isolate cluster traffic. Go to Networks, right-click on a network and click on Properties. On the Properties page, select Allow cluster network communication on this network, and uncheck Allow clients to connect through this network. This dedicates a network for cluster-specific communications.

NIC teaming delivers resiliency

Microsoft introduced network interface card teaming in Windows Server 2012 to let admins group several physical NICs into one logical adapter, so that the loss of a single NIC, cable or switch port doesn't take the host off the network.

NIC teaming in Windows Server 2012 provides Hyper-V Port load balancing, which distributes VM network traffic by the virtual switch port (and therefore the MAC address) that each VM's virtual NIC uses. Hyper-V Port assigns VMs to team members in round-robin fashion; each VM's outbound traffic then leaves through the single adapter it was assigned, so no one VM can use more bandwidth than one physical NIC provides.

NIC teaming supports two modes: switch-dependent and switch-independent. Switch-dependent mode requires the physical switch to participate in the team (static teaming or LACP), so every member must connect to the same switch. Switch-independent mode needs nothing from the switch, so the members can connect to different physical switches for added resilience. For Hyper-V clusters on Windows Server 2012, the recommendation is switch-independent mode with Hyper-V Port load balancing; Windows Server 2012 R2 added the Dynamic load balancing algorithm, which Microsoft recommends in its place.

VMQ avoids unnecessary congestion

If the Hyper-V host has network adapters that support the Virtual Machine Queue (VMQ) feature, admins should enable it.

VMQ gives each virtual network adapter its own receive queue on the physical NIC. The NIC sorts incoming packets by destination MAC address into those queues and delivers them directly into the VM's memory, and the receive processing for the queues is spread across host CPU cores, instead of a single core in the management OS sorting every packet through the virtual switch. That removes a bottleneck under heavy VM network load.
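The PowerShell equivalent of the Failover Cluster Manager steps above, together with the NIC team and VMQ settings from the last two sections, as one script you would run on each node. This is an added example, not code from the original article. The adapter names (NIC1, NIC2), the team and switch names, the cluster network names and the 10.10.x.0/24 subnets are assumptions; substitute your own.

```powershell
# Added example (not from the original article). Assumes the Hyper-V,
# NetLbfo and FailoverClusters modules are present (Windows Server 2012+),
# that NIC1/NIC2 will carry VM traffic, and that the cluster, live migration
# and storage adapters already have addresses on 10.10.1.0/24, 10.10.2.0/24
# and 10.10.3.0/24 respectively. All names and subnets are placeholders.

# 1. Team the VM-facing adapters: switch-independent so the physical switches
#    need no LACP configuration, Hyper-V Port so each VM's vNIC is pinned to
#    one team member.
New-NetLbfoTeam -Name 'VMTeam' -TeamMembers 'NIC1', 'NIC2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false

# 2. External virtual switch on the team. Keeping the management OS off it
#    leaves host management traffic on its own dedicated adapter.
New-VMSwitch -Name 'VMSwitch' -NetAdapterName 'VMTeam' -AllowManagementOS $false

# 3. Enable VMQ on the team members (no effect on NICs that lack the feature).
Enable-NetAdapterVmq -Name 'NIC1', 'NIC2'

# 4. Name the cluster networks from their subnets and assign roles:
#    0 = not used by the cluster, 1 = cluster communication only,
#    3 = cluster and client. The iSCSI/SOFS network gets role 0 so heartbeats
#    never compete with storage I/O.
$clusterNet = Get-ClusterNetwork | Where-Object Address -eq '10.10.1.0'
$liveMigNet = Get-ClusterNetwork | Where-Object Address -eq '10.10.2.0'
$storageNet = Get-ClusterNetwork | Where-Object Address -eq '10.10.3.0'
$clusterNet.Name = 'Cluster';       $clusterNet.Role = 1
$liveMigNet.Name = 'LiveMigration'; $liveMigNet.Role = 1
$storageNet.Name = 'Storage';       $storageNet.Role = 0

# 5. Restrict live migration to the LiveMigration network. The cluster stores
#    the Live Migration Settings choice as a list of excluded network IDs on
#    the Virtual Machine resource type, so exclude every other network.
$excluded = (Get-ClusterNetwork | Where-Object Name -ne 'LiveMigration').ID -join ';'
Get-ClusterResourceType -Name 'Virtual Machine' |
    Set-ClusterParameter -Name MigrationExcludeNetworks -Value $excluded

# 6. Verify the result and the heartbeat tuning that governs node eviction.
Get-ClusterNetwork | Format-Table Name, Address, Role -AutoSize
Get-ClusterResourceType -Name 'Virtual Machine' | Get-ClusterParameter MigrationExcludeNetworks
Get-Cluster | Format-List SameSubnetDelay, SameSubnetThreshold
```

Run step 4 onward once per cluster rather than per node, since cluster network roles are cluster-wide; steps 1 to 3 are per host. Giving the storage network role 0 is the part most often missed in the GUI, and leaving it at the default of 3 means heartbeat and client traffic can be routed across the iSCSI links.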

High availability through a Hyper-V failover cluster offers some level of assurance to the business, but admins should learn about the available settings and options to keep applications in VMs in the cluster operating at the expected level.

Understand Azure VM boot diagnostics

There are several tools you can use to troubleshoot and get to the root cause of VM issues on on-premises Hyper-V hosts. When it comes to troubleshooting issues for VMs deployed in a cloud environment, such as the Microsoft Azure public cloud, you need to rely on the troubleshooting mechanisms the cloud vendor provides. For example, you can't watch the boot output of an Azure VM the way you can on a local host, so if an Azure VM fails to boot you have no direct view of what is going wrong during the boot process. Similarly, you might want a screenshot to see the current state of the Azure VM.

Microsoft's VM boot diagnostics feature addresses both needs: it captures the console output the VM writes while booting, and it takes screenshots of the VM's current display, storing both in a storage account you choose. Both features are available for Windows and Linux Azure VMs.

By default, Azure VM boot diagnostics isn’t enabled for VMs. There are two ways to enable the VM boot diagnostics extension: Azure Portal and PowerShell. You might want to use the PowerShell method if you need to enable the diagnostics extension for multiple VMs.

Enable boot diagnostics for Azure VMs using Azure Portal

To enable boot diagnostics in the Azure Portal when creating a new Azure VM, follow the steps below:

  1. When creating the VM, choose the Azure Resource Manager deployment model. The Azure classic deployment model doesn't offer VM boot diagnostics; the feature is available only for VMs deployed with Resource Manager.
  2. After entering the VM's basic settings, enable Diagnostics in the Monitoring section.
     [Screenshot: Enable VM boot diagnostics for a new Azure VM.]
  3. Once Diagnostics is enabled, Azure captures boot logging data and screenshots to the storage account you selected.

Enable boot diagnostics for Azure VMs using PowerShell

Microsoft also provides PowerShell support for managing Azure resources, including enabling VM boot diagnostics. To enable or disable boot diagnostics, use the Set-AzureRmVMBootDiagnostics cmdlet. Two details matter here: enabling requires a storage account to hold the logs and screenshots, and the cmdlet only changes the VM object in your session, so the change reaches Azure only when you follow it with Update-AzureRmVM. (These are AzureRM module cmdlets; the newer Az module renames them to Set-AzVMBootDiagnostic, Update-AzVM and Get-AzVMBootDiagnosticsData.) Execute the PowerShell commands below to enable VM boot diagnostics for one VM:

$ThisVM = Get-AzureRmVM -ResourceGroupName "ResourceGroup1" -Name "SQLVM"

# Set-AzureRmVMBootDiagnostics edits the local copy of the VM; Update-AzureRmVM applies it
Set-AzureRmVMBootDiagnostics -VM $ThisVM -Enable -ResourceGroupName "ResourceGroup1" -StorageAccountName "StorageAccountName"
Update-AzureRmVM -ResourceGroupName "ResourceGroup1" -VM $ThisVM

If you need to enable diagnostics for all Azure VMs in the subscription, here is a PowerShell script that can help:

$TheseVMs = Get-AzureRmVM   # with no parameters, returns every VM in the current subscription

ForEach ($ThisVMNow in $TheseVMs)
{
    # Each VM is updated in its own resource group; the diagnostics storage account is named once here
    Set-AzureRmVMBootDiagnostics -VM $ThisVMNow -Enable -ResourceGroupName $ThisVMNow.ResourceGroupName -StorageAccountName "StorageAccountName"
    Update-AzureRmVM -ResourceGroupName $ThisVMNow.ResourceGroupName -VM $ThisVMNow
}

Check and download boot diagnostics data for Azure VMs

Once boot diagnostics is enabled, Azure captures boot logs and screenshots. From the Azure Portal, navigate to the VM whose console output you want to see, click on All Settings, and then click on Boot Diagnostics. This shows the VM's latest screenshot and its current console output, and from here you can download the log file to your local machine.

To download diagnostics log files to your local machine using PowerShell, execute the Get-AzureRMVMBootDiagnosticsData PowerShell cmdlet as shown below:

Get-AzureRmVMBootDiagnosticsData -ResourceGroupName "RSGroup1" -Name "SQLVM" -Windows -LocalPath "C:\VMBootData\SQLVM"

Note that when using the PowerShell cmdlet to download diagnostics log files, you need to specify the type of VM you’re running the command against. If the target Azure VM is running Linux, you need to specify -Linux, and if it’s a Windows VM, you need to specify -Windows.

There are a few other things you need to know about the VM boot diagnostics feature. For example, VM boot diagnostics is only available to Azure VMs deployed in Resource Manager. In other words, the Azure classic model doesn’t support the VM boot diagnostics extension. Also, it might take up to 10 minutes before screenshots are available for viewing.
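The OS-type switch is easy to get wrong when you are pulling diagnostics for a mixed fleet, so here is the download step written to pick -Windows or -Linux from the VM's own OS disk type and to skip VMs that never had boot diagnostics enabled. This is an added example, not code from the original article. It assumes the AzureRM module is loaded and you have already signed in with Login-AzureRmAccount; the resource group name and local path are placeholders.

```powershell
# Added example (not from the original article): download boot diagnostics
# for every VM in a resource group into one folder per VM, choosing the
# Windows/Linux switch from the VM's OS disk type. Assumes AzureRM is loaded
# and the session is signed in; 'ResourceGroup1' and C:\VMBootData are placeholders.
function Save-BootDiagnostics {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [string] $LocalPath = 'C:\VMBootData'
    )
    foreach ($vm in Get-AzureRmVM -ResourceGroupName $ResourceGroupName) {
        # Nothing to fetch for a VM whose diagnostics profile is off or absent.
        $diag = $vm.DiagnosticsProfile.BootDiagnostics
        if (-not $diag -or -not $diag.Enabled) {
            Write-Warning "$($vm.Name): boot diagnostics not enabled, skipping"
            continue
        }

        $target = Join-Path $LocalPath $vm.Name
        New-Item -ItemType Directory -Path $target -Force | Out-Null

        # Get-AzureRmVMBootDiagnosticsData requires exactly one of -Windows / -Linux;
        # derive it from the OS disk instead of asking the caller.
        $params = @{
            ResourceGroupName = $ResourceGroupName
            Name              = $vm.Name
            LocalPath         = $target
        }
        $osType = $vm.StorageProfile.OsDisk.OsType
        if ($osType -eq 'Linux') { $params.Linux = $true } else { $params.Windows = $true }

        Get-AzureRmVMBootDiagnosticsData @params

        [pscustomobject]@{ VM = $vm.Name; OS = $osType; SavedTo = $target }
    }
}

Save-BootDiagnostics -ResourceGroupName 'ResourceGroup1' | Format-Table -AutoSize
```

Because the function returns one object per VM it handled, it can be piped into Export-Csv to record which machines were captured, and the warnings identify the VMs that still need boot diagnostics switched on with the Set-AzureRmVMBootDiagnostics and Update-AzureRmVM sequence shown earlier.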

Next Steps

Use Azure to set up performance load tests

Better manage your Azure costs

Take advantage of Azure Container Service