Tag Archives: Get

How to start using Ansible for Windows management

Get started
Bring yourself up to speed with our introductory content.

Ansible is a configuration management offering that runs on Linux but controls Windows systems with PowerShell. Find out how to get the tool running in your data center.


As more enterprises mix Linux and Windows machines into the IT stack, it makes sense to find a tool that manages both platforms.

There are several tools designed for this purpose, but Ansible is making great strides to establish itself as the leader in this space. Ansible manages Linux and Windows systems. It has PowerShell support, so Windows admins can use their scripts once they learn Ansible’s management structure. The Ansible stack needs to run on Red Hat, Debian, CentOS, macOS or a similarly architected OS server or virtual machine.

Ansible doesn’t use the typical server/client architecture of other remote management tools, so the setup work might be foreign to some administrators. Ansible manages Windows systems via PowerShell remoting or Windows Remote Management (WinRM).

It only takes a few steps to set up the control machine, configure a Windows Server, execute individual commands on the configured machine and use custom scripts on Ansible for Windows management. Being able to copy and run your current PowerShell scripts is a quick way to get started with the Ansible console before learning how to dive deep into the Ansible playbook management approach.

Set up the control machine

To configure the Ansible control machine to manage hosts, enable PowerShell remoting on the host and give the appropriate credentials to Ansible for Windows administration, usually with a Secure Shell (SSH) key.

Make sure the Ansible control machine runs on a valid version of Python with an updated version of pip, then run the following command to install the pywinrm module:

$ pip install "pywinrm>=0.2.2"


Use the following code to add the Windows machine you want to control to the /etc/ansible/hosts file so Ansible registers the Windows machine:

[groupname]
192.168.1.1

Next, add the following configuration to Ansible in the /etc/ansible/group_vars/groupname.yaml file for basic authentication:

ansible_user: 'YourHostsUsername'
ansible_password: 'YourHostsPassword'
ansible_connection: 'winrm'
ansible_winrm_transport: basic
ansible_port: '5986'
ansible_winrm_server_cert_validation: ignore
validate_certs: false
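As an added example (not from the original article or from the Ansible project), this script reads a group_vars fragment like the one above and flags the settings that weaken the WinRM connection, with a constructed hardened variant beside it for comparison. The key names are real Ansible connection variables; the account name and the vault variable name are assumptions.

```python
"""Audit an Ansible WinRM group_vars file for weak connection settings.

Added example, not from the original article or from the Ansible
project. The parser handles only the flat ``key: value`` lines used in
the tutorial; it is not a YAML implementation.
"""

# Constructed copy of the tutorial's basic-authentication group_vars.
WEAK_GROUP_VARS = """\
ansible_user: 'YourHostsUsername'
ansible_password: 'YourHostsPassword'
ansible_connection: 'winrm'
ansible_winrm_transport: basic
ansible_port: '5986'
ansible_winrm_server_cert_validation: ignore
validate_certs: false
"""

# Constructed hardened variant (assumed account and vault variable names):
# Kerberos transport, certificate validation left at its default, and the
# password pulled from an Ansible Vault variable instead of stored in clear.
HARDENED_GROUP_VARS = """\
ansible_user: 'svc-ansible@CORP.EXAMPLE.COM'
ansible_password: "{{ vault_ansible_password }}"
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_port: 5986
ansible_winrm_server_cert_validation: validate
"""


def parse_flat_yaml(text: str) -> dict:
    """Return a dict of the top-level scalar keys in a flat YAML fragment."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        result[key.strip()] = value.strip().strip("'\"")
    return result


def audit_winrm_vars(text: str) -> list:
    """Return finding codes for a WinRM group_vars fragment.

    cert_validation_ignored  the server's TLS certificate is not checked,
                             so the session can be intercepted
    basic_transport          credentials travel Base64-encoded; acceptable
                             only over HTTPS with a validated certificate
    http_port                port 5985 is the plain-HTTP listener
    plaintext_password       password stored unencrypted in the file
    """
    v = parse_flat_yaml(text)
    findings = []
    if v.get("ansible_connection", "").lower() != "winrm":
        return findings                          # not a WinRM group
    if v.get("ansible_winrm_server_cert_validation", "validate").lower() == "ignore":
        findings.append("cert_validation_ignored")
    if v.get("ansible_winrm_transport", "").lower() == "basic":
        findings.append("basic_transport")
    if v.get("ansible_port") == "5985":
        findings.append("http_port")
    password = v.get("ansible_password")
    if password and not (password.startswith("!vault") or password.startswith("{{")):
        findings.append("plaintext_password")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_GROUP_VARS), ("hardened", HARDENED_GROUP_VARS)):
        print(f"{label}: {audit_winrm_vars(text) or 'no findings'}")
```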

Set up the host

Be sure the Windows machine you want to manage is on a supported version of Windows — version 7 or later for desktops and 2008 or later for Windows Server — and PowerShell 3.0 or later.

Next, enable PSRemoting with this command:

Enable-PSRemoting -force

Then, set up the WinRM service — required to use PowerShell remoting — to start automatically.

Set-Service WinRM -StartupType Automatic

On the local machine, confirm you’ve started the WinRM service with the following cmdlet:

Test-WSMan

From a remote computer, add the -ComputerName parameter:

Test-WSMan -ComputerName "server123"

Video: A primer on Windows management via Linux

Next, set up a WinRM listener with the PowerShell script below from Ansible. It sets up HTTP and HTTPS listeners and configures basic authentication on the host. It might require some adjustments to use in a production environment.

$url="https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
$file="$env:temp\ConfigureRemotingForAnsible.ps1"

(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

powershell.exe -ExecutionPolicy ByPass -File $file

For this tutorial, we use basic authentication, which you enable with the following command:

Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true

Lastly, complete the host configuration for Ansible by creating the WinRM listener.

winrm quickconfig

This Ansible for Windows tutorial is tailored for managing an individual server. To deploy this configuration on many machines, create a group policy and deploy that to the Windows servers. The group policy should set the WinRM service to start automatically, run the configuration script and configure the WinRM listeners.

How to work with Ansible for Windows machine management

After finalizing the configuration from the Ansible server to the remote managed machine, you can run tasks remotely from the Ansible server.

First, test connectivity with a ping from the Ansible host.

$ ansible groupname -m win_ping

192.168.1.158 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

To run ad hoc commands on Windows from Ansible, you can easily create one-liners by calling the win_shell module. A simple example is stopping a service remotely for a group of machines from the Ansible console:

$ ansible groupname -m win_shell -a "Get-Service -Name servicename | Stop-Service"

You also have access to the win_command module to run executables remotely.

$ ansible groupname -m win_command -a whoami.exe

How to run an Ansible for Windows script

Another example of Ansible management of remote Windows servers is to copy a local PowerShell script to the remote managed machine.

$ ansible groupname -m win_copy -a "src=/path/to/script.ps1 dest=C:\temp\script.ps1"

You can then run the script with the win_command module.

$ ansible groupname -m win_command -a "powershell.exe -ExecutionPolicy ByPass -File C:\temp\script.ps1"

Ansible opens the door to advanced management capabilities

Ansible is worth learning due to its cross-platform capabilities that scale to manage a large number of devices. Once you’ve learned the basics, you can perform more in-depth tasks, such as using PowerShell Desired State Configuration with Ansible and working with custom modules.


Watch WE Day Aug. 17 at 8/7c on ABC

Get ready to be inspired and to inspire your students to do good.

Invite your friends and families to join me and millions of Americans on August 17 to watch WE Day on ABC, a celebration of the transformative power of young people.

Microsoft is proud to support WE’s mission to empower youth to create a positive impact at home and around the world through service-learning. A supporter of the organization since 2013, we continue to help WE by equipping them with Microsoft technology that lets them bring the benefits of their programs to schools, families and youth around the world.

I am particularly excited about our work with WE to inspire students to make our world more inclusive through the WE Are One Campaign. Today, thousands of youth are learning, creating and ideating on ways they can leverage technology to make their classrooms and communities more accessible and inclusive for all.

The WE Day Special features a great example of the WE Are One Campaign at work.

Johnny (featured above) is a glowing example of a student using technology for good. He built a social networking app for people with disabilities and their families, motivated and informed by his brother, Christian.

I invite our passionate education community to take part in the free WE Schools program, including the WE Are One Campaign. Through service learning, students learn to take action on the issues that matter to them, while learning critical academic and life skills along the way.

The WE Day Special on ABC will inspire action through the stories of everyday Americans making extraordinary impact in their communities. And you can catch host John Stamos, alongside Selena Gomez, Jennifer Aniston, The Chainsmokers, Dierks Bentley, and WE co-founders Craig and Marc Kielburger on the WE Day stage as they celebrate youth and families committed to changing the world!

Join the WE Movement: Watch the WE Day Special August 17 at 8/7c on ABC @WEmovement #WEAreOne

Set up Office 365 alerts to keep threats at bay


Office 365 offers administrators integrated tools to warn the IT staff about potential attacks or breaches of conduct. Find out what the options are and how to configure them.


Whether organizations run Exchange on premises or in Office 365, administrators have a responsibility to act quickly when problems arise.

The sooner an admin knows about unusual activity, the faster they can react to avoid a service outage or repel an attack. Some examples include a rogue admin granting temporary access without permission, a user attempting to download a large amount of intellectual property or a server issue delaying mail flow.

For on-premises Exchange, alerting involves installing third-party monitoring software on your servers that analyzes logs and issues warnings when it detects potential problems. On its cloud collaboration platform, Microsoft offers more options with Office 365 alerts via built-in functionality and Enterprise Mobility + Security, or administrators can use a third-party tool.

Options for Office 365 alerts

If you have Office 365 Enterprise E5 licensing — or have added the licensing for Advanced Compliance features — then you have access to Advanced Data Governance. Another option is to use a third-party tool that hooks into Office 365 and provides similar, and in some cases better, functionality.


Advanced Data Governance offers a variety of features, such as automatic labeling of data, advanced retention and advanced eDiscovery, and automatic alerts from within Office 365’s Security and Compliance Center.

If you have Enterprise Mobility + Security Enterprise E5 licensing, then you have access to the advanced features within Microsoft Cloud App Security, which can also be purchased separately. This offering spots the use of shadow IT tools and also provides advanced proactive alerts and automatic actions for Office 365, to name just a few features.

Organizations with basic Office 365 licensing can use third-party products such as Radar Reporting, which utilizes API access to Office 365 to get up-to-date data from the service and provide alerts and insights.

Constructing Office 365 alerts

Admins can configure Office 365 alerts in the Security and Compliance Center from the Alerts panel. Figure 1 shows alert policies in the Dashboard section. Office 365 Enterprise E5 subscribers get default alerts that cover the basics, including privilege elevation, malware campaigns and unusual file activity.

Figure 1. Dashboard, under the Alerts panel in the Security and Compliance Center, shows statistics about the Office 365 alerts.

To create Office 365 alerts, choose Alert Policies, and then select New Alert Policy.

A New Alert Policy dialog will appear. Select the Severity of the alert and the Category. Available categories include data loss prevention, threat management, data governance, permissions and mail flow.

The second page of the dialog shows the Activity picker. The list of activities that trigger an alert is extensive, covering common user activities, file and folder activities, data sharing, client synchronization, and administration activities.

After selecting the activity, configure the trigger threshold. Figure 2 shows the condition for a trigger if users download a significant number of files.

Figure 2. Create a new alert policy to check if a user downloads a large number of files in an hour.

Office 365 alert policies for data downloads use a time window of the last hour or longer. For this article, we’ve configured a policy that will issue an alert if a user downloads more than 1,000 files in 60 minutes. Beyond the policies you set manually, Office 365 can also send warnings if it detects activity it deems unusual.

After setting the Office 365 alerts, emails will arrive at the nominated accounts when policies trigger. Figure 3 shows an example of an alert sent to an administrator when permissions changed for an Exchange Online mailbox.

Figure 3. A warning from a permissions alert policy sent to an administrator.

Clicking Investigate offers more detailed information about the alert in the Security and Compliance Center. Office 365 alerts can be marked as Resolved or you can choose View Activity List to see the executed commands and notify the affected users.


How a bastion forest limits exposure of admin privileges


A Windows Server 2016 feature called a bastion forest is the centerpiece of Microsoft’s privileged access management model that limits the exposure of admin rights.


Administrative accounts are necessary for IT workers, but they also pose a significant risk to an organization if they fall into the wrong hands. One way to tighten security is to deploy a bastion forest.

When it comes to IT security, the bastion concept is not new. A bastion host, for example, is a hardened server that proxies requests to a back-end resource. It protects the back-end servers from various threats by removing direct access. A bastion forest works in a similar fashion by shielding a sensitive resource, namely Active Directory administrative accounts.

Moderating privileged credentials access

Bastion forests are a part of a layered privileged access management (PAM) architecture. The overarching idea behind PAM is to give IT workers narrow administrative privileges with a limited life span.

Video: How to tighten controls on privileged access

Administrative activities typically require one or more very specific privileges. Creating an Active Directory user account does not require the same permissions as other administrative tasks, such as managing a group policy setting.

Also, IT workers do not require administrative privileges at all times. If an administrator has no management tasks to perform, then PAM can restrict the privileged access.

How bastion forests restrict admin access

Bastion forests, which debuted in Windows Server 2016, are a key component in the PAM architecture. A bastion forest isolates privileged accounts from the rest of the Active Directory through a one-way trust to make it much more difficult for an attacker to compromise privileged accounts.

A bastion forest is different from a trusted forest that contains privileged accounts because an administrator does not log into a privileged account to manage Active Directory resources in the usual way. Instead, PAM only issues the permissions required for a specific administrative task for a limited time.


In a PAM configuration, when administrators need to create an Active Directory user account, they must request privileged access in one of three ways: through a REST endpoint, via the New-PAMRequest cmdlet or through the Microsoft Identity Manager Web Service API. After it has been approved, the privileged account receives the requested permission through a foreign principal group in the bastion forest.

The interesting aspect of this security setup is that the administrator’s account derives its privileges from a group membership in the bastion forest. The account does not hold any native elevated privileges in the organization’s primary forest.

Also, when adding an administrative account to the privileged group in the bastion forest, the group membership eventually expires. The time limit is set by specifying a time-to-live value in the PowerShell Set-ADObject cmdlet.


Authenticating email in Exchange for brand protection


With help from the combined use of the SPF, DKIM and DMARC technologies, Exchange administrators can curb email spoofing to protect users and the company brand.


It only takes one user clicking on a phishing email to disrupt a company — and to damage its reputation. But administrators can utilize technologies for authenticating emails in Exchange to stop these malicious attacks.

An enterprise that wants to prevent a security breach can implement Exchange email authentication protocols in tandem with the platform’s encryption features to protect the company’s reputation.

Email brand protection keeps malicious actors from using your company name for some disreputable scheme. Brand abuse occurs on a regular basis. Let’s look at some examples.

  • Have you ever received an email from your credit card company, but the language or wording wasn’t quite right? You might look closely at the sender address and notice it didn’t come from your credit card company.
  • Has your CEO ever received an email requesting money from what looks like your accounting department? Again, the language or format of the message probably made it very clear this wasn’t an internal message, but the fact that some external party sent it and your CEO received it is a problem.
  • Has a user clicked a link in an email that took them to a website where they filled in personal information only to find out the site was fake?

These are only a few examples of how a person outside of your organization can send an email that abuses your company brand. To thwart these attempts, your technical teams can employ technologies for authenticating email — specifically SPF, DKIM and DMARC.

Get started with SPF

We’re not talking about the sun protection found in sunscreen; SPF stands for Sender Policy Framework. SPF is a domain name system (DNS) TXT record entry that can be added to your external DNS. SPF is a great step toward brand protection because it can detect address spoofing.


Your SPF TXT record should include an entry for your organization and the IP address and DNS name of any third party allowed to send email with your domain name. If your SPF TXT record is accurate, then this is one step toward allowing legitimate email to flow and blocking the messages that could harm your brand.

However, there are some limitations with SPF TXT records in Exchange. You can only have up to 10 DNS-based entries, so it’s helpful to see what other brand protection options are available, as SPF records will reach their limit quickly.

How DKIM signatures stop spoofing

DomainKeys Identified Mail (DKIM) signatures place a domain-based signature in the message header that identifies the message as internal to prevent email spoofing attempts. A DKIM signature offers additional brand protection with the proper setup.

Video: How to set up DMARC in Office 365

To set up DKIM for authenticating email, your technical team needs to enable DKIM signatures in the external email gateway. From there, the system generates a DKIM signature that you should set up in your external DNS. This setup in both areas proves that the DKIM signature in your message header belongs to your organization.

Third-party companies that you allow to send email as your organization can also use DKIM signatures. The company just needs to generate a DKIM signature for the messages that they will send under your domain, then your administrators need to add it to the external DNS. Not all third-party cloud providers offer this, so be sure to ask about it.

Last, but not least, we have DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is the key ingredient that enables SPF and DKIM to work at their highest level.

When a DMARC external DNS record is in place, it gives the organization a way to report on and understand the level of brand abuse. This reporting shows both valid messages and the brand abuse messages that would not be visible otherwise.

With DMARC enabled, you get the flexibility to use either DKIM or SPF, meaning if a message passes SPF or DKIM, then it will pass. With the limitations of SPF records, the ability to use DKIM instead is a great option.
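The SPF lookup limit mentioned earlier and the DMARC rule that a message passes when SPF or DKIM passes, as an added example that is not from the original article: the code counts the DNS-querying terms of an SPF record against the limit of 10 and computes a DMARC verdict, including the identifier-alignment requirement (the passing SPF or DKIM domain must match the From: domain) that the summary above leaves implicit. All records and domains are constructed, and no DNS queries are made.

```python
"""SPF DNS-lookup budget check and DMARC pass/fail evaluation.

Added example, not from the original article. Records are constructed
and no DNS queries are made; ``include:`` targets are not expanded, so
the count is a lower bound for the record as a whole.
"""
import re

# Constructed records for a hypothetical domain.
SPF_OK = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
SPF_TOO_MANY = "v=spf1 " + " ".join(f"include:svc{i}.example.net" for i in range(11)) + " -all"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# SPF terms that each cost one DNS lookup against the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def spf_lookup_count(record: str) -> int:
    """Count the DNS-querying terms in one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    count = 0
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and keep only the mechanism name.
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count


def spf_over_limit(record: str) -> bool:
    """True when the record alone already exceeds the 10-lookup budget (permerror)."""
    return spf_lookup_count(record) > SPF_LOOKUP_LIMIT


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs with alignment defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("aspf", "r")    # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplified organisational domain (last two labels); production code
    # should use the Public Suffix List.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode matches the organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action).

    DMARC passes when SPF passes for a domain aligned with the From: header
    or a DKIM signature verifies for an aligned d= domain; otherwise the
    receiver applies the p= policy (none, quarantine or reject).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


if __name__ == "__main__":
    print("lookups:", spf_lookup_count(SPF_OK), spf_lookup_count(SPF_TOO_MANY))
    # Third party passes SPF for its own domain but is not aligned: DMARC fails.
    print(dmarc_evaluate(DMARC_REJECT, "example.com", "pass", "bulk-sender.net", "fail", ""))
    # Same sender, but DKIM-signed with d=example.com: DMARC passes.
    print(dmarc_evaluate(DMARC_REJECT, "example.com", "pass", "bulk-sender.net", "pass", "example.com"))
```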

Be aware of potential issues with authenticating email measures

The combined use of SPF, DKIM and DMARC offers the highest level of brand protection.

Authenticating email can lead to some harmful side effects, so be sure to test your setup. You can configure DMARC and SPF for detection only to determine any issues that might occur when they are fully implemented. I strongly encourage you to use a third-party reporting tool to clarify why certain messages are stopped if you use SPF and DMARC.

A good tool can help you add valid messages to your SPF record and DKIM signatures prior to enforcing DMARC. Take a measured testing approach to prevent business user impact.


Azure file shares service lifts admin storage concerns


Admins who have tired of managing traditional file shares can see if the Azure Files service works as a substitute for traditional data center storage.


Azure file shares have come a long way from an Azure-only storage resource to a full-featured file server in the cloud for multiple operating systems.

Azure Files creates server message block (SMB) shares on the Azure platform. This frees administrators from managing the underlying infrastructure providing those Azure file shares — updating Windows Server versions, patching the operating system, purchasing and maintaining the hardware, and handling most of the disk storage needs.

Admins who have heard of Azure Files might not consider it because its original purpose was to provide platform-as-a-service file sharing for other Azure resources or line of business applications within Azure virtual machines. In the latest release, however, Microsoft expanded Azure Files to support connections from outside Azure data centers.

To use Azure Files, administrators need only configure the SMB shares in the Azure portal and then access a Universal Naming Convention (UNC) path over the internet. Microsoft handles the rest of the file server administration.

Organizations pay a monthly storage fee for the service, which is currently 6 to 10 cents per gigabyte, and a small charge for various operations, such as file reads and directory listings.


Azure Files works on Windows 8.1, Windows 10, Windows Server 2012 R2, Windows Server 2016, macOS and Linux systems. Older versions of the Windows desktop client and Windows Server cannot connect to the SMB 3.0 file shares.

Creating the Azure file shares

Making a share in Azure is as easy as making an SMB share in Windows Server.

  1. Sign into the Azure portal.
  2. Use an existing storage account or create a new one, then access it.
  3. Click on the + File Share button.
  4. Give the file share a name and a quota — the maximum space available is 5 TB or 5,120 GB.

Mount the Azure file shares

Administrators can mount the Azure file shares, which are stored as blobs in Azure, on Windows, Linux or Mac systems and on virtual machines in the cloud or on premises.

Figure: Use the Azure portal to create a new file share in the Azure Files service.

The first step is to give Windows your Azure account credentials. This is most easily done using the cmdkey command-line utility. You’ll need your Azure storage account name, your domain name and the storage account key that the Azure portal generates when you first create a file share. The key will end in two equal signs (==). Run the following command with that information:

cmdkey /add:<storage-account-name>.file.core.windows.net /user:AZURE\<storage-account-name> /pass:<storage-account-key>

Video: Construct a cloud file share with the Azure Files service.

This will store your Azure credentials so that connections to the Azure file share can persist between machine reboots and user sessions. Next, mount the share in one of two ways:

  • Using File Explorer or Windows Explorer, select Map Network Drive and copy the UNC path shown in the Azure portal. Select a local drive letter to associate with the UNC path similar to how you map a network drive on your local file server.
  • Using the command prompt and the net use command, execute the following:

net use <drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> /user:Azure\<storage-account-name> <storage-account-key>

How to set up a Linux machine

For Linux machines, make sure the cifs-utils package is installed. Then, create a directory under your mount point.

mkdir /mnt/MyAzureFileShare

Then, mount the service.

sudo mount -t cifs //<storage-account-name>.file.core.windows.net/<share-name> /mnt/MyAzureFileShare -o vers=3.0,username=<storage-account-name>,password=<storage-account-key>,dir_mode=0777,file_mode=0777,serverino

Or create a permanent mount.

sudo bash -c 'echo "//<storage-account-name>.file.core.windows.net/<share-name> /mnt/MyAzureFileShare cifs nofail,vers=3.0,username=<storage-account-name>,password=<storage-account-key>,dir_mode=0777,file_mode=0777,serverino" >> /etc/fstab'

Adding Azure file shares to a Mac system

For macOS machines, disable SMB packet signing because Azure encrypts the connection end to end. Packet signing also hurts performance.

sudo -s
echo "[default]" >> /etc/nsmb.conf
echo "signing_required=no" >> /etc/nsmb.conf
exit

While you’re in the terminal, mount the share with this command:

mount_smbfs //<storage-account-name>@<storage-account-name>.file.core.windows.net/<share-name> <mount-point>

Then, enter your storage account key as your password and you’re finished.

Azure File Sync keeps shared data in order

To ensure Azure Files runs smoothly, Microsoft developed Azure File Sync to turn local file servers into caches of the master data repository in the Azure file share service. The file sync service handles changes to Azure that happen on your local files and vice versa.

Any applications that might have compatibility or performance issues can use the local file server, while the main repository is centralized in the Azure service. Based on the needs of your organization, you might have a cache/local file server in each branch office or one per country or continent.


How to build a Packer image for Azure


Packer is an open source tool that automates the Windows Server image building process to give administrators a consistent approach to create new VMs.


For admins who prefer to roll their own Windows Server image, despite the best of intentions, issues can arise from these handcrafted builds.

To maintain some consistency — and avoid unnecessary help desk tickets — image management tools such as Packer can help construct golden images tailored for different needs. The Packer image tool automates the building process and helps admins manage Windows Server images. Packer offers a way to script the image construction process to produce builds through automation for multiple platforms at the same time. Admins can use code repositories to store validated Packer image configurations that admins across different locations can share to ensure stability across builds.

Build a Packer image for Azure

To demonstrate how Packer works, we’ll use it to build a Windows Server image. To start, download and install Packer for the operating system of choice. Packer offers an installation guide on its website.

Next, we need to figure out where to create the image. A Packer feature called builders creates images for various services, such as Azure, AWS, Docker, VMware and more. This tutorial will explain how to build a Windows Server image to run in Azure.

To construct an image for Azure, we have to meet a few prerequisites. You need:

  • a service principal for Packer to authenticate to Azure;
  • a storage account to hold the image;
  • the resource group name for the storage account;
  • the Azure subscription ID;
  • the tenant ID for your Azure Active Directory; and
  • a storage container in which to place the VHD image.

Validate the Windows Server build instructions

Next, it’s time to set up the image template. Every Packer image requires a JSON file called a template that tells Packer how to build the image and where to put it. An example of a template that builds an Azure image is in the code below. Save it with the filename WindowsServer.Azure.json.

{
  "variables": {
      "client_id": "",
      "client_secret": "",
      "object_id": ""
  },
  "builders": [{
    "type": "azure-arm",

    "client_id": "{{user `client_id`}}",
    "object_id": "{{user `object_id`}}",
    "client_secret": "{{user `client_secret`}}",
    "resource_group_name": "labtesting",
    "storage_account": "adblabtesting",
    "subscription_id": "d660a51f-031d-4b8f-827d-3f811feda5fc",
    "tenant_id": "bb504844-07db-4019-b1c4-7243dfc97121",

    "capture_container_name": "vhds",
    "capture_name_prefix": "packer",

    "os_type": "Windows",
    "image_publisher": "MicrosoftWindowsServer",
    "image_offer": "WindowsServer",
    "image_sku": "2016-Datacenter",
    "location": "East US",
    "vm_size": "Standard_D2S_v3"
  }]
}

Validate the template's schema with the packer validate command before you start. We don't want sensitive information in the template, so we declare the client_id and client_secret variables with empty defaults and pass their values at runtime.

packer validate -var 'client_id=value' -var 'client_secret=value' WindowsServer.Azure.json

How to correct Packer build issues

After the command confirms the template is good, we build the image with nearly the same syntax as the validation command. For the purposes of this article, we will use placeholders for the client_id, client_secret and object_id references.

> packer build -var 'client_id=XXXX' -var 'client_secret=XXXX' -var 'object_id=XXXX' WindowsServer.Azure.json

When you run the build the first time, you may run into a few errors if the setup is not complete. Here are the errors that came up when I ran my build:

  • "Build 'azure-arm' errored: The storage account is located in eastus, but the build will take place in West US. The locations must be identical"
  • "Build 'azure-arm' errored: storage.AccountsClient#ListKeys: Failure responding to request: StatusCode=404 – Original Error: autorest/azure: Service returned an error. Status=404 Code="ResourceGroupNotFound" Message="Resource group 'adblabtesting' could not be found.""
  • "==> azure-arm: ERROR: -> VMSizeDoesntSupportPremiumStorage : Requested operation cannot be performed because storage account type 'Premium_LRS' is not supported for VM size 'Standard_A2'."

[Embedded video: Using Packer to build an image from another VM.]

The error messages are straightforward and not difficult to fix.
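An offline preflight that checks a template for the conditions behind the three errors above (storage account in a different region from the build, resource group that does not exist, VM size without premium storage support) and for the secret-handling concern from the validate step (a client_secret baked into the template instead of passed with -var). This is an added example and is neither the article's code nor part of Packer. The Azure metadata is a constructed dict standing in for what the portal or CLI would report, the subscription and tenant IDs in the sample template are placeholders, and the premium-storage rule is a naming heuristic rather than an Azure API lookup.

```python
"""Offline preflight for a Packer azure-arm template.

Added example, not from the article or the Packer project. Azure metadata is
a constructed stand-in; nothing is fetched from Azure.
"""
import json
import re

# {{user `name`}} is resolved from -var at run time; anything else stored in a
# secret-bearing key is a literal sitting in the template file.
_USER_VAR_RE = re.compile(r"^\{\{\s*user\s+`[^`]+`\s*\}\}$")
SECRET_KEYS = ("client_secret",)

# Sample template mirroring the article's layout; the IDs are placeholders.
EXAMPLE_TEMPLATE = """{
  "variables": {"client_id": "", "client_secret": "", "object_id": ""},
  "builders": [{
    "type": "azure-arm",
    "client_id": "{{user `client_id`}}", "object_id": "{{user `object_id`}}",
    "client_secret": "{{user `client_secret`}}",
    "resource_group_name": "labtesting", "storage_account": "adblabtesting",
    "subscription_id": "00000000-0000-0000-0000-000000000000",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "capture_container_name": "vhds", "capture_name_prefix": "packer",
    "os_type": "Windows", "image_publisher": "MicrosoftWindowsServer",
    "image_offer": "WindowsServer", "image_sku": "2016-Datacenter",
    "location": "East US", "vm_size": "Standard_D2S_v3"
  }]
}"""

# Constructed stand-in for the subscription's resource groups and storage accounts.
EXAMPLE_AZURE = {
    "resource_groups": {"labtesting"},
    "storage_accounts": {
        "adblabtesting": {"resource_group": "labtesting", "location": "eastus", "sku": "Standard_LRS"},
        "adblabpremium": {"resource_group": "labtesting", "location": "eastus", "sku": "Premium_LRS"},
    },
}


def load_template(text):
    return json.loads(text)


def is_user_var(value):
    return isinstance(value, str) and bool(_USER_VAR_RE.match(value))


def normalize_location(location):
    # "East US" and "eastus" name the same region.
    return location.replace(" ", "").lower()


def supports_premium_storage(vm_size):
    # Naming heuristic: sizes whose size token contains an "s" (Standard_D2S_v3,
    # Standard_DS2_v2, Standard_B2s) support premium storage; Standard_A2 does not.
    parts = vm_size.split("_")
    return len(parts) >= 2 and parts[0] == "Standard" and "s" in parts[1].lower()


def preflight(template, azure):
    """Return a list of findings; an empty list means the build may proceed."""
    findings = []
    for key in SECRET_KEYS:
        if template.get("variables", {}).get(key):
            findings.append(f"variables.{key} has a non-empty default; supply it with -var instead")
    for builder in template.get("builders", []):
        if builder.get("type") != "azure-arm":
            continue
        for key in SECRET_KEYS:
            if key in builder and not is_user_var(builder[key]):
                findings.append(f"{key} is a literal in the builder; use {{{{user `{key}`}}}}")
        rg = builder.get("resource_group_name")
        if rg not in azure["resource_groups"]:
            findings.append(f"ResourceGroupNotFound: resource group '{rg}' could not be found")
        sa_name = builder.get("storage_account")
        sa = azure["storage_accounts"].get(sa_name)
        if sa is None:
            findings.append(f"storage account '{sa_name}' could not be found")
            continue
        if sa["resource_group"] != rg:
            findings.append(f"storage account '{sa_name}' is in resource group '{sa['resource_group']}', not '{rg}'")
        build_loc = builder.get("location", "")
        if normalize_location(sa["location"]) != normalize_location(build_loc):
            findings.append(f"storage account is in {sa['location']} but the build will take place in {build_loc}")
        vm_size = builder.get("vm_size", "")
        if sa["sku"].startswith("Premium") and not supports_premium_storage(vm_size):
            findings.append(f"VMSizeDoesntSupportPremiumStorage: '{sa['sku']}' is not supported for VM size '{vm_size}'")
    return findings


def broken_template():
    """The sample template with the mistakes behind the article's errors."""
    tpl = load_template(EXAMPLE_TEMPLATE)
    b = tpl["builders"][0]
    b["client_secret"] = "hunter2-literal-secret"  # constructed: secret baked into the template
    b["resource_group_name"] = "adblabtesting"     # storage account name used as the RG
    b["storage_account"] = "adblabpremium"
    b["location"] = "West US"                      # storage account lives in eastus
    b["vm_size"] = "Standard_A2"                   # no premium storage support
    return tpl


if __name__ == "__main__":
    print(preflight(load_template(EXAMPLE_TEMPLATE), EXAMPLE_AZURE))  # []
    for finding in preflight(broken_template(), EXAMPLE_AZURE):
        print("-", finding)
```

Run it against the real WindowsServer.Azure.json by loading the file with load_template and filling the azure dict from whatever inventory you trust; the checks are deliberately the same ones Packer's own error messages describe, just caught before a VM is provisioned.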

However, the following error message is more serious:

==> azure-arm: ERROR: -> Forbidden : Access denied
==> azure-arm:
==> azure-arm:  …failed to get certificate URL, retry(0)

This indicates the wrong object_id was used. Find the correct one in the Azure subscription's role assignments.

After adding the right object_id, you will find a VHD image in Azure.
