Azure Service Healing

I often get asked what happens if an Azure service or resource crashes.
I’m also sometimes asked how Azure keep Virtual Machines running 100%.

Well lets start with the second question. They Don’t! Azure is an extremely reliable platform but is still based on industry standard physical servers, power, networking… And sometimes a failure may occur that can cause a VM to reboot or go offline. Having said that uptime is of course extremely high, some services being higher than others. You can find official SLA listings here.

Now regarding what happens if a service does fail. Well Azure has a an Auto-Recovery feature called service healing. Auto-Recovery is available across all Virtual Machine sizes in all regions.
Azure has multiple ways to preform health checks on your resources. Every VM deployed in the form if Web and Worker role has an agent injected in to it that run a health check every 15 seconds, a web farm behind a load balancer will also have health checks performed by the load balancer itself. If a predefined number of consecutive health check fail or a signal from the load balancer causes a role to become unhealthy then a recovery action will be initiated which is to restart the role instance.

Another test preformed is the health of the virtual machine itself within which the role instance is running. The virtual machine is hosted on a physical server running inside an Azure datacenter. The physical server runs another agent called the Host Agent. The Host Agent monitors the health of the virtual machine by pinging the guest agent every 15 seconds. It is quite plausible that a virtual machine is under stress from its workload, which could be its CPU is at 100% utilization, because a machine may be under heavy load Azure will wait 10 minutes before preforming a recovery action. The recovery action in this case is to recycle the virtual machine with a clean OS disk in the case of a Web & Worker Role and in the case of Azure Virtual Machine we perform a reboot preserving the disk state intact.

Apart from this Azure take as many measures as possible to predict failure in advance this includes extensive monitoring of all hardware in the Datacenter including CPU, Disk IO etc.

Azure Cool Blob Storage

Azure’s new cool blob is now GA. But what is cool blob?

Well cool blob is a new blob storage feature for data that is accessed infrequently. In other words it’s good for backups, archives, scientific data etc.

The price of a cool blob is extremely low, between 1 to 1.6 cents per GB per month depending on region.

Cool blobs come with a 99% SLA compared with the 99.9% SLA offered on it’s hot tier. Azure cool blobs API is 100% compatible with existing blob storage offerings.

The Service is only available using the new modern ARM deployment, so if for some reason you need to use classic deployment then you cant take advantage of the new service. Also the service is offered as a block blob for unstructured data, so it can’t be used to store IAAS VHD’s, this makes sense as VHD’s need random read and write operations.

You can read more on the new offering at the Azure Blog over here

How To Manage Scheduler in new Azure AD Connect

As I mentioned last week the new version of Azure AD Connect has been released and now includes a built in scheduler. This means that it no longer relies on the Windows Task Scheduler to run synchronization jobs. While this is defiantly an improvement it does mean that you can no longer use the Windows task scheduler to manually run a job. That is now all down to PowerShell, so after tinkering around a bit I decided to list some of the most required commands for running jobs.

Fist of all after initial installation there is a Check box to start the initial sync after installation. If you do not check this box the sync will never run until a correct command is issued.Start Sync

To check if Sync is enabled or not we need to run the following command Get-ADSyncScheduler

Check Sync

In my case you can see that SyncCycleEnabled is set to true. However if it set to false then the client is not performing any syncs.
To enable the Sync cycle you will need to issue the following command Set-ADSyncScheduler -SyncCycleEnabled $True
The sync will be run automatically once every 30 minutes.

To manually kick off a sync cycle we will need to issue one of the following commands.

Start-ADSyncSyncCycle -PolicyType Delta

A delta sync cycle will:

  • Delta import on all connectors
  • Delta sync on all connectors
  • Export on all connectors

This is the command that you will usally use to run a manuall sync.

You could also run a full cycle by issuing the following command
Start-ADSyncSyncCycle -PolicyType Initial

An initial sync cycle will

  • Full import on all connectors
  • Full sync on all connectors
  • Export on all connectors

You mainly want to issue this command if you have made one of the following changes:

  • Added more objects or attributes to be imported from a source directory
  • Made changes to the Synchronization rules
  • Changed filtering so a different number of objects should be included

If for some reason you need to stop the Sync Scheduler then you can issue the following command Stop-ADSyncSyncCycle

So now that you know the commands you can go ahead and update to the latest version of Azure AD Connect.





New Azure AD Connect

The new version of Azure AD connect has been released.

So what’s new?

  • Automatic upgrade feature for Express settings customers.
    Support for the global admin using MFA and PIM in the installation wizard.
  • user’s sign-in can be changed after initial install.
  • We can now set Domain and OU filtering in the installation wizard.
  • We get a Scheduler is built-in to the sync engine.

Also Device Writeback and Directory extensions are now fully available (previously these were preview only).

You can download the new version of Azure AD Connect here.

Azure V2 is now the default portal

For those who have worked with Azure already you’ve probably seen the link for the preview portal?

Well the preview portal is now more or less out of preview. I say more or less as some services such as Azure AD will still redirect you back to the classic portal.

However most services such as Virtual Machines, Networking, SQL… can now be fully managed through the new portal.

The new portal isn’t just a portal it’s partly a new Azure and is being referred to as Azure V2.

There a re many functionality changes the main being that we now cluster recourses into a resource group (AKA – ARM – Azure Resource Manager) to allow for lifecycle management of shared resources.
This in a way replaces the former Cloud Service.

Also Networking is rebuilt from the ground up, objects such as load balancers and nics which provide a lot of flexibility in how you design your resources.
Allowing us to separately manage traffic rules per ARM, VM, nic or load balancer.

Unfortunately current VM’s and resources created in Cloud Service are still managed through the classic portal. Only newly created VM’s created in the new portal (or Powershell) and odcourse deployed to ARM can be managed from the New portal.

My understanding is that Microsoft is working on a migration path to the New model.

Let’s hope they make this available to us soon.

Connecting Windows 10 to Azure AD

Las year Microsoft released Azure AD. Now at first I wasn’t sure what the value of this product really was. As time has gone by we’ve learnt that apart from being the foundation for office 365 user management Azure AD can be used for allowing SSO between cloud services including non Microsoft services such as Salesforce, Dropbox, Box and way more.

But with Windows 10 comes the big change. I’ve been running the preview version of windows 10 for the better part of 3 months now and I must say that I am thoroughly enjoying both the OS and the Azure AD connection. Connecting your Windows 10 to Azure AD allow for SSO with all supported platforms. This of course includes office 365 (Web based SSO requires using Microsoft Edge as your browser), CRM Online and any other service that you have connected to Azure AD such as Salesforce, Dropbox and so forth. You can also extend capabilities to GPO, Anti Virus management, Software Deployment and more by using an MDM solution such as Microsoft Intune.

So how do we connect are Windows 10 device to Azure AD?
Well the easiest way is to simply login to the device using your company (Azure AD) credentials. If your device is already setup and using a different set of credentials don’t panic, you can still connect your device to Azure AD. Simply open up Settings and head over to System and click Join Azure AD. You will be prompted for credentials and your computer will be joined to the Azure AD. Connecting your device to Azure AD will also automatically set up the built in Mail & Calendar apps to connect to your office 365 account.

Azure AD Join

Now what would I like to see coming?

I believe that the possibility of syncing local AD GPO’s to Azure AD would be a great improvement. And of course managing the GPO through Azure AD and not an MDM product would also vastly improve the products usability.

Either way this is still a great value addition, especially for companies with remote workforce who have PC’s that are not connected the Local Domain and also a great solution for temp workers who just require Mail and SSO capabilities with company products.

Azure AD Connect Now Available

If you remember I blogged a few months ago that Microsoft would be releasing Azure AD Connect, the final replacement for Dirsync.

Well, the product is now out of review and has been released. Along with the release of Azure AD connect Microsoft also released Connect Health.

Azure AD Connect Health is a cloud based service that helps administrators monitor and secure their cloud and on-premises identity infrastructure. In this first release, Azure AD Connect Health provides customers who use ADFS with detailed monitoring, reporting and alerts for their ADFS servers.

As I previously blogged Azure AD Connect replaces both Dirsync and Azure Active Directory Sync. If you our using either of the previous versions, you can perform a simple upgrade to the new Azure AD Connect.

Azure AD Connect has new features that allow you too:

  • Enable your users to perform self-service password reset in the cloud with write-back to on premises AD
  • Enable provisioning from the cloud with user write back to on premises AD
  • Enable write back of “Groups in Office 365” to on premises distribution groups in a forest with Exchange
  • Enable device write back so that your on-premises access control policies enforced by ADFS can recognize devices that registered with Azure AD. This includes the recently announced support for Azure AD Join in Windows 10.
  • Sync custom directory attributes to your Azure Active Directory tenant and consume it from your cloud applications

All this allows easy transition of your services to the cloud. and easy integration of remote work force into you organization.