Posts

Microsoft Azure Hub-Spoke Implementation.

So this is my first post about implementing a Hub-Spoke model in Azure IaaS. From my perspective this is the only way to implement a scalable infrastructure that is cost effective and won't lock you into complexity later on. So let's talk about a network implementation called Hub-Spoke. The goal of this model is to have your main generic services centralized and accessible in the Hub (its own dedicated environment with, of course, a dedicated HUB network). So what would we define as a generic service?
- NVAs (Network Virtual Appliances), for instance Barracuda NextGen or CloudGen firewalls
- WAFs (Web Application Firewalls)
- Active Directory Domain Controller(s)
- Remote Desktop Gateways
- SecOps appliances such as Nexpose or Qualys
- Management, Instrumentation and Discovery Services
- etc.
I'll continue now with describing a basic setup. The first basic step is to define your HUB's networking needs. I'd recom...

Azure: Powershell Workflows, speeding things up in azure! (and in AzureStack)

Here's a small snippet you can use in multiple ways to bulk create, modify, or otherwise act on resources through the Azure APIs in parallel. The example below is used to delete all the resource groups in my subscription (operation 'Green Field', ;) ). So let me give a little bit of context. When you're working in Azure you will notice that doing things the traditional way means working sequentially, due to the inner workings of the API. So instead of sending one job of 10 items, I send 10 times 1 item as separate posts to the Azure API. They will all be handled at once, saving me the time of waiting forever... But be warned, there is a limit to doing things simultaneously! So be smart about this, because if you lock up the API with bulk posts you could block other users due to the limit set by Microsoft.
#Login to Azure to get the profile context ready.
Login-AzureRmAccount
#Fixed path for writing the profile to.
$path = 'c:\temp\AzureRmContext.json'
...

Azure: MFA on Premise switch license model or instance without changing the installation!

If you have an existing Azure MFA configuration running and you don't want to pay the per-user cost twice, you need to change your on-premises configuration to match the new Azure SaaS MFA service. In my situation I started to work with "AAD" Premium, which automatically also introduced a new MFA provider. Now, since I don't want to pay the per-user fee twice, I decided to reconfigure my existing on-premises MFA configuration... First of all, it will look like you need to reinstall everything, but this isn't true. Follow the steps below to reconfigure your on-premises MFA to a new MFA ID.
1. Log in to Azure Active Directory (AAD) and go to the configuration tab in the classic portal (this feature isn't integrated yet in the preview AAD pane in ARM).
2. Open the link for the MFA Service Provider "Manage Service Settings".
3. In the new window, at the bottom of the page, click the link "Go to the Portal".
4. Meanwhile, log in to your MFA (serv...

Windows Nano: Nic teaming.

Since Microsoft is slowly building up to AzureStack they have released Nano Server, which in all likelihood will be the platform on which AzureStack will land. So, preparing for it, I started taking a look at what Nano has to offer and was pleasantly surprised. Since I already had a Hyper-V machine running, it was very nice to see that I could achieve the same thing with Nano that I did with a full-blown GUI/Core installation, with even less hassle and overhead. The following things are possible but need a different approach:
Nic Teaming --> This is done in Hyper-V itself now. Standard teaming isn't supported as in the GUI/Core version. (new-vmswitch -netadaptername nic1, nic2) (you can also add -enableembeddedteaming, but this isn't necessary as we passed an array to netadaptername)
Storage --> Storage Spaces is included
Clustering --> Yup, it's there.
System Center 2016? Yes, it's even possible to create a vhd with these specific packages in i...

Storage: Create Storage Space with Parity.

So you've got a bunch of disks and want to create a Storage Space with Parity and journaling? (In the case of SharePoint servers this can be very useful performance-wise and integrity-wise, be it for a SharePoint WFE or a Service Tier running Excel Services.) Here's the script I used.
$HDD = Get-PhysicalDisk -CanPool $true | where {$_.mediatype -eq "HDD"}
$SSD = Get-PhysicalDisk -CanPool $true | where {$_.mediatype -eq "SSD"}
New-StoragePool -FriendlyName 'Data01' -PhysicalDisks $HDD -ResiliencySettingNameDefault Parity -StorageSubSystemFriendlyName "Windows Storage on W2016-HOST02"
Add-PhysicalDisk -StoragePoolFriendlyName Data01 -PhysicalDisks $SSD -Usage Journal
New-VirtualDisk -FriendlyName "Parity with Journaled Data" `
    -StoragePoolFriendlyName "Data01" -NumberOfColumns 3 `
    -ProvisioningType Thin -ResiliencySettingName Parity -Size 2TB `
    | Initialize-Disk -PassThru -PartitionStyle GPT `
    | New-Part...

RDS: Remote Desktop Gateway with NPS and Cross domain identities.

This post is about configuring a Remote Desktop Gateway in Resource Domain A while consuming the identities from Identity Domain B.
Setup:
- NPS in Domain A
- RDG in Domain A
- MFA in Domain A
Requirements: a two-way trust with selective authentication (or domain-wide authentication if you have no security concerns). It won't be possible to authenticate users from Domain B in Domain A via the RDG until the RDG's computer account has been granted the "Allowed to Authenticate" permission on the domain controllers in Domain B. The simplest way to achieve this is to open the properties of the "Domain Controllers" OU in Active Directory Users and Computers for Domain B (RSAT tools) and go to the Security tab. (If you don't see the Security tab in Users and Computers, make sure you've enabled "Advanced Features" under the View menu.) Then, on the Security tab, click the Advanced button at the bottom. This will open the "Advanced Security Settings for Domain...

Azure: UDR for Gateway Subnet (Forced tunneling to appliance!)

Microsoft has silently released new network functionality (as of May 2016) for Azure Resource Manager. This new functionality allows you to force-tunnel traffic arriving from a Virtual Network Gateway (ExpressRoute, IPsec, vnet-to-vnet) to your appliance in the cloud. In previous scenarios we only had the possibility to tunnel traffic from VMs in a subnet to a subnet where an appliance resided, in a one-way scenario. You would then use technologies like an IPsec VPN on your appliance to tunnel your traffic to and from another datacenter and act as a network overlay to route your traffic according to your wishes. Now it's possible to force traffic coming from the virtual network gateway, be it from the IPsec VPN connection or the ExpressRoute connection, to your appliance in a different vNet (so you use the default gateway VPN/ExpressRoute functionality). You need to add a UDR (User Defined Route) in the "GatewaySubnet" in your vnet telling th...