Azure Stack Secret/Certificate Rotation

Whoa…! It has been a very long time since I wrote a blog post on my site; the last posts were from Ignite, and the 2018 edition is about to start. So it's time to end the blog silence 🙂

Azure Stack Certificates

Certificates all have their lifetimes, fortunately, otherwise they would miss their goal entirely, so it's inevitable that we have to rotate some certificates on Azure Stack. I had to rotate the public certificates recently: a public certificate on a multi-node Azure Stack POC environment, of the type multi-SAN wildcard certificate. Best practice is to have a separate wildcard certificate for the different roles of Azure Stack, but since this is a POC all names are in one certificate. A lot about the certificate requirements is described here.

In this blog I am not explaining how to create the CSR or request the certificate; this is just about testing and rotating the public certificate. More details about generating a CSR can be found here.

Prepare Certificate folder

Azure Stack expects a certain folder structure for all certificates and some properties on the .PFX file. The test tool will check for this. There is a PowerShell file on GitHub called CertDirectoryMaker.ps1 that you could use to create the folder structure. Then add your certificates to the right folders. In this case it was simple: 1 certificate in all the folders.


Ignite 2017 @ Orlando Day 3

The third day at Ignite was kind of hard to start up; they were long days and fun long nights, but 2 double espressos kind of pushed me out of my morning dip. Ready to start the day!

Azure High Performance Networking:

This session was initially not about new stuff. It was more about making things clearer about Azure networking. Near the end there was a lot of new stuff about ExpressRoute though!

Public and Microsoft Peering

Earlier I heard some noise from several people that the Office 365 peering, or Public Peering, was to be cancelled. But now we know that it's not cancelled but that the 2 peerings have merged. That makes things simpler, but also more complex, because one of the issues I hear customers talk about most is that they don't want to peer with all Azure or Office 365 services, and now there is no choice in those either. It's either none or all in! But Microsoft must have heard this complaint, because they came up with a new feature for ExpressRoute called Route Filters. With the filters you can choose which routes you want advertised, so that you use only the services you want over the ExpressRoute connection. Nicely done! 🙂

Finally monitoring on ExpressRoute!


Ignite 2017 @ Orlando Day 2

The second day of Ignite I started off with a session on:

Azure Stack servicing and updating.

Updates for Azure Stack consist of 2 packages, or actually 3, but the third is different and it is not really clear how that takes place, because it will be the OEM vendor package and all vendors can take care of that in their own way. So the first package is for the OS updates for all the VMs and hosts in the Azure Stack. The second package is about updating the resource providers in Azure Stack. The Azure Stack can be updated in a disconnected scenario as long as the bits are downloaded and uploaded to the blob storage through the Admin Portal.

Both are pretty big and not yet cumulative, meaning that you have to run all the updates to get to the latest and you can't skip an update. Updates will come every month and you are not supposed to fall behind more than 3 months, otherwise you will lose support and have to be current first.

Since the entire stack is locked, you cannot log in with RDP, go to Windows Update and click install updates. To take care of that, Azure Stack has an Update Resource Provider. The resource provider gives a wizard in a set of blades to provide a destination for the update packages and install the update or schedule it.


Windows Azure Pack Support

Since the announcements and public previews of Microsoft Azure Stack (MAS), everybody, including myself, is talking about and testing with MAS. But the reality is that a lot of companies have invested in Windows Azure Pack and were a little surprised that Microsoft announced before this summer that Windows Azure Pack on Windows Server 2012 R2 is supported until July 2017.

[Screenshot: azurepacksupport]

Several weeks ago Microsoft made another announcement that they will continue to invest in and support Windows Azure Pack (WAP) next to Azure Stack for 11 years! But to use the extended support you need to bring your Azure Pack environment to Windows Server 2016. The MAS release is aimed for the summer of 2017, so very likely there will be a gap between end of support of WAP on Server 2012 R2 and any publicly available MAS appliances from HP, Dell or Lenovo…

From several customers I received questions about the support statement and what needs to be updated. Turns out it's not that well documented and known. As you can see in the screenshot above, it states Windows Azure Pack (on Windows Server 2012 R2) and Windows Azure Pack (on Windows Server 2016). But as we all know, Windows Azure Pack is a solution based on lots of components from the Windows and the System Center family.

What to upgrade

As I said before, Windows Azure Pack leans on a lot of Windows features like an Active Directory domain, IIS and Hyper-V, but also on System Center components like VMM and SPF.


Azure Stack TP2 November refresh

Last week Microsoft published a new release of Microsoft Azure Stack TP2. This release included support for features like SQL RP, MySQL and Azure App Services, so a bunch of PaaS services.

First I thought yeah.. new features 🙂 !! But then I looked back and thought.. oh man, this is gonna cost me a lot of deployment time again, considering the previous issues I had, which you can read about on this blog.

After downloading, extracting, copying and processing (which you can read all about here) I executed my deployment last night (my hosts are in a different time zone, so my last night was not yet server night 🙂 ).

[Screenshot: azurestacktp2novemberdeploy]

This morning I checked my server to see what the deployment did and I was pleasantly surprised


Azure Stack TP2 Deployment Issue step 0.20

Last week I finally got my first Azure Stack TP2 deployment completed after weeks of errors, as I blogged before. After that I needed to redeploy several times and ran into different issues every time.

This time it stopped at step 0.20. After retrying the deployment with:


Invoke-EceAction -RolePath Cloud -ActionType Deployment -Start 0.20 -Verbose

It stopped at the same error. See below for the error message.

2016-11-08 20:45:06 Verbose  VMs to create: MAS-BGPNAT01
2016-11-08 20:45:06 Verbose  Updating management nodes for HyperConverged deployment.
2016-11-08 20:45:12 Verbose  Skipping deployment of the VM named 'MAS-BGPNAT01'. It is accessible via remote Powershell.
2016-11-08 20:45:12 Verbose  Waiting for the following VMs to be remotely accessible: MAS-BGPNAT01.
2016-11-08 20:45:13 Verbose  The VM 'MAS-BGPNAT01' has successfully started.
2016-11-08 20:45:15 Error    Task: Invocation of interface 'Deployment' of role 'Cloud\Fabric\VirtualMachines' failed:
Function 'Add-GuestVMs' in module 'Roles\VirtualMachine\VirtualMachine.psd1' raised an exception:
The WS-Management service cannot process the request because the XML is invalid.
at Wait-VMPSConnection, C:\CloudDeployment\Roles\VirtualMachine\VirtualMachine.psm1: line 1683
at Add-GuestVMs, C:\CloudDeployment\Roles\VirtualMachine\VirtualMachine.psm1: line 265
at <ScriptBlock>, <No file>: line 18
2016-11-08 20:45:15 Verbose  Step: Status of step '(NET) Deploy BGP VM' is 'Error'.
2016-11-08 20:45:15 Error    Action: Invocation of step 0.20 failed. Stopping invocation of action plan.
2016-11-08 20:45:15 Verbose  Action: Status of 'Deployment-Phase0-DeployBareMetalAndBGPAndNAT' is 'Error'.

The MAS-BGPNAT01 VM was accessible and I didn’t notice any errors related to the error above in the event logs. After a reboot of the MAS-BGPNAT01 VM I started the deployment from step 1, without the -start parameter:
