Can I restore my Active Directory in Windows Azure?

It seems like I get loads of questions about Windows Azure and the IaaS offering we’re running these days. The latest one is about how to get into DSRM (Directory Services Restore Mode). If you’ve been running AD for a while you remember the old F8 trick during boot, but in Windows Azure there’s only RDP access, so no pressing F8 there… Well, there’s a solution for everything, and our engineers thought of this too, long before Windows Azure.

One big prerequisite for this to work: you must have set your DSRM password to something you remember 😉 Keep in mind that the DSRM administrator is a local account with full access to the AD database on that DC, so its password deserves the same care as a Domain Admin password.

Two ways of doing this:

1) Sync with the domain administrator password: http://technet.microsoft.com/en-us/library/jj713556.aspx

2) Set it manually: http://technet.microsoft.com/en-us/library/cc754363.aspx#BKMK_examples

Once that’s done you just use bcdedit to make the next boot go into DSRM. Open up CMD and type:

1) bcdedit /set safeboot dsrepair
2) shutdown -r -t 0

Once it has rebooted you can log on to your server over RDP as “hostname\Administrator” (or “.\Administrator”) with your DSRM password. Domain accounts won’t work here, since the directory service isn’t running in DSRM.

When you’re done restoring your AD you’ll need to make sure it boots back to normal. Open up CMD and type:

bcdedit /deletevalue {current} safeboot

On the next boot it’ll boot into Windows normally and you’re hopefully all back to normal operations!
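To make the round trip scriptable, here is an added example in PowerShell (not from the original post) that wraps the steps above: optionally sync the DSRM password from a domain account with ntdsutil, set the safeboot flag and verify it actually landed in the boot entry before rebooting, and clear it again afterwards. Run it in an elevated session on the DC; the name of the sync account is an assumption of the example.

```powershell
# Added example, not part of the original post.
# Assumes an elevated PowerShell session on the domain controller.

function Sync-DsrmPassword {
    # Sync the DSRM password from an existing domain account (the TechNet jj713556 method).
    # The account is assumed to be a throwaway user created only for this purpose.
    param([Parameter(Mandatory)][string]$SyncAccount)
    & ntdsutil.exe "set dsrm password" "sync from domain account $SyncAccount" q q
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }
}

function Enter-DsrmOnNextBoot {
    # Flag the current boot entry for Directory Services Restore Mode and verify it took,
    # so you never reboot an Azure VM blind and end up in the wrong mode.
    & bcdedit.exe /set '{current}' safeboot dsrepair | Out-Null
    $entry = (& bcdedit.exe /enum '{current}') -join "`n"
    if ($entry -notmatch 'safeboot\s+dsrepair') { throw "safeboot dsrepair was not set on {current}" }
    Write-Host "Next boot is DSRM. Log on over RDP as .\Administrator with the DSRM password."
}

function Exit-Dsrm {
    # Remove the flag so the next boot is a normal domain controller boot, and verify.
    & bcdedit.exe /deletevalue '{current}' safeboot | Out-Null
    $entry = (& bcdedit.exe /enum '{current}') -join "`n"
    if ($entry -match 'safeboot') { throw "safeboot is still set on {current}" }
    Write-Host "Next boot is a normal boot."
}

# Usage (assumed account name 'dsrmsync'):
#   Sync-DsrmPassword -SyncAccount 'dsrmsync'   # once, if you did not set the password manually
#   Enter-DsrmOnNextBoot; Restart-Computer -Force
#   ... restore AD in DSRM, then:
#   Exit-Dsrm; Restart-Computer -Force
```

The verification after each bcdedit call is the point: bcdedit returns quietly on a typo in the value, and on a VM you only find out after the reboot.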

Making a linux VM running in Windows Azure auto-register in internal DNS.

Friday fun with other operating systems! Being a Windows guy with limited knowledge of Linux, these things always seem to burn a fuse. Well, I have a customer spawning Linux VMs in Windows Azure who wants them to automatically register their A records in DNS just like Windows does. It seems there’s no easy way to do this, but I’ve found a solution. Keep in mind that there might be an easier one, but for a Windows admin this at least works.

Prereqs for this to work:

  1. Your DNS zone must accept nonsecure updates.
  2. Your Linux machine must have its hostname configured so that it resolves to the FQDN.
  3. You must have a gateway to your internal network configured; that’s not covered in this article, so no need to look for it here. Look under “TV” for a guide on how to set that up.

Step 1: allow dynamic updates on the zone

Make sure your zone allows nonsecure updates. Start the DNS MMC, right-click your zone, select Properties and set Dynamic updates to “Nonsecure and secure”. Be aware of what this means: any host that can reach the DNS server can now add or overwrite records in that zone, with no authentication at all, so consider a dedicated zone for these Linux hosts rather than opening up your main AD zone.


Step 2: set the Linux hostname and register it

Edit /etc/hostname and add your unqualified hostname:

ns-ub01

Edit /etc/hosts:

sudo vi /etc/hosts

Add an entry for your hostname, where ns-ub01.labs.nullsession.com is the fully qualified name and ns-ub01 the short name (replace both with your own):

127.0.1.1 ns-ub01.labs.nullsession.com ns-ub01

Test your configuration by opening a terminal and entering the commands below:

hostname: this should output ns-ub01

hostname -f: this should output ns-ub01.labs.nullsession.com

You can also set it on the fly with hostname servername.fqdn, but that only lasts until the next reboot.

The script:

#!/bin/bash
# Register this host's A record on the AD DNS server via a (nonsecure) dynamic update.
# Change these two to your DNS server and zone:
DNSSERVER="dc01.labs.nullsession.com"
ZONE="labs.nullsession.com"

# Use the FQDN: nsupdate treats every name as absolute, so a bare "ns-ub01" would be
# sent as "ns-ub01." in the root and rejected by the server.
_HOST=$(hostname -f)
# Works with the classic net-tools ifconfig ("inet addr:10.0.0.4"); on newer releases the
# line reads "inet 10.0.0.4" and `hostname -I | awk '{ print $1 }'` is the simpler choice.
_IP=$(ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')

nsupdate <<EOF
server $DNSSERVER
zone $ZONE
update delete $_HOST A
update add $_HOST 86400 A $_IP
send
EOF

The easiest way is to schedule the script with cron so that it runs periodically; that also updates DNS if the IP changes. The script is only tested on Ubuntu, but should at least get you started on other distros as well.
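As an added example (not from the original post), here is the same registration written so that it refuses to send anything unless the hostname is actually inside the zone and the address is a well-formed IPv4 address. That check matters precisely because the zone accepts nonsecure updates: whatever the script sends is written straight into AD DNS, and a stray “addr:” prefix or an empty variable on a freshly built VM would otherwise become a broken record. The DNS server and zone names, hostname -I as the way to find the primary address, and the show/send arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the nsupdate batch for this host, validate it, then send it.
# Assumptions (change for your environment): the AD DNS server and the zone below.
DNSSERVER="dc01.labs.nullsession.com"
ZONE="labs.nullsession.com"

# valid_ipv4 ADDRESS: succeed only for a dotted quad with every octet <= 255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# in_zone FQDN ZONE: succeed if FQDN is a name below ZONE (the zone apex itself does not count).
in_zone() {
    z_name=${1%.}
    z_zone=${2%.}
    case "$z_name" in
        *".$z_zone") return 0 ;;
        *)           return 1 ;;
    esac
}

# build_update FQDN IP [TTL]: print the nsupdate batch on stdout, or fail and print nothing.
# Names get a trailing dot because nsupdate treats every name as absolute; an unqualified
# "ns-ub01" would be interpreted as "ns-ub01." in the root, not as a name in the zone.
build_update() {
    name=${1%.}
    ip=$2
    ttl=${3:-86400}
    in_zone "$name" "$ZONE" || { echo "refusing: $name is not inside $ZONE" >&2; return 1; }
    valid_ipv4 "$ip"        || { echo "refusing: '$ip' is not an IPv4 address" >&2; return 1; }
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$DNSSERVER" "$ZONE" "$name" "$name" "$ttl" "$ip"
}

# First address of this host; hostname -I is assumed to be available (it is on Ubuntu).
primary_ipv4() {
    hostname -I 2>/dev/null | awk '{ print $1 }'
}

# "show" prints what would be sent, "send" pipes it into nsupdate (e.g. from cron).
case "${1:-}" in
    show) build_update "$(hostname -f)" "$(primary_ipv4)" ;;
    send) build_update "$(hostname -f)" "$(primary_ipv4)" | nsupdate ;;
esac
```

Run it as “register-dns.sh show” once by hand to see the exact batch before you put “register-dns.sh send” in cron; the show mode is also the quickest way to spot a hostname that hasn’t been qualified yet.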

SWE – New and updated videos

I have updated and shortened the video for episode 1, how to create a gateway. I have also recorded a new one showing how to install a domain controller in Windows Azure and what to keep in mind… If you make it through one or both of them, feedback is very welcome! You’ll find the episodes under “TV”.

Have a nice weekend!

PDT user creator in, hold it… PowerShell!

Well, I’ve read about it. I’ve tried some. I’ve never written one myself. But it finally happened! Using the PDT (PowerShell Deployment Toolkit) I’ve come to realise that creating the users and groups in my lab environment takes some time. And what better occasion to go PowerShell than when it’s time to write a new script; don’t want to be seen doing old VBScripts 🙂

If you haven’t tested PDT yet, go do it instantly! It’s written by Rob Willis from Microsoft, and it has saved me at least 200 hours already. Check it out at http://blogs.technet.com/b/privatecloud/archive/2013/02/08/deployment-introducing-powershell-deployment-toolkit.aspx

Copy / save as PDTUserCreator.ps1


# Script creates users, OUs and groups for PDT
# Created by Joachim Nässlander, Microsoft
# joachim.nasslander@microsoft.com
#
# Script provided as-is

# Import module and check for write permissions by creating and removing a throwaway user.
# -ErrorAction Stop makes sure a failure is terminating, so the catch block actually runs.
Clear-Host
Import-Module ActiveDirectory
try {
    New-ADUser -Name TemporaryUser -SamAccountName TemporaryUser -ErrorAction Stop
    Remove-ADUser TemporaryUser -Confirm:$false -ErrorAction Stop
}
catch {
    Write-Host "No write permissions in Active Directory"
    Exit
}

# Create arrays, passwords, get the domain and so on
$PDTusers = "!installer","!vmm","!or","!ac","!om_saa","!om_das","!om_dra","!om_dwa","!sm_s","!sm_w","!sm_r","!sm_a","!sql","!jd"
$PDTUserPassword = "P@ssw0rd"   # lab only: every account below gets this same well-known password
$SecurePDTUserPassword = $PDTUserPassword | ConvertTo-SecureString -AsPlainText -Force
$PDTOUs = "Services","Servers","Groups","Users"
$PDTGroups = "AC Admins","OM Admins","CM Admins","SM Admins","Orchestrator Admins","VMM Admins","DPM Admins","SQL Admins"
$Domain = Get-ADDomain
$DistName = $Domain.DistinguishedName
$DNSRoot = $Domain.DNSRoot

# Check / create OUs (dsquery prints the DN if the object exists and nothing otherwise)
if (-not (dsquery ou domainroot -name HQ)) {
    New-ADOrganizationalUnit -Name "HQ" -Path $DistName -ErrorAction SilentlyContinue
}
foreach ($ou in $PDTOUs) {
    if (-not (dsquery ou domainroot -name $ou)) {
        New-ADOrganizationalUnit -Name $ou -Path "OU=HQ,$DistName" -ErrorAction SilentlyContinue
    }
}

# Check / create groups
foreach ($group in $PDTGroups) {
    if (-not (dsquery group -samid "$group")) {
        New-ADGroup -Name $group -GroupScope Global -Path "OU=Groups,OU=HQ,$DistName" -ErrorAction SilentlyContinue
    }
}

# Check / create users
foreach ($user in $PDTusers) {
    if (-not (dsquery user -samid $user)) {
        New-ADUser -Name $user -SamAccountName $user -ChangePasswordAtLogon $false -AccountPassword $SecurePDTUserPassword -Description "PDT created user" -Enabled $true -Path "OU=Users,OU=HQ,$DistName"
    }
}
Add-ADGroupMember -Identity "SQL Admins" -Members "!sql" -ErrorAction SilentlyContinue
Write-Host "PDT users, groups and OUs created"
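As an added example that is not part of the script above: the script gives all fourteen accounts the same well-known password, which is fine for a throwaway lab but not for anywhere a PDT-built System Center environment lives on. This variant gives each account its own random password from the CSPRNG and hands the results back as PSCredential objects saved with Export-Clixml, which protects the SecureStrings with DPAPI for the user and machine that ran it, so the file is no use to anyone who copies it elsewhere. The user list and OU path are taken from the script above; the output file path and the alphabet are assumptions of the example.

```powershell
# Added example, not part of the original PDTUserCreator.ps1.
Import-Module ActiveDirectory

function New-RandomPassword {
    # Draws bytes from the CSPRNG and maps each onto a 64-character alphabet, so
    # "byte % 64" is unbiased. Ambiguous characters (0, O, 1, l, I) are left out.
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
        # Retry until all four classes are present, so default AD complexity never rejects it.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[!@#$%^&]')
    return $pw
}

$Domain   = Get-ADDomain
$UserPath = "OU=Users,OU=HQ,$($Domain.DistinguishedName)"
$PDTusers = "!installer","!vmm","!or","!ac","!om_saa","!om_das","!om_dra","!om_dwa","!sm_s","!sm_w","!sm_r","!sm_a","!sql","!jd"

$creds = @()
foreach ($user in $PDTusers) {
    # Same skip-if-exists behaviour as the original script; only new accounts get a password here.
    if (Get-ADUser -Filter "SamAccountName -eq '$user'") { continue }
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name $user -SamAccountName $user -AccountPassword $secure -Enabled $true `
        -ChangePasswordAtLogon $false -Description "PDT created user" -Path $UserPath
    $creds += New-Object System.Management.Automation.PSCredential ("$($Domain.NetBIOSName)\$user", $secure)
}

# Export-Clixml serialises the SecureStrings DPAPI-encrypted for the current user on this machine.
$outFile = "$env:USERPROFILE\PDT-credentials.xml"   # assumed location
$creds | Export-Clixml -Path $outFile
Write-Host "$($creds.Count) accounts created; credentials saved to $outFile"

# To read one back later, in the same user context on the same machine:
#   $creds = Import-Clixml "$env:USERPROFILE\PDT-credentials.xml"
#   ($creds | Where-Object UserName -like '*\!sql').GetNetworkCredential().Password
```

The passwords never appear in the script or on the console; if you need them in the PDT variable file, pull them from the Clixml export on the deployment box rather than pasting a shared value into Variable.xml.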