jrd1989's questions

My clients domain has various 2012R2, 2016 and 2019 Windows Server versions. Two of the four domain controllers are running Windows 2012R2 and the ADMX files haven't been updated in years. The other two domain controllers are Windows 2019 and they have the FSMO roles assigned to them.

I hope to have all 2012 instances retired for good shortly, including the DC's. Since the ADMX files haven't been updated in years I am unable to apply certain GPO's to the 2016 and 2019 instances which will become a security issue shortly. Since my environment will consist of 2016 and 2019 servers, what is the best policy or method I should use for updating the ADMX files?

From what I've read most people suggest the Central PolicyDefinitions Store option but I wasn't sure if this is a good idea since I'm running multiple OS versions in my environment. Are there any other approaches to updating the ADMX files I should consider considering the make up of my environment?

If I don't use the Central Store option, would I need to download the ADMX files to the C:\Windows\PolicyDefinitions folder locally on each domain controller in order to apply the latest settings to GPO's, or would I have to download ADMX file to C:\Windows\PolicyDefinitions on all domain members/servers in order for servers to receive updated gpo settings?

I've never had to update ADMX files so any advice would be greatly appreciated, thanks!

I have Active Directory Certificate Services installed on a Windows 2016 domain controller. We plan on spinning up Windows 2019 instances to replace our 2016 domain controllers. We have one DC with ADCS services installed, specifically it has the certificate authority role and is set as an Enterprise CA (not stand-alone).

What is the best process for migrating the AD CS services to this new 2019 server and decommissioning the 2016 server hosting AD CS? According to this article it seems like a simple backup, add ADCS role/features and restore somr data but maybe I'm oversimplifying things - https://4sysops.com/archives/migrate-ad-certificate-services-to-a-new-server/.

My concern is what happens to the certificates we've already signed with the existing CA server and that are actively in use? Will they continue to function and/or stay valid if the CA is down, albeit temporarily? The name assigned to the CA is separate from the host name of the server currently hosting AD CS so the 2019 server having a different host name assigned shouldn't be an issue, correct?

If anybody has gone through this before or has some useful suggestions/tips I would greatly appreciate it!

A few servers are getting picked up by security scans with the following message:

The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority. | Subject : CN=serverabc.local | Issuer : CN=serverabc.local

The port referenced in the scan is port 3389 (RDP). The default RDP certs on each server (in the Remote Desktop cert store) are self-signed and still valid.

I think the issue comes down to the cert being self-signed and not being signed by a CA.

Would the following steps resolve this issue?

1. Create an internal Certificate Authority
2. Generate new CSR's for the vulnerable servers
3. Sign newly created CSR's with the mentioned CA
4. Replace current (existing) self-signed RDP certs in the Remote Desktop cert store with the CA signed certs on each vulnerable server

Is there any potential issue/problems with swapping out the existing cert with a CA signed cert?

I'd appreciate any help/guidance with resolving this, thanks.

I have limited knowledge of PowerShell but I'd like to calculate the total size (in GB) of each storage account, or each container in my storage accounts. I have multiple storage accounts and containers in multiple resource groups.

I'm having a hard time putting together a script that pulls all storage accounts and containers since I have more than one resource group. I found the script below that works fine but it requires entering the name of single storage account and resource group.

Ideally, I want to be able to select all storage accounts in my subscription and not be forced to enter individual storage account name and resource groups. I'd appreciate any help/suggestions with this, thanks!

# Connect to Azure
Connect-AzureRmAccount

# Static Values for Resource Group and Storage Account Names
$resourceGroup = "RGP-01"
$storageAccountName = "storagestg3"

# Get a reference to the storage account and the context
$storageAccount = Get-AzureRmStorageAccount `
-ResourceGroupName $resourceGroup `
-Name $storageAccountName
$ctx = $storageAccount.Context

# Get All Blob Containers
$AllContainers = Get-AzureStorageContainer -Context $ctx
$AllContainersCount = $AllContainers.Count
Write-Host "We found '$($AllContainersCount)' containers. Processing size for each one"

# Zero counters
$TotalLength = 0
$TotalContainers = 0

# Loop to go over each container and calculate size
Foreach ($Container in $AllContainers){
$TotalContainers = $TotalContainers + 1
Write-Host "Processing Container '$($TotalContainers)'/'$($AllContainersCount)'"
$listOfBLobs = Get-AzureStorageBlob -Container $Container.Name -Context $ctx

# zero out our total
$length = 0

# this loops through the list of blobs and retrieves the length for each blob and adds it to the total
$listOfBlobs | ForEach-Object {$length = $length + $_.Length}
$TotalLength = $TotalLength + $length
}
# end container loop

#Convert length to GB
$TotalLengthGB = $TotalLength /1024 /1024 /1024

# Result output
Write-Host "Total Length = " $TotallengthGB "GB"

I'm working in a Azure Gov tenant. I created an Azure Automation account so I could use it to scale down web apps on the weekend using a powershell runbook. I'm using the code below to authenticate the run as account but its failing with this error message: "Confidential Client is not supported in Cross Cloud request."

$ConnectionName = "AzureRunAsConnection"

try
{
    
    # Get the connection "AzureRunAsConnection "
    $ServicePrincipalConnection = Get-AutomationConnection -Name $ConnectionName         

    # Logging into Azure
    Add-AzureRmAccount `
                -ServicePrincipal `
                -TenantId $ServicePrincipalConnection.TenantId `
                -ApplicationId $ServicePrincipalConnection.ApplicationId `
                -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint
                -EnvironmentName "AzureUSGovernment"
              

    Write-Output "Successfully logged in to Azure." 
} 
catch
{
    if (!$ServicePrincipalConnection)
    {
        $ErrorMessage = "Connection $ConnectionName not found."
        throw $ErrorMessage
    } 
    else
    {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }

}

I tried using a different authentication command with newer powershell modules but I get the same error:

$connectionName = "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

$logonAttempt = 0
$logonResult = $False

while(!($connectionResult) -And ($logonAttempt -le 10))
{
    $LogonAttempt++
    #Logging in to Azure...
    $connectionResult = Connect-AzAccount `
                           -ServicePrincipal `
                           -Tenant $servicePrincipalConnection.TenantId `
                           -ApplicationId $servicePrincipalConnection.ApplicationId `
                           -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

    Start-Sleep -Seconds 30
}

Has anybody run this issue before and found a work around? I'm lost and would appreciate any help/assistance.

I want to restore a bacpac file over an existing Azure SQL database using PowerShell. Past with experience with restoring bacpac files in Azure requires creating a new database altogether when restoring the bacpac file. I'm looking to avoid that and just restore the bacpac file over an existing (empty) database.

Ideally, the bacpac would be stored in a storage account container and I can reference the container and run a powershell command to perform the restore over my existing database. In my search I haven't found anything that'll accomplish this. Has anybody figured this out or something similar to what I described?

Thanks,

Using an ARM Template I want to enable diagnostics settings for my Azure SQL Database and have that data stored in a Log Analytics workspace I created. I want to enable the errors, timeouts, blocks and wait statistics logs and the basic metric option. I was able to get this working with a web app so I took a similar approach but my template fails and throws errors saying the metrics or diagnostic categories I reference don't exist or not supported. Here's some of the resources section my template:

I'm not sure if additional settings need to be enabled or referenced in the template for this to work but I would appreciate any help, thanks!

          "resources": [
                {
                    "type": "databases",
                    "apiVersion": "2019-06-01-preview",
                    "name": "[parameters('sqlDatabase')]",
                    "location": "[parameters('location')]",
                    "tags": {},
                    "dependsOn": [
                        "[parameters('sqlServer')]"
                    ],
                    "sku": {
                        "name": "GP_Gen5_4",
                        "tier": "GeneralPurpose"
                    },
                    "properties": {
                        "startIpAddress": "0.0.0.0",
                        "endIpAddress": "0.0.0.0"
                    }
                },

                {
                    "type": "providers/diagnosticSettings",
                    "name": "[concat('Microsoft.Insights/', parameters('diagnostics-name'))]",
                    "dependsOn": [
                        "[resourceId('Microsoft.Sql/servers', parameters('sqlServer'))]",
                        "[resourceId('Microsoft.Sql/servers/databases', parameters('sqlServer'), parameters('sqlDatabase'))]"
                    ],

                    "apiVersion": "2017-05-01-preview",
                    "properties": {
                        "name": "[parameters('diagnostics-name')]",
                        "workspaceId": "[concat('subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('loganalytics-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspacename'))]",
                        "logs": [
                            {
                                "category": "Errors",
                                "enabled": "true",
                                "retentionPolicy": {
                                    "enabled": "true",
                                    "days": 7
                                }
                            },
                            {
                                "category": "DatabaseWaitStatistics",
                                "enabled": "true",
                                "retentionPolicy": {
                                    "enabled": "true",
                                    "days": 7
                                }
                            },
                            {
                                "category": "Timeouts",
                                "enabled": "true",
                                "retentionPolicy": {
                                    "enabled": "true",
                                    "days": 7
                                }
                            },
                            {
                                "category": "Blocks",
                                "enabled": "true",
                                "retentionPolicy": {
                                    "enabled": "true",
                                    "days": 7
                                }
                            }

                        ]
                    }
                }
            ]
        }
    ]
}

I successfully deployed an app service plan, web application and application insights resources using an ARM Template. The APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING app settings have been added to the configuration/app settings.

The issue im noticing is that when I select the 'application insights' option in the menu I'm presented with 'Turn on Application Insights'. I thought adding the app settings above would turn on app insights but apparently not. Is it possible to enable app insights in an ARM Template? I'd like app insights to be enabled by default once the arm template deploys.

I'm trying to use CloudFormation to deploy two Windows Server 2019 EC2 instances and also attach a new volume to each instance (two instances, two volumes total). I get the following error when I deploy:

Value of property Tags must be of type List

From my research, it sounds like the way I'm referencing the volumes I'm trying to create could be the issue but not sure.

Here's some of my template for reference:

Resources:
  rpt04:
    Type: 'AWS::EC2::Instance'
    Properties:
      AvailabilityZone: us-west-1
      InstanceType: t2.large
      ImageId: ami-0cc5ea3dde5301489
      Tags:
        - Key: "Name"
          Value: "RPT-04 (W2K16)"
      KeyName: Key_2020
      SecurityGroupIds: 
        - sg-f2bcJmn9
      SubnetId: subnet-19234d70 
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 100
            DeleteOnTermination: true
      Volumes:
        -
         Device: xvdb
         VolumeId: !Ref rpt04appvolume
    Metadata:
      'AWS::CloudFormation::Designer':
        id: 357656a6-846b-4674-b06a-22901916ff91

   rpt04appvolume:
    Type: 'AWS::EC2::Volume'
    Properties:
      AvailabilityZone: us-west-1
      Size: 100
      VolumeType: gp2
      Tags:
         Key: Name
         Value: RPT-04-APP
    Metadata:
      'AWS::CloudFormation::Designer':
        id: 3340c328-2324-42e5-bd11-b3c1d1f41a09

I'd appreciate any help/assistance on this. I'm new to CloudFormation and stuck on this one.

I have an instance of SCOM 2012 R2 running in a client environment. We are currently monitoring 2008 R2 and 2012 R2 servers with it. We had to migrate two of the 2012 servers to fresh instances of server 2016. The scom agent is running on both of these 2016 instances but nothing is returned in the monitoring - windows server state section about these new servers.

Is it possible to monitor servers running windows 2016 with SCOM 2012R2? I don't have a lot of experience using SCOM so this is all kind of new to me. I'd appreciate any help/assistance.

Thanks

Could somebody please explain the difference between build and release agents in the simplest of terms? This relates to Azure DevOps. I find info on build agents from Microsoft but I haven't found anything specifically for release agents. I'm not a developer by trade so if somebody could clear this up I would appreciate the help.

I'm trying to specify an app setting in my ARM template that points to a specific folder location where the web application I'm deploying should store log files, ex: D:\folder\logs. When I specify the folder location though it complains about the value being empty. If I add a double slash (\) the errors go away but it fails to deploy.

I've tried adding these specific app settings, ones with folder locations, as parameters and reference them like so in the template.json file - [parameters('log-folder')] but it fails and says it can't locate the specified parameter. I would appreciate any help. I've posted some of the parameters and template json files I'm working with below:

**template.json file**
--------
"properties": {
                "name": "[parameters('name')]",
                "siteConfig": {
                    "appSettings": [
                    {
                        "name": "CACHE",
                        "value": "[parameters('cache')]"
                    },

**parameters.json file**
--------
"parameters": {
"cache": {
            "value":"D:\\home\\filevault\\cache"
        },
}

I'm looking for a way to set the quota size (ex, 100gb) for the file share I am deploying using Azure ARM Templates. As of now when I deploy it defaults to 5TB which is not ideal. Ideally I would just add a setting to my template.json or parameter.json files that would adjust this setting but I haven't come across anything yet. I'd appreciate any help/guidance on this.

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "location": {
            "type": "string"
        },
        "storageAccountName": {
            "type": "string"
        },
        "fileShareName": {
            "type": "string",
            "minLength": 3,
            "maxLength": 63
        },
        "fileShareName1": {
            "type": "string",
            "minLength": 3,
            "maxLength": 63
        },
        "fileShareName2": {
            "type": "string",
            "minLength": 3,
            "maxLength": 63
        },
        "accountType": {
            "type": "string"
        },
        "kind": {
            "type": "string"
        },        
        "accessTier": {
            "type": "string"
        },
        "supportsHttpsTrafficOnly": {
            "type": "bool"
        }
    },
    "variables": {},
    "resources": [
        {
            "name": "[parameters('storageAccountName')]",
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2018-02-01",
            "location": "[parameters('location')]",
            "properties": {
                "accessTier": "[parameters('accessTier')]",
                "supportsHttpsTrafficOnly": "[parameters('supportsHttpsTrafficOnly')]"
            },
            "dependsOn": [],
            "sku": {
                "name": "[parameters('accountType')]"
            },
            "kind": "[parameters('kind')]",
        "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
            "apiVersion": "2019-04-01",
            "properties": {
                "shareQuota": "100"
            },
            "name": "[concat(parameters('storageAccountName'), '/default/', parameters('fileShareName'))]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
            ]
        },

        {
            "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
            "apiVersion": "2019-04-01",
            "properties": {
                "shareQuota": "100"
            },
            "name": "[concat(parameters('storageAccountName'), '/default/', parameters('fileShareName1'))]",
            "shareQuota": "100",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
            ]
        },

        {
            "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
            "apiVersion": "2019-04-01",
            "properties": {
                "shareQuota": "100"
            },
            "name": "[concat(parameters('storageAccountName'), '/default/', parameters('fileShareName2'))]",
            "shareQuota": "100",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
            ]
        }

    ]
}
    ],
    "outputs": {}

}

I want to deploy a VM in Azure and store the local admin password in Keyvault. I was wondering if it is possible to do the deployment through the Azure Portal? I've added the required info to my parameters file but I'm still being forced to manually enter the admin password. I haven't seen any sites mention deploying through the portal so I was wondering if its even possible.

There is loads of content on how to deploy using powershell and AzureCLI but I'd like to avoid these since I'm uhanding over the install process to a client and I want it to be as simple as possible.

My team has a .NET (4.7) web application running in Azure. Right now there are three directories being creations on the web in the D drive - cache, temp and root. Log files are dumped here. My concern is that these log files will take up space and crash the app.

Is it possible to store these apps in blob container instead of on the web application? I created a storage account with three containers (cache, temp, root), used Storage Explorer to create shared access signatures (SAS's) on each container, and then pasted the URL generated for the SAS in the app settings for the web app. I restarted the app no files are being dumped in the container.

Is there something I'm missing to get this working? I'm not a developer so I'm not sure if something would need to be set in the code for this to work. I noticed in the web.config a D:\home...... location was specified so I assumed adding the container location would work but I guess not. Any thoughts or suggestions would be greatly appreciated.

I've got 5-6 Azure SQL Databases running. They run in the Basic and Standard pricing tiers. From what I've read backups run by default which allow for the Point in Time restore options to work.

These are my questions:

• Where are these backups stored?
• Other than the default backups that run, is it possible to use the recovery services vault to back up Azure SQL Databases? I've tried setting something up but I don't get an option for Azure SQL DB's, only Azure VM's and fileshares.

I'm new to Solaris 11 and I have to apply updates. I read that you can create a ZFS snapshot -- apply updates -- then revert the snapshot if things break. I also read that you can create a backup of your boot environment (BE).

What is the difference between taking a ZFS snapshot versus creating a BE backup? Are certain files/directories backed up by one and not the other?

Clarification on the two and a recommendation on which to use for patching (or best practices) would be greatly appreciated.

I'm running java 7 on one of my Solaris servers. We need to run updates but when we do java 8 tries to install itself. This wouldn't be a big deal but it conflicts with another application we have running for some reason. Therefore, I am stuck using java 7 for the time being.

Is it possible to ignore java updates when I run pkg update? I am new to solaris and any help would be appreciated.

I recently installed the free version of xenserver 6.5. Right now I can run updates through xencenter which is simple and easy. I've been reading though and I've come across a few articles mentioning that the free license expires after 30 days which then prevents you from updating through xencenter.

Can anybody confirm this with xenserver 6.5 free edition? And if that is true, how do you go about running updates?

I'm looking to convert about 50 esxi vm's to xenserver 6.5. I am running the free version of xenserver 6.5. I've seen posts for the citrix xen converter tool and I've tried out the VMware OVF Conversion Tool with some vmdk/vmx files but did not have any luck. I also know that you can export VM's from vsphere as OVF file formats and then import into xencenter but it takes a very long time.

Has anybody done this before and had any luck with specific tools/applications?