Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Archives for June 2020

Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain

Last Updated on August 6, 2021 by Dishan M. Francis

In an on-premises Active Directory environment, there can be application or service which required integration with Active Directory. With AD integration, the application can search for AD users, allow login, assign permissions, etc. This integration part is usually done using the Lightweight Directory Access Protocol (LDAP). By default, traffic over LDAP is not encrypted. Due to the vulnerabilities, Microsoft now recommends only to use secure LDAP (LDAPS, LDAP over SSL) connections to Domain Controllers. Azure Active Directory Domain Services (Azure AD DS) also support for secure LDAP connections. Most of the time the LDAP connection to Azure AD DS will be initiated over the public internet. So, it is important to have encryption in place to prevent man-in-the-middle attacks.

In this post, I am going to demonstrate how to enable secure LDAP for Azure AD DS. Before we start make sure you have the following prerequisites in place.

1. Valid Azure Subscription
2. Valid Azure Active Directory Domain Services

Azure Directory Domain Service instance is using default Microsoft domain name rebeladmlive.onmicrosoft.com. So, I have to use a self-sign certificate for it. To generate a self-sign certificate, we can use the following PowerShell commands. This can be run from any PC.

$domainname=”rebeladmlive.onmicrosoft.com”
$certlife=Get-Date
New-SelfSignedCertificate -Subject *.$domainname -NotAfter $certlife.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.$domainname, $domainname

create self sign certificate powershell

In above, replace rebeladmlive.onmicrosoft.com with your Azure Active Directory Domain Service instance name. As we can see, it created a wild card SSL for rebeladmlive.onmicrosoft.com under Computer account.

SSL certificate mmc

We need to export this certificate as .PFX file with private key to,

1. Use it during the secure LDAP setup and upload it to Azure
2. Import it to any other PC which like to initiate secure LDAP connection (The certificate must be imported into Computer Account\Personal\Certificates as well as Trusted Root Certification Authorities\Certificates. This is because the certificate is self-sign cert and it doesn’t have trusted root certificate)

To export certificate,

1. Right-click on the certificate and go to All Tasks | Export

export ssl certificate

2. It will open up the certificate export wizard, click on Next to start the process.

export certificate wizard screen 1

3. In the next window select Yes, export the private key, and click on Next.

export certificate wizard screen 2

4. In the Export file format window, match the following selection, and click on Next.

export certificate wizard screen 3

5. In the next window, define the password for the export file and click on Next.

export certificate wizard screen 4

6. Then, select the file path for the output and click on Next.

export certificate wizard screen 5

7. In the next window, click on Finish to complete the Export process.

export certificate wizard screen 6

Now we have the .PFX file. The next step is to import it again to Trusted Root Certification Authorities\Certificates. This is required as we are using a self-sign certificate for the exercise. [Read more…] about Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain

Step-by-Step Guide: Reduce Latency between Azure VMs by using proximity placement group (PowerShell Guide)

Last Updated on August 14, 2020 by Dishan M. Francis

The latency between two servers located in two regions is normally higher than the latency between two servers located in the same data center or the same rack. High latency between application servers has a direct impact on the overall performance of the application. By placing applications servers in the same physical location, we can reduce the latency. When it comes to Azure VMs, we can reduce the latency between servers by placing those in the same Azure region or in the same availability zone. But this doesn’t mean the servers are running from the same data center. As Azure grows a region can have multiple data centers. But now with proximity placement group, we can co-locate Azure VMs to the same data center.

The proximity placement group can have stand-alone VMs, VM scale sets or VM availability sets. Once the proximity placement group is created, we can deploy new servers to it or move existing servers to it. It is recommended to use accelerated networking with the virtual machine in proximity placement group to further reduce the latency. Also, if possible, use one VM template for virtual machines in the same proximity placement group. This is because some datacentres only support certain VM SKUs and sizes.

In this demo, I am going to demonstrate how we can create a proximity placement group and deploy a virtual machine to it. I also going to demonstrate how to move the existing virtual machine to the proximity placement group.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find here.

Create proximity placement group

Let’s start the configuration process by creating a new resource group.

1. Launch PowerShell console and connect to Azure using Connect-AzAccount as Global Administrator

2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

create azure resource group

In the above, REBELRG1 is the resource group names and East US is the Azure region.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

create virtual network

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines

4. As the next step of the configuration, let’s go ahead and create proximity placement group using,

New-AzProximityPlacementGroup -Location “East US” -Name rebelpggrp01 -ResourceGroupName REBELRG1 -ProximityPlacementGroupType Standard

create proximity placement group

In the above, I created a ppg called rebelpggrp01. The group type is set to standard. [Read more…] about Step-by-Step Guide: Reduce Latency between Azure VMs by using proximity placement group (PowerShell Guide)

Step-by-Step Guide: Create Azure Windows Virtual Machine from a Snapshot (PowerShell Guide)

Last Updated on August 14, 2020 by Dishan M. Francis

Virtual Machine Snapshots are the quickest way to recover a virtual machine from a disaster. Snapshot is a copy of the virtual machines’ disk file at a given point of time. There are situations where we may need to get certain data out from snapshot without restoring a complete virtual machine. The best way to do that is to create a virtual machine from the snapshot and then retrieve the relevant data. The same method also can use to test application upgrades or risky changes without affecting production servers. In this demo, I am going to demonstrate how we can create an Azure windows virtual machine from a snapshot.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it available on this link.

As part of the configuration, I am going to do following,

1. Create a new resource group
2. Create a new virtual network
3. Create Azure windows virtual machine
4. Log in to the new virtual machine and create few test files
5. Create snapshot
6. Create another virtual machine using the snapshot
7. Log in to this new Azure windows virtual machine and verify it has the test files created in original VM.

Create new Azure windows virtual machine

Let’s start the configuration process by creating a new resource group.

1. Launch PowerShell console and connect to Azure using Connect-AzAccount as Global Administrator
2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

create new azure resource group

In the above, REBELRG1 is the resource group names and East US is the Azure region.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”

New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

create new azure virtual network

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines

4. As the next step of the configuration, I am going to create a new virtual machine under REBELRG1 resource group. This will be used for testing purposes.

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG1 -Name “REBELTVM01” -Location “East US” -VirtualNetworkName “REBELVN1” -SubnetName “vmsubnet” -addressprefix 10.0.2.0/24 -PublicIpAddressName “REBELVM01IP1” -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

create new Azure windows virtual machine

In the above, I am creating a virtual machine called REBELTVM01 in East US Azure region. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. For networking, it uses REBELVN1 virtual network and subnet 10.0.2.0/24. [Read more…] about Step-by-Step Guide: Create Azure Windows Virtual Machine from a Snapshot (PowerShell Guide)