Error creating WVD hostpool – validation failed


azure

Error trying to create a new VWD hostpool in WVD v2 (spring update)
(Resolution at the end)

WVD spring update, create new hostpool from the Azure Portal – you fill in all the information about the setup, and when you run the validation on the last step, it fails with the shady error message:
‘Validation failed. Required information missing or invalid.’

All the properties are filled in correctly, no ‘red dot’ is shown to indicate what is wrong.

The details of the error are:

ERROR TYPE
ERROR DETAILS
The template deployment failed with multiple errors. Please see details for more information.
—-

WAS THIS HELPFUL?

Well, not that helpful. In the scenario I was in when this occurred, the company had given up on the spring update due to this. No error, no indication…
The facts of the setup is, the environment where the hosts where to reside are in West Europe, and in WVD, you can only select US for the hostpool(The service/metadata), so we went with East US (Closest to Europe).
So, all hosts to be created in West Europe and Hostpool in East US (Can be any of the US options available)

Resolution:
We found a similar issue after some time with Google, in that scenario, after trying a number of suggestions, the users found that they had a Azure policy attached to the subscription selected. It only allowed a few select regions, the East US was not one of them.
Same for us, when having a look at the policy on the subscription, it only had West Europe, North Europe, France and Global.
Adding East US to the allowed regions and hitting save immediately solved the problem.

Go to the subscription where you are creating your WVD hostpool, under ‘Settings’ you will find ‘Policies’

Locate a policy that has a ‘Location restriction’

Open it, click ‘Edit assignment’ at the top, then ‘Parameters’. In the dropdown, check the US region where the hostpool is to be created. Click on ‘Review + Save’ at the bottom. (This may require the owner role).
(Disclaimer – if the policy is a centralized policy, you may have to go the the owner of the policy to have it edited, like if it is applied to a management group)

Now, you can retry the ‘Validation’ of the creating of the Hostpool. If nothing else, the policy and location restriction will not be an issue any more.

References

https://docs.microsoft.com/sv-se/azure/virtual-desktop/create-host-pools-azure-marketplace

Thanks to:


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

 

Enable Azure Update Management in Azure Firewall


azure

When you have Windows VM’s in an Azure network and internet traffic is routed through your Azure Firewall, and you need to allow them to update, either with Automatic updates, or Azure Update management. There are a few things you need to allow to get through your FW.
Add the following rules and you will have it up and running in no time.

Go to the Azure Firewall in the Azure portal.
Rules -> Application Rule Collection
+ Add application rule collection

Rule 1
Name: Windows_Update (No whitespace)
Priority: 2000 (A number between 100-65000)
Action: Allow
Rule, FQDN Tags:
Name:Windows Update
Source Type: IP Address
Source: Prefix of vNet/Subnet or host, ex. 10.1.0.0/22
FQDN tags: WindowsUpdate (Select in the dropdown)

Rule 2
Name: Monitoring_Agent (No whitespace)
Priority: 2100 (A number between 100-65000)
Action: Allow
Rule, Target FQDNs:
Name:OMS Agent
Source Type: IP Address
Source: Prefix of vNet/Subnet or host, ex. 10.1.0.0/22
Protocol:Port: https:443
Target FQDNs: *.ods.opinsights.azure.com,*.oms.opinsights.azure.com,*.blob.core.windows.net

Rule 3
Name: Hybrid_Runbook_Worker (No whitespace)
Priority: 2200 (A number between 100-65000)
Action: Allow
Rule, Target FQDNs:
Name:Hybrid Runbook Worker
Source Type: IP Address
Source: Prefix of vNet/Subnet or host, ex. 10.1.0.0/22
Protocol:Port: https:443
Target FQDNs: *.azure-automation.net

 

References

FQDN tags overview
https://docs.microsoft.com/en-us/azure/firewall/fqdn-tags

Connect Operations Manager to Azure Monitor
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/om-agents

Hybrid Runbook Worker overview
https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

 

Thanks to:
Joakim Gräns – Asurgent AB


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

 

Azure Firewall and DNS forward timeout – SNAT UDP utilization at 100%


azure

Issue:

External DNS queries dropped causing timeouts and unresponsive services, web-browsing, Office 365, Windows Virtual Desktop(WVD), etc.

(Resolution at the end…)

Azure based environment.
Classic AD with a few VM based Domain controllers in Azure.
DC’s are acting as the primary DNS service for all servers, services and clients in the environment.
Azure firewall is configured as the primary firewall solution for the Azure based environments.
The subnet(s) where the DC’s are located are routed (UDR) to use the Azure Firewall for outgoing internet traffic
The DC’s IP are the added as the primary and secondary DNS for all vNets in Azure, for office subnets, VPN, etc.
DNS service on the DC’s are configured to forward external DNS queries, as is the default, either a custom Forwarder, or the DNS hints.

As the workload increases, you may notice a congestion in the Azure Firewall, at a certain amount of external forwarded DNS queries, the Azure Firewall will choke at 100%.
You may notice this as a user, when simple internet pages in a browser no longer opens, if you use WVD, the environment may stop responding all together due to the lack of DNS service in the WVD hostpool.
As an admin, you may see that a repeated number of NSLOOKUP to an external address, will result in intermittent timeouts.

Azure Firewall.
A part of the DNS service is that it uses UDP, and Azure Firewall uses SNAT for address translation from every internal source, resulting in every UDP request from one IP to an external provider (8.8.8.8, 8.8.4.4, 1.1.1.1 etc.) will use one port out of the 65.000 available in the TCP protocol for that unique destination. When the number of DNS requests to the same address (say google.com) gets repeated, every request gets its own port, and after a while, all 65.000 are taken. Causing congestion in the Firewall and it starts to drop requests. Two requests to google.com and two to microsoft.com will thus result in 4 ports being used, while single requests to 1000 different addresses will only use the one port.

In our case, we saw that during office hours, after enough users and systems were migrated, the Firewall reached 100% in UDP SNAT utilization, causing timeouts on our DNS servers (DC’s) causing services and systems to fail.

Issue can clearly be seen starting at the beginning of day on Thursday July 2nd, then on Friday July 3rd, stopped over the weekend, then up again on Monday July 6th. The graph also shows that we have users in Europe as well as in America, which prolongs the period a bit.

After some t-shooting, severity A case with Microsoft premier support and help from Microsoft FastTrack, we had two ways to quickly mitigate the problem and get the services operational again.

Resolution

  1. For us, the fastest we could implement, was to add a second public IP on the Azure Firewall, doubling the amount of ports used for SNAT to 130.000 (65.000 x2). REMEMBER, you cannot control what goes to what port, so if any of your internal servers or systems connect to an external service, and the Azure Firewalls public IP is whitelisted, you have to add this second IP to the whitelist as well. Every place that has it whitelisted. This because Azure Firewall randomly selects the public IP to use for outgoing traffic.
    This immediately reduced the UDP SNAT util from 100%+ to 60-70%

    The utilization quickly dropped, to about 60-70%
  2. The best solution, which we implemented a few minutes later, is to add Microsofts Azure ‘public’ DNS IP as the forward DNS server on our DNS servers (the DC’s). This is an Azure Datacenter service, and as such, it will be recognized and accesses using the Azure backbone and never going through the Azure Firewall at all. This reduced the load from 60-70% on UDP SNAT to 0%!
    The IP to use is: 168.63.129.16 (This will only be accessible from Azure environments, do NOT use on onprem DNS servers!)

    The utilization here dropped completely to 0%, since all DNS queries now go to the Azure ‘internal’ DNS

Microsoft Azure DNS IP: 168.63.129.16

 

Azure Firewall SNAT private IP address ranges
https://technet.microsoft.com/en-us/library/mt683473(v=office.16).aspx

Deploy an Azure Firewall with multiple public IP addresses using Azure PowerShell
https://docs.microsoft.com/en-us/azure/firewall/deploy-multi-public-ip-powershell

Thanks to:
Thomas Vuylsteke – Microsoft Azure Fasttrack team
Microsoft Premier Support
Akelius Residential Property AB (Martin Supan, Mattias Segerström)


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn

 

TCP/IP Ports of SharePoint 2016


SharePoint 2016 huh?!
(Long time since I last posted anything real here…)

Actually, this post is by popular demand 🙂 This is the 2016 version of the post a wrote when SHarePoint 2013 was new, as you can see, not much has changed…I have updated a few lines with what I know now that I did not know then, thats it. Please let me know if I missed something.

The recommended approach is to create a GPO with these firewall rules and apply that rule to the SharePoint servers in your farm. Add all of them, best that way to avoid extreme t-shooting in the future.

Another but related recommendation is to configure the Loopback check funktion in Windows server to allow the FQDN’s of your web applications (Use the Loopback check tool).

List of ports used by SharePoint 2013 and its related services.
Reference links at the end.

Protocol Port Usage Comment
TCP 80 http Client to SharePoint web server traffic
(SharePoint – Office Online Server/Office Web Apps communication)
TCP 443 https/ssl Encrypted client to SharePoint web server traffic
(Encrypted SharePoint – Office Online Server/Office Web Apps communication)
TCP 1433 SQL Server default communication port. May be configured to use custom port for increased security
UDP 1434 SQL Server default port used to establish connection May be configured to use custom port for increased security
TCP 445 SQL Server using named pipes When SQL Server is configured to listen for incoming client connections by using named pipes over a NetBIOS session, SQL Server communicates over TCP port 445
TCP 25 SMTP for e-mail integration Cannot in 2016 be configured (Use SMTP ports other than the default (25).)
TCP 16500-16519 Ports used by the search index component Intra-farm only
Inbound rule Added to Windows firewall by SharePoint. (GPO may override this change)
TCP 22233-22236 Ports required for the AppFabric Caching Service Used by the Distributed Cache…
TCP 808 Search – Query processing component
Windows Communication Foundation communication
Search – Query processing component
(WCF)
TCP 32843 Communication between Web servers and service applications http (default) To use custom port, see references section
Inbound rule Added to Windows firewall by SharePoint
TCP 32844 Communication between Web servers and service applications https
Inbound rule Added to Windows firewall by SharePoint
TCP 32845 net.tcp binding: TCP 32845 (only if a third party has implemented this option for a service application)  Custom Service Applications
Inbound rule Added to Windows firewall by SharePoint
TCP 32846 Microsoft SharePoint Foundation User Code Service (for sandbox solutions)  Inbound on all Web Servers
Inbound rule Added to Windows firewall by SharePoint
Outbound on all Web and App servers with service enabled.
TCP 636 User Profile Synchronization Service/Active Directory Import Synchronizing profiles between SharePoint 2016 and AD using SLDAP (Secure LDAP)
TCP 5725 User Profile Synchronization Service Synchronizing profiles between SharePoint 2016 and Active Directory Domain Services (AD DS)
TCP + UDP 389 User Profile Synchronization Service LDAP Service
TCP + UDP 88 User Profile Synchronization Service Kerberos
TCP + UDP 53 User Profile Synchronization Service DNS
UDP 464 User Profile Service Kerberos change password
TCP 809 Office Online Server/Office Web Apps Office Online Server/Office Web Apps intra-farm communication.

References:

Security for SharePoint Server 2016
https://technet.microsoft.com/en-us/library/mt683473(v=office.16).aspx

TCP/IP Ports of SharePoint 2013
https://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/

 


___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Office 365 News – OneDrive for Business now supports 10GB files and much more


 Office365logo       SP2013logo

Short story: The OneDrive for Business improvements are here!

This was promised to us a long time ago, and it has now finally come to be. At the same time, the 20.000 file limit from before has also been removed (Improved)
Here is the proof:

Proof

The file was in addition, uploaded using the new OneDrive sync client!
(Dropped the file in the local cache and let the sync do its stuff)

  • The OneDrive for Business Next Generation Sync Client is available for Windows 7, 8 and 10 (8.1 support will be added in the first quarter of 2016) and Mac OS X 10.9 and above.
  • Storage, rolling out is an increase from 1TB to 5TB, upon request, more will be made available until unlimited is achieved? (Valid for: Enterprise E3, E4 and E5, Government E3, E4 and E5, Education, OneDrive for Business Plan 2 and SharePoint Online Plan 2)
  • 10GB filesize limit
  • No more 20.000 file limit
  • !! With this first release of several, the Next Generation Sync Client supports OneDrive for Business only, but we will add support for SharePoint document libraries in future releases. (This is the best news in a long time)
  • In the interim, if customers require sync for both OneDrive for Business and SharePoint document libraries, the Next Generation Sync Client is designed to work side-by-side with the existing sync client.
  • the OneDrive for iOS app will support offline storage. You can selectively flag files for local availability and open them when disconnected
  • For developers: https://dev.onedrive.com/ (OneDrive developer portal)

References:

Read the official story on the Office 365 blog about the (then upcoming) news here:

OneDrive for Business update on storage plans and Next Generation Sync Client
https://blogs.office.com/2015/12/16/onedrive-for-business-update-on-storage-plans-and-next-generation-sync-client/

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

SharePoint Online – Missing Web Parts with custom script disabled


 Office365logo       SP2013logo

Missing Web Parts with custom script disabled…

AdminThe Custom Script setting (Default disabled)

As I have posted about before, during the end of 2014, beginning of 2015, a new security feature in SharePoint Online has been rolled out. The feature in itself is a great security feature if that is what you want.

Missing example:

WebpartsMissing

Expected webparts:

WebpartsThere

Note: changes to this setting might take up to 24 hours to take effect.

In my previous post on this setting, I listed the missing features, however this is not all that will go missing. In addition, quite a few webparts will be gone from your SharePoint Online environment. This may or may not be expected by you and your users/editors/developers…
Below is the list of webparts that you will not find with the Custom script setting off/disabled.

Web part category Web part
Blog Blog Archives

Blog Notifications

Blog Tools

Business Data Business Data Actions

Business Data Item

Business Data Item Builder

Business Data List

Business Data Related List

Excel Web Access

Indicator Details

Status List

Visio Web Access

Community About This Community

Join

My Membership

Tools

What’s Happening

Content Rollup Categories

Project Summary

Relevant Documents

RSS Viewer

Site Aggregator

Sites in Category

Term Property

Timeline

WSRP Viewer

XML Viewer

Document Sets Document Set Contents

Document Set Properties

Forms HTML Form Web Part
Media and Content Content Editor

Script Editor

Silverlight Web Part

Search Refinement

Search Box

Search Navigation

Search Results

Search-Driven Content Catalog-Item Reuse
Social Collaboration Contact Details

Note Board

Organization Browser

Site Feed

Tag Cloud

User Tasks

Find Microsofts support article on the setting here:
Turn scripting capabilities on and off (Microsoft support article)
https://support.office.com/en-us/article/Turn-scripting-capabilities-on-and-off-1f2c515f-5d7e-448a-9fd7-835da935584f?ui=en-US&amp

The complete list of settings affected and webparts missing: Save Site as Template, Save document library as template, Solution Gallery, Web Designer Galleries, Theme Gallery, Help Settings, Sandbox solutions, the Blog Archives, Blog Notifications, Blog tools Blog Webparts, the Business Data Actions, Business Data Item, Business Data Item Builder, Business Data List, Business Data Related List, Excel Web Access, Indicator Details, Status List, Visio Web Access Business Data Webparts, the About This Community, Join, My Membership, Tools, What’s Happening Community Webarts, the Categories, Project Summary, Relevant Documents, RSS Viewer, Site Aggregator, Sites in Category, Term Property, Timeline, WSRP Viewer, XML Viewer Content Rollup Webparts, the Document Set Contents, Document Set Properties Document Sets Webparts, the HTML Form Webpart, the Content Editor, Script Editor, Silverlight Webpart Media and Content Webparts, the Refinement, Search Box, Search Navigation, Search Results Search Webparts, the Catalog-Item Reuse Search-Driven Content Webparts and the Contact Details, Note Board, Organization Browser, Site Feed, Tag Cloud, User Tasks Social Collaboration Webparts.

References and Credits

None at this time…

Credits & many thanks to

Everyone!   SP2013logo _________________________________________________________ Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Office 365 support for older Apple iOS devices degraded


Apple logo

(I never saw this logo ending up in my blog…)

Office365logo

Office 365 experience on iOS7 devices is changing

In case you have not seen this small note, it may not affect a lot of people but for those of you out there on older iOS devices or that supports those units in your organizations, it may be important.

Details (Official Microsoft statement):
Microsoft are making some changes to the Office apps on iOS 7 devices. Beginning when Apple releases iOS 9, they will release updates to Microsoft Word, Excel, and PowerPoint that will only work on iOS 8 and above. Word, Excel, PowerPoint, and OneNote will no longer receive updates on iOS 7, but will continue to function with a degrading experience over time.
Microsoft strongly suggest communicating to your end users and recommend upgrading to iOS 8 or above.

Credits

Myself, I get all the credit this time! 🙂

References

Did not find this statement at any official sites, this was announced in the Office 365 Message Center

Office365logo _________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

SharePoint News – Download SharePoint Server 2016 preview now


microsoft_logo_56x56

SharePoint Server 2016 Preview

Yes! SharePoint Server 2016 has finally been released as a preview installation

Long awaited for, longed for by many, feared by the competition…

On  the 24th of august, Microsoft released a preview of the next generation of SharePoint onprem, SharePoint Server 2016. Last I Heard, the release is due sometime Q1 – Q2 of 2015.
Make sure that you have room, the ISO alone is 2.84GB in size…

DOWNLOAD
(Or go straight to the ISO download)

Prerequisites, it will run on

•Windows Server 2012 R2
•Windows Server Technical Preview 2

About the Product from Microsoft

SharePoint Server 2016 IT Preview has been designed, developed, and tested with the Microsoft Software as a Service (SaaS) strategy at its’ core.
Drawing extensively from that experience, SharePoint Server 2016 IT Preview is designed to help you achieve new levels of reliability and performance, delivering features and capabilities that simplify administration, protect communications and information, and empower users while meeting their demands for greater business mobility.
You can choose from a traditional on-premises deployment, a hosted service with Microsoft Office 365 sites powered by Microsoft SharePoint Online, deployment in Azure Infrastructure as a Service (IaaS), or a mix of these options with a hybrid approach, enabling you to enrich traditional on-premises scenarios with the innovation in the cloud.
Need more information about SharePoint Server 2016 IT Preview? See the  product details page.SharePoint Server 2016 IT Preview builds on the investments of previous SharePoint releases to help:
1.Lower IT costs with a cloud inspired infrastructure and scalable collaboration platform
2.Better manage risk by safeguarding your business with secure and reliable capabilities
3.Deliver modern collaboration experiences across devices and screens’

To install SharePoint Server Preview

1.Review SharePoint Server 2013  system requirements
2.Download and install full-featured software for a 180-day trial
3.When prompted, use the following product key: NQTMW-K63MQ-39G6H-B2CH9-FRDWJ

 

References and Credits

Myself, I get all the credit this time as well! 🙂 

   _________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn