AZ-140 ep13 | Implement AVD FSLogix Storage

  • Published: 8 Sep 2024

Comments • 82

  • @deo-max9229 2 years ago +3

    Everything you explained unknotted my brain and cleared up so many questions and confusion about the labs I was doing. I didn't know the why, and I didn't know the what. Now I do. Thanks Dean!

  • @Cmart6444 1 year ago +1

    Dean, you hit it over the fence with this video. I'm gonna spend quite a bit of time trying to catch a glimpse of it. Bro, UR a monster!!!!!!!

    • @AzureAcademy 1 year ago +1

      Wow...Thanks! If you think this was good...also check out my 2 most recent videos on FSLogix. Really helping people to "do it right"

  • @Cmart6444 1 year ago +1

    Another amazing and comprehensive episode dedicated to AVD storage. I had to watch it several times, to be honest. Regards!

  • @herambthuse5460 3 years ago +2

    Great videos, man... You are helping in a great way, please keep it up

    • @AzureAcademy 3 years ago +1

      👍👍 let me know what other videos I can make for you

  • @bakeruk87 2 years ago +3

    FYI If trying to set NTFS permissions but the PS is failing and share won't mount the network drive - the Test-NetConnection fails trying to reach my mylab.file.core.windows.net -
    "TCP Connect to mylab.file.core.windows.net:445 failed....ping --status TimedOut".
    When I review the Private DNS Zone list - all 3x spokes are listed, but the Hub is missing - add the Hub connection manually and this will fix it. I have been following the videos to the tee so not sure how this occurred! Sharing here to help others :)

    • @AzureAcademy 2 years ago +2

      Haven’t had an issue with this. The private link is configured in such a way to ONLY allow access from the region and subnet where the storage and host are located. So if you are trying to access from the hub…you would need rules to make that happen

    • @AzureAcademy 2 years ago

      +David B since port 445 is failing, it sounds like your NSG is blocking it

  • @diabilliq 3 years ago +1

    Excellent video as always, also looks like SMB multichannel seems to be being pushed out to more and more regions lately. I especially appreciated the "do not click this" on AADDS, very common mistake since most people are extending AD from onprem and the fact that AADDS is really only meant for legacy LDAP/Kerberos applications. Otherwise it's just a watered down version of AD with delegated admin rights.

    • @AzureAcademy 3 years ago +1

      Multi-channel is very cool...happy to provide the tips, no extra charge ☺️
      And you put AADDS limitations very well...I will use that ☺️

  • @pilotken8685 1 month ago +1

    Ran into one snag on the AD connect script:
    Connect-AZAccount : InteractiveBrowserCredential authentication failed: A window handle must be configured.
    To fix it:
    run the following
    ps> Update-AZConfig -EnableLoginByWam $false
    then can run > Connect-AZAccount

    • @AzureAcademy 1 month ago +1

      Never happened in my environment, nor does that happen by default so I must assume there was something causing it in your deployment

  • @Dilwortha 3 years ago +1

    It's so amusing that you released this video 2.5 weeks ago, as I set this up initially for a client back in November. Glad I got it all configured in the same way as above, but it took me way longer than the 18 minutes in this video haha!
    Loving the videos, definitely going to be taking the AZ-140 when your series is over. Do you have an idea of how many more videos you'll be making and an ETA on the whole series being done by chance? Not that I'm trying to rush the process haha

    • @AzureAcademy 3 years ago +2

      I just answered that in the latest video.
      I am shooting for 20 videos or less in the whole series

    • @Dilwortha 3 years ago +1

      @AzureAcademy Amazing, stoked for them all, keep up the great work man! I'll smash out the exam when done with your videos and refreshing with the Microsoft Learn Path

    • @AzureAcademy 3 years ago +1

      Will do!

  • @cloudpachehra1113 2 years ago +1

    Good stuff 🤩😍😍

  • @nephilimcrt 3 years ago +1

    Good stuff!

  • @charlescoulter4710 3 years ago +1

    I think a critical piece of information that has always concerned me is the fact that the computer account password, in this case the domain-joined storage account, will update after x number of days.
    I've always used the method where I placed the domain-joined storage account in its own OU and configured a policy to not require the password to be updated...which I believe is frowned upon.
    The other option is rotating the keys on the storage account and then performing an update. I am pretty decent with PowerShell, I am just not sure how I could make that a scheduled task.
    Curious about your thoughts Dean.

    • @AzureAcademy 3 years ago +2

      You can use PowerShell to generate new storage account keys - docs.microsoft.com/en-us/azure/storage/scripts/storage-common-rotate-account-keys-powershell#sample-script
      Then use PowerShell to update the SMB storage account password with - Update-AzStorageAccountAuthForAES256
      Found here - docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable#run-join-azstorageaccountforauth

  • @andyhuynh2450 2 years ago +1

    First of all I love your academy. It's awesome. I am able to get FSLogix to work with Azure. Any guidance to speed up the performance at login? It seems like at logon the FSLogix app service is taking 2 minutes, vs. the local user profile which only took 10 seconds.

    • @AzureAcademy 2 years ago +1

      Thanks Andy! 2 MINUTES!!! Yikes, that is a very long time! Here are some things to check
      1. Are we talking 2 minutes to CREATE a new profile or 2 minutes for existing profile to log in?
      2. How is FSLogix configured VHD LOCATION or Cloud Cache?
      3. What is the storage you are using for the profiles file share and how late is it?
      4. How many users are sharing this file share?
      5. Do you have multiple host pools?
      6. Are they all using the same file share or 1 share for each host pool?

    • @andyhuynh2450 2 years ago +1

      @AzureAcademy It seems to be better when I added storage onto the VM instead of using the storage account. It is currently stored on a VHD location. Currently this is a POC so there are only 3 users on it. This only has 1 pool for 3 users. They are all using the same VHD location.

    • @AzureAcademy 2 years ago +1

      What do you mean you added storage to the VM?
      What is in the VHDLocation setting?

  • @cathyleik5210 2 years ago +1

    Great video - very concise and to the point! I've worked thru this configuration and am at the point where I am unable to access the File Share via the Azure Portal from my onprem machine (we have a site to site VPN Gateway), or from a VM on the same VNet as the PE. We don't currently have any Network Security Group as this is the first deployment in Azure. I'm confused between setting up a Network Security Group to allow access as you show in the video vs the Firewall settings within the Storage Account itself - allow access from selected networks (which currently has none listed). How would we achieve access from both locations?

    • @AzureAcademy 2 years ago +1

      Hey Cathy! Thanks for watching. The benefit of the storage account firewall is endpoint control. The NSG benefit is port traffic control. Storage accounts have endpoints that face the internet as well as Internal Azure endpoints.
      The Storage account Firewall can disable the Internet endpoint, so nothing from the internet can get to it. i.e. better security. You can find this in the storage account / Networking blade. When you change the default of "All Networks" to selected networks you are telling Azure that ONLY the selected Azure VNETs and other IPs you specify can access the storage account.
      Take this all 1 step further by setting up a Private Endpoint...and we can add Port traffic control from our NSGs into the mix for even better security, following the Least Privilege Security Model.
      Now you can control not only which network can access storage, but which Ports and protocols.
      Let me know if this helps clear it up!
      #HappyLearning

    • @cathyleik5210 2 years ago +1

      @AzureAcademy Yes thank you - the difference between the two makes sense. So, we have a Private Endpoint set up on our storage account and I'm looking to add our OnPrem network to the Storage account Firewall settings, however it will only let me select an existing Virtual Network, add a new Virtual Network or add public IP addresses. I don't see a way to add OnPrem networks. OnPrem is connected via a site to site VPN. Can you point me in the right direction?

    • @AzureAcademy 2 years ago +1

      The storage account firewall only accepts Azure IPs or internet IPs into the Firewall.
      So if you want to do it this way you would add your onprem Public IP Address, then it would allow communication from your on prem storage into Azure storage.

  • @joyan0001 4 months ago +1

    Hi, quick question: could I use my Azure AD Domain services instead for authentication to the file share?

    • @AzureAcademy 4 months ago +1

      Yes you can
      FSLogix can do
      AD Auth
      Azure AD Auth
      Entra Cloud Auth

  • @yannara 2 years ago +1

    Is it possible today to get storage working with AzureAD only scenario?

    • @AzureAcademy 2 years ago +1

      YES check this out 👉 ruclips.net/video/suvDH-yNL88/видео.html

  • @ricardovazquez4333 3 years ago +1

    When we set FSLogix, will user1@ be able to navigate the FSLogix folder and see profile files for user2@?

    • @AzureAcademy 3 years ago +2

      See them...I think so...do anything with them, NO
      Also, I would NOT have the user profiles setup like mapped drives that users could navigate to...there is no benefit to it.
      Only the registry needs to be configured on the session hosts for FSLogix to work

  • @mylearningaccount1 2 years ago +1

    I wonder how many times someone is actually involved in a 5000 endpoint deployment of AVD compared to the number of people who study how to do it

    • @AzureAcademy 2 years ago +2

      Great thought…very few by comparison I am sure…but there’s still a lot of them, and if you know how to keep a large environment humming along, you can do it in a smaller one as well…but the reverse is not always true.

  • @cloudwerxs7080 2 years ago +1

    Stuck here when it comes to AD. I already have an existing on-premise AD that is doing a sync to AAD from previous labs that I did. Can I use that instead of the two AD that were built by your template? What do you recommend?

  • @muhammadawais9966 3 years ago +1

    Thanks for the nice info. Quick question: how can we replicate the CIFS share to another storage account? Please advise.

    • @diabilliq 3 years ago +1

      The more important question is what is your use case for doing so?

    • @AzureAcademy 3 years ago +1

      Exactly Right Bill 👍👍

    • @AzureAcademy 3 years ago +1

      Like Bill said...what is your use case for doing the replication?

    • @muhammadawais9966 3 years ago +1

      @AzureAcademy We will use this CIFS for roaming profiles and want to replicate to a different storage account in case of data corruption

    • @AzureAcademy 3 years ago +1

      Data corruption won’t be helped by replication.
      If a user profile is corrupted and you are replicating to another storage account you are replicating corrupted data.
      The way to protect against corruption is with backups. Protect the share with Azure Backup, which should run at least once a day to protect from data corruption.
      Replication is done for disaster recovery, legal reasons etc. I hope this helps

  • @457anand 2 years ago +1

    Hi Dean.. thanks for the video... I have been running into an issue.. I have set up a file share and given elevated SMB contributor access to a user account.. am able to mount the share with the user account.. but not able to provide access to other users or see the user account in the file share permission... but when I mount the share with storage account, I can give access to other users ... any thoughts

    • @AzureAcademy 2 years ago +2

      The permissions must match exactly. If you grant permissions in Azure to group 1 then you must also grant NTFS permissions to the same group, not users who are in that group.
      Or
      The AD authentication is not working properly.

    • @457anand 2 years ago +1

      @AzureAcademy thanks Dean.. if I grant SMB elevated contributor to USER1 from the Azure side and mount the file share as USER1, I should be able to see the USER1 in file share security right and also be able to grant permission to other users ..... or is it the other way that I need to first mount the file share with storage account and then add the USER1 in the security for NTFS permission..because if I give from Azure side, it's not reflecting in the NTFS side

    • @AzureAcademy 2 years ago +2

      Create file share
      Set file share permissions in azure
      Log in to vm in your domain as user 1
      Mount the share with a storage account key to a free drive letter
      Setup Active Directory authentication for that share
      Set the NTFS permissions for AVD Users
      Now AVD users can access the share

    • @457anand 2 years ago +1

      @AzureAcademy thanks a lot..

    • @AzureAcademy 2 years ago +1

      Any time
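
A read-only audit of the share root's NTFS ACL, tied to the permission steps in this thread and to the earlier question about whether user1 can see user2's profile. This is an added example, not from the video or from any commenter. It assumes the share is mounted as `Z:`, uses a placeholder group `CONTOSO\AVD Users` and a hypothetical function name, and checks against the commonly documented FSLogix layout (users hold rights on the root folder only, CREATOR OWNER holds rights on subfolders and files).

```powershell
# Added example: read-only audit of the NTFS ACL on an FSLogix profile share root.
# Assumptions (placeholders, not from the page): share mounted as Z:, group name.
$ShareRoot = 'Z:\'
$UserGroup = 'CONTOSO\AVD Users'
$BroadIds  = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone'

# Get-ProfileShareAclFinding is a hypothetical helper name.
function Get-ProfileShareAclFinding {
    param([string] $Path, [string] $Group, [string[]] $Broad)

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id       = $ace.IdentityReference.Value
        # An ACE with inheritance flags flows down into every user's profile folder.
        $inherits = $ace.InheritanceFlags -ne 'None'
        $finding  = $null

        if ($Broad -contains $id) {
            $finding = 'Broad built-in principal has access on the share root.'
        }
        elseif ($id -eq $Group -and $inherits) {
            $finding = 'User group ACE is inherited by subfolders, so users can open each other''s profiles.'
        }
        elseif ($id -eq 'CREATOR OWNER' -and -not $inherits) {
            $finding = 'CREATOR OWNER ACE is not inheritable; creators get no rights from it on new profile folders.'
        }

        if ($finding) {
            [pscustomobject]@{
                Identity    = $id
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags
                Finding     = $finding
            }
        }
    }
}

Get-ProfileShareAclFinding -Path $ShareRoot -Group $UserGroup -Broad $BroadIds |
    Format-Table -AutoSize -Wrap
```

An empty result means none of the three conditions matched; the script changes nothing on the share.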

  • @pilotken8685 1 month ago +1

    You missed the part for FSLogix.... Stuck now after this...

    • @AzureAcademy 1 month ago +1

      What part did I miss?

    • @pilotken8685 1 month ago +1

      @AzureAcademy Getting FSLogix cannot find the storage path. Trying to move away from profiles on Azure VMs and direct to Azure File Services. I can browse to it from the VM itself, but FSLogix, logging in as system cannot find it.

    • @AzureAcademy 1 month ago +1

      How are you authenticating to the Azure Files storage? And have you enabled FSLogix policies?

    • @pilotken8685 1 month ago +1

      @AzureAcademy Looks like the issue was with DNS. Private link was still resolving to public Azure Address and not the private link IP.

    • @AzureAcademy 1 month ago +1

      Ah...yup, if something goes wrong...It's Always DNS 🤣
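
Both DNS problems reported in these comments (a private DNS zone missing a VNet link, and a Private Link name still resolving to the public address) can be confirmed from the session host with a check like this one. It is an added example, not part of the video or of any comment; the account name `mylab` comes from the earlier comment, the function name is hypothetical, and it assumes the VNet uses RFC 1918 address space.

```powershell
# Added example: confirm that an Azure Files endpoint resolves to a private
# address and that SMB (TCP 445) is reachable from this host.
# Test-AzFilesPrivateResolution is a hypothetical helper name.
function Test-AzFilesPrivateResolution {
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName
    )
    $fqdn = "$StorageAccountName.file.core.windows.net"

    # Resolve the name the same way the SMB client will. With Private Link the
    # answer is normally a CNAME to <account>.privatelink.file.core.windows.net
    # followed by an A record holding the private endpoint IP.
    $records = Resolve-DnsName -Name $fqdn -ErrorAction Stop
    $cnames  = @($records | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost)
    $ips     = @($records | Where-Object Type -eq 'A'     | ForEach-Object IPAddress)

    # RFC 1918 test on each returned IPv4 address (assumes a private VNet range).
    $private = foreach ($ip in $ips) {
        $b = ([System.Net.IPAddress]::Parse($ip)).GetAddressBytes()
        ($b[0] -eq 10) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)
    }
    $allPrivate = ($ips.Count -gt 0) -and ($private -notcontains $false)

    # TCP 445 is the SMB port the comments above saw failing.
    $tcp = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Fqdn            = $fqdn
        CnameChain      = $cnames -join ' -> '
        Addresses       = $ips -join ', '
        ResolvesPrivate = $allPrivate
        Smb445Reachable = $tcp.TcpTestSucceeded
        Diagnosis       = if (-not $allPrivate) {
            'Name resolves to a public address: check the private DNS zone and its VNet links.'
        } elseif (-not $tcp.TcpTestSucceeded) {
            'Private IP resolved but TCP 445 is blocked: check NSG rules and routing.'
        } else { 'OK' }
    }
}

Test-AzFilesPrivateResolution -StorageAccountName 'mylab'
```

FSLogix attaches profiles at logon, so run the check on the session host itself rather than from a management workstation that may use different DNS servers.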

  • @chelhernandez 3 years ago +1

    Thanks Dean for a great video.
    I have got a scenario where we need to migrate WVD users from South Central US to Asia East.
    Their .VHDX FSLogix User Profile is in a storage account in South Central US region. We need to migrate their data from that storage account to a new one in Asia East region, so the users will keep their data and permissions.
    + How can we achieve this migration?
    Because I did a test copying the .VHDX User Profile from the SouthCentral US storage account to the new storage account, logged in with a test user on a new VM (configured with WVD and FSLogix) in Asia East Region but it didn't get their profile from the .VHDX in the new Storage Account (I've set up the FSLogix with the new path). We are still using the same AADDS, the new VM was created in Asia East region and it is part of the same Host Pool as the South Central VM. I really appreciate your comments on this challenge. Thank you.

    • @AzureAcademy 3 years ago +1

      To do this you have 2 options
      1. A manual/scripted copy of all the profiles from the US storage to the Asia storage
      2. Use FSLogix Cloud Cache.
      Cloud cache will connect to both storage accounts and replicate the profiles for you.
      The downside is that the session host does the work which might impact performance to a small extent...but this is a background process so it should not be too bad.
      The additional downside is that it will increase the wait time to log in by a few seconds...
      This is because the session host needs to connect to storage in both locations

    • @chelhernandez 3 years ago +2

      @AzureAcademy Hi Dean, thanks for your help. I've used azcopy to move all the profiles from South Central storage account to the Asia East storage account, I've set up the flags to copy the ACL permissions; after that it worked. Thank you!

    • @AzureAcademy 3 years ago +1

      Great!