3. Module overview
You can operate and maintain Azure Stack hyperconverged infrastructure (HCI) by using the same tools you
use in traditional on-premises deployments. You can also leverage the extensibility and feature set offered
by Windows Admin Center, including integration with Azure-based services, such as Azure Monitor, Azure
Backup, Azure Site Recovery, and Update Management. In this module, you'll learn about these tools.
• Lessons:
o Implementing and managing workloads on Azure Stack HCI
o Maintaining Azure Stack HCI
5. Lesson 1 overview
Azure Stack HCI is designed to optimize performance, resiliency, and scalability of specific types of
workloads. In this lesson you will learn about implementing these workloads:
• Topics:
o Implement guest clustering with shared disks
o Demonstration: Implement guest clustering with shared disks
o Implement shielded VMs
o Implement VDI workloads
o Implement containerized workloads
o Implement Azure Network Adapter
o Demonstration: Implement Azure Network Adapter
o Implement Azure File Sync
o Demonstration: Implement Azure File Sync
o Manage Azure Stack HCI workloads with Azure Arc
6. Implement guest clustering with shared disks
• VHD Set files in Azure Stack HCI scenarios offer many benefits:
o Allows for sharing virtual disks across Microsoft Hyper-V VMs
o Leverages Cluster Shared Volume (CSV)
o Supports Hyper-V Replica and host-level backup
• To implement VHD Set files in Azure Stack HCI:
1. Create VHD Set files by using:
• Failover Cluster Manager (New Virtual Hard Disk Wizard)
• Hyper-V Manager
• The New-VHD PowerShell cmdlet
2. Attach the VHD Set to a SCSI controller of VMs hosting cluster nodes:
• Failover Cluster Manager (VM Settings)
• Add-VMHardDiskDrive PowerShell cmdlet with the -SupportPersistentReservations parameter
8. Implement shielded VMs (1 of 6)
Shielded VMs have a number of dependencies, including:
• Guarded fabric infrastructure managed by fabric admins, and consisting of:
o A Host Guardian Service (HGS) host or cluster
o Guarded Hyper-V hosts
• Shielding data file (.pdk file) encrypted by tenants, which contains:
o Tenant secrets (admin passwords, RDP certificates)
o Digital signatures of template disks available in the guarded fabric
o One or more key protectors, designating trusted guarded fabrics
9. Implement shielded VMs (2 of 6)
• To implement guarded fabric:
o Deploy an HGS cluster:
1. Install Windows Server 2019 on servers that will become HGS hosts
2. Join the servers to a dedicated, single-domain AD DS forest
3. Obtain signing and encryption certificates that will be used by guarded Hyper-V hosts
4. Initialize HGS hosts by configuring the attestation mode
10. Implement shielded VMs (3 of 6)
o Deploy guarded Hyper-V hosts:
1. Configure DNS name resolution between the HGS cluster and Hyper-V hosts
2. Configure attestation:
a. For TPM-trusted attestation:
▫ Capture TPM IDs
▫ Create a CI policy
▫ Establish a TPM baseline
b. For host key attestation
▫ Create a host key pair
▫ Store the private key on the Hyper-V hosts
▫ Copy the public key to the HGS hosts
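The following is an added example, not part of the course material, showing the PowerShell equivalent of slides 9 and 10: initializing HGS for host key attestation, registering a guarded host, pointing the host's HGS client at the service, and checking that attestation actually succeeds. The TPM-trusted variant of step 2 is shown as the commented alternative. Server names (hgs.bastion.local, HV01), file paths and the PFX handling are assumptions.

```powershell
# Added example (not course code). Assumptions: HGS node already prepared with
# Install-HgsServer in its own forest; signing/encryption PFX files staged under C:\certs;
# HGS service name 'hgs' in domain bastion.local; guarded host named HV01.

# --- On the HGS node: initialize with host key attestation ---
$certPw = Read-Host -Prompt 'PFX password' -AsSecureString
Initialize-HgsServer -HgsServiceName 'hgs' `
    -SigningCertificatePath    'C:\certs\HgsSigning.pfx'    -SigningCertificatePassword    $certPw `
    -EncryptionCertificatePath 'C:\certs\HgsEncryption.pfx' -EncryptionCertificatePassword $certPw `
    -TrustHostKey   # weaker than -TrustTpm: no measured boot or code integrity checks

# --- On the Hyper-V host: create the host key pair, export the public half (slide 10, 2b) ---
Set-HgsClientHostKey                       # private key stays in the host's certificate store
Get-HgsClientHostKey -Path 'C:\HV01.cer'   # copy this file to the HGS node

# --- Back on HGS: register the host's public key ---
Add-HgsAttestationHostKey -Name 'HV01' -Path 'C:\HV01.cer'

# --- TPM-trusted attestation instead (slide 10, 2a); HGS initialized with -TrustTpm ---
# On the host:
#   (Get-PlatformIdentifier -Name 'HV01').InnerXml | Out-File 'C:\HV01-tpm.xml' -Encoding UTF8
#   New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -FilePath 'C:\HW1CI.xml'
#   ConvertFrom-CIPolicy -XmlFilePath 'C:\HW1CI.xml' -BinaryFilePath 'C:\HW1CI.p7b'
#   Get-HgsAttestationBaselinePolicy -Path 'C:\HW1.tcglog'
# On HGS (one TPM ID per host, one CI policy and one baseline per hardware class):
#   Add-HgsAttestationTpmHost   -Name 'HV01'  -Path 'C:\HV01-tpm.xml'
#   Add-HgsAttestationCIPolicy  -Name 'HW1CI' -Path 'C:\HW1CI.p7b'
#   Add-HgsAttestationTpmPolicy -Name 'HW1'   -Path 'C:\HW1.tcglog'

# --- On the Hyper-V host: configure the client and confirm the host is guarded ---
# HGS listens on HTTP by default; production deployments should add -Https with a
# trusted certificate when initializing and use https:// URLs here.
$hgs = 'hgs.bastion.local'
Set-HgsClientConfiguration -AttestationServerUrl   "http://$hgs/Attestation" `
                           -KeyProtectionServerUrl "http://$hgs/KeyProtection"

$cfg = Get-HgsClientConfiguration
$cfg | Select-Object AttestationOperationMode, AttestationStatus, AttestationSubstatus, IsHostGuarded
if (-not $cfg.IsHostGuarded) {
    # Diagnostics name the failing check: unknown host key, CI policy mismatch, TPM baseline drift
    Get-HgsTrace -RunDiagnostics -Detailed
    throw "Host is not guarded: $($cfg.AttestationStatus) / $($cfg.AttestationSubstatus)"
}
```

Host key attestation only proves the host holds a registered private key; it does not check Secure Boot, the code integrity policy, or the TPM baseline, so a compromised host with the key still attests. Use it for non-TPM hardware or lab fabrics and prefer TPM-trusted attestation for production.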
11. Implement shielded VMs (4 of 6)
• There are two main scenarios that result in a deployment of a shielded VM into guarded fabric:
o Provisioning a shielded VM from a disk template within a guarded fabric on guarded Hyper-V
hosts
o Shielding an existing VM provisioned outside a guarded fabric or shielding a VM based on a
non-shielded disk template
12. Implement shielded VMs (5 of 6)
• Provisioning a shielded VM from a disk template:
1. The tenant or the guarded fabric admin creates a template disk that will be used to provision a
new shielded VM (the Template Disk Wizard in the Shielded VM Tools available as part of
Remote Server Administration Tools)
o The disk must be digitally signed and encrypted with BitLocker Drive Encryption
2. The tenant retrieves the HGS metadata that designates the target guarded fabric
3. The tenant creates a shielding data file (the Shielding Data File Wizard, with the Shielding data
for Shielded templates option)
4. The tenant provides the shielding data (and, if applicable, the template disk) to the guarded
fabric admin
5. The tenant creates a shielded VM from a template within the guarded fabric
13. Implement shielded VMs (6 of 6)
Shielding an existing VM provisioned outside a guarded fabric or shielding a VM based on a non-shielded
disk template:
1. The tenant retrieves the HGS metadata that designates the target guarded fabric
2. The tenant creates a shielding data file (the Shielding Data File Wizard, with the Shielding data
for existing VMs and non-Shielded templates option)
3. The tenant creates a helper VHDX, which will be used to convert the existing VM into shielded
VM (on a Hyper-V host with the Shielded VM Tools installed):
a. The tenant provisions a Gen 2 VM with a fixed or dynamically expanding disk running
Windows Server 2019
b. The tenant shuts down the OS and initializes the VHDX as a VM-shielding helper disk (the
Initialize-VMShieldingHelperVHD PowerShell cmdlet)
4. The tenant enables BitLocker on all disks attached to the VM to be shielded
5. The tenant exports the VM to be shielded and provides it to the fabric administrator along with
the helper VHDX and the shielding data file
6. The fabric administrator uses the shielding data file and the helper VHDX to convert the existing
VM into a shielded VM
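Here is an added example, not from the course, that scripts the tenant side of slides 11 through 13: signing and encrypting a template disk, importing the guarded fabric's HGS guardian, and producing the .pdk shielding data file that only that fabric (and the tenant's own owner key) can decrypt. The certificate subject, file paths, HGS FQDN and names are assumptions; it runs on a machine with the Shielded VM Tools installed.

```powershell
# Added example (not course code). Assumptions: code-signing cert 'CN=Contoso Template Signer'
# in the user store, a sysprepped WS2019 VHDX under C:\templates, HGS at hgs.bastion.local,
# an unattend.xml under C:\tenant.

# 1. Template disk: sign it and seal the OS volume with BitLocker (slide 12, step 1).
#    Protect-TemplateDisk is one-way; keep an unprotected copy for future rebuilds.
$signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Subject -eq 'CN=Contoso Template Signer' | Select-Object -First 1
Protect-TemplateDisk -Path 'C:\templates\WS2019-Template.vhdx' `
    -TemplateName 'WS2019 Shielded Template' -Version '1.0.0.0' -Certificate $signer

# The volume signature catalog (.vsc) is what the .pdk pins, so a fabric admin cannot
# substitute a tampered disk carrying the same template name.
Save-VolumeSignatureCatalog -TemplateDiskPath 'C:\templates\WS2019-Template.vhdx' `
    -VolumeSignatureCatalogPath 'C:\templates\WS2019-Template.vsc'

# 2. HGS metadata that designates the target guarded fabric (slide 12, step 2).
$hgs = 'hgs.bastion.local'
Invoke-WebRequest -Uri "http://$hgs/KeyProtection/service/metadata/2014-07/metadata.xml" `
    -OutFile 'C:\tenant\HGSGuardian.xml'

# -AllowUntrustedRoot is only acceptable when the fabric admin has given you the HGS
# certificate thumbprints out of band; a swapped metadata file would otherwise make an
# attacker-controlled HGS a key protector for every VM you shield with this .pdk.
$fabric = Import-HgsGuardian -Path 'C:\tenant\HGSGuardian.xml' -Name 'ContosoFabric' -AllowUntrustedRoot
$fabric.EncryptionCertificate.Thumbprint, $fabric.SigningCertificate.Thumbprint   # compare out of band

# 3. Owner guardian: the tenant's own key pair, which never goes to the fabric (slide 12, step 3).
$owner = Get-HgsGuardian -Name 'ContosoOwner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'ContosoOwner' -GenerateCertificates }

# Pin the exact template build; 'Equals' rejects any other version of the disk.
$vidq = New-VolumeIDQualifier -VolumeSignatureCatalogFilePath 'C:\templates\WS2019-Template.vsc' -VersionRule Equals

# The .pdk carries the secrets (unattend with admin password, optional RDP cert via -OtherFile)
# encrypted to the owner and to the fabric's HGS; the fabric admin never sees plaintext.
New-ShieldingDataFile -ShieldingDataFilePath 'C:\tenant\Contoso.pdk' `
    -Owner $owner -Guardian $fabric -VolumeIDQualifier $vidq `
    -WindowsUnattendFile 'C:\tenant\unattend.xml' -Policy Shielded

# 4/5. Hand Contoso.pdk and the template disk to the fabric admin. On a guarded host that has
#      the template disk, provisioning is a single call:
#      New-ShieldedVM -Name 'SHD01' -TemplateDiskPath 'C:\templates\WS2019-Template.vhdx' `
#                     -ShieldingDataFilePath 'C:\tenant\Contoso.pdk' -Wait
# For the existing-VM path (slide 13), the helper disk is prepared with
#      Initialize-VMShieldingHelperVHD -Path 'C:\tenant\helper.vhdx'
# and the same .pdk (created with the "existing VMs" option, i.e. no -VolumeIDQualifier) is used.
```

The point to check before handing anything over: the .pdk's guardian list. Every guardian in it can release the VM's key, so an extra or wrong fabric entry there is the tenant's mistake, not the fabric's.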
14. Implement VDI workloads
• VDI is one of the recommended workloads to be hosted on Azure Stack HCI, with Microsoft RDS or
equivalent third-party offerings serving the role of a virtual desktop broker:
o Customers should consider using Microsoft RDS
• To implement VDI workloads based on RDS:
1. Determine the preferred licensing model and procure enough RDS CALs
2. Obtain SSL certificates for the RD Gateway and RD Connection Broker servers
3. Deploy RDS infrastructure components into Azure Stack HCI
4. Configure high availability of the RD Connection Broker and RD Gateway
5. Create session collections that will contain VMs you intend to make available to VDI users
(managed pooled, unmanaged pooled, managed personal, or unmanaged personal)
6. Use Storage Spaces Direct to store user profile disks (UPDs)
7. Integrate VDI instances with Azure Update Management and Azure Security Center by using
Windows Admin Center
8. If necessary, deploy Remote Desktop client to client devices
15. Implement containerized workloads
• Kubernetes v1.14 and later supports Windows Server 2019 as worker nodes (the control plane remains Linux) and as the base of Windows container images
• Azure Stack HCI further enhances the agility and resiliency inherent to Kubernetes deployments
• Implementation of Kubernetes on Azure Stack HCI typically involves the use of third-party tools
• Windows Admin Center includes the Containers extension, which simplifies:
o Assessing health status of containers running within the Azure Stack HCI
o Troubleshooting performance and stability issues
16. Implement Azure Network Adapter
• Azure Network Adapter is a convenient tool to:
o Provision an Azure VPN gateway resource in an Azure virtual network
o Establish a P2S VPN connection to that gateway
• To implement Azure Network Adapter:
1. Create an Azure virtual network or identify an existing one
2. Register Windows Admin Center with Azure:
a. Create and register an Azure AD app directly from within Windows Admin Center
b. Pre-create an Azure AD app and use it during registration
3. Windows Admin Center will automatically:
a. Create GatewaySubnet within the virtual network (if needed)
b. Provision a VPN gateway of the SKU you select
c. Configure the VPN gateway for P2S VPN with the client IP address space you designate
24. Implement Azure File Sync (7 of 7)
• To implement Azure File Sync:
1. Create an Azure file share in the same Azure region where you want to deploy Azure File Sync
2. Deploy the Storage Sync Service
3. Install the Azure File Sync agent
4. Register Windows Server with Storage Sync Service
5. Create a sync group
6. Add one or more server endpoints
• Windows Admin Center simplifies Azure File Sync deployment by managing:
o Creation of a Storage Sync Service
o Creation of a storage account with an Azure file share
o Download and installation of the Azure File Sync agent
o Registration of the managed Windows Server with the Storage Sync Service
o Creation of a sync group
o Configuration of cloud tiering
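The sequence above, as an added example in Az PowerShell rather than Windows Admin Center (this is not course code): it creates the pieces in the order the dependencies require, which is also the answer to review question 2. Resource names (rg-afs, stafscontoso, afs-contoso, share accounting, server HCIVM01, path D:\Accounting, region westeurope) are assumptions; the two steps marked "on the server" must run on the Azure Stack HCI guest that will host the server endpoint.

```powershell
# Added example (not course code); requires the Az.Storage and Az.StorageSync modules.
Connect-AzAccount | Out-Null
$rg = 'rg-afs'; $loc = 'westeurope'; $sss = 'afs-contoso'

# 1. Storage account and file share in the region that will host the Storage Sync Service.
#    HTTPS-only and TLS 1.2 so the SMB/REST path to the share is not downgradable.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name 'stafscontoso' -Location $loc `
        -SkuName Standard_LRS -Kind StorageV2 -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $sa.StorageAccountName -Name 'accounting' | Out-Null

# 2. Storage Sync Service: everything else (groups, endpoints, servers) hangs off it.
$service = New-AzStorageSyncService -ResourceGroupName $rg -Name $sss -Location $loc

# 3/4. On the server: install the agent, then register. Register-AzStorageSyncServer has to
#      run locally because it binds this machine's identity to the service.
#      Start-Process msiexec.exe -ArgumentList '/i','StorageSyncAgent.msi','/quiet' -Wait
#      Register-AzStorageSyncServer -ResourceGroupName $rg -StorageSyncServiceName $sss
$server = Get-AzStorageSyncServer -ResourceGroupName $rg -StorageSyncServiceName $sss |
    Where-Object FriendlyName -eq 'HCIVM01'      # the registered server's hostname (assumption)
if (-not $server) { throw 'HCIVM01 is not registered with the Storage Sync Service yet' }

# 5. Sync group with the file share as its one cloud endpoint.
$group = New-AzStorageSyncGroup -ResourceGroupName $rg -StorageSyncServiceName $sss -Name 'Accounting'
New-AzStorageSyncCloudEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sss `
    -SyncGroupName $group.SyncGroupName -Name 'accounting-share' `
    -StorageAccountResourceId $sa.Id -AzureFileShareName 'accounting' | Out-Null

# 6. Server endpoint with cloud tiering: keep 20 % of the volume free, tier files idle > 30 days.
New-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sss `
    -SyncGroupName $group.SyncGroupName -Name 'HCIVM01-Accounting' `
    -ServerResourceId $server.ResourceId -ServerLocalPath 'D:\Accounting' `
    -CloudTiering -VolumeFreeSpacePercent 20 -TierFilesOlderThanDays 30 | Out-Null
```

Cloud tiering leaves reparse-point stubs on the server volume; backup and antivirus agents on the HCI guest must be tiering-aware or they will recall every file. A second server endpoint in the same sync group, added with the same cmdlet from another registered server, gives the multi-site sync topology the later diagram describes.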
26. Manage Azure Stack HCI workloads with Azure Arc (1 of 2)
• Azure Arc assigns a resource ID and an Azure resource group to each non-Azure computer
• This assignment serves as the basis for the following functionality:
o Azure Policy guest configuration, which supports:
• Auditing of the operating system, applications, and environment settings
• Configuring the time zone on the Windows operating system
o Resource-context access to Log Analytics data, enabling you to control access to logs collected
from on-premises computers the same way as for Azure resources, by using:
• Access mode (workspace-context and resource-context)
• Access control mode (require workspace permissions, use resource or workspace permissions)
o Installation of Azure VM extensions:
• Windows OS (CustomScriptExtension, DSC, Log Analytics Agent, Microsoft Dependency agent)
• Linux OS (CustomScript, DSC, Log Analytics Agent, Microsoft Dependency agent)
27. Manage Azure Stack HCI workloads with Azure Arc (2 of 2)
To implement the Azure Arc functionality in Azure Stack HCI:
• Install the Azure Connected Machine agent on VMs you intend to manage; the agent needs only
outbound TCP port 443 connectivity to Azure (directly or through a proxy)
o For smaller-scale deployments, use:
▫ Windows Installer package available from Microsoft Downloads
▫ An onboarding script available from the Azure portal
▫ Windows Admin Center
o For larger-scale deployments, use:
▫ PowerShell DSC and an Azure AD service principal limited to the Azure Connected Machine
Onboarding role
• Create and assign an Azure policy definition containing Azure Policy Guest Configuration settings
• Configure and assign an Azure VM extension
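An added example (not course code) of the large-scale path from this slide: onboarding an Azure Stack HCI guest with a service principal and then pushing the Log Analytics agent as an Arc extension. Tenant, subscription and service principal IDs, the resource group, and the environment variable holding the secret are assumptions; the extension step assumes the Az.ConnectedMachine module on a management workstation.

```powershell
# Added example (not course code). Run the first part on the VM being onboarded.
$tenantId = '00000000-0000-0000-0000-000000000000'   # assumption
$subId    = '11111111-1111-1111-1111-111111111111'   # assumption
$spId     = '22222222-2222-2222-2222-222222222222'   # assumption: SP with "Azure Connected Machine Onboarding" only
$rg = 'rg-arc-servers'; $loc = 'westeurope'

# Never hard-code the secret: read it at run time (here from an environment variable the
# deployment tool sets) so it does not land in DSC configuration data or transcripts.
$spSecret = $env:ARC_SP_SECRET
if (-not $spSecret) { throw 'ARC_SP_SECRET is not set' }

# Install the Connected Machine agent from Microsoft's documented download alias.
$msi = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
Invoke-WebRequest -Uri 'https://aka.ms/AzureConnectedMachineAgent' -OutFile $msi -UseBasicParsing
$p = Start-Process msiexec.exe -ArgumentList '/i', "`"$msi`"", '/qn', '/l*v', "`"$env:TEMP\arc-install.log`"" -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "Agent install failed with exit code $($p.ExitCode)" }

# Connect: this creates the Azure resource (resource ID + resource group) the slide describes.
# Only outbound TCP 443 is needed; add --proxy-url if egress goes through a proxy.
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
& $azcmagent connect `
    --service-principal-id $spId --service-principal-secret $spSecret `
    --tenant-id $tenantId --subscription-id $subId `
    --resource-group $rg --location $loc
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }
& $azcmagent show     # "Agent Status" must read Connected before extensions can be deployed

# From a management workstation: deploy the Log Analytics agent extension. The workspace key
# goes in ProtectedSetting so it is not readable back from the Arc resource.
Connect-AzAccount -Tenant $tenantId -Subscription $subId | Out-Null
New-AzConnectedMachineExtension -ResourceGroupName $rg -MachineName $env:COMPUTERNAME -Location $loc `
    -Name 'MicrosoftMonitoringAgent' -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
    -ExtensionType 'MicrosoftMonitoringAgent' `
    -Setting          @{ workspaceId  = '<workspace id>'  } `
    -ProtectedSetting @{ workspaceKey = '<workspace key>' }
```

Once connected, the VM's Azure resource ID is what Azure Policy guest configuration assignments and resource-context Log Analytics access bind to, so the resource group you choose here is the scope at which you will later grant those permissions.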
28. Lesson 1: Test your knowledge
Refer to the Student Guide for lesson-review questions
30. Lesson 2 overview
• You can optimize maintenance of Azure Stack HCI by leveraging services that simplify and streamline
traditional maintenance tasks, such as monitoring, backups, or patching. Some of these services, such as
Azure Monitor, Azure Backup, Azure Site Recovery, and Azure Update Management are cloud-based,
while others, such as Cluster-Aware Updating, were designed specifically for on-premises scenarios.
• Maintenance tasks also include adding and removing nodes of an Azure Stack HCI cluster:
o Topics:
• Implement Azure Monitor
• Demonstration: Implement Azure Monitor
• Implement Azure Backup
• Implement Azure Site Recovery
• Implement the Update Management solution in Azure Automation
• Deploy updates by using Cluster-Aware Updating
• Add and remove nodes in an Azure Stack HCI cluster
31. Implement Azure Monitor (1 of 2)
• Azure Monitor provides three main benefits:
o Monitoring and metrics dashboard
o Querying and analyzing logs
o Alerting and remediation
• Azure Monitor delivers focused, in-depth monitoring capabilities:
o Deep infrastructure monitoring
o Deep application monitoring
32. Implement Azure Monitor (2 of 2)
To implement the Azure Monitor functionality in Azure Stack HCI:
• In Azure:
1. Create a Log Analytics workspace and configure data collection
2. If needed, create and configure additional services such as Azure Automation or monitoring
solutions such as Change tracking and inventory
• On Azure Stack HCI (cluster nodes and/or VMs):
1. Install the Log Analytics agent (available for download directly from the Azure portal)
2. Connect the agent to the workspace:
• Manually (specify the workspace ID and one of the two workspace keys; treat the key as a
credential, because it authorizes data ingestion into the workspace)
• Unattended or automated by using Azure Automation PowerShell DSC
• Using Windows Admin Center to automatically enable:
▫ Azure Monitor for VMs, including trending performance charts and dependency map
▫ Windows Server 2019 Health Service telemetry collection
3. Install additional monitoring solutions and if applicable, additional agents
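The manual agent onboarding from the slide, scripted for unattended use on a cluster node or VM, as an added example (not course code). It installs the agent with the workspace baked in and then confirms through the agent's configuration COM object that the workspace is actually connected. The workspace ID and key are placeholders you supply; the download link is the one Microsoft documents for the 64-bit Windows agent (assumed unchanged).

```powershell
# Added example (not course code). Placeholders: $WorkspaceId, $WorkspaceKey.
$WorkspaceId  = '<workspace id>'
$WorkspaceKey = '<primary or secondary key>'   # a credential: do not commit it; rotate it if it leaks
$work = Join-Path $env:TEMP 'mma'
New-Item -ItemType Directory -Path $work -Force | Out-Null

Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkId=828603' `
    -OutFile "$work\MMASetup-AMD64.exe" -UseBasicParsing

# The download is a self-extractor; extract it, then run the embedded setup silently.
Start-Process "$work\MMASetup-AMD64.exe" -ArgumentList '/c', "/t:`"$work\ext`"" -Wait
$setupArgs = @(
    '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
    'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',          # 0 = Azure public cloud
    "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"",
    "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
    'AcceptEndUserLicenseAgreement=1'
)
$p = Start-Process "$work\ext\setup.exe" -ArgumentList $setupArgs -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw "Agent setup failed with exit code $($p.ExitCode)" }   # 3010 = reboot pending

# Verify via the agent's configuration object. The same object adds or removes workspaces
# later (AddCloudWorkspace / RemoveCloudWorkspace, then ReloadConfiguration).
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$ws  = $mma.GetCloudWorkspaces() | Where-Object workspaceId -eq $WorkspaceId
if (-not $ws) { throw 'Workspace is missing from the agent configuration' }
# ConnectionStatus 0 = connected; anything else usually means blocked egress on TCP 443
$ws | Select-Object workspaceId, ConnectionStatus, ConnectionStatusText
```

This is also the install that onboards a VM for Update Management in lesson 2, so one agent deployment serves both.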
34. Implement Azure Backup (1 of 5)
• Azure Backup offers the following backup options:
o Local file, folder, and system state backups by using Azure Backup on a Windows Server
o Long-term storage of backups by using Microsoft Azure Backup Server
o Long-term storage of backups by using System Center Data Protection Manager (DPM)
35. Implement Azure Backup (2 of 5)
To implement backups of Azure Stack HCI workloads with Azure Backup on a Windows Server:
• Use Windows Admin Center–guided procedure:
1. Sign into the Azure subscription that will host backups
2. Run the Set up Azure Backup step:
• Select the target Azure region, resource group, and vault (Windows Admin Center
automatically provisions Recovery Services vault if one does not already exist)
3. Run the Select Backup Items and Schedule step:
• Select data to back up, which might include local files, folders, volumes, and system state
• Specify frequency of backups and their retention period
4. Run the Enter Encryption Passphrase step:
• Specify a string of at least 16 characters to be used for encrypting backups
• The passphrase is also required to recover data to a different server from the one where the
backup was performed; store it securely outside that server, because Microsoft cannot recover it
• Use the Azure portal, scripted, or template-based implementation to customize the configuration
(for example, alter default frequency or retention period of backups)
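The scripted alternative the last bullet refers to, as an added example (not course code): the MARS agent's MSOnlineBackup module on a Windows Server VM, covering vault registration, the encryption passphrase, and a file/folder policy with a custom schedule and retention. The vault credentials file name, folder list, schedule and retention values are assumptions.

```powershell
# Added example (not course code). Run on the VM that has the Azure Backup (MARS) agent installed.
Import-Module MSOnlineBackup

# Register with the Recovery Services vault using the credentials file downloaded from the portal.
# The file is valid for a limited time; delete it after registration.
Start-OBRegistration -VaultCredentials 'C:\vault\ContosoVault.VaultCredentials' -Confirm:$false

# Encryption passphrase (16+ characters). It never leaves this machine and Azure cannot reset it:
# store it in a secrets store before running this, or the backups are unrecoverable elsewhere.
$passphrase = Read-Host -Prompt 'Backup encryption passphrase (16+ chars)' -AsSecureString
Set-OBMachineSetting -EncryptionPassphrase $passphrase

# File/folder policy: two folders, daily at 22:00, 30-day retention
# (-RetentionWeeklyPolicy / -RetentionMonthlyPolicy add longer tiers).
$policy    = New-OBPolicy
$items     = New-OBFileSpec -FileSpec 'D:\Data', 'D:\Profiles'
$schedule  = New-OBSchedule -DaysOfWeek Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday -TimesOfDay 22:00
$retention = New-OBRetentionPolicy -RetentionDays 30
Add-OBFileSpec       -Policy $policy -FileSpec $items
Set-OBSchedule       -Policy $policy -Schedule $schedule
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention
Set-OBPolicy         -Policy $policy -Confirm:$false

# System state is a separate policy object with its own schedule.
$ssPolicy = New-OBPolicy
Add-OBSystemState -Policy $ssPolicy
Set-OBSchedule    -Policy $ssPolicy -Schedule (New-OBSchedule -DaysOfWeek Sunday -TimesOfDay 23:00)
Set-OBRetentionPolicy -Policy $ssPolicy -RetentionPolicy (New-OBRetentionPolicy -RetentionDays 60)
Set-OBSystemStatePolicy -Policy $ssPolicy -Confirm:$false

# Review what is now active and the outcome of recent jobs.
Get-OBPolicy | Get-OBSchedule
Get-OBJob -Previous 5
```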
36. Implement Azure Backup (3 of 5)
To implement backups of Azure Stack HCI workloads with Microsoft Azure Backup Server:
1. Create an Azure Recovery Services vault
2. Set storage replication of the vault
3. Identify the server that will host Azure Backup Server
4. Download and extract Azure Backup Server binaries
5. Download the vault credentials
6. Install Azure Backup Server binaries
• Use the local Microsoft SQL Server instance included with the installation or specify an
existing one
• Provide the downloaded vault credentials to register the local Azure Backup Server with the
Azure Recovery Services vault
7. Configure storage pools and disks, which provide short-term storage for backups
8. Install Data Protection Manager protection agent on target servers that will be backed up by
using the Azure Backup Server
9. Configure protection settings for the target servers
37. Implement Azure Backup (4 of 5)
[Diagram: Azure Backup Server topology. On-premises Azure Stack HCI hosting a SQL Server VM, a domain controller VM, Linux VMs, and a Windows Server VM running Microsoft Azure Backup Server; Azure primary region with Azure Storage and the Azure Recovery Services vault, Azure Active Directory, and an Azure secondary region; Azure Import/Export between on-premises and Azure.]
38. Implement Azure Backup (5 of 5)
To implement backups of Azure Stack HCI workloads with System Center DPM:
1. Create an Azure Recovery Services vault
2. Set storage replication of the vault
3. Download and install Recovery Services Agent on the DPM server
• Provide the downloaded vault credentials to register the DPM Server with the Azure Recovery
Services vault
4. If needed, configure storage pools and disks which provide short-term storage for backups
5. Install DPM protection agent on target servers that will be backed up by using the DPM server
6. Configure protection settings for the target servers
39. Implement Azure Site Recovery (1 of 6)
Azure Site Recovery supports the following use cases:
o Failover and failback between two on-premises sites
o Failover and failback between an on-premises site and an Azure region
o Failover and failback between two Azure regions
The choice of protection mechanism provided by Azure Site Recovery depends on:
o Location of the recovery site (on-premises or Azure)
o Type of computer to protect (physical or virtual)
o Virtualization platform (Hyper-V or VMware ESXi)
o Virtualization management software
o Replication mechanism
In the context of Azure Stack HCI, the following two disaster recovery scenarios are relevant:
o Disaster recovery of Hyper-V VMs not managed by SCVMM to Azure
o Disaster recovery of Hyper-V VMs managed by SCVMM to Azure
40. Implement Azure Site Recovery (2 of 6)
Azure Site Recovery architecture:
• Disaster recovery of Hyper-V VMs not managed by SCVMM to Azure:
o Azure components:
• A Recovery Services vault serving as the central management point for disaster recovery–
related replication and orchestration
• An Azure general purpose, LRS or GRS Standard SKU storage account hosting replicated disks
• An Azure virtual network for a planned or unplanned disaster recovery event
• An Azure virtual network for a disaster recovery test
o On-premises components:
• Windows Server 2019 Hyper-V servers hosting the protected VMs
• Protected Hyper-V VMs
• Azure Site Recovery Provider running on each Windows Server 2019 Hyper-V host
41. Implement Azure Site Recovery (3 of 6)
[Diagram: Azure Site Recovery topology for Hyper-V VMs not managed by SCVMM. On-premises Azure Stack HCI Hyper-V server hosting Windows Server and Linux VMs; replication of VM disks to Azure Storage in the Azure primary region and orchestration through the Azure Recovery Services vault; Azure Active Directory; an Azure secondary region.]
42. Implement Azure Site Recovery (4 of 6)
Azure Site Recovery architecture:
• Disaster recovery of Hyper-V VMs managed by SCVMM to Azure
o Azure components: the same as with the disaster recovery of Hyper-V VMs not managed by
VMM to Azure (listed on previous slide)
o On-premises components
• Windows Server 2019 Hyper-V servers hosting the protected VMs
• Protected Hyper-V VMs
• A SCVMM 2019 deployment hosting one or more private clouds and logical networks
• VMM virtual machine networks linked to logical networks associated with the SCVMM clouds
▫ You map these networks to Azure virtual networks when creating a recovery plan
• The Azure Site Recovery Provider running on the SCVMM server
▫ The provider manages communication with the Recovery Services vault
• The Azure Site Recovery Services agent running on Hyper-V hosts
▫ The agent is responsible for replication of disks of protected VMs
43. Implement Azure Site Recovery (5 of 6)
• Implement Azure Site Recovery for Azure Stack HCI VMs:
o By using a guided procedure on the Recovery Services vault blade in the Azure portal:
• Run the Prepare infrastructure step:
▫ Select protection goal
▫ Confirm deployment planning
▫ Designate source and a target
▫ Configure replication settings
• Run the Replicate Application step:
▫ Designate source
▫ Select VMs
▫ Configure replication settings
44. Implement Azure Site Recovery (6 of 6)
• Run the Manage Recovery Plans step:
▫ Create and configure recovery plans
▫ A recovery plan identifies protected VMs and dictates the order of individual steps during
failover and a failback. You have the option of automating these steps by using Azure
Automation scripts and workflows.
o By using a guided procedure in Windows Admin Center:
▫ Enable VM protection functionality on the cluster (Set up VM protection)
▫ Select VMs to protect (Protect VM)
▫ For any subsequent steps, including creating a recovery plan, performing a failover, and
monitoring replication, use the Recovery Services vault blade in the Azure portal
45. Implement the Update Management solution in Azure Automation
(1 of 2)
• Update Management provides the following benefits:
o Delivers status of updates on managed servers
o Automates update deployments based on compliance status or group membership:
• Groups can be:
▫ Defined by using Log Analytics queries
▫ Imported from Windows Server Update Services (WSUS)
▫ Imported from Microsoft Endpoint Configuration Manager
o Supports update-specific searches of Azure Monitor logs collected from managed servers
46. Implement the Update Management solution in Azure Automation
(2 of 2)
Implement Update Management on Azure Stack HCI:
• By using the Azure portal:
1. Create a Log Analytics workspace and an Azure Automation account:
• The workspace and the Automation account must be in one of the region pairings that Microsoft documents as supported for linking them
2. Enable the Update Management solution (from the Azure Automation blade in the Azure portal):
• Select the corresponding Log Analytics workspace
3. Onboard the on-premises VMs by installing the Log Analytics agent
4. Select the VMs to manage
5. Schedule updates (servers can obtain updates from any location supported by the operating
system, including WSUS and Endpoint Configuration Manager)
• By using Windows Admin Center (Set up Azure Update Management):
o Ensures correct choice of regions for Log Analytics workspace and an Azure Automation account
o Doesn’t automatically onboard managed servers into Update Management:
• You can use the Azure portal to complete the implementation
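Steps 4 and 5 of the portal procedure, scripted as an added example (not course code): once the Log Analytics agent is on the VMs (the same install shown under Azure Monitor) and the workspace is linked to the Automation account, this schedules a security-only deployment for named on-premises VMs and then queries the workspace for machines still missing security updates. Resource names, the time zone, computer names and the workspace GUID are assumptions; it needs the Az.Automation and Az.OperationalInsights modules.

```powershell
# Added example (not course code). Assumes Update Management is already enabled on the
# workspace/automation account pair and the target VMs report to that workspace.
Connect-AzAccount | Out-Null
$rg = 'rg-ops'; $aa = 'aa-hci'; $workspaceId = '<workspace GUID>'

# Weekly window: Saturday 02:00. -ForUpdateConfiguration marks the schedule for Update Management.
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa `
    -Name 'hci-security-weekly' -StartTime (Get-Date '02:00').AddDays(1) `
    -WeekInterval 1 -DaysOfWeek Saturday -TimeZone 'Europe/London' -ForUpdateConfiguration

# Critical + Security only, two-hour window, reboot only when an update demands it.
# -NonAzureComputer targets the agent-reported names of the HCI guests.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -Schedule $schedule -Windows -NonAzureComputer 'HCIVM01', 'HCIVM02' `
    -IncludedUpdateClassification Critical, Security `
    -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired | Out-Null

# Compliance check after the window: machines still missing security updates, from the
# same Update table the portal's Update Management blade reads.
$kql = @'
Update
| where TimeGenerated > ago(1d)
| where Classification == "Security Updates" and UpdateState == "Needed"
| summarize Missing = dcount(KBID) by Computer
| order by Missing desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$result.Results | Format-Table Computer, Missing -AutoSize
```

The classification filter is the control that matters: an update deployment that includes every classification will also pull feature packs and tools into a two-hour window, and the RebootSetting decides whether a pending reboot on a cluster node is taken inside that window.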
47. Deploy updates by using Cluster-Aware Updating (1 of 3)
• Cluster-Aware Updating (CAU) reduces the administrative overhead and downtime associated with installing updates on cluster nodes
• CAU updates individual nodes, performing the same sequence of steps on each:
1. Placing a node into maintenance mode
2. Moving any clustered roles hosted on the local node to another one
3. Installing updates
4. Performing a restart if required
5. Terminating the maintenance mode on the local node
6. Moving clustered roles back to the local node
48. Deploy updates by using Cluster-Aware Updating (2 of 3)
CAU can operate in one of two modes:
• Self-updating mode:
o CAU is implemented as a clustered role within the managed cluster
o Details of update operations, such as scheduled times, are based on Updating Run profiles
o When an Updating Run initiates, it triggers creation of the CAU Update Coordinator process
on the cluster node currently hosting the CAU clustered role
o The CAU role orchestrates orderly updates on all cluster nodes
o When it’s time to update the node hosting the CAU role, CAU initiates failover to another node
and continues the updates
• Remote-updating mode:
o Requires use of CAU admin tools from a computer that is not part of the target cluster to
invoke deployments
o Provides more visibility into status of Updating Runs
o Requires an administrative action to trigger updates
49. Deploy updates by using Cluster-Aware Updating (3 of 3)
To implement CAU on Azure Stack HCI, use either:
• Self-updating mode:
o Manual process:
1. Install the Failover Clustering Tools on all cluster nodes
2. Start the Cluster Aware Updating tool
3. Configure Updating Run profiles according to your requirements.
o Automated process:
▫ Use the Add-CauClusterRole PowerShell cmdlet
• Remote-updating mode:
1. Install the Failover Clustering tools on a remote computer with direct connectivity to the
cluster nodes
2. Invoke CAU from the remote computer
• Windows Admin Center supports CAU management, but this requires enabling CredSSP-based
authentication and providing explicit credentials to connect to the cluster nodes. CredSSP
delegates those credentials to the target nodes, where anyone with administrative access can
harvest them, so enable it only for the duration of the updating run and disable it afterwards
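An added example (not course code) of both modes from these slides: configuring the self-updating clustered role with an explicit run profile, the remote-updating run with its preview scan and report, and the CredSSP enable/disable pair that the Windows Admin Center path requires. The cluster name, schedule, delegation target and plug-in arguments are assumptions.

```powershell
# Added example (not course code). Run from a cluster node or a machine with the
# Failover Clustering tools; the remote-updating part must run off-cluster.
$cluster = 'HCI-CL01'

# Readiness checks: firewall rules for remote shutdown, WinRM, proxy, cluster permissions.
Test-CauSetup -ClusterName $cluster

# Self-updating mode: clustered role, second Tuesday of the month at 03:00, recommended updates
# included. -MaxFailedNodes 1 halts the run before a bad update can take the cluster below quorum;
# -RequireAllNodesOnline refuses to start while any node is already down.
Add-CauClusterRole -ClusterName $cluster -Force -EnableFirewallRules `
    -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
    -CauPluginArguments @{ IncludeRecommendedUpdates = 'True' } `
    -StartDate '2020-06-09T03:00:00' -DaysOfWeek Tuesday -WeeksOfMonth 2 `
    -MaxFailedNodes 1 -MaxRetriesPerNode 3 -RequireAllNodesOnline

Get-CauClusterRole -ClusterName $cluster     # shows the schedule and run profile now in force

# Remote-updating mode (from a management workstation, never from a node of $cluster):
#   Invoke-CauScan -ClusterName $cluster -CauPluginName 'Microsoft.WindowsUpdatePlugin'  # what would install
#   Invoke-CauRun  -ClusterName $cluster -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
#                  -MaxFailedNodes 1 -MaxRetriesPerNode 3 -RequireAllNodesOnline -Force
#   Get-CauReport  -ClusterName $cluster -Last -Detailed                                 # per-node outcome

# Windows Admin Center / second-hop scenario: CredSSP forwards your cleartext-equivalent
# credentials to the nodes. Scope the delegation to the cluster's DNS suffix and remove it
# as soon as the updating run has finished.
Enable-WSManCredSSP -Role Client -DelegateComputer '*.contoso.local' -Force | Out-Null
# ... drive the updating run through Windows Admin Center ...
Disable-WSManCredSSP -Role Client
```

In self-updating mode the role runs under the cluster name object's identity, so no interactive credentials are exposed during scheduled runs; that is the strongest argument for preferring it over the remote mode for routine patching.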
50. Add and remove nodes in an Azure Stack HCI cluster
• To add a new server to an Azure Stack HCI cluster:
1. Obtain a physical server with matching hardware from the same Azure Stack HCI vendor
2. Set up the server within your data center infrastructure:
o Details are hardware specific, but this typically involves rack mounting, cabling, establishing
network connectivity, configuring out-of-band management controllers, applying the latest
firmware, and running OEM validation tests
3. Configure the OS to comply with your standards and join it to the AD DS domain
4. Add the server as an additional node to the Azure Stack HCI cluster:
o Use the Add server(s) to the cluster pane in Windows Admin Center
5. Run cluster validation
• To remove a server from an Azure Stack HCI cluster:
1. Select the server in the Servers pane of the Windows Admin Center cluster manager and choose
the option to remove it
2. Specify whether to remove the server's disks from the storage pool
3. Run cluster validation
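The validate / add / drain / remove sequence from this slide, as an added PowerShell example (not course code) that also waits for the storage repair jobs the Windows Admin Center wizard handles for you. Cluster, node and pool names are assumptions; it runs from a cluster node or a machine with the Failover Clustering tools, as a cluster administrator.

```powershell
# Added example (not course code).
$cluster = 'HCI-CL01'; $newNode = 'HCI-N05'; $oldNode = 'HCI-N01'
$validationTests = 'Storage Spaces Direct', 'Inventory', 'Network', 'System Configuration'

function Wait-StorageJobs {
    # S2D rebalances or repairs after every membership change; do not proceed while jobs run.
    param([string]$Cluster)
    while (Get-StorageJob -CimSession $Cluster | Where-Object JobState -eq 'Running') { Start-Sleep -Seconds 30 }
}

# --- Add ---
# Validate the new node together with the current members; the S2D test is not included by default.
$existing = (Get-ClusterNode -Cluster $cluster).Name
Test-Cluster -Node ($existing + $newNode) -Include $validationTests   # review the report for failures

Add-ClusterNode -Cluster $cluster -Name $newNode
Wait-StorageJobs -Cluster $cluster   # new disks auto-pool; wait for the rebalance to finish

# --- Remove ---
# Capture the node's disks while it is still reachable, then drain roles (VMs live-migrate off).
$node  = Get-StorageNode -CimSession $cluster -Name "$oldNode*"
$disks = Get-PhysicalDisk -CimSession $cluster -StorageNode $node -PhysicallyConnected
Suspend-ClusterNode -Cluster $cluster -Name $oldNode -Drain -Wait
Remove-ClusterNode  -Cluster $cluster -Name $oldNode -Force

# Slide step 2 (optional): take the departed node's disks out of the pool. Retiring triggers a
# repair onto the remaining nodes, so the pool must have the capacity for another copy first.
$pool = Get-StoragePool -CimSession $cluster -IsPrimordial $false | Select-Object -First 1
Set-PhysicalDisk -CimSession $cluster -InputObject $disks -Usage Retired
Wait-StorageJobs -Cluster $cluster
Remove-PhysicalDisk -CimSession $cluster -PhysicalDisks $disks -StoragePoolFriendlyName $pool.FriendlyName -Confirm:$false
Wait-StorageJobs -Cluster $cluster

# Nothing should be left degraded before the final validation run.
Get-VirtualDisk -CimSession $cluster | Select-Object FriendlyName, HealthStatus, OperationalStatus
Test-Cluster -Cluster $cluster -Include $validationTests
```

Leaving the disks in the pool after removing the node keeps the virtual disks degraded until the node returns or the disks are retired; the wizard's "remove disks" prompt is that retire-and-repair step.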
51. Lesson 2: Test your knowledge
Refer to the Student Guide for lesson-review questions
52. Instructor-led lab:
Using Windows
Admin Center in
hybrid scenarios
Provision the lab environment
Integrate hyperconverged infrastructure with
Azure services
Review Azure integration functionality
Manage updates to hyperconverged
infrastructure
Deprovision the Azure environment
53. Lab scenario (1 of 2)
Contoso, Ltd. is a medium-size financial services company with its headquarters in London, England. It’s
currently operating almost entirely on-premises, with most of its compute environment running on the
Windows Server platform, including virtualized workloads on Windows Server 2012 R2 and Microsoft
Hyper-V hosts in Windows Server 2016. Its internal IT staff is well-versed in Microsoft technologies,
including its virtualization and software-defined datacenter offerings.
In recent months, as part of datacenter consolidation and modernization initiatives, Contoso IT migrated
some of its applications to a range of Azure infrastructure as a service (IaaS) and platform as a service (PaaS)
services. However, several highly regulated workloads have to remain in the on-premises datacenters.
Two of these workloads present a challenge due to their performance and resiliency requirements. The first
workload is a group of heavily utilized Microsoft SQL Server instances hosting transactional databases for
Contoso’s loan origination department. The second workload is an isolated Virtual Desktop Infrastructure
(VDI) farm for users in Contoso’s securities research department, which is supposed to replace an aging
Windows Server 2012 R2–based Remote Desktop Services (RDS) deployment.
54. Lab scenario (2 of 2)
Contoso’s Chief Information Officer (CIO) realizes that implementing these workloads will require additional
investment in hardware. Before making the investment, she wants to verify that the extra expense will help
the IT organization deliver a modern technological solution and accelerate the datacenter consolidation
initiative. She also wants to make sure that it helps ensure a consistent management approach that
leverages existing IT skills, and if possible, integrates with some of the cloud services that Contoso is already
benefiting from, such as Azure Monitor. It's also critical that the new solution provides multiple levels of high
availability and resiliency, protecting these workloads from localized failures and facilitating disaster recovery to
another on-premises location.
IT management has started its search for solutions that would satisfy these requirements. As lead system
engineer, they have asked you to assist with the search and implement a proof-of-concept environment that
would help identify the most viable candidate.
To address the requirements for deployments of highly regulated workloads, you'll provision the core
compute and networking components of the lab environment and then test integration of hyperconverged
infrastructure with Azure services, including Azure Monitor and Azure Automation. You'll also test Cluster-Aware
Updating.
55. Lab: Using Windows Admin Center in hybrid scenarios
Exercise 1: Provision the lab environment by using PowerShell
Exercise 2: Integrate hyperconverged infrastructure with Azure services
Exercise 3: Review Azure integration functionality
Exercise 4: Manage updates to hyperconverged infrastructure
Exercise 5: Deprovision the Azure environment
Lab setup:
To connect to the lab VM, follow the steps the lab hosting provider provides you
56. Module-review questions (1 of 2)
1. Which two of the following components are required to shield an existing virtual machine (VM)
provisioned outside of guarded fabric?
a. TPM 2.0
b. VHD Set
c. Helper VHDX
d. .pdk file
e. .vmcx file
2. Which of the following components of Azure File Sync do you need to create first?
a. Storage Sync Service
b. Sync group
c. Cloud endpoint
d. Server endpoint
57. Module-review questions (2 of 2)
3. Which of the following tasks can be performed on Azure Stack HCI-hosted virtual machines running
Windows Server 2019 by leveraging Azure Arc functionality?
a. Install an Azure VM extension
b. Install a Windows Server role
c. Configure DNS settings
d. Configure the time zone
4. Which two Azure services are required to implement Azure Update Management of Azure Stack HCI-
hosted virtual machines running Windows Server 2019?
a. Azure Security Center
b. Azure Monitor
c. Azure Automation
d. Azure Sentinel
e. Azure Key Vault
58. Module-review answers
1. Which two of the following components are required to shield an existing virtual machine (VM)
provisioned outside of guarded fabric?
c. Helper VHDX
d. .pdk file
2. Which of the following components of Azure File Sync do you need to create first?
a. Storage Sync Service
3. Which of the following tasks can be performed on Azure Stack HCI-hosted virtual machines running
Windows Server 2019 by leveraging Azure Arc functionality?
d. Configure the time zone
4. Which two Azure services are required to implement Azure Update Management of Azure Stack HCI-
hosted virtual machines running Windows Server 2019?
b. Azure Monitor
c. Azure Automation
Prerequisites:
WSLab S2D Converged scenario implemented according to the instructions provided in WSLab/Scenarios/S2D Converged/ .
Demonstration steps:
On the lab VM, from the Server Manager window, select Tools and, in the drop-down menu, select Failover Cluster Manager.
In the Failover Cluster Manager window, in the tree pane, select Roles.
In the Failover Cluster Manager window, in the Actions pane, select Virtual Machines and, in the cascading menu, select New Hard Disk.
In the New Virtual Hard Disk window, ensure that the first cluster node is selected and select OK.
Step through the New Virtual Hard Disk Wizard and specify the following settings (leave all others with their default values):
Setting                                     Value
Choose Disk Format                          VHD Set
Choose Disk Type                            Dynamically expanding
Virtual disk file name                      shared1.vhds
Virtual disk file location                  C:\ClusterStorage\MyVolumeonHDDs1\testvmmyvolumeonhdds1_1\virtual hard disks\
Create a new blank virtual hard disk, size  127 GB
Back in the Failover Cluster Manager window displaying the list of roles, right-click or access the context menu on TestVMMyVolumeonHDDs1_1 and select Settings.
In the Settings window, select SCSI Controller, next select Shared drive, and then select Add.
In the Shared Drive pane, select Browse, in the Open window, navigate to the C:\ClusterStorage\MyVolumeonHDDs1\testvmmyvolumeonhdds1_1\virtual hard disks\ folder, and select shared1.vhds.
Back in the Settings window, select OK.
Back in the Failover Cluster Manager window displaying the list of roles, right-click or access the context menu on TestVMMyVolumeonHDDs1_2 and select Settings.
Repeat the same sequence of steps to attach the same shared disk to the second VM.
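The same result as the demonstration above (and the slide 6 procedure), scripted as an added example that is not part of the course material: create the VHD Set with New-VHD, attach it to both guest-cluster VMs with the -SupportPersistentReservations switch the slide names, and verify the attachment. The CSV path, VM names and size mirror the demonstration; running it on a cluster node that owns both VMs is an assumption.

```powershell
# Added example (not course code). Idempotent: safe to re-run after a partial demo.
$SharedDisk = 'C:\ClusterStorage\MyVolumeonHDDs1\testvmmyvolumeonhdds1_1\virtual hard disks\shared1.vhds'
$GuestNodes = 'TestVMMyVolumeonHDDs1_1', 'TestVMMyVolumeonHDDs1_2'

# New-VHD infers the VHD Set format from the .vhds extension. The file must live on a CSV
# (or an SMB 3 share) so every host that can own either VM can open it.
if (-not (Test-Path -LiteralPath $SharedDisk)) {
    New-VHD -Path $SharedDisk -SizeBytes 127GB -Dynamic | Out-Null
}

foreach ($node in $GuestNodes) {
    $attached = Get-VMHardDiskDrive -VMName $node | Where-Object { $_.Path -eq $SharedDisk }
    if ($attached) { continue }

    # Shared disks must sit on a SCSI controller (the VM needs one already present);
    # -SupportPersistentReservations enables the SCSI-3 PR arbitration the guest cluster
    # uses to fence the disk, which is what makes it usable as a CSV inside the guests.
    Add-VMHardDiskDrive -VMName $node -ControllerType SCSI -Path $SharedDisk `
        -SupportPersistentReservations
}

# Verification: both guest nodes must show the same path with PR support enabled.
$report = foreach ($node in $GuestNodes) {
    Get-VMHardDiskDrive -VMName $node |
        Where-Object { $_.Path -eq $SharedDisk } |
        Select-Object VMName, ControllerType, ControllerLocation, Path, SupportPersistentReservations
}
$report | Format-Table -AutoSize

$missing = foreach ($node in $GuestNodes) {
    if (-not ($report | Where-Object { $_.VMName -eq $node -and $_.SupportPersistentReservations })) { $node }
}
if ($missing) { throw "Shared disk not attached with persistent reservations on: $($missing -join ', ')" }
```

Inside the guests, the disk then appears as a shared SAS disk and Failover Cluster validation (Test-Cluster) will run the persistent reservation tests against it before it can be added to the guest cluster.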
Indicate that the process of deploying shielded VMs is considerably simplified when using System Center Virtual Machine Manager.
Indicate that there is no standardized way of deploying Kubernetes clusters, which is the reason that any detailed coverage of implementing Kubernetes on Azure Stack HCI is outside of the scope of this course. Typically, such deployment involves using third-party tools and the Azure Stack HCI hardware vendor provides the deployment procedure.
As of May 2020, Azure Network Adapter is in preview. Verify whether the service has reached general availability.
On the lab computer, open Microsoft Edge based on Chromium and navigate to https://localhost.
On the Windows Admin Center page, in the Tools section, select Networks and, in the Networks pane, select + Add Azure Network Adapter (Preview).
When prompted, in the Add Azure Network Adapter window, select Register Windows Admin Center to Azure and then select Register.
In the Get started with Azure in Windows Admin Center pane, follow instructions to register the Windows Admin Center with Azure:
Copy the code.
Enter the code.
Connect to Azure Active Directory.
Select Create new Azure Active Directory application.
Select Connect.
Grant permissions in Azure:
Select App permissions in the Azure portal.
Under Grant consent, select Grant admin consent and, when prompted, select Yes.
Return to the browser window displaying Windows Admin Center and refresh the page.
Navigate back to the Windows Admin Center page, in the Tools section, select Networks and, in the Networks pane, select + Add Azure Network Adapter (Preview).
In the Add Azure Network Adapter pane, select the Create a new Virtual Network in Azure portal link. This will automatically open a new browser tab displaying the Create Virtual Network blade.
Create a new virtual network by following steps described in Quickstart: Create a virtual network using the Azure portal.
Back in the Add Azure Network Adapter pane, specify the following settings (leave other settings with their default values):
Setting: Value
Location: the name of the Azure region in which you created the virtual network
Virtual network: the name of the virtual network
Gateway Subnet: the default value
Gateway SKU: VpnGw1
Client Address Space: 10.0.0.0/24
Do not select Create since provisioning of the VPN gateway might take about 45 minutes.
Close the Add Azure Network Adapter pane.
Use the first slide to describe the Azure File Sync architecture and its components. Explain the primary benefits of Azure File Sync. Note that each benefit is illustrated by a separate slide.
The diagram depicts how Azure File Sync is implemented.
The Windows Server in this diagram has the Azure File Sync agent installed and is registered with Azure File Sync.
There are two sync groups: Accounting and Sales. The Accounting sync group has D:\Accounting as its server endpoint, and the Sales sync group has D:\Sales as its server endpoint.
Each sync group has a two-way interaction with its cloud endpoint, which symbolizes that the server endpoint syncs its content with the content of the cloud endpoint (the Azure file share is the cloud endpoint).
Both cloud endpoints have a two-way interaction with the same Storage Sync Service. The Storage Sync Service is used by Azure File Sync.
Storage Sync Service has a two-way interaction with the Azure storage account, which symbolizes that the cloud endpoints (Azure file shares) are created in the Azure storage account.
Storage account has a two-way interaction with Azure Backup, which symbolizes that the Azure storage account can be backed up by using Azure Backup.
The diagram depicts how Azure File Sync is used for multi-site sync.
Users and applications access two Windows Server servers, both marked as HQ file server, by using the SMB and NFS protocols.
Both file servers have a two-way arrow to the Azure file share, which symbolizes that the file servers are syncing content with the Azure file share. If a file is modified on one file server, the change is first synchronized to the Azure file share, and from there it is synced to the other file server.
The diagram depicts how cloud tiering works.
Users and applications access two Windows Server servers, marked as HQ file server and branch file server. Users access the HQ file server by using the SMB and NFS protocols. Both file servers have a two-way interaction with the Azure file share, which symbolizes that the file servers are syncing content with the Azure file share.
The diagram depicts that cloud tiering is configured for the branch file server. Files are placed on a "heat map" based on how recently they were accessed. Based on that map, some files are cached locally on the branch file server, while other files are tiered to the Azure file share, and their data is not stored locally: only their metadata is.
The diagram depicts two Windows Server servers, marked as HQ file server and branch file server, accessed by users and applications. Users access the HQ file server by using the SMB and NFS protocols. Both file servers have a two-way interaction with the Azure file share, which symbolizes that the file servers are syncing content with the Azure file share.
The diagram also depicts that the Azure file share can be backed up by Azure Backup. If needed, the backup can be restored back to the Azure file share.
This diagram is a continuation of the diagram in the previous slide. The only difference is that in this diagram, the file server has failed; for example, its hard drive failed.
The diagram depicts how a file server can be quickly recovered. After you install the Azure File Sync agent on a new file server, the file server contacts the Azure file share and syncs its namespace and metadata. This is called rapid disaster recovery, and it ensures that the folder structure and files are quickly visible on the new file server. Users can access them while, in the background, the file data is syncing from the Azure file share.
On the lab VM, open Microsoft Edge based on Chromium and navigate to https://localhost.
On the Windows Admin Center page, in the Tools section, select Azure File Sync and, in the Azure File Sync Overview pane, select Setup.
If prompted, sign into the Azure subscription by using the account with the Contributor or Owner role in the Azure subscription.
In the Set up Azure File Sync pane, review the Azure settings and Azure File Sync agent section. The first one allows you to specify an existing or a new resource group that should contain the Storage Sync Service instance, along with the target region and the name of the Storage Sync Service to provision. The second one contains settings of the Azure File Sync agent, including its installation location and update schedule.
Select the target Azure region closest to the location of your lab VM. In the Resource group section, select Create new and type the name demosync-RG, accept all other default values, and select Set up.
In the Setting up Azure File Sync pane, monitor the progress of the installation and select Close once the installation completes.
Back in the Azure File Sync pane, select Sync a folder and specify the following settings:
Setting: Value
Local folder name: C:\WindowsAzure
Tier the least-accessed files to the cloud: enabled
Minimum volume free space %: 20
Sync group: demosyncgroup1
Azure file share to sync with: demosyncfileshare1
Resource group: demosync-RG
Storage account: Create new
Storage account name: any unique string of between 3 and 24 letters and digits, starting with a letter
Storage performance: Standard
Data replication: Locally-redundant storage (LRS)
Wait for the operation to complete, then open another browser tab, navigate to the Azure portal, search for the newly created Storage Sync Service, and review its settings to verify that its configuration matches the one you set up from the Windows Admin Center.
Create a file in the C:\WindowsAzure folder and verify that it replicates to cloud endpoint.
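The same Sync a folder configuration built with the Az.StorageSync module, added here as an example that is not part of the course demo; it ends with the verification step the demo does in the portal. It assumes Az.Accounts, Az.Storage and Az.StorageSync are installed, Connect-AzAccount has run as a Contributor or Owner, the Azure File Sync agent is installed on the server running it, and the region, Storage Sync Service name and storage account name (all assumed values) are adjusted to the lab.

```powershell
# Added example (not from the course): reproduce the demo's Azure File Sync settings and verify them
$rg        = 'demosync-RG'
$location  = 'eastus'                                    # assumed; pick the region closest to the lab VM
$sssName   = 'demosync-SSS'                              # assumed Storage Sync Service name
$saName    = 'demosyncsa' + (Get-Random -Maximum 99999)  # constructed, must be globally unique
$shareName = 'demosyncfileshare1'
$syncGroup = 'demosyncgroup1'
$localPath = 'C:\WindowsAzure'

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Storage Sync Service: the control plane that the registered server and sync groups attach to
New-AzStorageSyncService -ResourceGroupName $rg -Name $sssName -Location $location | Out-Null

# Standard performance, LRS storage account and the Azure file share that becomes the cloud endpoint
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
        -SkuName Standard_LRS -Kind StorageV2
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $saName -Name $shareName | Out-Null

New-AzStorageSyncGroup -ResourceGroupName $rg -StorageSyncServiceName $sssName -Name $syncGroup | Out-Null
New-AzStorageSyncCloudEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sssName `
    -SyncGroupName $syncGroup -Name "$shareName-cloud" `
    -StorageAccountResourceId $sa.Id -AzureFileShareName $shareName | Out-Null

# Register this server (the agent must already be installed locally)
$server = Register-AzStorageSyncServer -ResourceGroupName $rg -StorageSyncServiceName $sssName

# Server endpoint with cloud tiering enabled and 20% minimum volume free space, as in the demo table
New-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sssName `
    -SyncGroupName $syncGroup -Name "$env:COMPUTERNAME-WindowsAzure" `
    -ServerResourceId $server.ResourceId -ServerLocalPath $localPath `
    -CloudTiering -VolumeFreeSpacePercent 20 | Out-Null

# Verification equivalent to reviewing the Storage Sync Service in the portal:
# confirm the path, tiering state and free-space threshold match what was requested
Get-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sssName `
    -SyncGroupName $syncGroup |
    Select-Object ServerEndpointName, ServerLocalPath, CloudTiering, VolumeFreeSpacePercent, ProvisioningState
```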
Determine if students are familiar with Azure Policy, and if not, provide a brief explanation regarding its features.
Explain the significance and correlation between access mode and access control mode.
As of May 2020, Azure Arc is in preview. Verify whether the service has reached general availability and identify any additional features that it might support.
As of May 2020, Azure Monitor integration with Windows Admin Center is in preview. Verify whether the service has reached general availability and identify any additional features that it might support.
Indicate that using Windows Admin Center to implement Azure Monitor on Azure Stack HCI automatically configures the collection of telemetry generated by the Health Service, which improves the day-to-day monitoring and operational experience for clusters running Storage Spaces Direct.
On the lab computer, open Microsoft Edge based on Chromium and navigate to https://localhost.
On the Windows Admin Center page, in the Tools section, select Azure Monitor and then select Set up.
If necessary, register Windows Admin Center with Azure using the same credentials you used to sign in to the Azure portal by following the steps described in Configuring Azure integration.
In the Windows Admin Center interface, on the Set up Azure Monitor pane, specify the following settings (leave other settings with their default values):
Setting: Value
Azure subscription: The name of the target Azure subscription
Resource group: Create new
Resource group name: demo0203-RG
Resource group region: The name of the Azure region closest to the location of your lab computer
Log analytics workspace: Create new
Log analytics workspace name: demo0203-workspace
Select Set up.
Wait for the operation to complete, then open another browser tab, navigate to the Azure portal, search for the newly created log analytics workspace, and review its settings to verify that the configuration matches the one that you set up from the Windows Admin Center.
The diagram depicts how Azure Backup Server is used to protect virtual machines running on Azure Stack HCI. Windows Server with Microsoft Azure Backup server performs local backups, which subsequently are uploaded to Azure Recovery Services vault and, optionally, replicated to another Azure region. Azure Import/Export provides the option to upload initial backup to an Azure Storage account.
Indicate that Azure Site Recovery-based disaster recovery of Hyper-V VMs to a secondary on-premises site is scheduled to be deprecated in March 2023, which is the reason for excluding it from more detailed coverage in this topic.
Always end the presentation with the Thank You slide. Do not remove.