
Passing The Azure AZ-302 Exam

Firstly apologies for the radio silence on my blog, it’s been a hectic couple of months for me as I’m getting married in April; time free at the weekends is very sparse at the moment. But fear not I have a list of items to blog about and a new method to attack writing them faster, so watch this space.

Anyway on with the topic for today’s blog!

So nearly a month ago now I passed the Azure AZ-302 exam to complete the requirement for the Azure Certified Solutions Architect Expert badge.

Now it was my 2nd attempt that I passed on, but failing exams is not something to be ashamed of at all. Putting yourself up against a test is a sign of courage and confidence in my eyes. We can only learn from failure; so that’s a massive positive in my eyes! It took me a while to realise this in my career after failing a CCNP exam by 3 points years ago!

Before I continue I feel it is important to reiterate a couple of points that I made in my post about passing the 70-535.

You can only take the AZ-302 if you have passed the 70-535 exam. Also the transition exam, AZ-302, is only available to take until the 30th June 2019 before it is retired!

Preparation – What To Study

As I have said in my previous post, you must first understand what the exam is going to be testing you on before you can decide your plan of attack for studying the exam objectives.

As always Microsoft has published the exam objectives and breakdown on the AZ-302 web page.

However please note that a change document was posted on the web page that changes some of the exam objectives and section percentages; it’s located just above the exam objectives as a note.

One thing I feel is important to say about the stated exam objectives for the AZ-302 is that they look at first glance to be quite a wide range of topics and it can feel overwhelming.

From taking the exam twice I honestly feel that the exam objectives aren’t very accurate at all. So much so that I actually filled out parts of the feedback at the end of my 2nd exam.

So my advice would be to review the objectives on the web page and in the change document and make notes of things you need to revise more heavily than others. But then take the following tips from my experiences:

  • You don’t need to know how to be a full on developer for this exam. An understanding of programming languages and being able to read them at a high level will suffice.
    • It’s more important to understand what service is best for each use case for different development functions (i.e. Azure Functions/Azure Web Jobs etc…)
  • Know your SLAs for different services and features (Availability Sets 99.95% vs Availability Zones 99.99% etc…)
  • Invest more time on Azure Site Recovery & the different Azure Backup products/features
  • Be prepared to be quizzed on some preview features, so don’t disregard those sections of the Azure Docs

Preparation – Revision Tools & Resources

I find videos are easier to watch on the train when travelling into London and back home as I can’t always get my laptop out to make notes; getting a seat is generally a challenge!

So with that in mind I started off with the Scott Duffy AZ-302 course on Udemy.

This course is very high level and doesn’t have a lot of walkthroughs/labs/demos so it’s certainly not going to be enough for you to pass the exam. But it’s quite good for the theory side of things around determining requirements and when to use a pilot instead of a POC.

Then I normally like to read a book to reinforce the videos but as this exam is only a transition exam there isn’t one available and I can’t really see anyone thinking about making one as it’s such a niche gap in the market.

So instead I headed to the Azure Docs! Especially from my last experience with the 70-535, these really are awesome for all aspects of learning Azure. From how to’s to overviews, they cover it all and are super up-to-date thanks to them being open to the community to recommend updates via the GitHub repo where the content is hosted.

I also make sure I check the Azure Blog daily at least twice. Once when I get up and again before I call it a day. This helps to keep on top of new feature releases etc…

I cannot stress enough the importance of also using the Azure portal itself daily and just getting comfortable with it and its behaviour. Also any hands on time with AZ CLI would be very handy.

Finally I checked all of the following great blogs from some people in the community to make sure I had covered all the correct objectives and pick up any tips they have given in their posts:

Preparation – Method

My method to revise for this exam was very similar to how I approached the 70-535 apart from I spent much more time actually deploying and configuring things in the Azure portal and with AZ CLI.

A high level overview of my approach per objective/topic is below:

  • Watch any videos available for the objective/topic
  • Deploy it and configure it if possible and understand how it really works in Azure
  • Read at least the overview page on the Azure Docs website for the objective/topic but also try to follow some of the how to’s through
  • Make notes along the way of key facts like SLAs, tiers & pricing etc…

The Exam

The exam itself was a new one on me for Microsoft exams with the introduction of hands-on labs!

Yes that’s right, actual labs where you have to perform tasks in the Azure portal and using AZ CLI/PowerShell. I had 2 labs that contained about 10 tasks each! And being perfectly honest, I really enjoyed them as I use the portal daily testing features & services out so it didn’t faze me.

I can only assume that these are marked by Microsoft reviewing the JSON of the subscription you are given access to to perform the tasks on and they look for the specific values you have been asked to configure/change. Very cool!

There were also the normal multiple choice questions along with a couple of case studies with 5 questions or so each in them.

A top tip of mine would be to make sure you don’t waste all your time in the labs as my case study questions appeared after I completed the labs; just when I was starting to put my feet up!

Summary

All in all I really enjoyed the exam; enough to take it twice in fact!

The introduction of labs was odd for an architecture exam but I’m a big believer in being able to actually configure/deploy something before suggesting it in a HLD, as how can you know it really works the way it says it does!

Hopefully the above gives you an insight to my experiences for this exam and helps you pass it before the retirement date in June.

Until next time… Like, Comment & Share!

AD DS DC’s In Azure

This week I received a couple of queries from clients around Active Directory in Azure and more specifically how they should handle/manage their Domain Controller IaaS VMs in Azure.

Now I have seen hundreds of IaaS VMs in Azure as Domain Controllers, it’s something that goes into the majority of my designs for clients today; it’s like a natural reaction/muscle memory for me.

However, these questions from my client made me take a step back and take a deep dive into Active Directory again, something I haven’t done in a few years, and review the recommendations and best practices for running DCs in Azure.

The Questions…

There were only 2 questions that got me thinking about this topic, they were:

  1. Should we place the Active Directory installation (database, logs & SYSVOL) on a separate data disk with caching disabled?
  2. Can we shut down the DC IaaS VM from the portal using the stop button as we do for other IaaS VMs?

The Answers…

So some of you may be thinking that these questions are pretty simple to answer and to some extent you are correct. However taking the time to check and investigate the answers to these questions and application specific best practices from time to time is never a bad idea.

Below I’ll answer each question and break it down as to what you should/shouldn’t do.

Question 1 – Separate Data Disk For AD Data With No Caching

Now this topic isn’t actually specifically related to Azure only, it actually applies to any virtualisation platform (vSphere, Hyper-V, Xen Server, AWS EC2, etc…).

In short the answer is yes, store the AD data on a separate data disk and disable read and write caching.

The why is actually more to do with the caching element of the question. The theory being that if write caching is enabled at the hypervisor level for the data disk (or any disk where AD data is stored for that matter) there is a chance that if the VM is powered off abruptly for any reason, some changes are still waiting to be written/committed to the disk and therefore this can lead to issues like USN rollbacks.

So I would add an additional data disk to your Azure IaaS DC VMs when building them to place the AD install upon.

Create Managed Disk

Attach Disk To VM & Disable Caching

If you have already deployed your DCs and promoted them etc… I would suggest building new ones in Azure with the additional data disk and just following the process to promote/demote DCs. You can migrate the database etc… manually, but why add the risk when it’s so easy to just build new and promote/demote.
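The two disk steps above (create a managed disk, attach it with caching disabled), as an added Az PowerShell example that is not from the original post. The resource group, VM and disk names, the disk size and the SKU are placeholder assumptions; the last step reports any data disk on the VM that still has host caching enabled.

```powershell
# Added example: names, size and SKU are placeholder assumptions, not values from the post.
$rgName   = 'rg-identity-example'
$vmName   = 'vm-dc01-example'
$diskName = "$vmName-addata"

$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName -ErrorAction Stop

# 1. Create an empty managed disk in the same region (and zone, if any) as the VM.
$diskParams = @{
    Location     = $vm.Location
    CreateOption = 'Empty'
    DiskSizeGB   = 32
    SkuName      = 'StandardSSD_LRS'
}
if ($vm.Zones) { $diskParams['Zone'] = $vm.Zones }   # a zonal VM needs a disk in the same zone
$diskConfig = New-AzDiskConfig @diskParams
$disk = New-AzDisk -ResourceGroupName $rgName -DiskName $diskName -Disk $diskConfig

# 2. Attach it on the first free LUN with host caching explicitly set to None,
#    so no AD database/log write is held in a host-side cache.
$usedLuns = @($vm.StorageProfile.DataDisks | ForEach-Object { $_.Lun })
$lun = 0
while ($usedLuns -contains $lun) { $lun++ }

$vm = Add-AzVMDataDisk -VM $vm -Name $diskName -ManagedDiskId $disk.Id `
        -CreateOption Attach -Lun $lun -Caching None
Update-AzVM -ResourceGroupName $rgName -VM $vm | Out-Null

# 3. Re-read the VM and list any data disk whose caching is not None.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
$cached = @($vm.StorageProfile.DataDisks | Where-Object { $_.Caching -ne 'None' })

if ($cached.Count -eq 0) {
    Write-Output "All data disks on $vmName have host caching set to None."
} else {
    $cached | Select-Object Name, Lun, Caching
}
```

Inside the guest the new disk still has to be initialised and formatted, and the database, log and SYSVOL paths pointed at it when the server is promoted.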

Question 2 – Shutting Down DC IaaS VM Via Portal Stop Button

So this one is a little more interesting and again isn’t exclusively related to Azure and applies to any virtualised DC depending on the hypervisor platform it runs upon.

However keeping this strictly Azure focused, Microsoft advise explicitly on the docs website that you should NOT shut down IaaS DCs via the portal. You can check that Microsoft page here.

Shutting down the VM via the portal causes a chain of events to occur when that VM is eventually powered back on.

The first thing that happens is the VM-Generation ID is reset/changed. The VM-Generation ID is stored as an attribute of the DC’s computer object within the AD database called msDS-GenerationID upon promotion.

When a DC is started up and AD is starting up, it checks the VM-Generation ID against the msDS-GenerationID that it has stored in its database against the DC’s computer object. If that value is not the same, the DC resets the Invocation ID and discards its RID pool; adding to the chain reaction!

Thankfully since Windows Server 2012 the VM-Generation ID is supported and stored as an attribute as explained above. So now AD knows exactly what to do when the VM-Generation ID changes to prevent a USN rollback and/or give out duplicate SIDs etc… Clearly none of us want these things to happen, so let’s all take a moment and thank Microsoft for this feature since Windows Server 2012.

Anyway, now that AD has detected the VM-Generation ID and reset the Invocation ID it will clear the DC’s RID pool and update the msDS-GenerationID on the DC’s computer object with the new VM-Generation ID. It will also perform a non-authoritative restore on the affected DC to replicate the SYSVOL and other information from another DC within the domain.

This all happens automatically to ensure that the integrity of the domain stays intact and no duplicate SIDs are given out and also to keep the replication topology intact.

Regardless that this all happens automatically, it’s still not a healthy thing to be happening to a DC and it is certainly something that can be avoided.

So to avoid it all that you need to do is shut down the DC IaaS VM via the guest OS instead of clicking stop in the Azure portal. That’s honestly it. However you can sleep easily knowing that if your DC is at least Windows Server 2012 it will protect you if the VM gets shut down abruptly!

One thing to be aware of when shutting any VM down via the guest OS instead of stopping it via the Azure portal is that the VM will not enter the deallocated state once it’s shut down. It will just show a status of stopped. This will mean that you will still be charged for the VM compute costs etc… as if the VM was still powered on.

Although this does mean that the VM-Generation ID will not change when you start the VM back on!

Another point to consider is that your VM is unlikely to be turned off abruptly and even so you should be deploying at least 2 DCs in an Availability Set using managed disk to give your AD services the best SLA possible from Azure.
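A way to see which state each DC VM is actually in, as an added Az PowerShell example that is not part of the original post. The function name, resource group and VM names are hypothetical; the notes attached to each power state restate what this post says about stopped versus deallocated DCs.

```powershell
# Added example: reports the Azure power state of DC VMs and what this post says it implies.
function Get-DcPowerStateReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string[]]$VMName
    )

    # -Status on a resource-group listing adds the PowerState property to each VM.
    $vms = @(Get-AzVM -ResourceGroupName $ResourceGroupName -Status |
             Where-Object { $VMName -contains $_.Name })

    foreach ($name in $VMName) {
        if ($vms.Name -notcontains $name) {
            Write-Warning "VM '$name' not found in resource group '$ResourceGroupName'."
        }
    }

    foreach ($vm in $vms) {
        switch ($vm.PowerState) {
            'VM deallocated' {
                $billed = $false
                $note   = 'Stopped from Azure (portal stop). Expect a new VM-Generation ID, ' +
                          'Invocation ID reset and RID pool discard on next start.'
            }
            'VM stopped' {
                $billed = $true
                $note   = 'Shut down from the guest OS. VM-Generation ID is kept; ' +
                          'compute is still charged.'
            }
            'VM running' {
                $billed = $true
                $note   = 'Running.'
            }
            default {
                $billed = $null
                $note   = 'Transitional or unknown state; check again.'
            }
        }

        [pscustomobject]@{
            Name          = $vm.Name
            PowerState    = $vm.PowerState
            ComputeBilled = $billed
            Note          = $note
        }
    }
}

# Example call with placeholder names:
Get-DcPowerStateReport -ResourceGroupName 'rg-identity-example' `
    -VMName 'vm-dc01-example', 'vm-dc02-example' | Format-Table -AutoSize -Wrap
```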

Summary

Again there is a lot of information to take in here. But I feel it’s a vital topic to cover as nearly every deployment will have an IaaS DC in it somewhere. Also to be prepared for the questions above from a client, your boss or an AD specialist is always best, rather than having to research the answer when asked.

Any questions on this topic please leave a comment or drop me a tweet and I’ll happily get back to you.

Tag All Resources Based On Resource Type In Resource Group

Recently I’ve been working closely with a few of our Azure Consultants in our delivery team around defining best practices and how we can speed up/automate as much of our deployment standards on a client’s Azure environment.

At the moment we are focusing a lot on governance standards, these encompass features like:

  • Azure Policy
  • Resource Tags
  • Management Groups
  • etc…

Resource Tags are an essential part of any Azure environment. My take on them is the more there are the better! (As long as keys are consistent across resources of course)

The Problem…

We do a lot of retro-tagging on resources in our clients’ Azure environments to assist in bringing them in line with our standards. And also to enable their Azure subscriptions to slot into our management tools, which we use tags heavily for to control certain things etc…

One problem we face quite regularly is that some resources have started to be tagged, whilst others haven’t. Normally we find the tags that have made their way onto resources are actually down to a deployment template from a marketplace resource, like Jenkins Server, rather than being manually created and set by an IT admin.

This normally means that most of the existing PowerShell scripts we have, and those available over the internet, are unusable for scripting tag creation/setting on resources. This is because these scripts generally just replace the tags, if any are in place already; not ideal at all!

The Solution…

So with the above problem becoming ever more a time consuming block for our teams internally, I decided to get my head down in VS Code and write a new PowerShell script that will overcome this issue!

I’m glad to say that after about 3/4 hours of work and constant testing with different environment scenarios, I accomplished it!

The script is available on my ‘PublicScrips’ GitHub repository here!

Please feel free to download, use, edit, alter and report any issues with the script either below in the comments or via GitHub directly and I will do my best in my spare time to resolve any issues reported.

Obviously as with any script you find on the internet, please test it on a subset of resources before letting it loose on your entire environment. Whilst I have tested this script over 50+ times and on different environments to ensure it handled all possible scenarios, I cannot guarantee to anyone that it is 100% error free (although I don’t think it’s bad, even if I do say so myself 😀 ).
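The merge-instead-of-replace behaviour described above, as an added example; this is not the script from the GitHub repository. The function name, resource group, resource type and tag values are hypothetical, and it assumes an Az.Resources version that includes Update-AzTag.

```powershell
# Added example: adds only the tag keys a resource is missing and never touches existing tags.
function Add-MissingTagsByResourceType {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$ResourceType,
        [Parameter(Mandatory)][hashtable]$Tag
    )

    $resources = Get-AzResource -ResourceGroupName $ResourceGroupName -ResourceType $ResourceType

    foreach ($resource in $resources) {
        # Tags is $null on an untagged resource, so guard before reading the keys.
        $existingKeys = @()
        if ($resource.Tags) { $existingKeys = @($resource.Tags.Keys) }

        # Azure tag names are case-insensitive; -notcontains compares the same way,
        # so 'environment' already on the resource blocks a new 'Environment'.
        $toAdd = @{}
        foreach ($key in $Tag.Keys) {
            if ($existingKeys -notcontains $key) { $toAdd[$key] = $Tag[$key] }
        }

        $applied = $false
        if ($toAdd.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($resource.ResourceId, "Add tags: $($toAdd.Keys -join ', ')")) {
            # Merge leaves every tag not named in $toAdd exactly as it was
            # (for example the ones a marketplace template created).
            Update-AzTag -ResourceId $resource.ResourceId -Tag $toAdd -Operation Merge | Out-Null
            $applied = $true
        }

        [pscustomobject]@{
            Name         = $resource.Name
            ExistingKeys = $existingKeys -join ', '
            MissingKeys  = @($toAdd.Keys) -join ', '
            Applied      = $applied
        }
    }
}

# Dry run first with placeholder values; remove -WhatIf to apply.
Add-MissingTagsByResourceType -ResourceGroupName 'rg-example' `
    -ResourceType 'Microsoft.Compute/virtualMachines' `
    -Tag @{ Environment = 'Production'; Owner = 'ops@example.com' } -WhatIf
```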

Summary

Enjoy the script! And please do let me know of any issues you find.

Also let me know of any future feature requests or other common scripting issues you face that you may like me to tackle in the future, in the comments below or via Twitter!

Azure Subscription Migrations

** UPDATE – 04/09/2019 – Version 6 of the Azure Resource Migration Support Tool released – Click on link below to get a copy of it or here. **

Recently I have had an abundance of requests from our sales teams & account managers regarding Azure Subscription migrations. Whether it be from PAYG (Pay-As-You-Go) to CSP, EA to CSP, CSP to PAYG or just PAYG to PAYG.

Whatever the source and destination subscription model is, the answer I give is the same!

Every migration for each customer is going to be different 99% of the time and in the majority of cases is not as simple as the click of the migrate button from within the portal and away you go. Perhaps one day it will be; I’ll be a very happy man that day for sure!

So in this post I will share with you how I approach these requests and a tool I have developed to help speed the assessment process up significantly.

Please note this article will focus on subscription level migrations, however the tool accommodates for Resource Group level migrations as well!

Before you even think about migrating…

There are a few key points of information that you need to gather/understand when starting with one of these requests.

  1. Why does the customer want to migrate subscriptions?
  2. What subscription model are the source and destination subscriptions using; or going to use?
    1. PAYG
    2. CSP
    3. EA
    4. Other… (MSDN, BizSpark etc…)
  3. An export of all resources from all of the source subscriptions.
  4. Timescales for migration completion.

All of these questions are important to have an answer for before beginning your approach to the migration.

Questions 1 and 4 are more to help understand the “why” from the customer and to set expectations early on timescales. Because we all know sometimes timescale expectations can be unrealistic and it’s important for us to reset them accordingly if so.

Questions 2 and 3 will help define some technical paths you will need to follow and various limitations that each combination may have.

Subscription Migration Support Matrix

I feel now is a good time to lay out all of the combinations for subscription migrations and what initial approach should be taken.

Apologies for the length of this table but there are a lot of possible different combinations!

| Source Subscription Model | Destination Subscription Model | Migration Supported | Migration Approach Notes |
| --- | --- | --- | --- |
| PAYG | EA | Yes | Just a back-end Azure billing change. No downtime |
| PAYG | CSP | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. Check services are available in CSP. No classic (ASM) resource supported in CSP. |
| PAYG | MSDN/BizSpark | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. |
| PAYG | PAYG | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. |
| EA | PAYG | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. |
| EA | CSP | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. Check services are available in CSP. No classic (ASM) resource supported in CSP. |
| EA | MSDN/BizSpark | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. |
| EA | EA | Yes/No/Not Normal | If different Azure AD Tenant same as EA to PAYG. If same Azure AD Tenant, why are you migrating as you can just change subscription owner instead. N.B. this is not a migration I have ever come across to date. |
| MSDN/BizSpark | EA | Yes | Just a back-end Azure billing change. No downtime |
| MSDN/BizSpark | PAYG | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. |
| MSDN/BizSpark | CSP | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. |
| MSDN/BizSpark | MSDN/BizSpark | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. |
| CSP | MSDN/BizSpark | Yes/Not Normal | Resources must be migrated between subscriptions. Possible downtime & limitations. |
| CSP | EA | Yes/No/Not Normal | Believe this would have to be treated as if it were PAYG to PAYG as CSP subscription has some back-end billing differences. Therefore doubtful that EA subscription import/billing change process will not work. Resources must be migrated between subscriptions. Possible downtime & limitations. |
| CSP | PAYG | Yes | Resources must be migrated between subscriptions. Possible downtime & limitations. |
| CSP | CSP | Yes | Back end billing change but must be requested in certain way and currently no automated way to do this. See: https://docs.microsoft.com/en-us/azure/cloud-solution-provider/customer-management/switch-subscription-to-different-csp-partner |

Assessing Resource Migrations Between Subscriptions

As you have seen in the table above, the majority of migrations require you to migrate the actual Azure resources between subscriptions. As mentioned before and in the table rows, this sometimes incurs downtime and also there are various limitations per Azure resource type (VM’s, NSG’s, App Services etc…).

Now there used to be a handy little tool that someone created for CSP migration assessments called the “Azure CSP Assessment”. This was an Azure hosted web app located here: https://azurecspassessment.azurewebsites.net/ but as you can see the site is no longer up and running 🙁

However using the tool was always a risk as the list of resources that support subscription migration and the various limitations changes at quite a pace; as does everything in the Azure world, right!

So it used to mean that I would get an export of the customer’s source Azure subscription resources and resource types using the below PowerShell command:

Get-AzResource | Export-Csv PATHTOFILE.csv

Then using the exported CSV file I would use Excel and the following pages on Azure Docs to go through each resource type and check its compatibility and limitations:

  1. https://docs.microsoft.com/en-gb/azure/azure-resource-manager/move-support-resources
  2. https://docs.microsoft.com/en-gb/azure/azure-resource-manager/resource-group-move-resources
  3. https://docs.microsoft.com/en-us/azure/cloud-solution-provider/overview/azure-csp-available-services – Only when migrating to CSP

To say this was long winded and painful is an understatement certainly!

Azure Resource Migration Support Tool

So that’s why I have created a handy Excel Workbook that does all the work in comparing against the information in links 1 and 2 above with a simple copy and paste of specific columns from the exported CSV.

I also thought it would be a shame not to share this tool so here it is available for any of you reading this to use for free!

Azure Resource Migration Support Tool V2

Azure Resource Migration Support Tool V4

Azure Resource Migration Support Tool V5

Azure Resource Migration Support Tool V6

All instructions on how to use the tool are on the “Intro Page” sheet within the workbook/spreadsheet.

I will be periodically checking the Azure Docs pages and updating any changes to resources that are now supported for migration to this tool and I will update this page with the latest version of the tool.

What do I do once I’ve used the tool to assess my resources…

Well firstly, please comment below or get in touch with me via Twitter, LinkedIn or e-mail me with any feedback or features you would like in newer releases of the tool.

Once you’ve done that and used the tool to assess your resources in your source subscription, it is highly likely you have a good idea about how you need to proceed.

I strongly suggest running this as a project within your company as it is not as simple as clicking a migrate button. I’ve even called it a “Virtual Data Centre Move” as it really can have the same potential devastating unplanned outages if you don’t treat it with the correct attention and detailed planning.

Personally I suggest building a project plan, if you have a Project Manager to help you, even better. Detail every task you are going to need to do before, during and after the migration, some examples below:

  • Create destination subscription
  • Attach destination subscription to existing (same as source subscription) Azure AD tenant – THIS IS MANDATORY AT THIS TIME, BOTH SUBSCRIPTIONS MUST BE IN THE SAME AZURE AD TENANT
  • Change Public IP SKUs for Resources: X, Y & Z
  • etc…

Once you have your plan built, start raising RFC/Changes (if required) to get this work completed. Some of this work may even require re-provisioning resources to get them on the correct SKUs etc… so it would also be prudent to get any other internal teams involved to assist with testing etc… if you aren’t able to do this yourself during your changes.

Nobody likes the dreaded out of hours phone call when something you couldn’t test doesn’t work after a change.

Once you’ve made all of the prerequisite changes, it’s now time to probably download the latest version of the tool, export all your resources into a CSV again and check for any additional changes that you may need to make as things may have changed from the Azure side.

If nothing has then that’s great news as you haven’t got to go back through the whole process again. You should now make sure that all Resource Providers in use in the source subscription are registered in the destination subscription.

To check the Resource Providers in use in either subscription use the following PowerShell command (please note you’ll need to change subscriptions within your PowerShell session using the first 2 commands in the below block):

##Find Subscription ID##
Get-AzSubscription

##Change Subscription Within PowerShell Session##
Select-AzSubscription -SubscriptionId 'PASTE ID HERE'

##Check Resource Providers For Selected Subscription##
Get-AzResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState

You should get the below output for the Resource Provider command. (I’m using CloudShell, check it out if you aren’t already):

Compare both subscription outputs against each other, using Export-Csv may be your friend here. And then register any providers in the destination subscription that are registered in the source subscription but not in the destination.

To register Resource Providers use the below command (again please note you’ll need to make sure you’ve changed your session’s selection to the correct subscription again using the above commands):

##Register Resource Provider##
Register-AzResourceProvider -ProviderNamespace 'PROVIDER NAMESPACE PLEASE CHANGE'

You should get the below output when registering a provider:

Once you have registered all the required providers run one last comparison check and then you can proceed to actually pushing that ‘Move to another subscription’ button on your resources/resource groups as per your plan.
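The provider comparison and registration steps above, combined into one added example that is not part of the original post or of the Excel tool. The function name is hypothetical and the subscription IDs are placeholders; it uses only the cmdlets shown above plus Get-AzContext/Set-AzContext to put the session back where it started.

```powershell
# Added example: lists providers registered in the source subscription but not in the
# destination, and registers them when -Register is supplied.
function Compare-RegisteredProvider {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceSubscriptionId,
        [Parameter(Mandatory)][string]$DestinationSubscriptionId,
        [switch]$Register
    )

    # Returns a namespace -> RegistrationState map for one subscription.
    function Get-ProviderState([string]$SubscriptionId) {
        Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null
        $map = @{}
        Get-AzResourceProvider -ListAvailable | ForEach-Object {
            $map[$_.ProviderNamespace] = $_.RegistrationState
        }
        $map
    }

    $originalContext = Get-AzContext
    try {
        $source      = Get-ProviderState $SourceSubscriptionId
        $destination = Get-ProviderState $DestinationSubscriptionId  # session now on destination

        $needed = $source.Keys | Where-Object { $source[$_] -eq 'Registered' } | Sort-Object
        foreach ($namespace in $needed) {
            $state = if ($destination.ContainsKey($namespace)) { $destination[$namespace] }
                     else { 'NotListed' }
            if ($state -eq 'Registered') { continue }

            if ($Register -and $PSCmdlet.ShouldProcess($namespace, 'Register in destination')) {
                # Registration is asynchronous, so the returned state is often 'Registering';
                # run the comparison again afterwards to confirm.
                $state = (Register-AzResourceProvider -ProviderNamespace $namespace).RegistrationState
            }

            [pscustomobject]@{
                ProviderNamespace = $namespace
                SourceState       = $source[$namespace]
                DestinationState  = $state
            }
        }
    }
    finally {
        # Restore whichever subscription the session was using before the comparison.
        if ($originalContext) { Set-AzContext -Context $originalContext | Out-Null }
    }
}

# Report only, with placeholder subscription IDs:
Compare-RegisteredProvider -SourceSubscriptionId 'SOURCE-SUBSCRIPTION-ID' `
    -DestinationSubscriptionId 'DESTINATION-SUBSCRIPTION-ID'
```

An empty result means every provider registered in the source is also registered in the destination; add -Register (optionally with -WhatIf) to register the gaps.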

Summary

As you can see by the length of this article the process is not always straight forward and can be quite a long process from start to finish.

Please let me know your feedback for the tool via any method that I mentioned above.

And more importantly I hope this article helps you plan your migration to be successful.

Passing The Azure 70-535 Exam

A few weeks ago I sat and passed the Architecting Microsoft Azure Solutions (70-535) exam at a test centre near me; yes I still prefer going to a test centre rather than doing an online proctored exam.

This exam was probably one of the toughest I have taken and certainly one of the hardest in terms of studying and preparing for. The breadth of topics, features and services to cover are vast!

So in this post I thought I would share my experience from studying to taking the exam. Even though this exam retires on the 31st December 2018, the techniques and material will still be valid for the new AZ-300/301/302 exams and certification path.

Please note you can only take the AZ-302 if you have passed this exam (70-535)!

Preparation – What To Study

As with every exam I take it is important to understand what the exam will actually test you on; learning material that you won’t be tested on may be fun and enjoyable, but it won’t help you pass the exam.

To do this I used the exam overview page here.

Using this web page I review the “Skills measured” section with great detail looking for various pieces of vital information.

Firstly the section explaining the areas and the split of them in the exam:

I note down on a OneNote page each service/feature/topic mentioned so I ensure I revise each of them.

I also look out for exam updates, these are normally just in normal text (not highlighted or in red) and normally look something like the below:

These are very important to find if they exist for your chosen exam; they normally do for older exams! They provide an update on the “Skills measured” section/topic splits alongside new features/services to study etc… and also ones to now ignore as they have been retired/replaced.

Preparation – Revision Tools & Resources

For this particular exam I used several tools to help me study all of the required material.

Firstly I purchased Scott Duffy’s course on Udemy for the exam; link here.

I also purchased the Microsoft Official Exam Ref guide book for the exam.

And finally I use the Microsoft Azure Docs as these are now community driven and therefore usually very accurate and up-to-date. Alongside Microsoft Channel 9 videos.

Preparation – Method

As for my revision approach I do the following, however everybody learns differently so this may not work for you.

Firstly I watch all of the videos for a particular feature/service from either Scott Duffy’s Udemy Course or Microsoft Channel 9. And whilst watching I jot down rough notes in OneNote.

Once I’ve watched the videos I then further detail and refine my notes by using the relevant pages on Microsoft Azure Docs.

And then either in the evening before going to sleep or early in the morning as I eat breakfast I read the same section in the Exam Ref guide book.

This means I will have read the information 3 times, so hopefully some of it has stuck in my brain by now!

One important thing to note is that I never revise for more than 20 minutes straight. After 20 minutes has elapsed I find the quality of information being taken in by my brain is not as good and only leads to me re-revising.

After I have done this for all of the topics/features/services I need to revise I then review my notes for a specific area each day (mainly the ones I don’t use on a daily basis)

The Exam

The exam is the same style as most Microsoft exams I have taken in the past, multiple choice with different style questions like drag and drop and scenario based etc…

One thing I cannot stress enough is to book the exam at least a month before you wish to take the exam, this will force you to revise daily.

The questions I had in my exam were exactly as expected based on the exam overview page, however it was more up-to-date on features and services than I expected.

For example some of the networking questions mentioned Azure VWAN and ExpressRoute Direct, luckily I check the Azure blog at least daily for new features of note for my daily job role.

As the exam will retire I won’t mention much more about the exam in this post. Apart from it really was quite tough and revision of all topics mentioned is definitely recommended.

Summary

Hopefully my preparation steps and advice will help a lot of you pass any exam you are about to take as these skills are universal across pretty much any exam and vendor.

If you do have any specific questions around what to look out for for Azure Architecture exams then feel free to comment below or reach out to me on Twitter.

Until next time… Like, Comment & Share!

© 2019 Jack Tracey
