Microsoft Azure AZ-801 — Section 18: Troubleshoot Windows Server on-premises and hybrid networking
110. Troubleshoot hybrid network connectivity
Let’s get into the concepts now of troubleshooting hybrid installations.
So, in this situation, you want to think about the fact that you’ve got your on-premises network, maybe a Microsoft Active Directory domain, you’ve connected it into Azure with Azure AD Connect and, maybe, there are some synchronization issues. You’ve got users that aren’t synchronizing up to Azure AD through Azure AD Connect.
In this case, my Azure AD Connect has been disabled, and I want to show you some different errors and things like that. We’re going to look at these errors, talk about what’s going on, and see what kind of log information Azure is going to generate for us so that we can troubleshoot. So, here we are on portal.azure.com. I’m going to click the menu button and go to Azure Active Directory. All right. And we’re going to scroll down here and go to Azure AD Connect. All right. So, you can see that I’ve had Azure AD Connect working, but it does say it’s been more than a day since synchronization has occurred.
What you really want to focus on when troubleshooting a hybrid synchronization issue of some sort is to go to this right here, Health and Analytics. So, we’ll go to Azure AD Connect Health and we can click on Sync errors. Now, we can see there’s one error right here, but you can see there are various things that could go wrong. In this particular case, it’s a duplicate attribute.
One thing it’s telling me right out of the gate is that there is a duplicate user that’s already in my environment named Jane Doe, and I tried to synchronize an on-premises user also named Jane Doe to the Azure environment. Right.
So, I clicked on that entry that it gave me. And I just want you to see all this information that it provides, right? So it says we detected an object with the user principal name Jane Doe, yadda yadda, yadda, that cannot be synchronized because another object already has the same value of Jane Doe as the user principal name. To resolve the conflict, you need to determine which of these two objects should be using the user principal name. The next step is to update the other object to change or remove the conflicting value. So, it’s essentially telling you that you need to change a value on the user name and then it will no longer conflict. All right.
Again, what’s great about this is it is providing you some good information. There is a troubleshoot button that you can click on, and if you click that it says: to fix this issue, you need to modify or remove the conflicting attribute on one of the objects. If both objects exist in your on-premises Active Directory, you will need to make a change there. To find if the previous AD object still exists, please execute the following PowerShell commands. So it even provides you with a PowerShell command that can assist you in troubleshooting. All right.
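The portal’s advice above is to find which on-premises objects carry the colliding value. As an added example that is not from the course or from Microsoft’s own troubleshooting script, the following lists every on-premises AD user whose UserPrincipalName or proxyAddresses value is shared with another object; it assumes the RSAT ActiveDirectory module and a domain-joined session, and the UPN `janedoe@contoso.com` is an assumed value standing in for the one the portal reported.

```powershell
# Added example, not from the course: list on-premises AD users whose
# UserPrincipalName or proxyAddresses values collide, which is what the
# "duplicate attribute" sync error is reporting. Assumes the RSAT
# ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

function Find-DuplicateSyncAttribute {
    param(
        # Assumed value: the UPN named in the sync error. Leave empty to list all conflicts.
        [string]$UserPrincipalName
    )
    $users = Get-ADUser -Filter * -Properties UserPrincipalName, proxyAddresses

    # UPN is single-valued: group by it and keep groups with more than one member.
    $dupUpn = $users |
        Where-Object { $_.UserPrincipalName } |
        Group-Object -Property { $_.UserPrincipalName.ToLower() } |
        Where-Object { $_.Count -gt 1 }

    if ($UserPrincipalName) {
        $dupUpn = $dupUpn | Where-Object { $_.Name -eq $UserPrincipalName.ToLower() }
    }

    # proxyAddresses is multi-valued, so flatten to (address, object) pairs first.
    $dupProxy = $users |
        ForEach-Object {
            $u = $_
            foreach ($addr in $u.proxyAddresses) {
                [pscustomobject]@{ Address = $addr.ToLower(); Dn = $u.DistinguishedName }
            }
        } |
        Group-Object -Property Address |
        Where-Object { $_.Count -gt 1 }

    foreach ($g in $dupUpn) {
        "Duplicate UPN '$($g.Name)' on:"
        $g.Group | ForEach-Object { "  $($_.DistinguishedName)" }
    }
    foreach ($g in $dupProxy) {
        "Duplicate proxyAddress '$($g.Name)' on:"
        $g.Group | ForEach-Object { "  $($_.Dn)" }
    }
}

Find-DuplicateSyncAttribute -UserPrincipalName 'janedoe@contoso.com'
```

If the on-premises search turns up only one object with that UPN, the conflicting object is cloud-only in Azure AD and the change has to be made on the Azure side instead.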
So, I think Microsoft’s done a pretty good job there as far as providing that information. Let’s go back. And the next thing I want to look at is Sync Services. This is going to let us know that right now my synchronization service is unhealthy, which makes perfect sense because it’s disabled at the moment. If I click on my exam lab practice information here, it says that we have an alert: it’s unhealthy. I click on that alert and it says that synchronization has stopped for at least 24 hours, and the health service data is not up to date.
So, my synchronization service from NYC-SVR1 is no longer synchronizing. Okay. Last detected: it tells you the date the alert was raised. And I can click on that. And this is what I really love, the fact that it tells me all this information. What’s going on: the synchronization to the Azure Active Directory appears to have been stopped for at least 24 hours. And then there’s a latency in processing. But what I like about this too is it tells me what I could do to fix it, right. And to me this is one of the most valuable things about the way we’ve moved into the cloud with Azure: they can always provide you with updated information on how you could fix it. A lot of times the help documentation that we’ve had in our server operating systems in the past wasn’t always very up to date. Microsoft would make some kind of a change or fix, and then their help documentation would still contain some older information. This way we’ve got updated information on exactly what we could do to resolve this problem. All right. So, it’s definitely something to check out.
The other thing, if you’re getting an error of some kind, is to check out their help documentation. They’ve also got some other related links, like troubleshooting connectivity issues with Azure AD Connect. So, you can click on that and it’ll take you to one of their Learn documents for troubleshooting, so you could go deeper into what could potentially be going on. Perhaps there’s a firewall that’s blocking some ports or URLs, and you’d want to make sure that wasn’t happening. All right.
So, that is a big part of troubleshooting. One last thing I want to mention here. Let’s go back to Azure AD Connect Health again. Something you can do to further strengthen health monitoring in your environment: by default, when you install Azure AD Connect on a server, it only installs one health agent, and it’s monitoring just the synchronization stuff. That’s all it’s monitoring. But you’re going to notice there are three different health agents here. All right. This middle one right here is the only one that gets installed in your domain by default, and it happens automatically when you set up Azure AD Connect. However, if you are using a federation server, AD FS, in your environment, you could install the agent on your AD FS server and that’ll help with AD FS related issues, Active Directory Federation Services issues. And then finally, and to me this is one of the more valuable ones, you can install the Azure AD Connect Health agent for AD DS. This will communicate with Active Directory on more than just sync issues. It’ll let you know if Active Directory has got any issues, and that stuff will get logged as well and you’ll be able to view it right here. Your AD FS information would be viewed right here.
So, this information you see here relates to this agent, the middle one; this relates to the top agent, which is not installed by default; and this is related to the bottom agent, which is also not installed by default. So, those are some things that you can also do to assist you in troubleshooting hybrid based environments. All right. So, those are the things that you want to always look at. If you’re having issues in a hybrid environment, you want to check your log information, check errors, and then go through the fix options that are available to you. And of course, you can always do a little further digging. They do provide you with other documents that could assist in this type of problem.
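The "stopped for at least 24 hours" alert and the firewall possibility just mentioned can both be checked from the Azure AD Connect server itself. The following is an added example, not from the course, to run on that server (NYC-SVR1 in this lab); it assumes the ADSync module that Azure AD Connect installs, and the two endpoints it probes are an assumed subset of the URLs Azure AD Connect needs to reach.

```powershell
# Added example, not from the course: run on the Azure AD Connect server
# (NYC-SVR1 in this lab) to see why Connect Health reports the sync service
# as unhealthy. Assumes the ADSync module that Azure AD Connect installs;
# the endpoint list is an assumed subset of the URLs Azure AD Connect needs.
Import-Module ADSync

function Get-SyncHealthSummary {
    # The sync engine runs as the Windows service named 'ADSync'.
    $svc   = Get-Service -Name ADSync -ErrorAction SilentlyContinue
    $sched = Get-ADSyncScheduler            # scheduler state, staging mode, next cycle

    # Outbound HTTPS to Azure AD is required; a blocked 443 looks like a stalled sync.
    $endpoints = 'login.microsoftonline.com', 'graph.microsoft.com'
    $reach = foreach ($e in $endpoints) {
        $t = Test-NetConnection -ComputerName $e -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $e; Https443 = $t.TcpTestSucceeded }
    }

    $result = [pscustomobject]@{
        ServiceStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SyncCycleEnabled = $sched.SyncCycleEnabled
        StagingMode      = $sched.StagingModeEnabled
        NextCycleUtc     = $sched.NextSyncCycleStartTimeInUTC
        RunningNow       = @(Get-ADSyncConnectorRunStatus).Count -gt 0
        Reachability     = $reach
    }

    # Translate the raw state into the likely cause behind the portal's alert.
    $result | Add-Member -NotePropertyName LikelyCause -NotePropertyValue $(
        if ($result.ServiceStatus -ne 'Running')   { 'ADSync service stopped or disabled' }
        elseif (-not $result.SyncCycleEnabled)     { 'Scheduler disabled (Set-ADSyncScheduler -SyncCycleEnabled $true)' }
        elseif ($result.StagingMode)               { 'Server is in staging mode, so nothing is exported' }
        elseif ($reach.Https443 -contains $false)  { 'Outbound 443 to Azure AD blocked by a firewall or proxy' }
        else                                       { 'No local fault found; check the connector run history' }
    )
    $result
}

Get-SyncHealthSummary | Format-List
```

Once the cause is fixed, `Start-ADSyncSyncCycle -PolicyType Delta` forces a run so the portal’s "last synced" time updates without waiting for the scheduler.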
111. Troubleshoot on-premises connectivity with Azure
Let’s talk about troubleshooting connectivity issues between our on-premises environment and Azure.
Now, the first thing you want to think about here is that there are three primary ways that we interact with Azure from on-premises. The first way is exactly what I’m doing on the screen right now: you just access Azure through the portal and you create things and do things through the portal. You really don’t need a lot of ports open on your firewall for that, just port 443. Essentially, you make sure that you’re not blocking any of the Azure URLs. And as long as you’ve got an Internet connection, you should be solid and you should be able to get into and interact with the Azure services. And if you’re wanting to connect into a virtual machine or something like that, you could use RDP, or SSH if it’s Linux; there are various things you can do, right? As long as your firewall is not blocking any of it, you should be fine. You should be able to make those connections.
Now, the disadvantage to that is that normally, when you’re interacting with virtual machines, it’s not a great idea to just expose those to the Internet. In fact, if I go right now and look at my virtual machines, I do have one virtual machine that I’ve set up called WinServer2. And if I go and look at Networking, all right, we can see that RDP is open right now for this public address. And it’s got a warning message next to it. Right. It says RDP port 3389 is exposed to the Internet. This is only recommended for testing. For production environments, we recommend using a VPN or private connection. Okay, so that brings me to the other two ways that you would generally interact with services in Azure. One would be to use a VPN gateway. The other would be to use a private connection known as ExpressRoute.
Now, VPN Gateway is going to be the cheaper method. With ExpressRoute, you would actually be setting up a telecommunications connection between you and a telecommunications provider.
When you do ExpressRoute, you can actually contact a telecommunications provider. In fact, if you go here in Azure, you can search for ExpressRoute, for example. It’s a little bit slow today for some reason, but I can go to ExpressRoute and I can tell it to create an ExpressRoute connection.
Granted, this is just creating the resource in Azure; you actually have to get the equipment and all of that. But if we come over here to Configuration, you can look at the various providers that are available, and if you click on a provider, it’ll even tell you what areas are available to you, like New York, for example. You can contact that telecommunications provider and they will assist you. They’ll come and put the equipment in your office and they can connect you directly into Azure through a private connection.
So, what you have to think about there is that if your company did have an ExpressRoute connection, you would need to make sure that the ExpressRoute equipment was working properly. You might have to contact the company that put it in for you, because they might have to troubleshoot it.
The other method that was mentioned there was VPN, right? VPN Gateway. So, if I go to All services here and do a search for VPN Gateway, you’ll see it. There it is: Virtual network gateway. So, if we click on that, a virtual network gateway is something we could create as well. Now, with the virtual network gateway, your company has a VPN router on-premises that supports the VPN Gateway feature. You’d have to look that up and buy that type of equipment. There’s various equipment; you can actually do a quick Google search for VPN Gateway devices supported by Azure, and you can find a list of the pieces of equipment that are supported out there. But you can set that up, and from there you’ll have a virtual private network connection over the Internet.
So, with ExpressRoute, you can see that a VPN gateway can go through ExpressRoute as well, to add an additional layer of encryption. But with ExpressRoute, you’ve got a private connection; you’re not going across the Internet for this, it’s a dedicated connection. With VPN Gateway, you are using a virtual private network connection over the Internet.
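The portal warning on WinServer2 only shows for the VM you happen to be looking at. As an added example that is not part of the course, the following audits every network security group in the current subscription for inbound rules that allow RDP (3389) or SSH (22) from any source; it assumes the Az.Network module and a signed-in session (Connect-AzAccount).

```powershell
# Added example, not from the course: audit every NSG in the current subscription
# for inbound rules that allow RDP (3389) or SSH (22) from any source, the exposure
# the portal flags on WinServer2. Assumes the Az.Network module and a signed-in
# session (Connect-AzAccount).
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    # NSG port entries are '*', a single port, or 'low-high'.
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

function Get-ExposedAdminPort {
    $adminPorts = 3389, 22
    $anySource  = '*', 'Internet', '0.0.0.0/0'
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            # SourceAddressPrefix and DestinationPortRange are lists in the Az model.
            if (-not ($rule.SourceAddressPrefix | Where-Object { $_ -in $anySource })) { continue }
            $hits = foreach ($p in $adminPorts) {
                if ($rule.DestinationPortRange | Where-Object { Test-PortInRange $_ $p }) { $p }
            }
            if ($hits) {
                [pscustomobject]@{
                    ResourceGroup = $nsg.ResourceGroupName
                    Nsg           = $nsg.Name
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    ExposedPorts  = ($hits -join ',')
                    Sources       = ($rule.SourceAddressPrefix -join ',')
                }
            }
        }
    }
}

Get-ExposedAdminPort | Sort-Object Priority | Format-Table -AutoSize
```

A hit is a candidate, not proof: a Deny rule with a lower priority number on the same NSG, or a subnet-level NSG, can still block the traffic, which is exactly what the IP flow verify tool covered later in this lesson settles.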
What you’d have to do is you’d have to troubleshoot that equipment, that VPN router. If you lost connectivity for some reason, you would need to troubleshoot that VPN gateway and find out what was going on.
It could just be that you’re not able to interact with your virtual machines. Maybe you’ve got some virtual machines in Azure, maybe you’ve got an Internet connection and you’re communicating with some Azure services, but you’re not communicating with your virtual machines.
In that case, Azure has some troubleshooting tools you can use. What you can do is go here to the menu button, go to All services, and search for something called Network Watcher. Network Watcher is a service that, as soon as you set up any VNets on your network, is automatically turned on for whatever location, whatever region, you have VNets in.
So, I didn’t have to do anything special. I’ve got a VNet because I’ve got the virtual machine set up, and it’s already monitoring us. And you have all these tools to help you. For example, I have a topology generator here. I can select the resource group and virtual network, and it’ll give you a visual.
So, I’ve got WinServer2 here connected with a vNIC; it’s connected to a subnet called default, and the VNet is right here. And then I have an NSG, network security group, that’s managing the IP filtering and all that. And here’s my public address. The other thing that’s kind of neat about that is you can click on each one of these and it’ll take you straight to it. This topology generator is especially helpful for troubleshooting if you’ve got a pretty large environment of VNet information. You’ve also got some other tools, like IP flow verify. This will check if a packet is allowed or denied to or from a virtual machine.
So, if you’re doing this from an on-premises standpoint and you’re trying to troubleshoot, you could put in the IP address of a virtual machine here and click Check to make sure there’s connectivity. You’ve also got NSG diagnostics for troubleshooting network security groups.
So, if it’s a network security group related problem, you could use this for troubleshooting it. You have Next hop, which is for routing issues; especially if you’re routing a bunch of traffic through a bunch of VNets or subnets in your environment, you could troubleshoot with that. You can look at Effective security rules involving an NSG. Here is VPN troubleshoot.
This is one of the ones I really wanted to show you. If you do have a VPN gateway set up in your environment, you could use this for troubleshooting that. All right, you can even do packet capturing.
Now, you will need to download something like Wireshark, because when you turn on packet capture, it’s going to capture traffic, but it doesn’t let you view that traffic. You have to have Wireshark or something like it to do that; you can download Wireshark for free if you’re not familiar with it. And then finally you have Connection troubleshoot.
So, it tells you here this is going to provide the capability to check a direct TCP connection from a virtual machine to a VM, fully qualified domain name, URL, or IPv4 address. So, you could use this for troubleshooting from an on-premises based connection as well.
I encourage you, if you haven’t already, to play around with some of these little tools and get a feel for using them, because they’re pretty easy to use, but they definitely can come in handy. All right.
Those are the things that I would consider when you want to think about troubleshooting an on-premises connection with Azure. Those are the types of things that I would have at the forefront of your mind.
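The three Network Watcher tools most useful for an on-premises-to-VM problem (IP flow verify, next hop and connection troubleshoot) can be driven together from PowerShell. This is an added example, not from the course; it assumes the Az.Compute and Az.Network modules, a signed-in session, and the default watcher Azure creates per region (resource group NetworkWatcherRG, name NetworkWatcher_<region>). The resource group, region and on-premises IP address are assumed or constructed values.

```powershell
# Added example, not from the course: the same three Network Watcher checks the
# portal offers (IP flow verify, next hop, connection troubleshoot) driven from
# PowerShell against the lab VM. Assumes the Az.Compute/Az.Network modules, a
# signed-in session, and the default watcher Azure creates per region
# (NetworkWatcherRG / NetworkWatcher_<region>); the resource group, region and
# on-prem IP are assumed/constructed values.
function Invoke-VmConnectivityCheck {
    param(
        [string]$VmResourceGroup = 'rg-lab',        # assumed
        [string]$VmName          = 'WinServer2',
        [string]$Region          = 'eastus',        # assumed
        [string]$OnPremIp        = '203.0.113.10',  # constructed on-prem public IP
        [string]$TargetFqdn      = 'login.microsoftonline.com'
    )
    $vm   = Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName
    $nw   = Get-AzNetworkWatcher -ResourceGroupName 'NetworkWatcherRG' -Name "NetworkWatcher_$Region"
    $nic  = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    $vmIp = $nic.IpConfigurations[0].PrivateIpAddress

    # 1. IP flow verify: would an inbound RDP packet from on-prem pass the NSG?
    $flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
        -Direction Inbound -Protocol TCP -LocalIPAddress $vmIp -LocalPort 3389 `
        -RemoteIPAddress $OnPremIp -RemotePort 50000

    # 2. Next hop: how the VM routes a reply back to on-prem
    #    (Internet, VirtualNetworkGateway for VPN/ExpressRoute, or None = black hole).
    $hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
        -SourceIPAddress $vmIp -DestinationIPAddress $OnPremIp

    # 3. Connection troubleshoot: direct TCP probe from the VM to an FQDN and port
    #    (requires the Network Watcher agent extension on the VM).
    $conn = Test-AzNetworkWatcherConnectivity -NetworkWatcher $nw -SourceId $vm.Id `
        -DestinationAddress $TargetFqdn -DestinationPort 443

    [pscustomobject]@{
        VmPrivateIp     = $vmIp
        RdpFromOnPrem   = "$($flow.Access) (rule: $($flow.RuleName))"
        NextHopToOnPrem = "$($hop.NextHopType) $($hop.NextHopIpAddress)"
        HttpsToTarget   = "$($conn.ConnectionStatus), $($conn.ProbesFailed)/$($conn.ProbesSent) probes failed"
    }
}

Invoke-VmConnectivityCheck | Format-List
```

A next hop of None for the on-premises address means a route table is black-holing the reply, which no NSG change will fix; a VirtualNetworkGateway hop with a failing connection points back at the VPN or ExpressRoute equipment discussed earlier.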