Azure 70-533 Exam Experience

On Saturday I passed the 70-533 – Implementing Microsoft Azure Infrastructure Solutions.

The exam itself I found challenging, but nowhere near as difficult as I had primed myself for. I have been working with Azure on and off for around 2 years now and thought it was about time I stamped my LinkedIn page with the 70-533 exam. For clarification and refinement, I used videos on Udemy followed by a ton of reading on the Microsoft pages.

But my main stress came before the exam, with the at-home proctored exam that Pearson Vue are now offering. It started fine, with me needing to look directly at the webcam and then provide my driving license as identification. Then comes the room sweep. You have to move your webcam slowly around the room so that the agent can see what is in the room. I was using my laptop, but was forced to unplug screens (that were not connected to anything at the other end), have my phone in the room but not within arm's reach, and move credit cards and other paperwork that I had deliberately stored underneath my printer behind my screens out of arm's reach and onto the floor.

The doors had to be closed, and I had to keep my face in view at all times during the exam. The problem being, my Dell XPS 13 webcam sits in the bottom left of the screen, so the screen has to be tilted back massively for me to fit in the frame (poor design on Dell's part). In all, the experience took me about 25 minutes of constantly going over areas to prove that they were clear and that no one else was in the room. I wish I had braved the Christmas shopper rush to my nearest Test Center, which is in the heart of my nearest city right next to the shopping center.

WSUS Tidy – Powershell

I normally run the script below on a weekly schedule. If you haven't run it for a long period of time, it may crash out, but you'll find that the cleanups are going through and eventually it will complete.
The stats are written to a log file.

# Variables: one log file per day. The format must be yyyyMMdd; a lowercase mm is minutes, not month.
$DateFormat = Get-Date -Format yyyyMMdd
$Logfile = "C:\Source\wsuslogs\$DateFormat.log"

# WSUS cleanup (UpdateServices module, run on the WSUS server). The cmdlet's summary of
# what was declined, compressed and removed is what ends up in the log file.
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates | Out-File $Logfile
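Putting the cleanup on the weekly schedule mentioned above, as an added example that is not part of the original post: it registers the script as a scheduled task running as SYSTEM with a time limit, so a long first run cannot hang around indefinitely. The script path and task name are placeholders.

```powershell
# Added example (not from the original post): schedule the WSUS cleanup script above.
# Assumes the script is saved at C:\Source\Scripts\WsusTidy.ps1 (placeholder path) and
# that this runs on the WSUS server itself.
$ScriptPath = 'C:\Source\Scripts\WsusTidy.ps1'
$TaskName   = 'WSUS Weekly Cleanup'

# Run with the 64-bit PowerShell host; the execution policy bypass applies to this
# invocation only, so a signed-scripts-only policy does not silently stop the job.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Sundays at 02:00, well away from patch approval and sync windows
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2:00AM

# SYSTEM already has rights to the WSUS database and content store, so no stored password
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Kill a runaway cleanup after 4 hours; if the server was off at 02:00, run as soon as it is up
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) -StartWhenAvailable

# -Force overwrites an existing task of the same name so re-running this is idempotent
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force
```

Because each run writes to a date-stamped log, a missing log file on Monday morning is itself a useful signal that the task did not run.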

Find Stale AD Computers

Active Directory can often be neglected, and orphaned computer objects can get out of control. The script below queries your domain (remember to provide your FQDN in the variable at the top) for computers that have not logged on to the domain for 90 days.

By default, Active Directory changes computer object passwords every 30 days. If you have a large mobile workforce that may not connect to the network for a long period, you may want to extend this. I find that 90 days works well for us.

NOTE: Be careful when using this in environments that have clusters. SQL clusters, for example, have an AD-joined computer object for the cluster name. This does not update its lastLogonTimestamp and therefore gets caught by this script.

Import-Module ActiveDirectory
$domain = "domain.local"          # your domain FQDN
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))

# Get all AD computers whose lastLogonTimestamp is older than our cut-off, then
# output hostname and the timestamp (converted from FILETIME) to CSV
Get-ADComputer -Server $domain -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |
    Select-Object Name, @{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} |
    Export-Csv C:\source\OLD_Computer.csv -NoTypeInformation
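The same 90-day query taken one step further, as an added example that is not part of the original post: it corroborates the logon stamp with the machine-account password age, skips the cluster name objects the note above warns about, and disables and moves stale objects to a quarantine OU instead of deleting them. Everything is a WhatIf dry run unless -Act is given. The quarantine OU path and the domain name are placeholders, and recognising cluster objects by their MSClusterVirtualServer service principal name is my assumption about how to spot them.

```powershell
# Added example (not from the original post): review-then-act flow for stale computers.
# Placeholders: $Domain and $QuarantineOU. Runs in audit mode unless -Act is supplied.
param(
    [string]$Domain       = 'domain.local',
    [int]   $DaysInactive = 90,
    [string]$QuarantineOU = 'OU=Stale Computers,DC=domain,DC=local',
    [switch]$Act
)
Import-Module ActiveDirectory

$Cutoff = (Get-Date).AddDays(-$DaysInactive)

# Pull both timestamps: lastLogonTimestamp alone can lag because of its replication
# back-off, so a machine-account password that has also not rotated since the cut-off
# corroborates that the object is genuinely idle rather than just slow to replicate.
$Stale = Get-ADComputer -Server $Domain -Filter { Enabled -eq $true } `
    -Properties LastLogonTimeStamp, PasswordLastSet, ServicePrincipalName, OperatingSystem |
    Where-Object {
        [DateTime]::FromFileTime($_.LastLogonTimeStamp) -lt $Cutoff -and
        $_.PasswordLastSet -lt $Cutoff
    }

# Skip failover-cluster name objects (assumption: identified by their cluster SPN); as the
# post notes, their logon stamp does not reflect real use.
$Candidates = $Stale | Where-Object {
    -not ($_.ServicePrincipalName -match '^MSClusterVirtualServer/')
}

$Report = $Candidates | Select-Object Name, OperatingSystem, PasswordLastSet,
    @{Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) }},
    DistinguishedName

$Report | Export-Csv "C:\Source\Stale_Computers_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
"{0} stale computers found, {1} after excluding cluster objects" -f @($Stale).Count, @($Candidates).Count

# Disable and move rather than delete, so a laptop that turns up again can be re-enabled.
# Move last: the object's DN changes once it is in the quarantine OU.
foreach ($Computer in $Candidates) {
    Disable-ADAccount -Identity $Computer -Server $Domain -WhatIf:(-not $Act)
    Set-ADComputer    -Identity $Computer -Server $Domain -WhatIf:(-not $Act) `
        -Description ("Disabled {0:yyyy-MM-dd}: inactive > {1} days" -f (Get-Date), $DaysInactive)
    Move-ADObject     -Identity $Computer -TargetPath $QuarantineOU -Server $Domain -WhatIf:(-not $Act)
}
```

Run it once without -Act, read the CSV with the teams that own the odd-looking names, then run it with -Act. Disabled objects in a dedicated OU are also easy to report on and delete later once the grace period has passed.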


Active Directory Sites – Powershell Site Links

My current client has asked me to look at tidying up their Active Directory. They have 3 environments that should all look identical, but as with everything, time permits and changes can skip an environment.

Due to their sector, sites are constantly opening and closing; at any one time they can have over 70 sites. The previous fix for this was to push all the subnets into a single AD replication site, which connected back to the head office (where their domain controllers sit). After having Microsoft in for the day to go over a number of things, Microsoft advised that all sites should be separated, as per best practice.

Our SCCM boundaries are also based on these sites, so removing them is not an option.

I spoke to the networks team, got a list of all the subnets and their corresponding sites, and started to build each site/subnet/AD site link. It wasn't long before I wanted to pull my hair out! So I scrapped the manual creation and put together the script below. I have also included the part where I pull the information out to a CSV that I can then take to the next environment and run to build it. This way, I build the environment once in an offline area and then import across the other environments.

# Run this on the source server to pull out the site names (the import below reads the Name column)
# Get-ADReplicationSite -Filter * | Select-Object Name | Export-Csv C:\source\ADsites.csv -NoTypeInformation

$HubSite = "10-Eaton-Court"       # head office site that every branch site links back to
$Sites = Import-Csv C:\source\Input\ADsites.csv
foreach ($Site in $Sites) {
    New-ADReplicationSite -Name $Site.Name -Description "Imported via Script"
}

# One site link per branch site back to the hub; skip the hub so it is not linked to itself
$SiteLinks = Get-ADReplicationSite -Filter * | Where-Object { $_.Name -ne $HubSite }
foreach ($SiteLink in $SiteLinks) {
    New-ADReplicationSiteLink -Name $SiteLink.Name -SitesIncluded $SiteLink.Name, $HubSite -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
}

# Run this on the source server to pull out all subnets and their sites. Site comes back as a
# DN (CN=<site>,CN=Sites,...), so it is cut down to just the site name on export.
# Be careful of subnets specific to the Dev/UAT environment.
# Get-ADReplicationSubnet -Filter * | Select-Object Name, @{Name="Site"; Expression={($_.Site -split ',')[0] -replace '^CN=',''}} | Export-Csv C:\source\ADSubnets.csv -NoTypeInformation

Import-Csv C:\Source\Input\ADSubnets.csv | ForEach-Object { New-ADReplicationSubnet -Name $_.Name -Site $_.Site }
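The point of exporting to CSV is that the three environments should end up identical, so a check that they actually are is the natural companion to the build script. This added example (not part of the original post) compares the reference CSVs against the environment it runs in and reports sites or subnets that are missing, extra, or attached to a different site than the reference says. It assumes the two CSV files exported above, with the Site column holding either the bare site name or the DN the cmdlet returns; both are normalised the same way. It changes nothing.

```powershell
# Added example (not from the original post): drift check between the reference CSVs and
# the live environment. Assumes C:\source\ADsites.csv (Name column) and
# C:\source\ADSubnets.csv (Name, Site columns) as exported by the comments above.
Import-Module ActiveDirectory

# Site may be a bare name or a DN; reduce both forms to the bare name
function Get-SiteName { param([string]$Site) ($Site -split ',')[0] -replace '^CN=', '' }

$RefSites   = Import-Csv C:\source\ADsites.csv   | Select-Object -ExpandProperty Name
$RefSubnets = Import-Csv C:\source\ADSubnets.csv |
    Select-Object Name, @{ Name = 'Site'; Expression = { Get-SiteName $_.Site } }

# Live state, normalised the same way (Site on a subnet object is a DN)
$LiveSites   = Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name
$LiveSubnets = Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ Name = 'Site'; Expression = { Get-SiteName $_.Site } }

# Sites present on one side only
Compare-Object -ReferenceObject @($RefSites) -DifferenceObject @($LiveSites) |
    ForEach-Object {
        $Issue = if ($_.SideIndicator -eq '<=') { 'missing in this environment' } else { 'not in reference' }
        [pscustomobject]@{ Kind = 'Site'; Name = $_.InputObject; Issue = $Issue }
    }

# Subnets: index both sides by subnet so a site mismatch is found as well as missing/extra
$RefBySubnet  = @{}; $RefSubnets  | ForEach-Object { $RefBySubnet[$_.Name]  = $_.Site }
$LiveBySubnet = @{}; $LiveSubnets | ForEach-Object { $LiveBySubnet[$_.Name] = $_.Site }

foreach ($Subnet in (@($RefBySubnet.Keys) + @($LiveBySubnet.Keys) | Sort-Object -Unique)) {
    $Issue = $null
    if (-not $LiveBySubnet.ContainsKey($Subnet)) {
        $Issue = 'missing in this environment'
    } elseif (-not $RefBySubnet.ContainsKey($Subnet)) {
        $Issue = 'not in reference'
    } elseif ($RefBySubnet[$Subnet] -ne $LiveBySubnet[$Subnet]) {
        $Issue = "site mismatch: reference $($RefBySubnet[$Subnet]), live $($LiveBySubnet[$Subnet])"
    }
    if ($Issue) { [pscustomobject]@{ Kind = 'Subnet'; Name = $Subnet; Issue = $Issue } }
}
```

Pipe the output to Format-Table or Export-Csv. An empty result means the environment matches the reference; a subnet showing up as "not in reference" is usually one of the Dev/UAT-specific subnets the export comment warns about, which is exactly why the check is worth running before the import rather than after.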

Azure Resource Manager to ASM (Classic) vnet peering

A client I've been carrying out some Azure work for over the past few months has a split environment between Azure Resource Manager (ARM) and Azure Service Manager (Classic, or ASM). Their ADFS infrastructure and System Center servers all currently live in ASM, and there was no direct connection through to ARM, meaning traffic had to take some funky routing via the VPNs through the head office.

The fix is to set up vnet peering through the portal. This is done via the virtual network > Peering > Create.

You’ll need to fill in the following details:

I then got this error:

Failed to add virtual network peering ‘<peering name>’. Error: Subscription <ID> is not registered with NRP.

It was quite difficult to find information on this error message, and initially I thought it was due to a lack of permissions.

However, the following script fixed the issue (note: it can take a bit of time for this to go through, as it registers a provider feature and the Microsoft.Network resource provider with your subscription).

Afterwards you should be able to create your vnet peering across subscriptions.

Import-Module AzureRM
Login-AzureRmAccount

# Check the current state of the preview feature (expect NotRegistered before the fix)
Get-AzureRmProviderFeature -FeatureName AllowClassicCrossSubscriptionPeering -ProviderNamespace Microsoft.Network

# Register the preview capability in your Azure subscription, then confirm it shows as Registered
Register-AzureRmProviderFeature -FeatureName AllowClassicCrossSubscriptionPeering -ProviderNamespace Microsoft.Network
Get-AzureRmProviderFeature -FeatureName AllowClassicCrossSubscriptionPeering -ProviderNamespace Microsoft.Network

# Re-register the Microsoft.Network provider so it picks up the new feature, and confirm
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
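Since the registration takes a while and the peering only succeeds once it has gone through, it is easier to let a script wait for the Registered state than to keep re-running the Get cmdlets by hand. This added example (not part of the original post) uses the same AzureRM cmdlets as above and polls until both the feature and the provider report Registered; the 30-minute timeout and 30-second poll interval are my choices, not documented limits.

```powershell
# Added example (not from the original post): register the preview feature and wait until
# the subscription actually reports it as Registered before moving on. Timeout and poll
# interval are arbitrary choices.
Import-Module AzureRM
Login-AzureRmAccount

$Feature   = 'AllowClassicCrossSubscriptionPeering'
$Namespace = 'Microsoft.Network'
$Timeout   = New-TimeSpan -Minutes 30
$Started   = Get-Date

# Poll a Get-* call until its RegistrationState is Registered, or give up after $Timeout
function Wait-ForRegistered {
    param([string]$Label, [scriptblock]$GetState)
    do {
        $State = & $GetState
        "{0:HH:mm:ss}  {1}: {2}" -f (Get-Date), $Label, $State
        if ($State -eq 'Registered') { return }
        if (((Get-Date) - $Started) -gt $Timeout) {
            throw "$Label still '$State' after $($Timeout.TotalMinutes) minutes"
        }
        Start-Sleep -Seconds 30
    } while ($true)
}

# Feature first: the request is accepted immediately but the state lags behind
Register-AzureRmProviderFeature -FeatureName $Feature -ProviderNamespace $Namespace | Out-Null
Wait-ForRegistered -Label "$Namespace/$Feature" -GetState {
    (Get-AzureRmProviderFeature -FeatureName $Feature -ProviderNamespace $Namespace).RegistrationState
}

# Then re-register the provider so the feature is picked up, and wait for that as well
Register-AzureRmResourceProvider -ProviderNamespace $Namespace | Out-Null
Wait-ForRegistered -Label "provider $Namespace" -GetState {
    (Get-AzureRmResourceProvider -ProviderNamespace $Namespace).RegistrationState
}

"Feature and provider registered; the cross-subscription classic peering can now be created."
```

The timestamps printed by each poll also give you a record of how long the registration took in that subscription, which is useful when the same fix has to be repeated in another one.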

Find and Disable Empty GPO Sections

The script below queries your GPOs, finds empty sections (computer or user), and disables them. This improves GPO processing speed, as machines will not look at disabled sections.

This was a recommendation from Microsoft during a recent RAP as a Service that I consulted on.

Get-GPO -All | ForEach-Object {

    [xml]$GPOAsXML = Get-GPOReport -Guid $_.Id -ReportType Xml

    # An empty section contributes only its two version numbers and "true" to InnerText,
    # e.g. "00true" (6 characters). Any ExtensionData makes it longer. (A section whose
    # version counters have reached 10 or more will be missed by this length check.)
    $ComputerEmpty = ($GPOAsXML.DocumentElement.Computer.Enabled -eq $true) -and ($GPOAsXML.DocumentElement.Computer.InnerText.Length -eq 6)
    $UserEmpty     = ($GPOAsXML.DocumentElement.User.Enabled -eq $true) -and ($GPOAsXML.DocumentElement.User.InnerText.Length -eq 6)

    # GpoStatus is a single value, not a flag set: setting UserSettingsDisabled after
    # ComputerSettingsDisabled would re-enable the computer half, so pick one target status
    $Status = if ($ComputerEmpty -and $UserEmpty) { "AllSettingsDisabled" }
              elseif ($ComputerEmpty)             { "ComputerSettingsDisabled" }
              elseif ($UserEmpty)                 { "UserSettingsDisabled" }

    if ($Status) {
        $_.GpoStatus = $Status
        $_.DisplayName.ToString().PadRight(60) + " $Status"
    }
}
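Before changing status on every GPO in a domain it is worth having a plan to review and a backup to fall back on. This added example (not part of the original post) does the same empty-section detection, but judges a section empty when its report node has no ExtensionData (my reading of the GPO report format, rather than the InnerText length check above), writes the planned changes to CSV, and only applies them, after a Backup-GPO of each affected GPO, when -Commit is given. The backup folder is a placeholder.

```powershell
# Added example (not from the original post): dry-run, backup, then disable empty GPO
# sections. $BackupPath is a placeholder. Nothing changes unless -Commit is supplied.
param(
    [string]$BackupPath = 'C:\Source\GPOBackups',
    [switch]$Commit
)
Import-Module GroupPolicy

if (-not (Test-Path $BackupPath)) { New-Item -ItemType Directory -Path $BackupPath | Out-Null }

# A section counts as empty when it is enabled but no client-side extension has written
# settings into it, i.e. the report node has no ExtensionData children (assumption about
# the report format; the original script tests the InnerText length instead).
function Test-EmptySection {
    param($Section)
    ($Section.Enabled -eq 'true') -and ($null -eq $Section.ExtensionData)
}

$Plan = foreach ($Gpo in Get-GPO -All) {
    [xml]$Report = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    $EmptyComputer = Test-EmptySection $Report.GPO.Computer
    $EmptyUser     = Test-EmptySection $Report.GPO.User

    # GpoStatus is one value, not a flag set, so work out the single target status
    $Target = if ($EmptyComputer -and $EmptyUser) { 'AllSettingsDisabled' }
              elseif ($EmptyComputer)             { 'ComputerSettingsDisabled' }
              elseif ($EmptyUser)                 { 'UserSettingsDisabled' }

    if ($Target) {
        [pscustomobject]@{ Name = $Gpo.DisplayName; Id = $Gpo.Id; Current = $Gpo.GpoStatus; Target = $Target }
    }
}

$Plan | Format-Table -AutoSize
$Plan | Export-Csv (Join-Path $BackupPath "gpo-status-plan-$(Get-Date -Format yyyyMMdd).csv") -NoTypeInformation

if (-not $Commit) {
    "Dry run: {0} GPO(s) would change. Re-run with -Commit to apply." -f @($Plan).Count
    return
}

foreach ($Item in $Plan) {
    # Backup-GPO captures settings and status, so a wrong call is reversible with Restore-GPO
    Backup-GPO -Guid $Item.Id -Path $BackupPath -Comment "Before status change to $($Item.Target)" | Out-Null
    $Gpo = Get-GPO -Guid $Item.Id
    $Gpo.GpoStatus = $Item.Target
    "{0,-60} {1} -> {2}" -f $Item.Name, $Item.Current, $Item.Target
}
```

Run it without -Commit first and have the plan CSV reviewed by whoever owns the GPOs; a GPO whose section is empty today may be one someone is about to populate.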