Upgrade SCCM 1610 – A Comprehensive Guide

Upgrade SCCM 1610 – A Comprehensive Guide

by | Nov 24, 2016 | Features, Fixes, How To, SCCM

How to upgrade SCCM 1610​

SCCM 1610

Microsoft has recently released SCCM 1610, the much-awaited upgrade to their System Center Configuration Manager. This upgrade includes new features and enhancements in Office 365 management, application management, Windows 10, client management, end-user experience, and new functionality for customers using Intune with SCCM. In this article, we will discuss how to upgrade to SCCM 1610 and its new features and enhancements.

A quick overview of these enhancements are;

  • Windows 10 Upgrade Analytics integration allows you to assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades.
  • Office 365 Servicing Dashboard and app deployment to clients features help you to deploy Office 365 apps to clients as well as track Office 365 usage and update deployments.
  • Software Updates Compliance Dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.
  • Cloud Management Gateway provides a simpler way to manage Configuration Manager clients on the Internet. You can use the ConfigMgr console to deploy the service in Microsoft Azure and configure the supported roles to allow cloud management gateway traffic.
  • Client Peer Cache is a new built-in solution in Configuration Manager that allows clients to share content with other clients directly from their local cache with monitoring and troubleshooting capabilities.
  • Enhancements in Software Center including customizable branding in more dialogs, notifications of new software, improvements to the notification experience for high-impact task sequence deployments, and ability for users to request applications and view request history directly in Software Center.
  • New remote control features including performance optimization for remote control sessions and keyboard translation.

and if you use SCCM with Microsoft’s Intune you get the following new features;

  • New configuration item settings and improvements now only show settings that apply to the selected platform. We also added lots of new settings for Android (23), iOS (4), Mac (4), Windows 10 desktop and mobile (37), Windows 10 Team (7), Windows 8.1 (11), and Windows Phone 8.1 (3).
  • Lookout integration allows to check device’s compliance status based on its compliance with Lookout rules.
  • Request a sync from the admin console improvement allows you to request a policy sync on an enrolled mobile device from the Configuration Manager console.
  • Support for paid apps in Windows Store for Business allows you to add and deploy online-licensed paid apps in addition to the free apps in Windows Store for Business.

SCCM 1610 FAQs

Question Answer

What is SCCM 1610?

 SCCM 1610 is the upgrade to Microsoft’s System Centre Configuration Manager.

What new features are included in SCCM 1610?

 SCCM 1610 includes new features and enhancements in Office 365 management, Windows 10, application management, client management, end user experience, and new functionality for customers using Intune with SCCM.

What is Windows 10 Upgrade Analytics integration?

 Windows 10 Upgrade Analytics integration allows you to assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades.

What is the Office 365 Servicing Dashboard?

 The Office 365 Servicing Dashboard is a feature that helps you to deploy Office 365 apps to clients as well as track Office 365 usage and update deployments.

What is the Software Updates Compliance Dashboard?

 The Software Updates Compliance Dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.

What is the Cloud Management Gateway?

 The Cloud Management Gateway provides a simpler way to manage Configuration Manager clients on the Internet. You can use the ConfigMgr console to deploy the service in Microsoft Azure and configure the supported roles to allow cloud management gateway traffic.

What is Client Peer Cache?

 Client Peer Cache is a new built-in solution in Configuration Manager that allows clients to share content with other clients directly from their local cache with monitoring and troubleshooting capabilities.

What are the enhancements in Software Center?

 The enhancements in Software Center include customizable branding in more dialogs, notifications of new software, improvements to the notification experience for high-impact task sequence deployments, and ability for users to request applications and view request history directly in Software Center.

What are the new remote control features?

 The new remote control features include performance optimization for remote control sessions and keyboard translation.

What new features are available if you use SCCM with Microsoft’s Intune?

 If you use SCCM with Microsoft’s Intune, you get new configuration item settings and improvements, Lookout integration, Request a sync from the admin console improvement, and support for paid apps in Windows Store for Business.

How do you upgrade to SCCM 1610?

 To upgrade to SCCM 1610, you need to follow several steps, including checking to see if SCCM 1610 has downloaded, enabling the Fast Ring, forcing a check for the update, and downloading and installing the SCCM 1610 update.

Upgrade to SCCM 1610

Now to upgrade your SCCM to version 1610, follow the following steps;

Check to see if SCCM 1610 has downloaded.

Open your SCCM console, and go to Administration, expand Cloud Services, then Updates and Servicing.

no sccm 1610

As in the picture above, you can see that the update to SCCM 1610 has not downloaded as yet. You can choose to right click and check for updates, but as Microsoft are slowly rolling out this update over the next few weeks it may not download. If you cannot wait for it to download itself, you can force the update to do so by running the following Powershell script located here https://gallery.technet.microsoft.com/ConfigMgr-1610-Enable-046cc0e9

Download SCCM 1610 Fast Ring

If you have waited quite sometime and SCCM 1610 hasn’t downloaded, then you need to download the EnableFastRing.Exe to do this for you. Once downloaded. launch the file and extract the powershell script and follow these steps.

SCCM 1610 Fast Ring

  • Launch an elevated command prompt
  • Run PowerShell
  • Run the EnableFastUpdateRing1610.ps1 script
    • EnableFastUpdateRing1610.ps1 where SiteServer refers to the CAS or standalone primary site server
  • Force a check for the update.
    • If you are upgrading from version 1602 or higher go to Administration, Overview, Cloud Services, Updates and Servicing and click “Check for Updates”.  You may need to try “Check for Updates” more than once if the package is not downloaded on the first try.
    • If you are upgrading from version 1511, restart the SMS_Executive.
  • The new 1610 Update should now be available in the Configuration Manager Console.

Download SCCM 1610 update

Now that Fastring has been enabled, go back to your SCCM console and right click the Updates and Servicing node and click check for updates.

sccm-1606-check-for-updates

Give SCCM sometime to start the download of SCCM 1610. Refresh the console to see the status and then proceed to install when downloaded.

sccm 1610 downloading

 SCCM 1610 Downloaded

Now hopefully your SCCM 1610 update has downloaded and is now available in your console.

sccm 1610 downloaded

Select the Configuration Manager 1610 update, right click and choose Run prerequisite check.

sccm 1610 prerequisite check

SCCM will now check your environment is ready for the upgrade to SCCM 1610.

sccm 1610 prerequisite checks

Let SCCM complete the check, refresh the console to see when it has completed.

 sccm 1610 prerequisite check complete

SCCM 1610 Update Installation

Now that the prerequisites have been checked and passed, you can now start to install the upgrade to SCCM 1610. Right click the update and choose Install Update Pack.

sccm 1610 install update pack

SCCM 1610 Update Installation – General Tab

The General Tab starts off the installation of the SCCM 1610 update. Click Next when you are ready to install.

sccm 1610 update 1

SCCM 1610 Update Installation – Features Tab

On the Features tab, you can select which options you wish to install. Click Next when ready to proceed.

sccm 1610 update 2

SCCM 1610 Update Installation – Client Update Options Tab

Next is the Client update options Tab, you can choose on this tab to upgrade without validating or validate the upgrade in a pre-production collection. As this is one of our lab environments, I have chosen to upgrade without validating. If this is your production environment, it always pays to be mindful of any upgrades, SCCM included so it may be worth you choosing the other option and validating the upgrade against a test collection.

Choose the option you wish and click Next.

sccm 1610 update 3

SCCM 1610 Update Installation – Licensing Terms Tab

Accept the license terms and privacy statement and click Next.

sccm 1610 update 4

SCCM 1610 Update Installation – Summary Tab

On the Summary Tab, confirm the options you have chosen are correct and then click on Next to continue.

sccm 1610 update 5

SCCM 1610 Update Installation – Progress Tab

The update to SCCM 1610 will now install.

sccm 1610 update 6

SCCM 1610 Update Installation – Completion Tab

Hopefully all went with your installation of SCCM 1610 and you should see a screen similar to the one below. Click now on Close and SCCM will continue updating in the background.

sccm 1610 update 7

SCCM 1610 Update Installation – Update Log

To view the installation logs, go to your C Drive of your SCCM server and locate the ConfigMgrSetup.log. If you have Trace32 installed, double click the log file to see the installation status.

sccm 1610 update log

Refreshing the console shows that the SCCM 1610 update is installing. Depending on your infrastructure, this could take some time.

sccm 1610 update 8

Monitor the SCCM 1610 upgrade – Installation Status

You can additionally monitor the status of the installation of SCCM 1610 in your console. Go to the Monitoring tab, then Updates and Servicing Status where you can see the updates you have applied. Highlight the Configuration Manager 1610 update and right click and chose show status.

sccm 1610 update 9

sccm 1610 update 10

Also, the cmupdate.log contains more details of the installation progress.

sccm 1610 update 11

You should see after quite sometime that your SCCM version is now showing as version SCCM 1610

sccm 1610 installed

You can finally go and party like its 1999. Dont forget since you are here, to check out our many software products that help make an Administrators life easy.

sccm 1610 finally upgraded

MICROSOFT’S November 2016 PATCH RELEASES

MICROSOFT’S November 2016 PATCH RELEASES

by | Nov 13, 2016 | Deployment, Patch Management, Patch Releases, SCCM, Security

MICROSOFT’S November 2016 PATCH RELEASES

Make Patching Great Again

Microsoft have released 14 new Patch Tuesday releases for deployment this month of November.

See how you can remove the risk of patch deployment by adding SnaPatch to your SCCM patching infrastructure?

MS16-129 – Critical

Cumulative Security Update for Microsoft Edge (3199057)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-130 – Critical

Security Update for Microsoft Windows (3199172)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a locally authenticated attacker runs a specially crafted application.

MS16-131 – Critical

Security Update for Microsoft Video Control (3199151)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution when Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

MS16-132 – Critical

Security Update for Microsoft Graphics Component (3199120)
This security update resolves vulnerabilities in Microsoft Windows. The most severe being of the vulnerabilities could allow a remote code execution vulnerability exists when the Windows Animation Manager improperly handles objects in memory if a user visits a malicious webpage. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-133 – Important

Security Update for Microsoft Office (3199168)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-134 – Important

Security Update for Common Log File System Driver (3193706)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerability could allow elevation of privilege when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit these vulnerabilities by running a specially crafted application to take complete control over the affected system. An attacker who successfully exploits this vulnerability could run processes in an elevated context.

MS16-135 – Important

Security Update for Windows Kernel-Mode Drivers (3199135)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

MS16-136 – Important

Security Update for SQL Server (3199641)
This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities could allow an attacker could to gain elevated privileges that could be used to view, change, or delete data; or create new accounts. The security update addresses these most severe vulnerabilities by correcting how SQL Server handles pointer casting.

MS16-137 – Important

Security Update for Windows Authentication Methods (3199173)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege. To exploit this vulnerability, the attacker would first need to authenticate to the target, domain-joined system using valid user credentials. An attacker who successfully exploited this vulnerability could elevate their permissions from unprivileged user account to administrator. The attacker could then install programs; view, change or delete data; or create new accounts. The attacker could subsequently attempt to elevate by locally executing a specially crafted application designed to manipulate NTLM password change requests.

MS16-138 – Important

Security Update to Microsoft Virtual Hard Disk Driver (3199647)
This security update resolves vulnerabilities in Microsoft Windows. The Windows Virtual Hard Disk Driver improperly handles user access to certain files. An attacker could manipulate files in locations not intended to be available to the user by exploiting this vulnerability.

MS16-139 – Important

Security Update for Windows Kernel (3199720)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application to access sensitive information. A locally authenticated attacker could attempt to exploit this vulnerability by running a specially crafted application. An attacker can gain access to information not intended to be available to the user by using this method.

MS16-140 – Important

Security Update for Boot Manager (3193479)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if a physically-present attacker installs an affected boot policy.

MS16-141 – Critical

Security Update for Adobe Flash Player (3202790)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

MS16-142 – Critical

Cumulative Security Update for Internet Explorer (3198467)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Now that you have made it this far, a quick shameless plug for our software portfolio. 🙂

SnaPatch – Patch Management Addon for Microsoft’s SCCM.

SnapShot Master – Take control of your virtual machine snapshots, works with both Hyper-V and Vmware.

Azure Virtual Machine Scheduler – Save money and schedule the shutdown and power on of your virtual machines within Microsoft’s Azure Cloud.

Azure Virtual Machine Deployer – Deploy VMs to Microsoft’s Azure cloud easily, without the need for powershell.

Configuration Manager 1606 Hotfix KB3180992

Configuration Manager 1606 Hotfix KB3180992

by | Oct 23, 2016 | How To, Patch Releases, SCCM

Configuration Manager 1606 Hotfix KB3180992

If you’re using System Center Configuration Manager (SCCM) and haven’t updated to build 5.00.8412.1204 yet, it’s time to do so. Microsoft has released a hotfix KB3180992 to fix various issues with SCCM. In this article, we’ll guide you through the installation process and explain how to fix the known issues that this hotfix addresses.

What’s New in SCCM 1606 Hotfix KB3180992

This hotfix addresses several known issues with SCCM, including:

  • An exception error that occurs when selecting the “Update all clients in the hierarchy using production client” option on the Client Upgrade tab of Hierarchy Settings Properties.
  • Software update installation freezing on SCCM clients.
  • Inaccurate client counts on the Production and Preproduction Client Deployment dashboards.
  • Incorrectly showing a state of Compliant on the Device Compliance section of the Software Center application.
  • Incorrectly showing an error state that indicates the role is not available on the Service Connection Point after upgrading to version 1606.
  • The SMS Agent Host process consuming excessive CPU resources on Pull Distribution Points after updating to version 1606.
  • The ccmexec.exe process stopping responding when distributing a software update package containing many updates to a Pull Distribution Point.

SCCM 1606 Hotfix FAQ

Question Answer

What is System Centre Configuration Manager?

 System Centre Configuration Manager (SCCM) is a software management tool that allows administrators to manage large numbers of computers and devices from a single location.

What is Configuration Manager 1606 Hotfix KB3180992?

 Configuration Manager 1606 Hotfix KB3180992 is an update for SCCM that fixes various issues identified with SCCM, including a freeze during software update installation and inaccurate client counts.

How do I install Configuration Manager 1606 Hotfix KB3180992?

 To install this update, go to Administration, then expand Cloud Services and highlight Updates and Servicing. In the main console window, you should see the SCCM 1606 Hotfix has downloaded and is available for deployment. Highlight the update (KB3180992), right-click, then run the prerequisite pack. This will now check that your SCCM meets the prerequisites for this update. Once the prerequisite check has completed, highlight the update once again, right-click, and choose Install Update Pack.

What should I do if the Service Connection Point incorrectly shows an error state after upgrading to version 1606?

 If the Service Connection Point is already showing an error state after upgrading to version 1606, you need to change the Availability State registry value from 1 to 4 under HKEY_LOCAL_MACHINE-SOFTWARE-Microsoft-SMS-Operations Management-SMS Server Role-SMS Dmp Connector, then restart the SMS Executive service on the site server.

How do I validate the client update on my preproduction SCCM members?

 On the Client Update Options Tab of the Configuration Manager Updates Wizard, you have the chance to validate the client update on your preproduction SCCM members. Simply select the checkbox next to “Validate in pre-production collection” and choose the pre-production collection to use for validation.

How long does it take to install SCCM 1606 Update 1?

 Installation of SCCM 1606 Update 1 may take some time, as it installs in the background. Keep refreshing the window to see when KB3180992 shows a status of installed.

How to upgrade SCCM

To install this update, go to Administration, then expand Cloud Services and highlight Updates and Servicing.

SCCM 1606 Update 1

In the main console Window, you should now see the SCCM 1606 Hotfix has downloaded and is available for deployment.

SCCM 1606 Update 1 - 2

Highlight the update (KB3180992), Right Click then Run Prerequisite Pack. This will now check that your SCCM meets the prerequisites for this update.

SCCM 1606 Update 1 - 3

This may take some time, so be patient and be sure to refresh the console to make sure the prerequisite check has been successful.

SCCM 1606 Update 1 - 4

Now that the prerequisite check has completed, highlight the update once again, right click and choose Install Update Pack

SCCM 1606 Update 1 - 5

Next you are presented with the Configuration Manager Updates Wizard. Click on Next to start the installation.

SCCM 1606 Update 1 - 6

On the Client Update Options Tab, you have the chance to validate the client update on your preproduction SCCM members. In this example, I am upgrading without validation.

SCCM 1606 Update 1 - 7

Click Next to continue.

Accept the License Terms and click Next.

SCCM 1606 Update 1 - 8

Review you are happy with the options you have selected on the Summary Tab, then click Next.

SCCM 1606 Update 1 - 9

Installation of the SCCM 1606 Update 1 will now occur. If all goes well, you should see the Completion Window as below. SCCM will install this in the background, so it may take some time. Keep refreshing the Window, to see when KB3180992 shows a status of installed.

SCCM 1606 Update 1 - 10

70-534 – Maintaining the Azure Cloud

70-534 – Maintaining the Azure Cloud

by | Oct 19, 2016 | 70-534, Azure, Cloud Computing

70-534 – Maintaining the Azure Cloud

Azure Hand Cloud

Azure Overview

As explained in the previous post around the Azure Datacentres, Microsoft’s Azure offerings have to be reliable, have high performance and be incredibly resilient. Therefore maintaining the Azure Datacentres can be quite a complex procedure. Microsoft has to have a plan in place for the two possible scenarios of maintenance, planned and the unplanned. Planned maintenance happens on a schedule, while unplanned maintenance occurs in response to an unexpected event, normally due to a hardware failure.

Azure Planned Maintenance

Microsoft routinely schedule maintenance of their hosting hardware. Whether these are a firmware update or applying a security patch to the underlying hypervisor. While most of these will not effect the virtual machines you have running on this infrastructure, there are some circumstances which may cause your VMs to shutdown and restart. Obviously Microsoft providing a multi-tenanted environment, it would be near impossible to schedule the downtime of all their customers servers that would be effected by the maintenance, so hence this may occur to your VMs

Azure Stop

Azure Availability Sets

So how do you avoid this and ensure your application keeps on going? Well Microsoft have an Service Level Agreement (SLA) in place only for multi instance VMs in the same logical group, which is called an availability set. When Microsoft performs maintenance, they ensure that not all the virtual machines within the same availability set will be restarted at the same time. So to give your applications the best chance, ensure that you have at least two virtual machines performing the same function (perhaps clustered for example) within the one availability set. Always remember that a single virtual machine will not have an SLA available and could be restarted at any time. During an Azure datacentre maintenance, the single instance VMs are brought down in parallel, then upgraded and restarted in no particular order. So if you have your applications on single instance Virtual Machines, they will naturally be unavailable during the maintenance window. Microsoft does send customers an email prior to any scheduled maintenance, detailing the date and time the outage is to be expected, but this is only for planned maintenance. Unplanned maintenance you will of course not be notified.

Azure Availability Sets

Azure Resilience

As shown in the example picture above, we have two Front End servers for the application within their own availability set, with the corresponding database servers also in their own one. AppSrv1 will be on a different host, and perhaps even rack to AppSrv2. Should the host running AppSrv1 have an issue and have the need to restart all the virtual machines running on that host, then this will not effect AppSrv2. Same thing goes for the database servers. It is best practice to also separate your application databases and other roles and have them in their own availability sets.

Where possible, always create multiple instances of your virtual machines and have them within the same availability set. If you do this you will then qualify for the Microsoft SLA.

Azure Update Domains

Azure Update Domains (sometimes these maybe called Upgrade Domains) are utilised for planned updates to the Azure Cloud service. The default number of Update domains is five with a maximum of twenty available to each availability set. Your virtual machines are spread across update domains to avoid outages to your applications and as Microsoft rolls out updates to their infrastructure, they will only ever update one update domain at any time. This will avoid unnecessary outages to your system

Azure Update Domains

Azure Unplanned Maintenance

So what happens when there is unplanned maintenance I hear you ask? As I am sure you are quite aware, problems with hardware can be a regular occurrence at times. Failures with the network, server issues and even total rack failures can and do happen. Azure detects these failures automatically and will migrate your virtual machines to another host that is healthy.

Azure Fault Domains

Azure fault domains are a boundary between the infrastructure within the same datacentre to help prevent issues caused by unplanned outages. Multiple virtual machines that are deployed in the same availability set are also allocated to different fault domains.  Fault Domains can be on separate racks, separate power supplies, different switches and sometimes even cooling systems. Fault Domains within Azure are assigned in a pattern, FD0, FD1, FD0, FD1 and so forth. All this helps alleviate any unplanned localised hardware failures that will interrupt services to your virtual machines. It is very unlikely that there will be issues with two or more fault domains, in fact it is more likely that there is a whole datacentre outage, which in this case you would need cross region replication.

Azure Fault Domains

Azure Fault Domain Example

Now we have shown two fault domains with the availability sets detailed in the earlier diagram. You can see that AppSrv1 and DBSrv1 are in the same fault domain, and therefore more than likely on the same hardware or within the same rack. Should the rack or hardware have a failure, then AppSrv2 and DBSrv2 will not be effected by this outage and will continue delivering your applications.

VM                 Fault Domain

AppSrv1         0

AppSrv2         1

DBSrv1           0

DBSrv2           1

When you boot your servers within your availability set they will be allocated to a fault domain in an order, e.g. FD0, FD1, FD0, FD1, FD0, FD1 etc. The pattern of fault domain allocation never changes and will always follow this pattern.

So how does this work?

It is worth noting, that each availability set automatically creates two Fault Domains and is assigned to five Update Domains. For example, you build an availability set with six virtual machines. The first five are allocated to the five Fault Domains, and the sixth virtual machine is then added in to the first Fault Domain, with the first VM. In the worst case, VMs number one and six could be restarted at the same time if a maintenance event was to occur. As Update Domains are only ever restarted one at a time and that the restart order of the Update Domains isnt always sequential, these can be restarted in any order.

 Cross Region Redundancy

Now, what happens in the unlikely event that a complete Azure Datacentre has an issue. Cross region redundancy is available within Azure which is basically a backup copy of your data in a secondary Azure datacentre (replication of your VMs to a second region). You can set up Cross Region Redundancy for your applications that require this level of service (thinking Tier 1 applications for the most part). You select the primary region to deliver your services from, choose a secondary region and Azure will take care of the replication. In the event of something catastrophic of the primary region, the system will automatically failover to the secondary region. The beauty of this service is that this happens automatically, there is no manual intervention required. Azure automatically takes care of the replication and the failover.

Service Throttling

As Microsoft’s Azure is a multi-tenant environment, with many many customers, how can Microsoft fairly monitor consumption? Service throttling will ensure consistent delivery of services to every customer they have according to the customers subscription limits. If throttling does ever occur, the experience that will be delivered will be degraded services. Azure bases this throttling on a few different criteria. From the amount of data stored, the number of transactions and system throughputs. You do always have the option to increase your limits should you ever reach them. As always, you should plan your architecture within Azure with performance in mind, but if the need arises you can scale up and scale out as needed.

       FAQs

Question Answer
What is Azure planned maintenance?
 Azure planned maintenance is when Microsoft schedules maintenance of their hosting hardware, which could include firmware updates or applying security patches to the underlying hypervisor. Some virtual machines may need to be shutdown and restarted during this process.
What is Azure Availability Sets?
 Azure Availability Sets is a feature that allows customers to group virtual machines together in the same logical group to ensure that they are not all restarted at the same time during maintenance. Having multiple instances of virtual machines in the same availability set qualifies customers for the Microsoft SLA.
What is Azure resilience?
 Azure resilience refers to the ability of a system to withstand and recover from hardware failures or other unexpected events. To ensure resilience, it is best practice to separate application databases and other roles, and to have them in their own availability sets.
What are Azure Update Domains?
 Azure Update Domains are used for planned updates to the Azure Cloud service. Virtual machines are spread across update domains to avoid outages to applications, and Microsoft will only ever update one update domain at any time.
What is Azure unplanned maintenance?
 Azure unplanned maintenance occurs in response to unexpected events such as hardware failures. Azure automatically detects these failures and migrates virtual machines to another healthy host.
What are Azure Fault Domains?
 Azure Fault Domains are a boundary between infrastructure within the same datacenter to prevent issues caused by unplanned outages. Multiple virtual machines deployed in the same availability set are allocated to different fault domains, which can be on separate racks, power supplies, switches, or cooling systems.
How do I ensure my applications are resilient in Azure?
 To ensure application resilience in Azure, it is recommended to group virtual machines in the same availability set, separate application databases and other roles, and have them in their own availability sets.
How does Azure handle unplanned outages?
 Azure automatically detects unplanned outages and migrates virtual machines to another healthy host.
How does Azure prevent outages during planned maintenance?
 Azure uses Azure Availability Sets and Azure Update Domains to prevent outages during planned maintenance.

Well thats it for todays post. Ill continue with the Architecting Azure Solutions 70-534 study in a further post. Make sure you book mark this site for further updates.

70-534 – Azure Datacentres

70-534 – Azure Datacentres

by | Oct 18, 2016 | 70-534, Azure, Cloud Computing

70-534 – Azure Datacentres

The second post of many more to come to help you understand and pass the Architecting Microsoft Azure Solutions exam and gain that sort after certification.

Well first things first, lets cover off the Microsoft Azure Datacentres. The datacentres may be known as Azure GFS datacentres (Global Foundation Services) or they were newly renamed to Microsoft Cloud Infrastructure and Operations (MCIO).

MS Azure DCs

Microsoft’s Azure datacentres are in all 17 different regions throughout the world all networked together with access available to these datacentres from 140 different countries. They are operate in 10 different languages and 24 different currencies. Not only can you run your servers and applications in these datacentres, they also are used by Microsoft to deliver their own services, like Office 365 services, Bing search, Xbox live as well as the Azure platform. These datacentres are huge (some as big as three large cruise ships placed end to end) with over one million servers serving over one billion customers. They have to be to provide infrastructure to themselves as well as all their clients around the world with real time replication, low latency and very very high reliability.

The regions they are available in are;

Azure Region             Location

Central US                   Iowa

East US                        Virginia

East US 2                     Virginia

US Gov Iowa                Iowa

US Gov Virginia           Virgina

North Central US         Illinois

South Central US         Texas

West US                       California

North Europe               Ireland

West Europe                Netherlands

East Asia                      Hong Kong

Southeast Asia             Singapore

Japan East                   Tokyo, Saitama

Japan West                  Osaka

Brazil South                 Sao Paulo State

Australia East              New South Wales

Australia South East    Victoria

Central India                Pune

South India                   Chennai

West India                    Mumbai

Choosing a Microsoft Azure Datacentre

Whenever choosing a datacentre to build your environment in, its always best practice to choose the one that is closest to your users, this will help with any latency, performance and reliability issues. Not all of the Microsoft Azure datacentres share the same set of services. (Microsoft regularly roll out new services. To see which services are available and where, visit the Microsoft website https://azure.microsoft.com/en-us/regions/services/). Australia has an additional constraint that only customers residing within Australia and New Zealand can uses the services within that region. Additionally, China which you may have noticed isnt specified above, delivers Azure services independently from the others as it is offered by one of their largest Internet Service Providers, 21Vianet. Data within the China Azure infrastructure remains within China and doesnt replicate or share data to the other regions.

Azure Datacentre Resiliency

Having datacentres that big and making them highly available creates a huge problem. Just think about having to manage over one million servers, patching them, updating firmware, replacing failed hardware. The number of servers alone is enough to make the average administrator faint. The advantage that Azure has over the average datacentre is, the amount of physical hardware servers. When one server starts to fail, its virtual machines can be migrated to another healthy server. Faults are detected and migration is handled automatically. The ability to quickly recover, or in most instances, migrate these virtual machines live, means high resilience is built in. This is known as Mean Time to Recover (MTTR), which allows Microsoft to provide the availability of services to their customers, quickly and without user intervention.

Azure Security

Microsoft takes security of seriously. Imagine all the data belonging to all these customers and Microsoft have a rogue employee start stealing data. Well Microsoft has locked down Azure only so that the administrators only have enough access and time to do the task they require. This is known as Just in Time Administrator Access. By default, Microsoft administrators do not have access to customer data and can only gain access when granted by the client and only during a predetermined window. All their administrator access and actions are logged, monitored and audited. Physical access to the Microsoft Azure Datacentres and hardware is also monitored with continuous surveillance.

As you can imagine, Microsoft Azure datacentres would be a target for all sort of nefarious type of hackers and threats. Threat management is also provided as part of the service. Data is scrubbed and monitored for any potential threats prior to it coming in to your precious servers. Intrusion detection, Denial of Service attack prevention, regular penetration testing, data analytics and machine learning tools help to keep your servers and data safe. Azure scans all software during all physical server builds. They also have real time protection and on demand scanning of their cloud services and virtual machines.

Deployment of patching is automated to the Azure infrastructure. Patching deployment is based on the severity of the patch. Azure will also patch customers virtual machines unless the customer has requested to manually patch their systems themselves (ie using SCCM or WSUS or the like).

Having so many customers share infrastructure between them in the multitenant environment, could be a huge security risk. Azure logically isolates each customer from each other so that no customer should be able to access any other customers data. For customers own security and compliance, Microsoft Azure provides a set of tools to help the client achieve this. Azure offers technology like data encryption in transit and at rest (Azure storage is encrypted). Azure also obtains some of the highest security certifications, such as ISO27001 and ISO27002,
HIPPA, FISMA, FedRAMP etc (The Microsoft Azure Trust Centre details the certifications held further. Please visit https://www.microsoft.com/en-us/trustcenter/Compliance for more information).

 Azure Datacentre Designs

With so many datacentres that are this large and with so many customers utilising their services and expecting reliability and performance, every Azure datacentre is designed with infrastructure availability as the main concern. Every critical component of Azure is built with redundancy in mind. Multiple Uninterruptible Power Supplies (UPS), huge arrays of batteries and large generators with fuel reserves to compensate in case of a tremendous disaster.

As you can imagine, running each of these datacentres is a huge expense for Microsoft. So each datacentre is also designed with to lower their total cost of ownership. Each of the Azure datacentres operate with a lower Power Usage Effectiveness (PUE) rating as low as 1.125, in comparison an average datacentre PUE rating is an 1.8. A low PUE means that the datacentre consumes less power and Microsoft achieve this by looking at the datacentre as a whole, not just focusing on each single component.

Azure Datacentre FAQs

Question Answer
What are Microsoft Azure Datacentres?
 Microsoft Azure Datacentres are facilities that house and maintain servers and other infrastructure for running applications and services on the Azure platform. They are located in 17 different regions throughout the world and are used by Microsoft to deliver their own services as well as provide infrastructure to clients around the world.
What are the regions in which Microsoft Azure Datacentres are available?
 Microsoft Azure Datacentres are available in 17 different regions around the world, including Central US, East US, West US, North Europe, West Europe, East Asia, Southeast Asia, Japan East, Japan West, Brazil South, Australia East, Australia South East, Central India, South India, and West India.
How do I choose a Microsoft Azure Datacentre?
 When choosing a Microsoft Azure Datacentre to build your environment in, it’s best practice to choose the one that is closest to your users to improve latency, performance, and reliability. Not all of the datacentres share the same set of services, so it’s important to check which services are available and where on the Microsoft website. Additionally, customers residing within Australia and New Zealand can only use the services within the Australia region.
What is Azure Datacentre Resiliency?
 Azure Datacentre Resiliency refers to the high resilience built into Microsoft’s Azure datacentres, which allows virtual machines to be quickly recovered or migrated live to another healthy server in the event of a failure. Faults are detected and migration is handled automatically, resulting in a Mean Time to Recover (MTTR) that allows Microsoft to provide the availability of services to their customers quickly and without user intervention.
How does Microsoft ensure the security of its Azure Datacentres?
 Microsoft takes the security of its Azure Datacentres seriously, and has implemented measures such as Just in Time Administrator Access, physical access monitoring, and continuous surveillance to prevent unauthorized access. Threat management is also provided as part of the service, which includes intrusion detection, Denial of Service attack prevention, regular penetration testing, data analytics, and machine learning tools to help keep customers’ servers and data safe. Azure logically isolates each customer from each other to reduce the risk of security breaches in the multi-tenant environment.

Well thats enough for the moment. I will continue on to the next blog post for the 70-534 exam another day.