Migrate a SQL Server database to Azure SQL Database

Azure Database Migration Service partners with DMA to migrate existing on-premises SQL Server, Oracle, and MySQL databases to Azure SQL Database, Azure SQL Database Managed Instance or SQL Server on Azure virtual machines.

 

SQL Migration.png
Azure SQL Migration (Source Microsoft Corp)

 

Moving a SQL Server database to Microsoft Azure SQL Database with Data Migration Assistant is a three-part process:

  1. Prepare a database in a SQL Server for migration to Azure SQL Database using the Data Migration Assistant (DMA).
  2. Export the database to a BACPAC file.
  3. Import the BACPAC file into an Azure SQL Database.

Using Microsoft Data Migration Assistant

Step 1: Prepare for migration

Complete these prerequisites:

  • Install the newest version of Microsoft SQL Server Management Studio (SSMS). Installing SSMS also installs the newest version of SQLPackage, a command-line utility that can be used to automate a range of database development tasks.
  • Download and Install the Microsoft Data Migration Assistant (DMA).
  • Identify and have access to a database to migrate.

Follow these steps to use Data Migration Assistant to assess the readiness of your database for migration to Azure SQL Database:

  1. Open the Microsoft Data Migration Assistant. You can run DMA on any computer with connectivity to the SQL Server instance containing the database that you plan to migrate; you do not need to install it on the computer hosting the SQL Server instance.
  2. In the left-hand menu, click New to create an Assessment project. Fill in the form with a Project name (all other values should be left at their default values), and then click Create.
  3. On the Options page, click Next.
  4. On the Select sources page, enter the name of SQL Server instance containing the server you plan to migrate. Change the other values on this page if necessary, and then click Connect.
  5. In the Add sources portion of the Select sources page, select the checkboxes for the databases to be tested for compatibility, and then click Add.
  6. Click Start Assessment.
  7. When the assessment completes, look for the checkmark in the green circle to see if the database is sufficiently compatible to migrate.
  8. Review the results the SQL Server feature parity results. Specifically review the information about unsupported and partially supported features, and the recommended actions.
  9. Review the Compatibility issues by clicking that option in the upper left. Specifically review the information about migration blockers, behavior changes, and deprecated features for each compatibility level. For the AdventureWorks2008R2 database, review the changes to Full-Text Search since SQL Server 2008, and the changes to SERVERPROPERTY(‘LCID’) since SQL Server 2000. For details about these changes, links for more information are provided. Many search options and settings for Full-Text Search have changed.
  10. Optionally, click Export report to save the report as a JSON file.
  11. Close the Data Migration Assistant.

Step 2: Export to BACPAC file

Follow these steps to use the SQLPackage command-line utility to export the AdventureWorks2008R2 database to local storage.

  1. Open a Windows command prompt and change your directory to a folder in which you have the 130 version of SQLPackage, such as C:\Program Files (x86)\Microsoft SQL Server\130\DAC\bin.
  2. Execute the following SQLPackage command at the command prompt to export the AdventureWorks2008R2 database from localhost to AdventureWorks2008R2.bacpac. Change any of these values as appropriate to your environment.

SQLPackageCopy

sqlpackage.exe /Action:Export /ssn:localhost /sdn:AdventureWorks2008R2 /tf:AdventureWorks2008R2.bacpac

Once the execution is complete the generated BACPAC file is stored in the directory where the sqlpackage executable is located. In this example, C:\Program Files (x86)\Microsoft SQL Server\130\DAC\bin.

  1. Log in to the Azure portal.
  2. Create a SQL Server logical server

A SQL Server logical server acts as a central administrative point for multiple databases. Follow these steps to create a SQL server logical server to contain the migrated Adventure Works OLTP SQL Server database.

  1. Click the New button found on the upper left-hand corner of the Azure portal.
  2. Type sql server in the search window on the New page, and select SQL server (logical server) from the filtered list.
  3. Click Create, and enter the properties for the new SQL Server (logical server).
  4. Complete the SQL server (logical server) form with the values from the red box in this image.
  5. Click Create to provision the logical server. Provisioning takes a few minutes.

Step 3: Create a server-level firewall rule

  1. Click All resources from the left-hand menu, and click the new server on the All resources page. The overview page for the server opens and provides options for further configuration.
  2. Click Firewall in the left-hand menu under Settings on the overview page.
  3. Click Add client IP on the toolbar to add the IP address of the computer you are currently using, and then click Save. This creates a server-level firewall rule for this IP address.
  4. Click OK.

Step 3: Import a BACPAC file to Azure SQL Database

The SQLPackage command-line utility is the preferred method to import your BACPAC database to Azure SQL Database for most production environments.

SqlPackage.exe /a:import /tcs:”Data Source=<your_server_name>.database.windows.net;Initial Catalog=<your_new_database_name>;User Id=<change_to_your_admin_user_account>;Password=<change_to_your_password>” /sf:AdventureWorks2008R2.bacpac /p:DatabaseEdition=Premium /p:DatabaseServiceObjective=P6

Connect using SQL Server Management Studio (SSMS)

  1. Open SQL Server Management Studio.
  2. In the Connect to Server dialog box, enter this information.
  • Server type: Specify Database engine
  • Server name: Enter your fully qualified server name, such as mynewserver20170403.database.windows.net
  • Authentication: Specify SQL Server Authentication
  • Login: Enter your server admin account
  • Password: Enter the password for your server admin account
  1. Click Connect.
  2. In Object Explorer, expand Databases, and then expand myMigratedDatabase to view the objects in the sample database.

Using Azure Database Migration Service

Azure Database Migration Service (ADMS), now in limited preview, can help you migrate existing on-premises SQL Server, Oracle, and MySQL databases to Azure SQL Database, Azure SQL Database Managed Instance, or SQL Server on an Azure Virtual Machine.

ADMS is designed to simplify the complex workflows you can encounter when migrating various database types to databases in Azure.

  1. In the Azure portal, select Data Migration Service, and then click New Migration Project.
  2. In New Migration Project, enter a unique project name, server source type and a target server type.
  3. Click Start.
  4. Provide all options under Migration target details, and then click Save.
  5. Provide all options under Migration source detail, and then click Save.
  6. In the Select source databases list, select each source database you want to migrate, and then click Save.
  7. Review the details summary, and then click Run Migration to start the migration. The amount of time the migration will run depends on a variety of factors including size and complexity of the database, source disk speed, and network speed.
  8. Once the migration is finished, a Completed status will be displayed in the SQL Migration dashboard.

Migrating VMware Virtual Workloads to Microsoft Azure Cloud

Overview

Migrating to the cloud doesn’t have to be difficult, but many organizations struggle to get started. Before they can showcase the cost benefits of moving to the cloud or determine if their workloads will lift and shift without effort, they need deep visibility into their own environment and the tight interdependencies between applications, workloads, and data. Azure Migrate, Azure Database Migration Service, and Azure Cost Management provides a frictionless approach to moving VMware VMs to Azure.

VMware to Azure.PNG

Microsoft – Cloud Security Certification

Microsoft Azure has been certified by Australian Signals Dicrectorate (ASD), Department of Defence. Check your region to verify Azure certification by the regulator if you have regulatory compliance requirements.

  • Microsoft has undergone an Information Security Registered Assessors Program (IRAP) assessment of Australian Signals Directorate (ASD) and been certified on the Certified Cloud Services List (CCSL) by ASD for Azure, Dynamics 365, and Office 365
  • Microsoft Azure has been awarded PROTECTED classification level by the Australian Signals Directorate (ASD). Microsoft Azure is the first global cloud provider which has been awarded PROTECTED
  • Azure, Cloud App Security, Intune, Office 365, Dynamics 365 and Power BI are awarded certification after rigorous independent assessments of cloud providers by the Cloud Security Alliance (CSA)
  • Azure, Cloud App Security, Intune, Office 365, Dynamics 365 and Power BI are awarded ISO/IEC 27001 certification meeting criteria specified in the ISO certification

Licensing Cost & Azure Hybrid Benefit

  • customers with Software Assurance to run Windows Server VMs on Azure at a lower rate.
  • save up to 40 percent on Windows Server VMs
  • Use existing SQL Server licenses toward SQL Database managed instances
  • Azure Reserved Virtual Machine Instances to further reduce costs—up to 72% on PAYG prices per year or per three years terms on both Windows and Linux virtual machines.
  • pay only for the underlying compute and storage for SQL VM
  • 82% savings over PAYG rates on Azure and up to 67% compared to AWS RIs for Windows VMs.
  • 49% cost savings estimated using the Azure TCO calculator comparing on-premsies VMware VMs. Actual savings may vary based on region, instance type and usage. Reference Nucleus Research
  • You can specify whether you’re enrolled in Software Assurance and can use the Azure Hybrid Use Benefit.

Hybrid Cloud1

Migration Path

Microsoft offers an end-to-end solution to provide you with a proven framework and tools to migrate your first workload and give you a complete roadmap for discovery, migration, and continual optimization, including better insights and strategies for running your entire datacenter portfolio on Azure. Migrating to Azure is simple three-stage process and focuses on how to identify virtual machines, applications, and data that can easily be moved to the cloud.

Hybrid Cloud.PNG

Supported Platform

  • VMware vCenter Server 5.5, 0 and later version managed virtual machines
  • Any On-premises Storage (vSAN, FC SAN, NFS or iSCSI)
  • Appliance-based, agentless, and non-intrusive discovery of on-premises virtual machines.
  • Currently Azure Migrate supports only Locally redundant storage (LRS). However, once you migrated to Azure, you can use Geo-redundant storage.
  • Lift & Shift migration to Azure IaaS Cloud
  • Azure migrate will recommend the use of Azure Database Migration Service
  • Use Azure Site Recovery Manager to migrate business critical and large VMs to Azure Cloud

Stage 1 – Assess Your VMware vSphere Environment

Use these four steps to discover and assess your on-premises workloads for migration to Azure.

  1. Prepare your environment.
  2. Discover virtual machines.
  3. Group virtual machines.
  4. Assess the groups of virtual machines.

Step 1: Prepare your environment

  1. To get started with Azure Migrate, you need a Microsoft Azure account or the free trial.
  2. Assess VMware Virtual machines located on vSphere ESXi hosts that are managed with a vCenter server running version 5.5 or 6.0.
  3. The ESXi host or cluster on which the Collector VM (version 8.0) runs must be running version 5.0 or later.
  4. To discover virtual machines, Azure Migrate needs an account with read-only administrator credentials for the vCenter server.
  5. Create a vCenter virtual machine in .ova format. Download an appliance and import it to the vCenter server to create the virtual machine. The virtual machine must be able to connect to the internet to send metadata to Azure.
  6. Set statistics settings for the vCenter server to statistics level 2. The default Level 1 will work, but Azure Migrate won’t be able to collect data for performance-based sizing for storage.

Tag your virtual machines in vCenter (optional)

Use these steps to tag your virtual machines in vCenter server.

  1. In the VMware vSphere Web Client, navigate to the vCenter server instance.
  2. To review current tags, click Tags.
  3. To tag a virtual machine, click Related Objects > Virtual Machines, and select the virtual machine.
  4. In Summary > Tags, click Assign.
  5. Click New Tag, and specify a tag name and description.
  6. To create a category for the tag, select New Category in the drop-down list.
  7. Specify a category name and description and the cardinality, and click OK.

Step 2: Discover virtual machines

Using Azure Migrate to discover on-premises workloads involves these steps.

  1. Create a Project.
  2. Download the Collector appliance.
  3. Create the Collector virtual machine.
  4. Run the Collector to discover virtual machines.
  5. Verify discovered virtual machines in the portal.

Create a Project

Azure Migrate projects hold the metadata of your on-premises machines and enables you to assess migration suitability.  Use these steps to create a project.

  1. Log on to the Azure portal and click New.
  2. Search for Azure Migrate in the search box, and select the service Azure Migrate (preview) in the search results, and then click Create.
  3. Select the Azure Migrate service from the search results.
  4. Click Create.
  5. Specify a name for the new project.
  6. Select the subscription you want the project to get associated to.
  7. Create a new resource group, or select an existing one.
  8. Specify an Azure location.
  9. To quickly access the project from the Dashboard, select Pin to dashboard.
  10. Click Create. The new project appears on the Dashboard, under All resources, and in the Projects blade.

Download the Collector appliance

  1. Select the project, and click Discover & Assess on the Overview blade.
  2. Click Discover Machines, and then click Download.
  3. Copy the Project ID and project key values to use when you configure the Collector.

Deploy the Collector virtual machine

In the vCenter Server, import the Collector appliance as a virtual machine using the Deploy OVF Template wizard.

  1. In vSphere Client console, click File > Deploy OVF Template.
  2. In the Deploy OVF Template Wizard > Source, specify the location for the .ovf file.
  3. In Name and Location, specify a friendly name for the Collector virtual machine, the inventory object in which the virtual machine will be hosted.
  4. In Host/Cluster, specify the host or cluster on which the Collector virtual machine will run.
  5. In Storage, specify the storage destination for the Collector virtual machine.
  6. In Disk Format, specify the disk type and size.
  7. In Network Mapping, specify the network to which the Collector virtual machine will connect. The network must be connected to the internet to send metadata to Azure.
  8. Review and confirm the settings, and then click Finish.

Run the Collector to discover virtual machines

  1. In the vSphere Client console, right-click the virtual machine > Open Console.
  2. Provide the language, time zone, and password preferences for the appliance.
  3. In the Azure Migrate Collector, open Set Up Prerequisites, and then

o Accept the license terms, and read the third-party information.

o The Collector checks that the virtual machine has internet access. If the virtual machine accesses the internet via a proxy, click Proxy settings, and specify the proxy address and listening port. Specify credentials if proxy access needs authentication.

o The Collector checks that the Windows profiler service is running. The service is installed by default on the Collector virtual machine.

o Select to download and install the VMware PowerCLI.

  1. In Discover Machines, do the following:

o Specify the name (FQDN) or IP address of the vCenter server and the read-only account the Collector will use to discover virtual machines on the vCenter server.

o Select a scope for virtual machine discovery. The Collector can only discover virtual machines within the specified scope. Scope can be set to a specific folder, datacenter, or cluster, but it shouldn’t contain more than 1000 virtual machines.

o If you’re using tagging on the vCenter server, select tag categories for virtual machine grouping. Azure Migrate automatically groups virtual machines based on tag values in the category. If you’re not using tagging, you can group virtual machines in the Azure portal.

  1. In Select Project, specify the Azure Migrate project ID and key you copied from the Azure portal. If didn’t copy them, open Azure in a browser from the Collector virtual machine. In the project Overview page, click Discover Machines, and copy the values.
  2. In Complete Discovery, you can monitor the discovery status, and check that metadata is collected from the virtual machines in scope. The Collector provides an approximate discovery time.

Verify discovered virtual machines in the portal

  1. In the migration project, click Manage > Machines.
  2. Check that the virtual machines you want to discover appear in the portal.

Step 3: Group virtual machines

Enterprises typically migrate virtual machines with dependencies together at the same time to ensure their functionality after migration to Azure. Azure Migrate allows you to categorize the virtual machines by group so you can assess all the virtual machines in a group.

  • If you provided a tag category—which was an optional step while configuring the Collector—groups will be automatically created for the workloads based on the tag values.
  • If a tag category is not provided while configuring the Collector, you can create groups of virtual machines in the Azure Migrate portal.

Optional: Assess machine dependencies before adding them to a group

  1. In Manage > Machines, search the Machine for which you want to view the dependencies.
  2. In the Dependencies column for the machine, click Install agent.
  3. To calculate dependencies, download and install these agents on the machine: o Microsoft Monitoring agent

o Dependency agent

  1. Copy the workspace ID and key to use later when you install the Microsoft Monitoring agent on a machine.
  2. After you install the agents on the machine, return to the portal and click Machines. This time the Dependencies column for the machine should contain the text View dependencies. Click View dependencies.
  3. By default, the dependency time range is an hour. Click the time range to shorten it, specify start and end dates, or change the duration. Press Ctrl + Click to select multiple machines on the map, and then click Group machines.
  4. In Group machines, specify a group name. Verify the machines you added have the dependency agents installed and have been discovered by Azure Migrate. Machines must be discovered to assess them. We recommend that you install the dependency agents to complete dependency mapping.
  5. Click OK to save the group settings. Alternatively, you can add machines to an existing group.

Create a Group

You can create groups of virtual machines from the Machines blade or from the Groups blade, using a similar process.

Create a group from the Machines blade

  1. Navigate to the Dashboard of a project and click the Machines tile.
  2. Click Group Machines.
  3. Specify a name for the group in the Name box, and then select the machines that you want to add to the group.
  4. Click Create.

Add/Remove machines to/from an existing group if you require

  1. Navigate to the dashboard of a project and click the Groups tile.
  2. Select the Group you want to add/remove machines to/from.
  3. Click Add Machines or Remove Machines.
  4. Select the machines that you want to add/remove to/from the group.
  5. Click Add or Remove.

Step 4: Assess groups of virtual machines

Create an assessment

Follow these steps to generate an assessment for the group.

  1. Select the project you want under Project.
  2. On the project dashboard, click Groups.
  3. Create a new group or select an existing group to assess under Group.
  4. Click Create Assessment to create a new assessment for the group.

The assessment includes these details.

  • Summary of the number of machines suitable for Azure which is referred to as Azure Readiness.
  • Monthly estimate of the cost for running the machines in Azure after migration.
  • Storage monthly cost estimate.

Assessment calculation

Azure Migrate performs three checks on virtual machines in this order:

  1. Azure Suitability Analysis
  2. Performance-based sizing
  3. Monthly cost estimate

Stage 2: Migrate virtual machines using Azure Site Recovery

Before you start deployment, review the architecture and make sure you understand all the components you need to deploy.

Next, make sure you understand the prerequisites and limitations for a Microsoft Azure account, Azure networks, and storage accounts. You also need:

  • On-premises Site Recovery components
  • On-premises VMware prerequisites
  • Mobility service component installed on the virtual machine you want to replicate.

These are the general steps to migrate:

  1. Set up Azure services such as Virtual Networks, Availability Group, Network Load Balancer, Address Space, Subnets, Resource Group, Storage Accounts, Public IPs.
  2. Connect to VMware servers.
  3. Set up the target environment.
  4. Complete migration.

I assume, you have completed the step1. So I am moving on to step 2.

Create a Recovery Services vault

  1. Sign in to the Azure portal > Recovery Services.
  2. Click New > Monitoring & Management > Backup and Site Recovery.
  3. In Name, specify a friendly name to identify the vault. If you have more than one subscription, select one of them.
  4. Create a resource group, or select an existing one. Specify an Azure region. To check supported regions, see geographic availability in Azure Site Recovery Pricing Details.
  5. If you want to quickly access the vault from the dashboard, click Pin to dashboard, and then click Create.
  6. The new vault will appear on Dashboard > All resources and on the main Recovery Services vaults blade.

Select a protection goal

In this task, select what you want to replicate, and where you want to replicate to.

  1. Click Recovery Services vaults > vault.
  2. In the Resource Menu, click Site Recovery > Prepare Infrastructure > Protection goal.
  3. In Protection goal, select To Azure > Yes, with VMware vSphere Hypervisor.

Set up the source environment

In this task, set up the configuration server, register it in the vault, and discover virtual machines.

  1. Click Site Recovery > Step 1: Prepare Infrastructure > Source.
  2. If you don’t have a configuration server, click Configuration server.
  3. In Add Server, check that Configuration Server appears in Server type.
  4. Download the Site Recovery Unified Setup installation file.
  5. Download the vault registration key. You need this when you run Unified Setup. The key is valid for five days after you generate it.

Register the configuration server in the vault

The next task requires you to run Unified Setup to install the configuration server, the process server, and the master target server. First however, do these three steps.

  1. On the configuration server virtual machine, make sure that the system clock is synchronized with a Time Server. It should match. If it’s 15 minutes in front or behind, setup might fail.
  2. Run setup as a Local Administrator on the configuration server virtual machine.
  3. Make sure TLS 1.0 is enabled on the virtual machine.

Now you are ready to run Setup.

  1. Run the Unified Setup installation file.
  2. In Before You Begin, select Install the configuration server and process server.
  3. From the Third-Party Software License screen, click I Accept to download and install MySQL.
  4. From the Registration screen, select the registration key you downloaded from the vault, and then click Next.
  5. From the Internet Settings screen, specify how the Provider running on the configuration server connects to Azure Site Recovery over the Internet.
  6. If you want to connect with the proxy that’s currently set up on the machine, select Connect to Azure Site Recovery using a proxy server.
  7. If you want the Provider to connect directly, select Connect directly to Azure Site Recovery without a proxy server.
  8. If the existing proxy requires authentication, or if you want to use a custom proxy for the Provider connection, select Connect with custom proxy settings. o If you use a custom proxy, you need to specify the address, port, and credentials.
  9. From the Prerequisites Check screen, run a check to make sure that installation can run. If a warning appears about the Global time sync check, verify that the time on the system clock (Date and Time settings) is the same as the time zone.
  10. In the MySQL Configuration screen, create credentials for logging on to the MySQL server instance that is installed.
  11. From the Environment Details screen, select whether to replicate VMware virtual machines. If you will, Setup checks that PowerCLI 6.0 is installed.
  12. From the Install Location screen, select where you want to install the binaries and store the cache. The drive you select must have at least 5 GB of disk space available, but we recommend a cache drive with at least 600 GB of available space.
  13. From the Network Selection screen, specify the listener (network adapter and SSL port) on which the configuration server sends and receives replication data. Port 9443 is the default port used for sending and receiving replication traffic, but you can modify this port number to suit your environment’s requirements. In addition to the port 9443, we also open port 443, which is used by a web server to orchestrate replication operations. Do not use port 443 for sending or receiving replication traffic.
  14. In the Summary screen, review the information and click Install. When installation finishes, a passphrase is generated. You will need this when you enable replication, so copy it and keep it in a secure location. After registration finishes, the server is displayed on the Settings > Servers in the vault.

Step 2: Connect to VMware servers

To allow Azure Site Recovery to discover virtual machines running in your on-premises environment, you need to connect your VMware vCenter Server or vSphere ESXi hosts with Site Recovery. Note the following before you start:

  • If you add the vCenter server or vSphere hosts to Site Recovery with an account without administrator privileges on the server, the account needs these privileges enabled:

o Datacenter, Datastore, Folder, Host, Network, Resource, Virtual machine, vSphere Distributed Switch.

o The vCenter server needs Storage views permissions.

  • When you add VMware servers to Site Recovery, it can take 15 minutes or longer for them to appear in the portal.

Step 3: Set up the target environment

Before you set up the target environment, make sure you have an Azure storage account and a virtual network set up.

  1. Click Prepare infrastructure > Target, and select the Azure subscription you want to use.
  2. Specify whether your target deployment model is Resource Manager-based, or classic.
  3. Site Recovery verifies that you have one or more compatible Azure storage accounts and networks.

Create replication policy

You need a replication policy to automate the replication to Azure.

  1. To create a new replication policy, click Site Recovery infrastructure > Replication Policies > Replication Policy.
  2. Under RPO threshold, specify the RPO limit. This value specifies how often data recovery points are created. An alert is generated if continuous replication exceeds this limit.
  3. Under Recovery point retention, specify (in hours) how long the retention window is for each recovery point. Replicated virtual machines can be recovered to any point in a window. Up to 24 hours retention is supported for machines replicated to premium storage, and 72 hours for standard storage.
  4. Under App-consistent snapshot frequency, specify how often (in minutes) recovery points containing application-consistent snapshots will be created.
  5. Click OK to create the policy.
  6. When you create a new policy it’s automatically associated with the configuration server. By default, a matching policy is automatically created for failback. For example, if the replication policy is rep-policy then the failback policy will be rep-policy-failback. The failback policy isn’t used until you initiate a failback from Azure.

Prepare for push installation of the Mobility service

The Mobility service must be installed on all virtual machines you want to replicate. There are several ways to install the service, including manual installation, push installation from the Site Recovery process server, and installation using methods such as System Center Configuration Manager. Here you can review prerequisites and installation methods for the Mobility Service.

If you want to use push installation from the Azure Site Recovery process server, you need to prepare an account that Azure Site Recovery can use to access the virtual machine.

The following describes the options:

  • You can use a domain or local account

For Windows, if you’re not using a domain account, you need to disable Remote User Access control on the local machine. To do this, in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, add the DWORD entry LocalAccountTokenFilterPolicy, with a value of 1.

  • If you want to add the registry entry for Windows from a CLI, type: REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1.
  • For Linux, the account should be root on the source Linux server.

Install Mobility Service manually by using the GUI

  1. Copy the installer executable to the virtual machine that is being migrated to Azure, and then open the installer.
  2. On the Installation Option pane, select Install Mobility Service.
  3. Select the install location and click Install to being the installation procedure.
  4. You can use Installation Progress page to monitor the installer’s progress.
  5. Once installation is complete, click the Proceed to Configuration button to register the Mobility Service with your Configuration server.
  6. Click on the Register button to complete the registration.

Configure replication

After you have installed and configured both the Process Server and the Mobility Service agents, continue configuring replication in Azure.

  1. In the Azure portal, navigate to Site Recovery > Step1: Replicate Application > Enable Replication, and then click Step 1: Source Configure > Source.
  2. In Source, select On-Premises.
  3. In Source location, select your Configuration Server.
  4. In Machine type, select Virtual Machines.
  5. In vCenter/vSphere Hypervisor, select the vCenter server that manages the vSphere host, or select the host.
  6. Select the process server or the configuration server if you haven’t created any additional process servers, and then click OK.
  7. In Target, select the subscription and the resource group in which you want to create the migrated virtual machines. Choose the deployment model for the migrated virtual machines that you want to use in Azure (classic or resource manager).
  8. Select the Azure storage account you want to use for replicating data. If you don’t want to use an account you’ve already set up, you can create a new one.
  9. Select the Azure network and subnet to which Azure Virtual Machines will connect when they’re created after migration. Select Configure now for selected machines to apply the network setting to all machines you select for protection, or select Configure later to select the Azure network per virtual machine.
  10. Point to Virtual Machines > Select, select each enabled machine you want to replicate, and then click OK.
  11. In Properties > Configure properties, select the process server account that will automatically install the Mobility service on the machine.
  12. By default, all disks are replicated. Click All Disks and clear any disks you don’t want to replicate, and then click OK. You can set additional virtual machine disk properties later if needed.
  13. In Replication settings > Configure replication settings, verify that the correct replication policy is selected. If you modify a policy, changes will be applied to the replicating machine and to new machines.
  14. Enable Multi-VM consistency if you want to gather machines into a replication group, specify a name for the group, and then click OK.
  15. Click Enable Replication. You can track progress of the Enable Protection job in Settings > Jobs > Site Recovery Jobs. After the Finalize Protection job runs the machine is ready for failover.

Step 4: Complete migration

Because migration is different than failover, it is important to configure Site Recovery for a migration.

For migration, you don’t need to commit a failover or delete machines. Instead, select the Complete Migration option for each machine you want to migrate.

  1. In Replicated Items, right-click the virtual machine, and then click Complete Migration.
  2. Click OK to complete the migration.

You can track progress in the virtual machine properties by monitoring the Complete Migration job in Site Recovery jobs. The Complete Migration action completes the migration process, removes replication for the machine, and stops Site Recovery billing for the machine.

At this point, your virtual machine has been migrated to Azure and you can begin using the IP addresses you set up in Networking. If you must migrate a database, the next section outlines migrating SQL Server databases using Migration Data Assistant and Azure Database Migration Service. Otherwise, the migration process continues with

Stage 3: Optimize migrated workloads

Cloudyn helps ensure migrated virtual machines continue to deliver targeted resource utilization and best cost by recommending changes. Track costs against budget using spending reports that help identify which virtual machine types are consuming budget and support decisions on how to modify the Azure environment to maximize ROI. Cloudyn benefits include:

  • Visibility into resource costs
  • Visibility into application and departmental costs
  • Budgeting
  • Cost optimization with right-sizing guidance

As organizations move on-premises virtual machines to Azure, a best practice is to move workloads through three stages: discover, migrate, and optimize. Microsoft and its partners offer tools to help increase the efficiency and reduce the complexity of those stages.

Office 365 MailFlow Scenarios and Best Practices

Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements and uses scenario to delivered email to your organisation’s mailboxes. The simplest way to configure mail flow is to allow Microsoft EOP to handle spam filter and Maiflow of your organisation. However, you may have already invested your infrastructure handle mail flow. Microsoft also accepts this situation and allow you to use your own spam filter.

The below scenario and use cases will allow you to determine how you can configure MailFlow of your organisation.

Mailbox Location MailFlow Entry Point Scenario & Usecases Recommended MailFlow Configuration  and Example MX record
Office 365 Office 365 Use Microsoft EOP

Demote or migrate all mailboxes to office 365

Use Office 365 mailboxes

MX record Pointed to Office 365

MX: domain-com.mail.protection.outlook.com

SPF:  v=spf1 include:spf.protection.outlook.com -all

 

On-premises On-prem Prepare the on-prem to be cloud ready

Build and Sync AAD Connect

Built ADFS Farm

MX record Pointed to On-prem

MX1.domain.com

SPF: v=spf1 include: MX1.domain.com  include:spf.protection.outlook.com -all

Third-party cloud, for example, G-Suite Both third-party and office 365 Prepare to migrate to Office 365

Stage mailbox data

MailFlow co-existance

MX record pointed to third-party cloud

MX record Pointed to On-prem

in.hes.trendmicro.com

SPF: v=spf1 include:spf.protection.outlook.com include: in.hes.trendmicro.com include: ASPMX.L.GOOGLE.COM -all

Combination of On-premises and Office 365 On-premises Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to On-prem spam filter

MX record Pointed to On-prem

MX1.domain.com

SPF: v=spf1 include: MX1.domain.com  include:spf.protection.outlook.com -all

Combination of On-premises and Office 365 Third-party cloud spam filter Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to third-party cloud spam filter

MX record pointed to third-party cloud

MX record Pointed to On-prem

in.hes.trendmicro.com

SPF: v=spf1 include:spf.protection.outlook.com include: in.hes.trendmicro.com -all

MailFlow Configuration Prerequisites:

  1. Make sure that your email server (also called “on-premises mail server”) is set up and capable of sending and receiving mail to and from the Internet.
  2. Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid public certification authority-signed (CA-signed) certificate.
  3. Make a note of the name or IP address of your external-facing email server. If you’re using Exchange, this will be the Fully Qualified Domain Name (FQDN) of your Edge Transport server or CAS that will receive an email from Office 365.
  4. Open port 25 on your firewall so that Office 365 can connect to your email servers.
  5. Make sure your firewall accepts connections from all Office 365 IP addresses. See Exchange Online Protection IP addresses for the published IP address range.
  6. Make a note of an email address for each domain in your organisation. You’ll need this later to test that your connector is working correctly.
  7. Make sure you add all datacenter IP addresses of Office 365 into your receive connector of on-premises Exchange server

Configure mail to flow from Office 365 to your email server and vice-versa. There are three steps for this:

  1. Configure your Office 365 environment.
  2. Set up a connector from Office 365 to your email server.
  3. Change your MX record to redirect your mail flow from the Internet to Office 365.

Note: For Exchange Hybrid Configuration wizard, connectors that deliver mail between Office 365 and Exchange Server will be set up already and listed here. You don’t need to set them up again, but you can edit them here if you need to.

  1. To create a connectorExchange in Office 365, click Admin, and then click to go to the Exchange admin center. Next, click mail flow click mail flow, and click connectors.
  2. To start the wizard, click the plus symbol +. On the first screen, choose the appropriate options when creating MailFlow from Office 365 to On-premises Server
  3. Click Next, and follow the instructions in the wizard.
  4. Repeat the step to create MailFlow between On-premises to Office 365.
  5. To redirect email flow to Office 365, change the MX (mail exchange) record for your domain to Microsoft EOP, i.e. domain-com.mail.protection.outlook.com

Relevant Articles:

Mailflow Co-existence between G-Suite and Office 365 during IMAP Migration

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Centralized MailFlow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

Windows Server Patching Best Practices

This article provides actionable advice about how to manage patches to reduce downtime while still maintaining the security of software services through the proactive reduction of dependencies and the use of workaround solutions.

Patching Requirements

Windows Server patches, hotfixes and service pack is critical for compliance, service level agreement and security purposes. Keeping an operating systems and application up to date is the key to align your infrastructure with latest software. Patches and hotfixes also enable you to prevent any security breaches and malware infection.

Windows Patch Classification

The following are strongly recommended patches:

  1. Critical
  2. Security
  3. Definition Updates for malware
  4. Service packs

Windows Product Classification

It is highly recommended that you patch Windows Servers, Windows Clients, Office, Applications (Silverlight, .Net Framework, SQL, Exchange, SharePoint, FF TMG).

Patching Groups

Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:

1. UAT (UAT1, UAT2, etc)

2. Test Environment (Test1, Test2, etc)

3. Development Environment (Dev1, Dev2 etc)

4. Production (Prod1, Prod2, etc)

If you have clustered environment like SQL, Exchange and SharePoint then create Prod1, prod2 group and place each node on each group.

Change Management

System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.

Backup

Why am I discussing backup with patching best practice? In case of emergency you can rollback completely and restore a server to its original state if necessary. It is very important that servers be backed up on a regular basis. Depending on the use of the server, it may be adequate to backup the server once per week. A backup of a more critical environment may be needed daily, and possibly continuously. The backup program provided with Windows is capable of backing up to virtually any writable media, which can include network drives provided by a server in another physical location. This program is also capable of scheduling backups which can ensure backups occur on a regular interval.

Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:

  • A full backup of all databases on the server.
  • A full backup of transaction log and log backup
  • A system state backup of the server.
  • A snapshot of virtualized exchange server. Delete snapshot after successful patching and updating.

Application Compatibility

Read release notes of each hotfixes you are going to apply so that you are compliant with the application installed on the server. Consult with application vendor before applying service pack to any server if the server is hosting specific business application. Consult with application engineer about the importance of server patching. Inform and educate application engineer as much as possible to avoid conflict of interest.

Documentation

Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. These should be printed off and attached to change control procedures as supporting documentation.

Back out Plan

A back-out plan will allow the system and enterprise to return to their original state, prior to the failed implementation. It is important that these procedures are clear, and that contingency management has tested them, because in the worst case a faulty implementation can make it necessary to activate contingency options. Historically, service packs have allowed for uninstalling, so verify there is enough free hard disk space to create the uninstall folder. Create a back out plan electronically and attach with change management software.

User Notifications

You need to notify helpdesk staff and support agencies of the pending changes so they may be ready for arising issues or outages.

Consistency across Servers

Always install the same service packs or hotfixes to each SQL server node, Exchange DAG member and Domain Controller.

Routine Maintenance Window

A scheduled maintenance window must be agreed with business so that application outage and server reboot can maintain a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock then you must consider application dependencies. A patching schedule can be considered in between every Friday of every month at 6:00 P.M. Friday to 6:00 A.M Monday. Setup maintenance window in system center or deadline for WSUS to make sure patches are applied when you want instead of when patch is available. In this way you will have a complete control over change windows approved by change advisory board (CAB). Do not allow end users to update patches on their client machine according to their wishes and happiness! then user will never install any patch.

Patching Tools

I strongly recommend that you spend few $$$ to buy Microsoft System Center 2012 to manage and deploy Windows patches, service pack and hotfixes. However you can use Windows Server Update Services (WSUS) as poor man’s patching solutions.

Patching DMZ server can be accomplished using WSUS offline patching solutions available for free to download from http://download.wsusoffline.net/.

Automate, Automate and Automate!

Automated patch management using System Center could enable a single IT administrator to access a pre-populated patch policy. He then could execute the command and with the press of a single button, download the patches from Microsoft’s website, install them on a test machine and test for compatibility issues. Meanwhile, an automatic inventory check could search for systems with the affected software, wake them up, check their readiness and push the verified patches out to waiting machines. The patches would then be automatically installed on each system, and they’d reboot as necessary. The final step is an automated report on the status of the remediated devices.

Standardize Patch Management Processes

Standardized patch management processes could allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. A systems monitoring task that used to take days now takes minutes, and patches are deployed more completely and consistently across the entire IT environment. A single IT administrator can proactively manage thousands of systems tasks in the same amount of time it took an entire team to do the tasks manually.

Reboot Windows Computer

Some application may require reboot of server before patching such as RSA Secure Console. However most of the server must be rebooted after patching. Do not suppress reboot after patching in any circumstances or you will have a messy environment and broken clusters.

X86 and X64 Windows Systems

The most prominent 32-bit application you’re likely to see on a 64-bit Windows system is Office. In this sort of situation System Center benefits most because you can adjust and make decision based on architecture and compliance as well. You can approve patches based on “Needed and Not Installed”. If a server or client need update it will install if not then it will not installed. It’s safe to do so.

Antivirus and Antispyware

Servers are vulnerable to many forms of attack. Implementation and standardization of security methods should be developed to allow early and rapid deployment on servers. It’s important that a Windows server be equipped with a latest centrally managed Antivirus program. Antivirus update must be scheduled with the same maintenance window to update antivirus with latest definition.

Audit Practices

Servers have a powerful auditing feature built in. Typically, server managers would want the auditing system to capture logins, attempted logins, logouts, administrative activities, and perhaps attempts to access or delete critical system files. Auditing should be limited to gathering just the information that is needed, as it does require CPU and disk time for auditing to gather information. Log Management software should be used, if possible, for ease of managing and analysing information. Report can be generated from Systems Center and WSUS as proof of patching cycle.

Log Retention

Servers keep multiple logs and, by default, may not be set to reuse log file entries. It is a good practice to expand the size of the allowed log file and to set it to reuse space as needed. This allows logging to continue uninterrupted. How far back your log entries go will depend on the size of the log file and how quickly you are accumulating log data. If your server environment is critical, you may wish to ensure that the log file size is sufficient to store about 30 days of logging information, and then rotate log files once per month.

Installing Updates on a single Exchange Server

Download Exchange Update from Microsoft Download Center. Record Current Exchange Version information

Check for publisher’s certificate revocation

1. Start Internet Explorer.

2. On the Tools menu, click Internet Options.

3. Click the Advanced tab, and then locate the Security section.

4. Clear the Check for publisher’s certificate revocation check box, and then click OK.

5. After the update rollup installation is complete, select the Check for publisher’s certificate revocation option.

Pre-check before installing

1. Determine which update rollup packages are installed on your Exchange server roles

2. Determine whether any interim updates are installed

3. Review interim updates

4. Obtain the latest update rollup package

5. Apply on a Test Exchange Server

Install Exchange Update

1. Ensure that you have downloaded the appropriate rollup to a local drive on your Exchange servers, or on a remote network share.

2. Run the Windows Installer *.msp Setup file that you downloaded in step 1.

Install Exchange Update on DAG Member

To update all DAG members, perform the following procedures on each DAG member, one at a time. Set the member server in maintenance mode using this PowerShell Command.

.StartDagServerMaintenance.ps1 <ServerName>

Install the update rollup

1. Close all Exchange management tools.

2. Right-click the Exchange update rollup file (.msp file) you downloaded, and then select Apply.

3. On the Welcome page, click Next.

4. On the License Terms page, review the license terms, select I accept the License Terms, and then click Next.

5. On the Completion page, click Finish.

Once installed exit from maintenance mode run the StopDagServerMaintenance.ps1 script. Run the following command to re-balance the DAG, as needed

.RedistributeActiveDatabases.ps1 -DagName <DAGName> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution

When the installation is finished, complete the following tasks:

  • Start the Services MMC snap-in, and then verify that all the Exchange-related services are started successfully.
  • Log on to Outlook Web App to verify that it’s running correctly.
  • Restore Outlook Web App customizations, and then check Outlook Web App for correct functionality.
  • After the update rollup installation is complete, select the Check for publisher’s certificate revocation option in Internet Explorer. See “Certificate Revocation List” earlier in this topic.
  • Check Exchange 2010 version information
  • View Update rollup in Control Panel>Programs and Features

Patching Microsoft Failover Cluster

You can install Windows service packs on Windows Server Failover Cluster nodes using the following procedure. Administrative privilege is required to perform the following tasks.

Procedure to install Windows service pack or hotfixes in Windows Server 2003:

  1. Check the System event log for errors and ensure proper system operation.
  2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
  3. Expand Node A, and then click Active Groups. In the left pane, right-click the groups, and then click Move Group to move all groups to Node B.
  4. Open Cluster Administrator, right-click Node A, and then click Pause Node.
  5. Install the service pack on Node A, and then restart the computer.
  6. Check the System event log for errors. If you find any errors, troubleshoot them before continuing this process.
  7. In Cluster Administrator, right-click Node A, and then click Resume Node.
  8. Right-click Node B, and then click Move Group for all groups owned by Node B to move all groups to Node A.
  9. In Cluster Administrator, right-click Node B, and then click Pause Node.
  10. Install the service pack on Node B, and then restart the computer.
  11. Check the system event log for errors. If you find any errors, troubleshoot them before continuing this process.
  12. In Cluster Administrator, right-click Node B, and then click Resume Node.
  13. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

Procedure to install Windows service pack or hotfixes in Windows Server 2008 and Windows Server 2012:

  1. Check the event log for errors and ensure proper system operation.
  2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
  3. On Node A, Expand Services and Applications, and then click the service or application
  4. Under Actions (on the right), click Move this service or application to another node, then choose the node or select Best possible.
  5. In the Failover Cluster Manager snap-in, right-click Node A, and then click Pause.
  6. Install the service pack/hotfixes on Node A, and then restart the computer.
  7. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
  8. In Failover Cluster Manager snap-in, right-click Node A, and then click Resume.
  9. Under Actions (on the right), click Move this service or application to another node, then choose the node.
    Note: As the service or application moves, the status is displayed in the results pane (in the center pane). Follow the Step 9 and 10 for each service and application configured on the cluster.
  10. Install the service pack/hotfixes on Node B, and then restart the computer.
  11. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
  12. From the Failover Cluster Manager snap-in, right-click Node B, and then click Pause.
  13. In Failover Cluster Manager, right-click Node B, and then click Resume.
  14. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

You can use the following PowerShell Cmdlet to accomplish the same.

1. Load the module with the command: Import-Module FailoverClusters

2. Suspend (Pause) activity on a failover cluster nodeA: Suspend-ClusterNode nodeA

3. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeA | Get-ClusterGroup | Move-Cluster Group

4. Resume activity on nodeA that was suspended in step 5: Resume-ClusterNode nodeA

5. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeB | Get-ClusterGroup | Move-Cluster Group

6. Suspend (Pause) activity on other failover cluster node: Suspend-ClusterNode nodeB

7. Resume activity on nodeB that was suspended in step 10 above: Resume-ClusterNode nodeB

Conclusion

It is critical that when service packs, hotfixes, and security patches are required to be installed, that these best practices be followed.

Bottom line

1. Read all related documents.

2. Use a change control process.

3. Apply updates that are needed.

4. Test patches and hotfixes on test environment.

5. Don’t get more than 2 service packs behind.

6. Target non-critical servers first.

7. Service Pack (SP) level consistency.

8. Latest SP instead of multiple hotfixes.

9. Apply only on exact match.

10. Subscribe to Microsoft email notification.

11. Always have a back-out plan.

12. Have a working Backup and schedule production downtime.

13. Consistency across Domain Controllers and application servers.

Additional Readings:

SQL Server failover cluster rolling patch and service pack process

Patch Management on Business-Critical Servers

Active Directory Certificate Services Best Practices

AD CS is composed of several role services that perform several tasks. One or more of these role services can be installed on a server as required. These role services are as follows:

  • Certification Authority— This role service installs the core CA component, which allows a server to issue, revoke, and manage certificates for clients. This role can be installed on multiple servers within the same root CA chain.
  • Certification Authority Web Enrollment— This role service handles the web-based distribution of certificates to clients. It requires Internet Information Services (IIS) to be installed on the server.
  • Online Responder— The role service responds to individual client requests regarding information about the validity of specific certificates. It is used for complex or large networks, when the network needs to handle large peaks of revocation activity, or when large certificate revocation lists (CRLs) need to be downloaded.
  • Certificate Enrollment Web Service— This new service enables users and computers to enroll for certificates remotely or from non-domain systems via HTTP.
  • Certificate Enrollment Web Policy Service— This service works with the related Certificate Enrollment Web Service but simply provides policy information rather than certificates.
  • Network Device Enrollment Service— This role service streamlines the way that network devices such as routers receive certificates.

Windows Server 2012 Step by Step
Active Directory Certificate Services Hierarchy

Public Key Infrastructure must be deployed in hierarchical order to securely deliver certificates to clients, application and servers. The best way to achieve this is to deploy a Standalone Offline Root CA and Online Enterprise Subordinate CA. Offline Root CA meaning you have to shut down the CA once you obtain the CRL chain for subordinate CA. Subordinate stays powered on and joined to the domain. Offline Root CA works in a workgroup not a domain member.

Standalone offline Root CA:

Benefits:

  • Principal component of PKI infrastructure
  • Provide CRL sign off capacity for subordinate authority
  • Provide Web Enrolment for Sub-ordinate Certificate Authority
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Online Enterprise Subordinate CA

Benefits:

  • Subordinate Component of PKI infrastructure
  • Present and issue Certificates to clients
  • Sign off Web Certificates for application
  • Management point of Certificate Infrastructure
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Certificate Services Best practices

  • Analyze and plan necessity of Active Directory Certificates or public key infrastructure (PKI) in your organization before deploying certification authorities (CAs)
  • Place database and transaction log files on separate hard drives possibly SAN
  • Keep the root certification authority offline and secure its signing key by hardware and keep it in a vault to minimize potential for key compromise
  • When changing security permissions for the certification authority (CA), always use the Certification Authority snap-in
  • Do not issue certificates to users or computers directly from the root certification authority
  • Always point client to subordinate certificate any certificates
  • Back up the CA database, the CA certificate, and the CA keys
  • Ensure that key lifetimes are long enough to avoid renewal issues
  • Review the concepts of security permissions and access control, since enterprise certification authorities issue certificates based on the security permissions of the certificate requester
  • Use Secure Sockets Layer (SSL) when using Web-based certificate enrollment

Certificate Provider

You have to select RSA#Microsoft Software Key Storage Provider” with sha1 if there is any Windows XP Client otherwise select RSA#Microsoft Software Key Storage Provider” with sha256 as certificate provider.

Cryptographic Key Length

Use 2048 bit cryptographic length for both offline Root CA and Subordinate CA.

Templates

  • Plan certificate templates before deployment
  • Only Publish templates that are necessary
  • Duplicate new templates from existing templates closest in function to the intended template
  • Do not exceed the certificate lifetime of the issuing certification authority
  • Do not delete the Certificate Publishers security group

Validity Period

  • Offline Standalone Root CA- 10 Years
  • Online Enterprise Subordinate CA- 10 Years

Revocation List

The following sections summarize how certificate revocation checking works.

  • Basic chain and certificate validation
  • Validating revocation information
  • Network retrieval and caching

Revocation Best Practice

  • Leave the default revocation checking behavior instead of using CRLs for revocation checking
  • Instead of creating long listings of URLs for OCSP and CRL retrieval, consider limiting the lists to a single OCSP and a single CRL URL
  • Use CryptoAPI 2.0 Diagnostics to Troubleshoot Revocation Settings
  • Use Group Policy to Define Revocation Behavior

Audit Policy

Select the following Audit Policy for both Certificate Authority

  • Backup and restore the CA database
  • Change CA configuration
  • Change CA security settings
  • Issue and manage certificate request
  • Revoke certificates and publish CRL

Backup Certificate Authority

  • Backup Public Key
  • Backup CA database
  • Retention: Daily increment/Monthly Full

Security Permission on Template

The following table summarize certificate security permission in AD CS.

Domain Computers Auto-Enroll Read Only
Domain Users Auto-Enroll Read Only
Wintel Administrator Full Control Full Control

Security Permission on Servers

You must create role separation in Active Directory Certificate Services to provide greater control on Certificate Authority. To enable Role separation, Open Elevated command prompt and type certutil -setreg caRoleSeparationEnabled 1. The following table describe role separation for AD CS.

CA Administrator Full Permission
Certificate Manager Issue and Manage Certificates
Auditor Manage auditing and security logLocal Security Settings/ Security Settings/Local Policies/User Rights Assignments
Backup Operator Back up file and directories

Local Security Settings/ Security Settings/Local Policies/User Rights Assignments

Enrollees Authenticated Users

The Following are the messy configurations you must avoid when installing a Certificate Authority.

  • Do not install Certificate Authority on any Domain Controller or server with other roles unless you are a small business and you have only one or two servers in your organization. In this case, you don’t have any choice.
  • Do not install both certificate authority in two different operating systems such as Windows Server 2003 and Windows Server 2008.
  • Do not keep CAs in different patch and update level.
  • Do not use 1024 bit encryption length.

Relevant Articles:

Microsoft Active Directory Best Practice Part II

Microsoft Active Directory—Best Practice