Manage files - you can now select multiple files

just make sure that you have moved cl11 into wvd infra and done that section of the conditional access lab, changed device settings to domain joined

make sure you've done some things so we can see when we create our new vms for session hosts from this image it looks like its doing something

you might also want a new folder, shortcut on start menu, remove sign out from menu etc, so we can see the difference

no longer separated out - you need to just do azure admin portals

note the order you are doing things. You always need to have a token before you can join new hosts to a pool.

A registration token is required to authorize a host to join the pool. The value of token’s expiration date must be between one hour and one month from the current date and time.

Needed if there is a delay in joining session host to the pool because on because day 2 we didn't need registration token, but you can still do it direct from the portal as well. When you click on add host there's an option to generate a registration token.

Type this command first to allow you to login without any problems when using MFA

Update-AzConfig -EnableLoginByWam $false

then Connect-AzAccount or

$tenantId = (Get-AzContext).Tenant.Id

Import-Module -Name AzureAD

$location = 'east us' be careful this might need to be 'westus' depending where we can get our vms - below

use the screenshot for spacing

kubectl exec is a command in Kubernetes that allows you to execute commands inside a running container within a pod. It provides a way to interact with the running processes inside the container, similar to how you would SSH into a virtual machi

do you mean backend? I'm just seeing html file when I do the frontend

i just see the doctype html file, if IU choose the frontend, when I type curl 10.0.1.81:8080 you need to choose the one that says lab4backend-**

curl 10.0.1.82:8080 gives a nice message - not in the midst of an html file

you can use the files in starters or solutions folder if you don't have the files from previous labs - from explorer view in vs code connection

got an error about temporary failure in name resolution

I asked chatgpt where to put this, gave it the original file and then told it I needed to add this section

spec: containers: - name: httpd image: httpd resources: {} volumeMounts: - name: homepage mountPath: /usr/local/apache2/htdocs/ volumes: - name: homepage hostPath: path: /home/student/index.html

I think it would be easier if you just put the whole file and the new stuff in bold, as it's so easy to put in wrong place, I'm getting

rror from server (BadRequest): error when creating "lab3web.yaml": Deployment in version "v1" cannot be handled as a Deployment: strict decoding error: unknown field "spec.template.metadata.volumeMounts", unknown field "spec.template.status", unknown field "spec.template.volumes"

I asked chatgpt and it did well

spec: containers: - name: httpd image: httpd resources: {} volumeMounts: - name: homepage mountPath: /usr/local/apache2/htdocs/ volumes: - name: homepage hostPath: path: /home/student/index.html

k delete deployment lab3web

after adding alias k=kubectl to the bashrc file

What was the answer to this was it

kubectl get pod kvstore -o wide to find the name of the node that it's on - mine was on k8s-worker-1

I then went into ssh settings in visual studio code and added a host so my ssh config file is now

Host worker0 HostName 18.171.145.65 User student IdentityFile c:\users\karen\downloads\qwikLABS-L138956-206416.pem Host worker1 Hostname 35.178.200.149 User student IdentityFile c:\users\karen\downloads\qwikLABS-L138956-206416.pem Host controller Hostname 13.40.152.189 User student IdentityFile c:\users\karen\downloads\qwikLABS-L138956-206416.pem

and I opened them up in 3 separate vs code windows

kubectl get pod <pod-name> -o jsonpath='{.metadata.uid}'

kubectl get pod kvname -o jsonpath='{.metadata.uid}'

and then

on k8s-worker-1 in the terminal windows I used the syntax and replaced my id I had retrieved from above command in the poduid:

/var/lib/kubelet/pods/<podUID>/volumes/kubernetes.io~empty-dir/

sudo ls //var/lib/kubelet/pods/37abdd08-c0f7-4549-a9cc-20df89ed7fa8/volum es/kubernetes.io~empty-dir/

you have to run it with sudo permissions otherwise you get denied access, but then you can see data-volume

I then did sudo -i

cd /var/lib/kubelet/pods/37abdd08-c0f7-4549-a9cc-20df89ed7fa8/volumes/kubernetes.io~empty-dir/

ls (to see directory listing it shoowed me data-volume)

cd data-volume

ls

it then showed me age and name which were the two values I had put in there

not needed!

apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: kvstore name: kvstore spec: containers: - image: abhirockzz/kvstore name: kvstore volumeMounts: - mountPath: /data name: data-volume volumes: - name: data-volume emptyDir: {} dnsPolicy: ClusterFirst restartPolicy: Always status: {}

I removed the line resources: {} at the end as kept getting error saying did not find expected - indicator. The above file works

should be .yaml at the end

scroll down for workbook it's not the top option

Grep is a useful command to search for matching patterns in a file. grep is short for "global regular expression print".

run as two separate lines

this is an lowercase L not the number 1

This is now called MITRE ATT&CK drop down menu

if you are doing this from scratch you will have to create a vm1 in RG1

and then clear filter so you can see the other ones

and then clear the filter so you can see Activity log again and then the three dots at the end and choose Manage

hmm, lots of warnings saying this is the old way of doing it and you should be using AMA agent instead

under the Settings menu choice

From the Microsoft Sentinel menu (add it from All services if needed) - choose +Create button and select your workspace from Task 1 and click the Add button

It takes AGES for Application gateway to deploy

bla bla bla

ensure you have already run instal-module -name az -force

this command only works from cloud shell not from powershell ise

make sure you are selecting student@adatum.com otherwise you get kerberos error later - because you are using the user account as session host id domain joined

If you get the error The current processor architecture is: X86. The module 'C:\Program Files (x86)\WindowsPowerShell\Modules\AzureAD\2.0.2.182\AzureAD.psd1' requires the following architecture: Amd64. - you have used Powershell ISE x86 instead of the main Powershell ISE and you will have to run all the previous commands again!

The powershell module AzureAD is going to be kept for a bit and then Microsoft Graph will be used, even though we are changing to Microsoft Entra ID

I chose that, but when it came to looking at Application insights on vm - map it said

To enable the Map feature, configure Processes and dependencies in the Data Collection Rules for VM insights. Learn more You are using an OS version (MicrosoftWindowsServer WindowsServer 2022-datacenter-azure-edition) that is not supported. For more details on supported OS and kernel versions please review our support matrix

On the Network settings click the hyperlink for WS-VM1-nsg to go to the Network security group and from there crate a new inbound rule, or choose Create port rule blue button at the right side and choose inbound port rule

you need to click on the letters RDP

The wording is now Network settings

odd, as you won't get any emails - you could try using your email

although we aren't changing the other settings, the Workspace will default to your log analytics workspace as there is only one, but you could use the drop down menu to change it. The create alert has been filled in with a condition called whenever the count test result is greater than 2 count

expand the triangle(s) to see the vms available

this is one button called Next: Destination

the button inside the Add data source page is called Next:Destination

probably have to wait a few minutes otherwise the new data collection endpoint won't appear from the data collection endpoint - so check that first before giving it a name and resource group, if necessary close the data collection rule, wait a few more minutes and try again

In the purple banner at the top, you will see an Enable now button

From the web app, select the Diagnostic settings menu and from there +Add diagnostic setting and then choose HTTP logs from there. This section seems to be duplicated, it ells you how to do it properly below!

this is still the website**** app service

this installs tools and restarts your web app

the heading in the menu bar is called Settings

this will be called website**

this group is currently empty!

these are the terms that Azure uses for different resource types, very important in SAS

i got error saying ad sync service not running - go to services, and its called Microosft Azure AD Sync - mine said automatic, but had to click on STart to start it

e:\apps for me

I've done this on my original client

It's important to sign out to commit the change to the profile. You can put the session host that you connected to in drain mode, to ensure your next test you connect to a different session host

ensure when you extracted it just has one release folder, so three files in the release folder

can't do this one, as can't do free trial of microsoft entra id, with Azure pass sponsorship

change this down to 5 to speed things up!!

For some people this has now changed to a heading called Networking

this was in both sets of objectives, but was never in previous course

in previous objective it just said HSM without the full wording!

never in course before, but was in objectives

this was never in the course before, but now appears to be in previous objectives

this is in previous objectives even though it was never in course content

Now secure groups, used to be secure directory groups

you need to be owner of subscription to change from IAM to Access policies, the default subscription doesn't always do this

note not STUDENT

Microsoft Entra

if you leave the azure ad connect open, no further synchronisation will take place, even if you try to force it in powershell

now called Settings

in reality better to do this using centralised group policy on the domain controller

notice this is NOT using the Powershell ISE as Administrator as you've done before

this is now in a new section called Payload - you can just use the search command at the top to find the item Run Command

yes still called that here!! This will be Azure AD Connect V2 - so it will continue to be supported, it's v1 that is not going to be supported going forward

Edge is already installed, just select it from the start menu and go straight to step 4

ensure you are still using bastion session so you are on the domain controller not your own pc!

this is your user called aadsyncuser@*outlook.onmicrosoft.com

ie your outlook account

replace this with suitable password and remove chevron brackets and keep the quotes

replace and make a note of this password here

you need to replace this with your chosen password that will meet complexity for passwords in Active Directory on prem and then later in Microsoft Entra ID

we only need the basic functionality - but if you enable standard you get added functionality

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings

you can just duplicate the tab from your browser

make sure you add them separately, if you shift click to select them both, only one will be uploaded. You can try opening the cloud shell window and dragging both files in from file explorer - this works well.

if you get any errors with this code, it's because you chose the wrong parameters file in the step above!!

please choose your file very carefully, it's the DC paramethers and there's no letter a in it

Please double check at this time, the script did what it was supposed to do. Go into the virtual network and from the menu select DNS servers and ensure that the DNS server now says custom and is pointing at 10.0.0.4 which is the domain controller you've just built... otherwise everything goes wrong from here on in!! If it doesn't say it, and the script has completed, please update it manually so it does say it.

please select carefully - DON'T choose the one with the letter a after it, because that is used by the other lab

just right click on the link and choose to copy the link address

$location = 'east us'

select Disable to do the save

You select Disabled and then use the radio button to say My organisation is using conditional access

you will need to initiate the request again, after setting up MFA - just stay in the New Quota Request window to wait for the update to happen or duplicate the browser tab to continue with lab.

after creating the storage account, you might get an error saying you need to register your Azure Cloud shell. To do this. Go to your subscription and make a note of the subscription id, and then run these commands, substituting the subscription id and removing the chevron brackets.

az account set --subscription < subscription name or id >

az provider register --namespace Microsoft.CloudShell

for example

az account set --subscription b07aadc9-aade-4982-9d2c-7b42caaaaaaaa

az provider register --namespace Microsoft.CloudShell

These files are found from a zip https://github.com/MicrosoftLearning/AZ-140-Configuring-and-Operating-Microsoft-Azure-Virtual-Desktop - click on Code and then download the zip file. You can do quite a lot of the first lab outside of learnondemand environment, so you can save your files on your computer and inside learnondemand.

STOP - wrong lab!!

No.... you are doing the wrong one. Stop, and do the one with ADDS

you will need to add the line $appName="XmlNotepad" above as we overwrote the whole code for step 6 or alternatively overtype $appName.vhd with XmlNotepad.vhd

certificates local computer console

This needs to be C:\allfiles\labs\04\FSLogix_Apps_2.9.8612.60056\x64

make sure the az14-cl-vm11 is running before trying to connect to it using bastion, you may bet a network unstable error!

From Microsoft Entra ID - Security - Conditional Access - Policies

might take a minute or so initially

or just search for Microsoft remote desktop

you need to copy and select and paste the whole number, as if you start typing it doesn't find it. You can actually just type Azure Virtual desktop instead

this is now called Target resources

signed back in as your admin user

remember this is now Microsoft Entra ID - so do a find and replace in your head whenever you see Azure AD

I would suggest, just before taking the image and sysprepping the vm, do something to the vm like create a folder or shortcut so you can see it when you test it.

might be a good idea to create a folder on the desktop and a folder in the c drive with your name, just so when you finish you can see that it's done something!!

If you get asked Security type, be sure to select Standard, as TrustedLaunch isn't supported. If the deployment fails use the Redeploy button and ensure everything is selected correctly.

you can continue with the next part, but be sure not to click on Review and Create for the host pool, until deployment is done

maximum number of users that have concurrent sessions on a session host

Preferred app group type - is a setting underneath this one - leave that as Desktop

and the rest!! maybe up to 15 mins

Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the Tailored experiences setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for each customer’s needs.

Storage Sense can automatically free up drive space for you by getting rid of items that you don't need, like temporary files and items in your Recycle Bin

Background Intelligent Transfer Service (BITS) is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares

you will encounter this error!!

or just copy it after it has been downloaded

don't need to do this additionally, as when you extract the file, it will go here anyway!

you may find that the vm is in a not ready state as it's still finishing deploying so just be patient, even though the bell icon is suggesting it's finished

Another alternative is to set up peering between your new VNet and the vnet11 you already created, and then you can use the bastion you already deployed. If you do this you can just go straight to task 3

closer to 10 minutes

it has been assigned to the az140-wvd-remote-app group

it might appear as unavailable for a few minutes but then should change status.

This is UTC time zone format For instance, UTC time in ISO-8601 is xx:xx:xxZ - just seems to show AM or PM next to the hours minutes and seconds

you will notice that the vm exists, but it hasn't been added to the host pool yet. Steps to follow

because you are already on an Azure virtual machine which is pretending to be your on premises domain controller you can use the private ip address.

although we use friendly names of groups, Azure always uses the object id of the group when you are adding users to it

more likely 120 mins plus. Please be really careful, go slowly, as mistakes take a lot longer to rectify later!!

A very long 60 minutes!!

use the Reset password option within the Microsoft Entra ID, if you have forgotten the password.

now called Microsoft Entra connect

this name has changed to Microsoft Entra ID - so wherever you see the wording Azure Active Directory or Azure AD, they are talking about Microsoft Entra ID

remember this is now Microsoft Entra ID

it means within the bastion session

Should be something like aadsyncuser@QASTUDENTAZURE1000770.onmicrosoft.com

You will get a warning: WARNING: Install the latest PowerShell module, the Microsoft Graph PowerShell SDK, for new features and improvements! https://aka.ms/graphPSmigration but it's fine for now!!

make sure you haven't selected powershell ise x86 version!

takes a good few minutes!

this doesn't actually exist, so use the Server Manager - local server - and click on IE Enhanced security configuration and turn both to Off

I didn't see this.

not sure what this means - but from the Azure portal, you can go to Azure Virtual desktop - Host pools - az140-23-hp2 - Session hosts and see the total sessions on each of the session hosts and who the assigned user is.

you might not get this.

its the ellipsis on the second row that has the unsubscribe not the one in the very top right hand corner

you can change the last 2$ to 0$ to get info about the first vm.

I have two virtual machines and they are called az140-23-p2-0 and 23-p2-1. The parameters file we used, says prefix az140-23-p2 and the number of instances was 2 - so it has built 2 vms, and called the first one 0 and the second one 1

if it fails, best to remove all deployments from the REsourcegroup az140-23-RG and then start again, and ensure all fields are filled in, including vm location with eastus, as it's not a required field, and the entire NSG id is correct, starting with subscription/ Also ensure you created your subnet hp2-Subnet with the correct name.

type in eastus - all one word

there will be quite a few ones which are not mentioned here which are to remain blank, you only need to have values with the fields with the red stars.

you are already there!!

if the copy icon doesn't work, select the resource id yourself and use Ctrl + C to copy and then paste it into notepad

you can check to see your storage account by looking in Active Directory users and computers and looking under the WVDInfra Organisational unit it will be shown as a computer account object.

Icacls is a Windows command-line utility that IT admins can use to change access control lists on files and folders. To find out what they are click here https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls . F is full control, M is modify, OI is Object Inherit, CI is Container Inherit

this is shown in the main panel (underneath the +File share) when you have selected File shares

ensure you click Yes to All when prompted

easiest way is to just download the azure-file-samples using the green Code button and then extract the azfileshybrid from there

there is a new default option to turn on backup on the second tab - you can leave that on, or take it off to save some money whilst doing the lab.

should be Desktop from DAG, Word, Powerpoint and Excel from Office 365 and CMD prompt from Utilities because user 1 has been assigned to all of the application groups via group membership of az140-wvd-pooled for DAG and Utilities RAG and az140-wvd-remote-app for Office365-RAG

if you've not made a note of the credentials for your user, you need to reset it from the domain controller and then run through Azure AD Connect again to sync the change as we didn't set up password writeback

I got the red text, but it wouldn't work, as the az140-cl-vm11 hadn't joined the adatum.com domain. REstart the vm if it hasn't been restarted since changing the DNS server for the virtual network and then log on to the vm and change the system properties so that you can join it to the adatum.com domain using Student and Pa55w.rd1234 credentials. I ended up right-mouse clicking on STart menu and choosing Computer management and then going into local users and groups and adding az140-wvd-users to the Remote Desktop Users

If you go into the shortcut of Command Prompt - Properties and look at Shortcut - Change icon button you will see the icons available. The first one is the zero, and then you count from there which icon you would like.

Add Microsoft Entra ID users or groups!

make sure the deployment has finished, if there's nothing there! If you look and it says the hosts are unavailable - it means: The AVD agent has not successfully communicated with the AVD Management Service, or the agent is unable to update itself to the latest version. This can also show temporarily while AVD waits for the OS to boot up and the agent to come online. In this scenario, the AVD agent did register to the AVD service. Most likely that the virtual machines didn't join the domain. So you will have to do this manually. Firstly check that the virtual network DNS server points at your domain controller 10.0.0.4. Then you need to use the Restart button to restart your virtual machines az140-21-p1-0 and 1 from the virtual machines view, so they see the new DNS settings. After restarting, connect to each vm az140-21-p1-0 Go to System properties and change the computer name to be part of domain adatum.com, using credentials Student and Pa55w.rd1234. After restarting your vm, wait a bit, and then check back in your host pool and you should see in the host pool that they are now available. Although the virtual machines show as running in the virtual machines view, they take a long time to change the status in the session hosts

be sure to choose carefully, there are some very similar names

this was the one you created earlier in the exercise

It should be something like aduser1@QASTUDENTAZURE1000770.onmicrosoft.com

choose carefully there are similar named ones

virtual machines need to be up and running to be able to add the applications, otherwise you get error The host pool does not contain available virtual machines

NOTE: A desktop application group already exists in the selected host pool and you can only create RemoteApp application groups.

Good time to take your break

if at any stage you see the letter a next to a name it means you have selected the wrong instructions and you are doing the Azure Active Directory - not Active Directory - ie on premises being used as your identity directory