The above alphabet soup could be replaced with, "The Day Microsoft Stopped Hogging all the DNS lookups." First a little background: Sender Policy Framework, or SPF, is used to combat spoofing of email sender addresses. If you're not familiar with SPF, this introduction covers the basics: http://www.openspf.org/Introduction
Even if you are familiar with SPF, you may not know that the specification limits how many DNS lookups an SPF evaluation may perform. This limit is 10 DNS lookups total. According to the spec, if evaluating your SPF record requires more than 10 DNS lookups, the MTA MUST return a PermError. Until very recently, Microsoft has pushed up against this limit by consuming 8 or 9 of the available 10 DNS lookups. A recent change has made the situation much more workable.
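To see how quickly a record burns through the limit, here is an added example (not code from the original post) that walks an SPF record and counts the lookup-consuming terms recursively, following include and redirect the way an evaluator would. The domain names and TXT data are constructed stand-ins for DNS, and the 10-lookup rule follows RFC 7208 section 4.6.4.

```python
"""Count the DNS lookups an SPF record needs, recursively."""

# RFC 7208 section 4.6.4: these mechanisms and the redirect modifier each
# cost one lookup; ip4, ip6, all and the exp modifier cost nothing.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

# Constructed TXT data standing in for DNS (illustrative names only).
FAKE_DNS = {
    "example.test": "v=spf1 mx include:_spf.mailhost.test include:_spf.crm.test ~all",
    "_spf.mailhost.test": "v=spf1 include:spf-a.mailhost.test include:spf-b.mailhost.test -all",
    "spf-a.mailhost.test": "v=spf1 a mx ip4:192.0.2.0/24 -all",
    "spf-b.mailhost.test": "v=spf1 a mx a:relay.mailhost.test -all",
    "_spf.crm.test": "v=spf1 ip4:198.51.100.0/24 redirect=_spf2.crm.test",
    "_spf2.crm.test": "v=spf1 exists:%{i}._spf.crm.test ip6:2001:db8::/32 ~all",
}


def count_lookups(domain, resolver, depth=0):
    """Return the total number of DNS lookups evaluating this record would need."""
    if depth > LOOKUP_LIMIT:  # guard against include/redirect loops
        raise ValueError("include/redirect chain deeper than the lookup limit")
    record = resolver.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # strip the qualifier, if any
        if term.startswith("redirect="):
            # redirect costs one lookup, then the target record is evaluated
            total += 1 + count_lookups(term.split("=", 1)[1], resolver, depth + 1)
            continue
        name, _, arg = term.partition(":")
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                # include costs one lookup plus whatever the included record costs
                total += count_lookups(arg, resolver, depth + 1)
    return total


def check_spf(domain, resolver):
    """Return (lookup count, 'ok' or 'PermError') for a domain's SPF record."""
    n = count_lookups(domain, resolver)
    return n, "PermError" if n > LOOKUP_LIMIT else "ok"
```

Run against the constructed data, example.test needs 12 lookups even though its own record lists only three mechanisms, which is exactly how a large third-party include can push an otherwise small record into PermError.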
Now that we have our VPN between Azure and our on-premises environment up and running (see part 1), and have our Virtual Machines deployed in a configuration that is HA ready, we can move forward with deploying ADDS and ADFS. (Links to other articles in the series are in the conclusion.)
Why Deploy Active Directory To Azure?
We are choosing to deploy ADFS in Azure IaaS so that we can avoid dependence on the on-premises infrastructure for ADFS. In order to remove dependence on the on-premises infrastructure, we have to provide for ADDS within our virtual data center. I recommend that you create an AD site for the Azure datacenter and bind it to the subnet we are using for Azure virtual machines. I won't walk through that process here, but there is a TechNet article in the references section that explains it succinctly if you don't know how to do that.
Now that we have our VPN between Azure and our on-premises environment up and running (see part 1), we can move forward with creating the needed virtual machines to support our solution. (Links to other articles in the series are in the conclusion.)
Azure Virtual Machines, Affinity Groups, and Availability Sets
Affinity Groups and Virtual Networks
Azure allows us to use Affinity Groups to ensure that our services reside within the same data center cluster. This improves performance by eliminating the latency caused by inter-cluster communications and also potentially reduces cost by allowing for the use of cache and local storage calls. Since all of our Virtual Machines will be on one Virtual Network, and since a given Virtual Network can be associated with only one Affinity Group, all of our Virtual Machines will be in the same Affinity Group.
Availability Sets help to protect nodes (Virtual Machines in our case) from single points of failure. Availability Sets utilize both Fault Domains and Update Domains to accomplish this. When we add two Virtual Machines to an Availability Set, they will be placed into two different Fault Domains. That placement ensures that the machines will run on separate racks of physical server hosts and that they will utilize separate network switches. Sharing an Availability Set will also place the Virtual Machines into separate Update Domains. This placement ensures that maintenance/updates to the underlying host clusters will be performed at different times. Thus, by adding our nodes to an Availability Set, they should not go down for hardware failure nor for scheduled maintenance at the same time. The use of multiple nodes protected by an Availability Set in a service is required to qualify for Azure's SLA.
Microsoft's Windows Azure Virtual Machine (IaaS) and Virtual Network offerings provide some incredible opportunities for a remote datacenter that you can spin up quickly and without breaking the bank. I needed an ADFS environment for an SMB client who was moving to Office 365, wanted to use SSO, but did not want to have to rely on the on-premises environment to be able to access Office 365. I decided to handle all of their ADFS authentication needs using Azure IaaS. (Links to other articles in the series are in the conclusion.)
UPDATE: I had an Azure billing issue that forced me to suspend the writing of this blog series for a while. In the meantime, a new version of DirSync has been released that does password (hash) synchronization. While following this series will still help you get ADFS up and running on Azure, ADFS may not be the best solution for your SMB any longer.
Azure Virtual Networks and Netgear VPN (or other unsupported VPN)
Virtual Network Introduction and Requirements
Azure Virtual Networks allow you to enable the virtual machines you have on their IaaS offering to communicate privately with each other as if they were all connected to the same LAN. Further, you can connect the Virtual Network to your on-premises LAN via a VPN connection to enable your on-premises endpoints to communicate with the Azure Virtual Machines.