Monday, October 9, 2017

The gotchas of Azure AD Domain Services in ARM

Not too awful long ago Azure Active Directory Domain Services moved over to the ARM portal from the Azure Classic portal.

Yea! the world said.  And there was much rejoicing.

Now, the real world impacts of this.

There are a few scenarios with Azure AD that folks commonly run in to.

I have not blogged about the relationships of an Azure Tenant and Azure AD.  So let me briefly mention the relationship between these two.
(I will be repeating this all in future posts, as this relationship is important to grok)

An Azure Tenant is the account that you or your company has in Azure.  It is divided into Subscriptions.
Each Subscription is where you 'consume' in Azure, and it is also an isolation boundary: resources in different subscriptions share nothing by default and can only reach each other through public endpoints unless you deliberately connect their virtual networks (peering or a gateway).
Below that you have Resource Groups, which are management containers (and RBAC scopes), not isolation boundaries.
And then you have the actual resources that you get billed for consuming.

All of this together is an Azure Tenant; or, phrased another way, you are a tenant of Azure, and this is your playground and thus your billing entity.
I will keep using the phrase Azure Tenant in this way.
(I run across MSFT folks that use the word Subscription when referring to the Tenant, and it is just plain incorrect and thus confusing as to the ramifications)

Azure AD is an entirely separate thing.  It is this huge multi-tenant cloud based identity provider, with a number of cool features and touch points.
An Azure Tenant must have an associated Azure AD, but an Azure AD has no dependency on an Azure Tenant (or an Office365 tenant - which is yet another entity).

A single company can have multiple Azure AD's (which is highly likely), they could also have multiple Azure Tenants (which is not very likely, but possible).

A single Azure Tenant is associated with one Azure AD (strictly, each subscription trusts exactly one Azure AD directory).  Nuance here: the tenant has one Azure AD, but people from other Azure ADs can be granted access.  Those invited accounts are guest accounts whose home is the other directory; they are not members of yours.

Now.  Some background into the processes that get us into the strange places that folks end up in.

When an Azure Tenant is created, an Azure AD is created for it, with a default domain.
So you end up with an Azure AD where your first account looks like you@tenantName.onmicrosoft.com

This is fine.  It gets you up and running, and then you add your admins, who might be your.admin@yourcompany.com, and they get invited as guests of that directory.  Everything in the Azure Portal works.  Now, let's get into the cases that won't work in this scenario.

This puts you in a very common scenario: the Azure AD associated with your Azure Tenant is not the Azure AD where your corporate user accounts reside.

If all you want is Azure RBAC to give your IT folks administrative access to the Azure Tenant, this is fine, which is why the scenario is more common than most folks want to realize.

Now, let's get to Azure AD Domain Services in ARM.  There is a security boundary here: the Azure Tenant.  When you enable AAD DS in ARM, the managed domain can only be populated from the Azure AD that is associated with the Azure Tenant (the subscription's directory); it cannot read users from any other directory.

Oh, your Azure Tenant Azure AD is not the one with your users?  Oh my!  How do we resolve this?
(trust me, the sarcasm is real here, I can't tell you how many times I have spoken to folks about this and it takes a while for all the dots to connect before they realize the dilemma).

There are three ways to resolve this:
  1. 're-parent' the Azure Tenant.  What does this mean?  It means that you make the Azure AD that holds your users the directory for your Azure Tenant.  In the Azure Portal this is done per subscription ("Move to another Directory").  The impacts: every RBAC role assignment on the subscription is removed, because the old directory's identities mean nothing in the new one, so you need to set it all up again.  Anything else that refers to the old directory's objects (Key Vault access policies, for example) breaks the same way.
  2. Use a vNet.  Logged on to the Azure AD where the users are, create a new Azure Tenant and subscription and turn on AAD DS there.  Then set up a VNet-to-VNet gateway between the vNet in this subscription, where AAD DS and your user accounts are, and a vNet in a subscription of the Azure Tenant where the workloads live that need the domain services AAD DS provides.
  3. Don't use AAD DS.  Stand up Windows Server Active Directory Domain Services on VMs (more than one for a proper deployment) and keep it in sync with Azure AD using Azure AD Connect.  Note the direction: Azure AD Connect syncs from Windows Server AD to Azure AD, never the reverse, so this works when your users already exist in a Windows Server AD forest (put replica domain controllers of that forest in Azure) or you are prepared to make the new forest the source of those accounts.
In the end, this is about your user accounts and the reason you wanted AAD DS in the first place: you need NTLM, Kerberos, LDAP or domain join for something.
Yes, AAD DS is convenient, but the security model that forced it into this particular assumption is not always in line with reality.
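Two checks that go with the scenario above, as an added example (PowerShell; this is not code from the original post): which Azure AD a subscription actually trusts and whether your corporate admins are guests there, and a snapshot of the subscription's role assignments taken before option 1 ('re-parenting'), since that operation drops every one of them.  It assumes the 2017-era AzureRM and AzureAD modules and an account that can sign in to both the subscription and its directory; the subscription id, yourcompany.com and the CSV path are placeholders.

```powershell
<#
 Added example, not code from the original post.
 Assumes: AzureRM and AzureAD PowerShell modules (2017-era cmdlet names) and an account
 that can sign in to the subscription and to the directory it trusts.
 $SubscriptionId, $CorporateDomain and $ExportPath are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $CorporateDomain = 'yourcompany.com',        # where the real user accounts live
    [string] $ExportPath      = ".\rbac-$SubscriptionId.csv"
)

Login-AzureRmAccount | Out-Null
Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null
$sub = Get-AzureRmSubscription -SubscriptionId $SubscriptionId

# 1. Which Azure AD does this subscription trust?  AAD DS in ARM can only sync from that one.
Connect-AzureAD -TenantId $sub.TenantId | Out-Null
$tenant   = Get-AzureADTenantDetail
$verified = Get-AzureADDomain | Where-Object { $_.IsVerified } | ForEach-Object { $_.Name }
"Subscription '{0}' trusts directory '{1}' ({2})" -f $sub.Name, $tenant.DisplayName, $sub.TenantId
"Verified domains: {0}" -f ($verified -join ', ')
if ($verified -notcontains $CorporateDomain) {
    $msg = "{0} is not a verified domain of this directory: accounts from it can only be guests here, " +
           "and an AAD DS managed domain for this subscription will not contain them."
    Write-Warning ($msg -f $CorporateDomain)
}

# 2. Every role assignment in the subscription, flagging invited (guest) accounts.  A guest's
#    sign-in name is the foreign e-mail with '@' replaced by '_', followed by '#EXT#@<directory>'.
$assignments = Get-AzureRmRoleAssignment
$assignments |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope,
                  @{ Name = 'Guest'; Expression = { $_.SignInName -like '*#EXT#@*' } } |
    Format-Table -AutoSize

# 3. Snapshot before 'Move to another Directory': the move removes all of these, and the old
#    ObjectIds mean nothing in the new directory, so keep the sign-in names.
$assignments |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope |
    Export-Csv -Path $ExportPath -NoTypeInformation
"Exported {0} role assignments to {1}" -f @($assignments).Count, $ExportPath

# 4. After the move (sign in again and select the subscription), restore user assignments by
#    sign-in name.  Former guests are now native accounts, so recover the e-mail from the guest UPN.
#    Groups and service principals are directory objects: re-create them in the new directory first,
#    then assign their roles by hand; this function only handles users.
function Restore-RoleAssignments {
    param([Parameter(Mandatory)] [string] $CsvPath)
    foreach ($row in (Import-Csv $CsvPath | Where-Object { $_.ObjectType -eq 'User' })) {
        $upn = $row.SignInName
        if ($upn -match '^(.*)_([^_]+)#EXT#@') { $upn = '{0}@{1}' -f $Matches[1], $Matches[2] }
        try {
            New-AzureRmRoleAssignment -SignInName $upn -RoleDefinitionName $row.RoleDefinitionName `
                                      -Scope $row.Scope -ErrorAction Stop | Out-Null
            "Restored {0} as {1} at {2}" -f $upn, $row.RoleDefinitionName, $row.Scope
        } catch {
            Write-Warning ("Could not restore {0} for {1}: {2}" -f $row.RoleDefinitionName, $upn, $_.Exception.Message)
        }
    }
}
```

Run the script once before changing the directory, keep the CSV, and after the move call `Restore-RoleAssignments -CsvPath .\rbac-<id>.csv`.  If the warning in step 1 fires, your users are guests of the subscription's directory, and that is exactly the case where AAD DS in ARM will not give you the domain you expected.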

Friday, October 6, 2017

Day two as a free agent - looking sideways

If you missed the tale, I was RIF'd and I thought I would spend some time blogging about the experience and whatever I decide to do next.

All of this went down on Wednesday, October 4, 2017 and pretty much wrapped up by noon.  Out of the building. 
My user account was gone by 2pm.  (The things a calendar invite on which you included your personal e-mail account as an attendee can show you, when the other attendee becomes an object that can't be resolved.)

Talking last night, the wife was lamenting that she could not ping me on Skype any longer.  I mentioned that I do still have a Skype for Business account thanks to the MVP program.  And I proudly stated, the domain is blocked by China (ITProctology.com).  She simply looked at me quizzically and said she 'will think about it'

The day started like any other day.  I got up at the 'usual' time, cleaned up, scooped the cat litter, got the kid out of bed.

Kissed the lovely wife as she went off to work, got the kid to the bus stop, checked in the morning HAM radio net from the car.  Then drove all the way...  back home.

7:30am
Well, now what?  I have had a list of all kinds of things I have needed to get done.

Cold morning, checked the air in the tires, a bit low.  Grabbed the air compressor and resolved that.

Kind of chilly in the workshop, fired up the stove.
Looked at the wood scraps and thought of the cat tree the wife wants me to build.  Not feeling it.

7:45am
Watched an MVP PGI from yesterday that I missed. 
Got distracted by:
dirty dishes, cats fighting, HAM hobby antenna research, smelly garbage can, full recycling can, making list of items for another project from the hardware store, checking email (each time a notification popped up), checking LinkedIn, checking Twitter, checking Facebook.
I listened to the recording and viewed the visuals for the part I really wanted to see.

8:45am
Could really use a latte, warm, frothy, 15 minute drive - um, no.
Eventually feeling parched.  Looking for something cold and carbonated.  Hmm, no cold beverage fridge.
Tea it is I guess.

9:30am
Made notes of other follow up items I needed to do with HR.
Returned call to HR from yesterday (they called while I was in the middle of the only thing I had scheduled all day) - ring, ring, ring, disconnect.
I think, that was curious - I will try again later, she may have been on the phone with someone.

9:45 am
Phone rings - it's Cabo (Mexico); they want to know when I can come visit.  Um, no...

10:00am
Start typing this

10:13am
All caught up
Checked email, read an article the wife sent, investigated LinkedIn Premium, looked around thinking "what next"

10:30am
Yea! spam to delete

And a little after that, my entire attempt at writing a humorous blog post was ruined.
(the following falls into a category that I won't name.  The comments are not disparagement to my former employer.)

I finally got hold of my HR representative, all was fine, my questions were answered.
Then I was asked a few questions (that I had already answered).
They wanted to know the accounts that I was using to access particular resources so they could be deactivated.  No problem.  I gave the account names.
Then I was asked for the passwords to those accounts.  Um.  No.  Just no.
My GitHub account.  They wanted the password to my GitHub account.  No, I never had a 'corporate' GitHub account.  They can just remove my account from the 'company' in GitHub.
And besides, I have access to other repositories that have nothing to do with my former employer. How can I trust the people that I am giving access to _my_ account?

Right there, any groove I had at writing humor was ruined.

So, I simply stepped away from everything for the remainder of the day.  And focused on other projects around the house.
Now, I still can't get this incident out of my head.  It is 5pm and I have to finish this post.

It is Friday.  Monday will bring a new adventure.  And a new post.
That one will actually be technical, and very useful to many folks.




Thursday, October 5, 2017

Day one as a free agent - looking back

tl;dr
This is my therapy for working through the emotions of being RIFed; this is not any commentary on my previous employer.
As I open up about my experience, I hope to be helpful to others in at least letting you know you are not alone in your experience.
This is me, pretty raw.

Thursday, October 5 2017 6am

I thought I was doing pretty well this morning.
Then I saw a ping from a long time co-worker through LinkedIn.  That was okay.
It was when my phone reminded me that it was time to go to work...  That really stirred up the emotions.

It suddenly dawned on me that I have not been out of work for 30 years.  20 of those years in the IT industry.  The changes I have seen and been part of in some way.  It is crazy.
But, it is this that makes the emotion - the abrupt loss of comrades.  Folks I have worked on projects with, suffered with, celebrated with, tackled big ideas and problems with.
The forced end of time at the office really touches this emotional well of feelings.  This is where the feelings come from, very guttural and powerful.

I have always been a person that was broad across a number of technologies.  It gave me a valuable wide angle lens; the systems view of IT.  The dependencies, connections, combinations and touch points.  How this impacted that and so on.
I have worked with a number of younger folks that lack this view, or approached another way; lack the experience to have this view.

I have long had two statements for every manager I have worked for:
  1. Keep me relevant
  2. My job is to make you look good.  Your job is to be my shit screen.
Keep me relevant - that has always been important.  It is my way of expressing that I want to grow and I want to be involved in the company growing, in one simple statement.

My job is to make you look good - that is one that some folks have had a hard time with when I mention it.  It is me appealing to something that my manager needs, he / she needs successful people and a strong team.  That makes them look good, and keeps them relevant and valuable.

It is all a synergy of feedback loops.  And quite honestly, these simple statements of relationship I think have been very powerful in my past success.  Doors have been opened for me, and I have been allowed to organically take and make opportunities as a result.

I cannot be more grateful to my last manager (who ended up being my neighbor (that was strange for a while)).  He saw something in me and harnessed it, supported it, opened doors, and allowed me to just go.  It was great.
I did not fall into the 4 years and I am bored trap.  The work stayed interesting and challenging.  And that is so incredibly important.

I also found a mentor for a couple years in there.  Not with my former employer though.  He helped me realize many things and to envision others.  That is a relationship that I need to renew, without the encumbrance of the employer relationship.

But in writing this one thing has occurred to me.
While I left behind lots of valuable works, great ideas, and intellectual property - they can't keep what is in my head.  I still have ideas, I still have knowledge, I still have worth and value.  All of those experiences - those belong to me and not to my former employer.
That is my worth as I look back to figure out how to look forward.

I have carried with me a couple office artifacts for many years now.  One a cover from an Internet magazine long gone (not an online magazine, a magazine about the business of the Internet), the second a Calvin and Hobbes cartoon.

http://www.gocomics.com/calvinandhobbes/2013/10/17

Right now I am listening to the Passacaglia and Fugue in C minor, which should only be played on a pipe organ, and the best version I have ever heard was recorded by Virgil Fox at the Fillmore East.  C minor is the umami of musical keys.  It is earthy, rich, flavorful.
I have listened to this piece for years, generally as loud as my speakers can tolerate without distortion. It is 15 minutes that always helps me clear my head and release emotional tension.

Today, I am posting early.  I have some resources to check out, and I am going to spend the afternoon with my tattoo artist, finishing the work he started a few months ago.
Nothing more relaxing than some time under the needle.

Being laid off sucks

tl;dr
There was a substantial RIF yesterday
Being RIF'ed sucks
Yea, I am okay.  And this blogging is therapeutic.
No, this is not sour grapes, and I am not disparaging my previous employer in any way.  Please don't take any comments in that way, that is not the intent.
That is your warning, read on if you like.

Wednesday, October 4, 2017 6am

My mind has been buzzing in a thousand different directions lately.  My team and I have been working under rumors of 'cost reductions', and our work site has appeared to be one of the targets.

Quite frankly, the entire company has been on edge for two weeks now.  Internal email volume has reduced to a trickle, chatter on Slack has trickled down to only the really critical questions or help.  Really obvious that most everyone at this point in time knows that something is up.

I am beginning this story in the morning of the 'big day'.  My brain has been busy half the night working on this, and it just needs to get out of my head.

I wonder how many on my team are going to wear a red shirt into work today, as I have...

Needless to say, my emotions are mixed at this point.  The one upside of rumors is that once the threads start to come together, it helps you move through the stages of grief.  And the meeting invitation that many of us received I hope will be a relief, since the anticipation can stop and reality will be known.

I can say this, no matter the face you put on this; it really is emotional.  It is really easy to feel depressed and to feel unvalued.
I honestly didn't think that writing this would be as difficult as it is seeming to be.  But I am at the point of letting go, of what I am not clear.  And I think that is the struggle.

I have worked at my current company and office for 10+ years.  I have made friends, worked with some incredibly smart people, worked on some incredibly cool and innovative projects.  I have nothing to regret for my work, or the experience I have gained. 

So many things that I have been involved in, that I could not share, could not talk about to anyone other than my team.
Until earlier this year I was in a research team.  We were always forward looking, strategic in our projects, and very early in our efforts.
Changes were made and that group was dissolved and we became a more traditional development team.  Definitely different work.

For me, I was finally able to work on one of my passions: customer success.  That was great.  What was not great was the internal struggles due to the way the business processes, internal feedback, and internal silos reinforced thinking.  This frustration of my position I will not miss.
And I have to say, 'speaking' that frustration is relieving.  But I don't want this to be about sour grapes.  It really isn't.

I wanted this to be about moving through and moving on.  This is the first time I have been on this side of a layoff.
I have been one of the lucky ones to remain behind multiple times, both in a leadership position and as an independent contributor.  That is not simple, that is emotional and disruptive as well.

I have to look at this as the kick in the butt to remake myself (again).
This would not be the first professional shift in my life.  I have remade myself many times, and risen to the occasion each time.  Then it is always the question of "what's next?"

This time it is different, the first question in my head is "now what?"  and I have to consciously place that aside and ask "what's next?"
That is what I need to focus on and simply think about what excites me, what challenges me, what can highly engage me for the next 10 years.

Now, I am going to take a pause from writing, head into work, and do what a team does as we wait for the meeting that outlines our fate.  Nothing anxious about that at all....  :-S

Wednesday, October 4, 2017  12pm

The message has been delivered.
I have had a chance to talk to HR to clarify some questions about the severance.
There is a strange feeling of relief.  I am simply pretty numb to the whole thing.
Strange.
Standing around talking with my co-workers that have been tasked with escorting us out.  What a sucky task.  Being a survivor of these things in the past, not a great mental place to put the remaining folks in.

And that's it.
Move on, go away.  Bye.
That is it.
That is the feeling.
Have I said it is kind of surreal?

A few of us retired for the afternoon to a local business to have lunch, a couple beers, and play Dungeons and Dragons for a few hours.
That was a good distraction.

That is all for now, more tomorrow.  As I am sure there will be more tomorrow.  And as I mentioned, this is therapeutic.




Monday, July 31, 2017

Isolating Citrix Cloud in your Azure Tenant

I have recently been studying issues that customers are having when trying to stand up a proof-of-concept environment for Citrix Cloud in Azure.

Most of these customers are standing up the full XenApp and XenDesktop Service.  However, our Citrix Cloud Services all have the same basic needs for any customer:
  1. Azure Subscription (for workers and infrastructure)
  2. App Registration (this is a service principal in your Azure AD, the service account our cloud based control plane uses to perform worker lifecycle events within a subscription; grant its role at the scope of the Citrix subscription only, so it has no rights over the rest of your tenant)
  3. Virtual Network (the machines need IP addresses)
  4. Active Directory (there is a much larger discussion here, but either a read / write Domain Controller VM  or the Azure Active Directory Domain Service will work)
  5. The DNS servers of the Virtual Network must be your Active Directory domain controllers
  6. Cloud Connector machines (the connection between the machines in the subscription and the control plane)
  7. Some type of 'golden' image that is provisioned into the worker machines your end customers get their work done on.

Growing this conversation from the bottom up:

Each customer of Azure has at least one Azure Tenant.
This is your account in Azure.  It is the highest level of connection between Azure and you, the customer.
Within your Azure Tenant you have Subscriptions.
Subscriptions are billing boundaries and service boundaries: services in different subscriptions cannot 'talk' to each other without extra work, as if they were in different buildings.

Isolating Citrix Cloud in your tenant:


Can you isolate Citrix Cloud to its own Subscription in your Azure Tenant?  Yes!  And that is actually the topology that I am going to describe here.  How to isolate Citrix Cloud from your corporate infrastructure.

Common project slow down points that I have heard are:  modifications to existing virtual networks and protecting Active Directory.  

Focusing on the Virtual Network issue first:

You CAN create a virtual network dedicated to your Citrix Cloud deployment.
The important things to remember are:
  • You need a route to your Active Directory (and the domain controllers must accept AD traffic from the Citrix address space)
  • You must set the DNS servers of the Citrix Cloud virtual network to the AD domain controllers
The DNS setting is the most common place where customers trip up.  The Azure-provided default DNS knows nothing about your AD zone, so the Cloud Connectors and workers cannot locate a domain controller and domain join fails.

The three models as pictures:

Pictures often tell a story faster and easier; I wanted to provide them to get you thinking about your own topology as well.

If your Active Directory is on the same Virtual Network, you are most likely golden (once the DNS setting is correct).

If your Active Directory machine(s) are on a different Virtual Network in the same subscription, you can use peering between the two virtual networks (created from both sides, with non-overlapping address spaces).

If your Active Directory machine(s) are on a different Virtual Network in a different subscription, you need a VNet-to-VNet gateway between the two virtual networks (peering across subscriptions is possible only when both subscriptions trust the same Azure AD and you have rights in both).
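The dedicated-network setup described above (the DNS setting that customers trip on, and the same-subscription peering model), as an added example in PowerShell.  This is not Citrix's or the original post's code.  It assumes the 2017-era AzureRM module, rights on both virtual networks and domain controllers that already exist; the network names, resource groups, 10.x addresses and corp.example.com are placeholders.

```powershell
<#
 Added example, not code from the original post or from Citrix.
 Assumes: AzureRM module, rights on both virtual networks, and domain controllers that
 already exist.  Names, resource groups, addresses and corp.example.com are placeholders.
#>
$CitrixVnetName    = 'vnet-citrix'          # dedicated Citrix Cloud network
$CitrixRg          = 'rg-citrix'
$AdVnetName        = 'vnet-corp-identity'   # network that holds the domain controllers
$AdRg              = 'rg-corp-identity'
$DomainControllers = @('10.10.0.4', '10.10.0.5')   # private IPs of the DCs (also the DNS servers)
$AdDnsName         = 'corp.example.com'

function Test-PrefixOverlap {
    # True when two IPv4 CIDR prefixes share any address (compared under the shorter mask).
    param([string] $A, [string] $B)
    $toInt = {
        param([string] $Ip)
        $bytes = ([System.Net.IPAddress]$Ip).GetAddressBytes()
        [Array]::Reverse($bytes)
        [BitConverter]::ToUInt32($bytes, 0)
    }
    $ipA, $lenA = $A.Split('/'); $ipB, $lenB = $B.Split('/')
    $len  = [Math]::Min([int]$lenA, [int]$lenB)
    $mask = ([uint64]0xFFFFFFFF -shl (32 - $len)) -band [uint64]0xFFFFFFFF
    return (((& $toInt $ipA) -band $mask) -eq ((& $toInt $ipB) -band $mask))
}

Login-AzureRmAccount | Out-Null
$citrix = Get-AzureRmVirtualNetwork -Name $CitrixVnetName -ResourceGroupName $CitrixRg
$ad     = Get-AzureRmVirtualNetwork -Name $AdVnetName     -ResourceGroupName $AdRg

# 1. Peering is refused when address spaces overlap, so check before touching anything.
$conflicts = foreach ($p in $citrix.AddressSpace.AddressPrefixes) {
    foreach ($q in $ad.AddressSpace.AddressPrefixes) { if (Test-PrefixOverlap $p $q) { "$p overlaps $q" } }
}
if ($conflicts) { throw "Cannot peer these networks: $($conflicts -join '; ')" }

# 2. DNS for the Citrix VNet must be the domain controllers.  Azure-provided DNS (the default)
#    cannot resolve the AD zone or its _ldap/_kerberos SRV records, so domain join fails.
if (-not $citrix.DhcpOptions) {
    $citrix.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$citrix.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$DomainControllers
$citrix = Set-AzureRmVirtualNetwork -VirtualNetwork $citrix

# 3. Same subscription, different VNets: peer them.  A peering is two half-links; create both.
Add-AzureRmVirtualNetworkPeering -Name 'citrix-to-ad' -VirtualNetwork $citrix -RemoteVirtualNetworkId $ad.Id     | Out-Null
Add-AzureRmVirtualNetworkPeering -Name 'ad-to-citrix' -VirtualNetwork $ad     -RemoteVirtualNetworkId $citrix.Id | Out-Null

# 4. Check: both halves must read 'Connected', and the DNS servers must be on the Citrix VNet.
#    VMs that were already running only see the new DNS servers after a restart (lease renewal).
Get-AzureRmVirtualNetworkPeering -VirtualNetworkName $CitrixVnetName -ResourceGroupName $CitrixRg |
    Select-Object Name, PeeringState
Get-AzureRmVirtualNetworkPeering -VirtualNetworkName $AdVnetName -ResourceGroupName $AdRg |
    Select-Object Name, PeeringState
(Get-AzureRmVirtualNetwork -Name $CitrixVnetName -ResourceGroupName $CitrixRg).DhcpOptions.DnsServers

# 5. Run this one on a Cloud Connector or worker VM inside the Citrix VNet, not from the admin
#    workstation: can the machine locate a domain controller through the VNet's DNS servers?
function Test-DomainDns {
    param([string] $Domain = $AdDnsName)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "No DC SRV records for $Domain; check the VNet DNS servers and the route to them"
        return $false
    }
    $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port | Format-Table -AutoSize
    return $true
}
```

If the AD network is in another subscription that trusts the same Azure AD, run each `Add-AzureRmVirtualNetworkPeering` under the subscription context that owns that side of the link (`Select-AzureRmSubscription` before each call); if the subscriptions trust different directories, replace step 3 with a VNet-to-VNet gateway and keep steps 2 and 5 exactly as they are, because the DNS requirement does not change with the connectivity model.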