SQL Server with Mr. Denny

December 4, 2017  4:00 PM

Managing VMs via Azure Active Directory just got a lot easier

Denny Cherry Denny Cherry Profile: Denny Cherry
Active Directory, Azure, Virtual Machines

Back when Azure and Azure Active Directory got Windows InTune pushing down setting, and specifically oddball settings changes were complex. In the newest release of InTune that is accessible via Azure and Office365 things have gotten much easier. There used to be a InTune menumajor gap, in that you couldn’t run PowerShell. You had to convert it into an EXE, then package it via an MSI and upload the MSI to Azure. Short story, it wasn’t easy.

Now, however, you just need to sign your PowerShell (which was much easier than I was expecting) and upload it to the Azure portal. Then tell Azure which users are assigned to use the PowerShell. After that give the system some time to push to your users, and the PowerShell will be run against the users as needed.

In our case, we’ve got a non-standard VPN configuration, but using PowerShell, I was able to create the VPN connection on users computers easily enough. Let’s look at how it was done. The first step in Azure it two bring up “InTune” from the service list.

After opening up the Intune menu select the Device Configuration option from the Intune menu. This will give you access to where you’ll upload your PowerShell scripts.

Device Configuration Menu

The next step will be to setup a Certificate Authority internally. While this isn’t needed, it’s recommended so that all the users get the CA configuration. From what I’ve been able to tell with a CA in place (and duly registered and synced with Azure) multiple users can sign code and make it available for download and execution by users. For a more extensive IT shop this is going to be critical. For smaller shops, this may not be needed, but it will make life easier.

If you opt not to setup a CA within the network and sync it to Azure, then you’ll need to upload the certificate being used to sign code, and you can only upload a single certificate.

Once the CA is setup and Azure AD sees it (via AD Sync I assume) the menus changes so you can download the sync software. This took about 10 minutes for me when setting this up.

These changes are all done using the “Certification Authority” menu option that you see under “Device Configuration.”

Once the Certificate Authority is setup, you can go into the PowerShell scripts section of the screen. From there just click the “Add” button to add a PowerShell script to Intune.

PowerShell Scripts WindowOnce you’ve added a PowerShell script you can add a name for a PowerShell script and point Azure to the signed PowerShell script so it can be run by users. There’s no much under “Settings” to work with.

The first setting is, is this a user-level script or a system level script. By default, scripts are run by the system account, but there’s a lot of cases where you want things to run at the user level instead, so you’ve got both options available. My script was written as a user-level script, so I set this to “Yes.”

The second setting allows you to force the system to check if the code is signed by a known code-publisher or if InTune doesn’t need to be checked or not. When I was working with this, I left this at “No,” and everything worked exactly according to plan (I also had a CA setup and synced with Azure and Intune).

After creating the script, the Portal should take you to the details of that specific script. The next step would be to change to the “Assignments” page. This is where you configure which domain groups will have access to download and run the script.

When you select “Assignments,” you can select as many groups as are needed to assign to this specific script. Groups can be synced from on-premises, groups which are AAD/O365 only, or even dynamic groups, so users are added automatically based on how settings for the users are configured.

It may seem like there are a bunch of steps to get this completed, but realistically once the PowerShell script is written, it took about 5 minutes to setup the script to be pushed out. After that, it was just a matter of waiting for users systems to refresh and pick up the change.


November 27, 2017  4:00 PM

Should I be blocking outbound ports in Azure by default?

Denny Cherry Denny Cherry Profile: Denny Cherry

The short answer is that yes there are ports that you’ll want to block outbound by default.  There’s a variety of amplification attacks that you have the possibility of being a member of. These attacks aren’t against your systems, but you run the risk of your machines being used to amplify attacks against others. These could be DNS based, NTP Based, or other kinds of amplification accounts.

Occasionally I  get notifications from Azure that they see these ports open, and that you should network Network Security Groups to closed the unneeded ports.

Two of the ports that I’ve needed to deal with recently are UDP 123 and 389.  Blocking these was a minor issue but best practice.

UDP 123 and 389Blocking these in Azure is super low risk and easy to implement,

To be clear there is no inherent risk of being in Azure compared to other platforms.   These sorts of amplification issues can come up in any environment. The beautiful thing about Azure is that they monitor these outbound issues and report back to the end  on what blocking needs to be done for successful implementations,


November 20, 2017  4:00 PM

Being critical without being a crank

Denny Cherry Denny Cherry Profile: Denny Cherry

Tweets, facebook posts and blog posts can be powerfull things.  The have the ability to sway peoples opinions of others, to drive people to buy software, to sell stock, and to make bad decissions.

Posting cranky posts just to get clicks views and retweets does nothing useful but show that all you care about is showing that you want to stir the pot.

SQL Server 2014 Service Pack 1 Sucks and It's All Your Fault

An example of a non-constructive tweet

There are lots of ways of being constructive without fanning the flames.  In the above tweet the author just craps all over someone, I assume the people who made the service pack, with no context or any followup at all.  I get that it’s only a tweet with 140 characters, but there’s ways to get context.  In our next example we see exactly how.  We have a thank you to Microsoft for the lovely lapel pin/magnet, but a warning to people who aren’t used handling rare earth magnets that they need to be kept away from kids.  As it’s a longer post (from Instagram)  there’s a link though to the origional where the rest of the post finishes with “These are dangerous.”. The warning is still given, but without just crapping all over the fact that somone went through the trouble of sending these out to the MVPs.

I love that the new MVP label bling comes with a magnet. Bug please be careful. Keep it safe from kids and pets.

A constructive post

I think my message here is, think before you post.  Think how it’s going to impact others. Not just those you want to have read it, but those who did the thing that you’re writing about. Maybe rephrase how you’re going to post that snarky post and it’ll have more of the desired impact.  I can almost guarantee that the first tweet had no useful impact on the SQL Server product team, where as the second post would have had much more impact to the MVP team when designing the next round of awards.


November 13, 2017  4:00 PM

8TB SSD in Azure vs. 8 1TB SSD in Azure

Denny Cherry Denny Cherry Profile: Denny Cherry
Azure, SSD

With the 8TB SSD drives that Azure has, which makes the most sense to use multiple 1TB SFastSDs or the 8TB SSD drives?  Well that depends.  The 8TB SSDs give you 7500 IOPs and 250 MB/sec, but if I take 8 1TB SSD drives I can get 1600 MB/sec of throughput and 40,000 IOPs in the same amount of space.

Of course I need to stripe the 8 disks together in Windows, but there’s no cost for that. The cost of 8 1TB drives is slightly higher than 1 8TB drive by 114 pounds in the case of this screenshots.  But given the performance difference it’s a cost worth having.

So why would I want the 8TB drive, because I have a GS5 that needs 1/2PB of storage. There’s no “easy” way to do that with 1TB drives.  If/when we get P70+ drives things will get really interesting.







November 6, 2017  4:00 PM

Taking Shortcuts Isn’t Worth It

Denny Cherry Denny Cherry Profile: Denny Cherry

Leaf with a staple in itEveryone takes shortcuts. It’s normal. But we shouldn’t be doing it. It comes with some disadvantages. Sometimes it doesn’t look pretty, sometimes the shortcuts cause performance problems, sometimes they cause bugs in software. Sometimes they cause applications to fails. Our job as IT professionals it’s to do what’s easy. It’s to do what’s in the best interest of the system or company.

Stop putting staples in plants.  Stop taking shortcuts.


November 1, 2017  4:00 PM

Day 1 at the PASS Summit, Welcomes John Morehouse to DCAC

Denny Cherry Denny Cherry Profile: Denny Cherry
SQL Server

John MorehouseToday is Day 1 at the PASS Summit, and there’s going to be all sorts of blog posts all about what’s being announced during the keynote today (I assume). I’ll leave those announcements for others to blog about.

Denny Cherry & Associates Consulting has a big announcement to make today as well.  Starting today, DCAC is expanding by adding another fantastic consultant to our ranks.  This time we’re adding John Morehouse to our growing family. Like the rest of us, John will be working from home which means a co-worker in Kentucky (yea, another set of state paperwork to fill out every month, thanks, John).

John flew in this morning to join the rest of the team for his first day at the “office” which we appreciate.  Leaving the two little ones on a very early flight after Halloween couldn’t have been the most fun thing ever.

John’s has 20 years of IT experience, with over ten years of dedicated SQL Server experience making him an excellent addition to the DCAC organization bringing our in-house team up to about 100 years of IT experience.

When John isn’t traveling to SQL Saturday events, his hobbies include spending him with his kids, reading and vacationing.

We welcome John to DCAC. Come to the exhibit hall and to booth 316 to get some great swag and say hi to John.


October 23, 2017  4:00 PM

Wide open steps, do not a process make

Denny Cherry Denny Cherry Profile: Denny Cherry

bad blog instructionsI found the above instructions on a blog post I was trying to use to fix an issue in visual studio recently. (Ignore the fact that I was in Visual Studio and focus on the screenshot.) This post has 4 step. Step 1, which you can see above has two warnings in it, but now followup information about what to do it you get the errors that it says.  It doesn’t give you links out to posts on how to fix these critical errors.  In fact, I could go no further in working through this issue in Visual Studio. I ended up simply copying the code manually from one branch to another as that took me 20 minutes and I spent 6 hours trying to figure out how to fix the issue.

When it comes to writing blog posts, writing for the expert is fine, but at the least, you need to have links out for the beginner, if not put those details in your post. Not everyone out there is an expert and knows how to use products at the Scott Hanselman level.  If they did we wouldn’t need blog posts on how to do things. Some people like myself and really good in some areas (SQL Server) and not others (Visual Studio) and posts should cater to everyone.


October 16, 2017  5:39 PM

PASS Summit 2017 Speaker Idol Judges

Denny Cherry Denny Cherry Profile: Denny Cherry

I know I’ve been really slacking on getting this year judges list for speaker idol posted. A lot of this is just because of everything else that’s been going on leading up to the PASS summit, specifically my insane travel schedule to SQL Saturday’s Microsoft Ignite, and the SQL 2017 Launch, and shifting the schedule to slide the judges in where possible so there are no conflicts.

Without delay, and in no specific order, here are your 2017 Speaker idol Judges.

  • Karen Lopez
  • Joey D’Antoni
  • Kendra Little
  • Mark Simms
  • Allan Hirt

(Even spelled correctly this year)

I know our judges are going to give all 12 of our contestants some great feedback, and they are going to do a great job picking out first PASS Summit 2018 speaker.


October 12, 2017  5:46 PM

PASS Summit Speaker Idol Lineup Change Redux

Denny Cherry Denny Cherry Profile: Denny Cherry

We’ve had another change to the PASS Summit speaker idol line up. Tzahi has had to withdraw due to work commitments and won’t be able to attend the PASS summit at all this year.  Which is good news for Jeremy Frye as he will be taking the open spot.  Like all the contestants we with Jeremy the best of luck and we’ll see everyone at the PASS summit.

Your new and improved speaker idol line up now stands at:

Your Wednesday lineup for speaker idol is:

  • Jim Donahoe
  • Brian Carrig
  • Jonathan Stewart
  • Robert Volk

Your Thursday lineup for Speaker Idol is:

  • Javier Villegas
  • Eric Peterson
  • Ed Watson
  • Dennes Torres

Your Friday lineup for Speaker Idol is:

  • Daniel de Sousa
  • Joseph Barth
  • Jeremy Frye
  • Simon Whiteley


October 9, 2017  3:00 PM

DR is more than just building an AG

Denny Cherry Denny Cherry Profile: Denny Cherry

Building, implementing and executing a proper DR plan successfully is a challenging undertaking. It is a lot more complicated

Plane missing an engine

than most experienced IT professionals and/or consultants think it is. This is because there are a LOT of moving parts to build a DR platform that’s going to fail over and allow the application to keep working.  I’ve been bringing this point up in my sessions a lot recently. Our job in IT isn’t to build the cool, slick, sexy, solution.  Our job is to make it so that the sales guy can sell widgets.  Whatever widgets your company sells, the job of IT is to help the sales guy sell widgets.  If the sales guy can’t sell widgets (and the shipping department can’t fulfill those orders and everything else that goes with selling widgets) then your company doesn’t get paid. If the company doesn’t get paid, then you don’t get paid. Then you have a pissed off spouse, and a pissed off mortgage company.  And these aren’t good things to have.  So let’s get back to talking about helping the sales team sell widgets.

HA Failover is pretty straightforward. There’s no data loss, everything is done using two-phase commit as it’s all inside the data center.  So I don’t want to talk about that.  I want to talk about when things really fall apart.  The production site fails.  Things are getting really interesting.  Lets design for this.

Now let’s

just talk about what we need to think about.

  • Active Directory
  • IP Space
  • Subnetting
  • Connection String Issues
  • Alerting
  • Remote Access
  • Connectivity
  • End-user application access (web front end)
  • Employee access (web / fat client)

That’s a lot of things that have to be thought about.  You’ll notice that I haven’t even talked about the database stuff yet.  Once we get into the database stuff starts getting more complex.

  • Recovery Point Objective (RPO)
  • Recovery Time Object (RTO)
  • Am I using features that make availability groups not supportable (probably not on current versions)
  • How many replicas do I need?
  • Am I correctly licensed?
  • Can I do this in the cloud?
  • Should I do this in the cloud?
  • How many values do I need to skip for sequences and IDENTITY columns?

This is clearly a complex topic. Because of this, we’ve put together a roundtable of experts on high availability and disaster recovery to have a roundtable discussion to talk about some of this complexities that there are that people stumble on.  The webinar will be at 11 am Pacific Time / 2 pm Eastern Time on Tuesday, October 24th.

To register for the webinar so that we can remind you about it, click over to our registration page.  Download the Outlook calendar entry and we’ll remind you when it’s time for the webcast. Can’t make it on the 24th? No problem. We’ll be recording the webcast and sharing making it available for viewing after for free.

When it comes to DR, you only get one chance. If you screw it up the company goes out of business so you really need to be taking your DR planning experience from the very best. And that’s who we have scheduled for our round table.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: