Azure Insights: Azure DNS error messages; Azure CLI; Weak protocols; Log Analytics; Managing APIs

August 7 2019

This week, Azure pros share their insights on Azure DNS error messages, installing Azure CLI on Windows, disabling weak protocols and more.

Azure DNS error messages

Anderson Patricio, writing on TechGenix, described a common error message when using a VNet with Azure Private DNS that reads "Set-AzDNSZone: Virtual networks that are non-empty (have Virtual Machines or other resources) are not allowed during association with a private zone." With the Private DNS still in public preview, Microsoft is working to resolve the problem, but for now users will simply need to configure Private DNS correctly. Once it's configured they can go ahead and add servers to the VNet.

Installing Azure CLI on Windows

Thomas Maurer went over how to install Azure CLI on Windows using PowerShell. He included a single-line command that users can run after starting PowerShell as administrator. Extra configuration may be needed when running behind a proxy. Alternatively, a single line of code also works set up CLI in an isolated Docker environment. "One of the settings which I really like to change is the default output from JSON to table," he wrote, adding:

I personally love that PowerShell gives me objects and especially in scripts, this makes things much easier for me. However, when it commands to do something in a one-liner quickly, the Azure CLI experience often works better for me. So it really depends on what you prefer…

Disabling weak protocols

Microsoft MVP, Sander Berkouwer, writing on The Things That Are Better Left Unspoken, assessed how to disable weak protocols and other attributes for systems running Azure Active Directory Connect. Cipher suites, protocols and hashing algorithms encrypt traffic with Hybrid Identity implementations, which rely on Azure AD Connect, Active Directory Federation Services and Web Application Proxies. Microsoft recommends hardening the security arrangements between these systems, but an unsuccessful hardening effort can cause the Hybrid Identity implementation to breakdown.

For getting started, Berkouwer recommends logging in with high-level permissions and notifying people in charge of Active Directory, load balancer, backups and SIEMs. It may be a good idea to disable protocols like PCT v10 SSL v2 or v3 and some TLS versions or a variety of weak cipher suites such as RC2, NULL and DES. This can be accomplished using PowerShell scripts. Berkouwer wrote:

Typically, hardening is rolled out to one Windows Server. When testing the hardening of the functionality behind the load balancer, make sure that the load balancer points you to the hardened system, not another one. In an environment with a Staging Mode Azure AD Connect installation, the hardening can be performed on this Windows Server installation and tested with the normal Staging Mode (imports only) synchronization cycles.

Setting Active AD Connect to use TLS 1.2 exclusively

About MSDW Reporter

More about MSDW Reporter

Azure Services