Lost Access to Azure Windows Instance



  • Has anyone worked with Windows on Azure? (The IaaS service?) I built a server and everything was working fine. It joined the domain and was accessible. After a reboot, RDP and PowerShell Remoting (and PsExec) are all blocked. I get the NLA (Network Level Authentication) error and nothing works.

    Now I let it sit for a while and access was available again. Very odd. Just wondering if anyone has run into this and, if so, what would you do to access the instance since there is no console access!! Obviously disabling NLA is one option, now that things work, but we would obviously prefer the extra security. But we need something to ensure that we can get access should something go wrong as well.

    Thoughts? Experiences?



  • @scottalanmiller said:

    Has anyone worked with Windows on Azure? (The IaaS service?) I built a server and everything was working fine. It joined the domain and was accessible. After a reboot, RDP and PowerShell Remoting (and PsExec) are all blocked. I get the NLA (Network Level Authentication) error and nothing works.

    Now I let it sit for a while and access was available again. Very odd. Just wondering if anyone has run into this and, if so, what would you do to access the instance since there is no console access!! Obviously disabling NLA is one option, now that things work, but we would obviously prefer the extra security. But we need something to ensure that we can get access should something go wrong as well.

    Thoughts? Experiences?

    What changed between joining it to the domain and the second reboot? Are there any firewall-specific group policies in place (or lack thereof?) Did any of the other instances on your virtual network experience the same issue?



  • Possible it was stuck applying updates? Cause to my knowledge those security policies wouldn't "change" after a period of time.



  • @alexntg said:

    @scottalanmiller said:

    Has anyone worked with Windows on Azure? (The IaaS service?) I built a server and everything was working fine. It joined the domain and was accessible. After a reboot, RDP and PowerShell Remoting (and PsExec) are all blocked. I get the NLA (Network Level Authentication) error and nothing works.

    Now I let it sit for a while and access was available again. Very odd. Just wondering if anyone has run into this and, if so, what would you do to access the instance since there is no console access!! Obviously disabling NLA is one option, now that things work, but we would obviously prefer the extra security. But we need something to ensure that we can get access should something go wrong as well.

    Thoughts? Experiences?

    What changed between joining it to the domain and the second reboot? Are there any firewall-specific group policies in place (or lack thereof?) Did any of the other instances on your virtual network experience the same issue?

    Nothing changed. Just the reboot. And eventually it was accessible.



  • @scottalanmiller said:

    @alexntg said:

    @scottalanmiller said:

    Has anyone worked with Windows on Azure? (The IaaS service?) I built a server and everything was working fine. It joined the domain and was accessible. After a reboot, RDP and PowerShell Remoting (and PsExec) are all blocked. I get the NLA (Network Level Authentication) error and nothing works.

    Now I let it sit for a while and access was available again. Very odd. Just wondering if anyone has run into this and, if so, what would you do to access the instance since there is no console access!! Obviously disabling NLA is one option, now that things work, but we would obviously prefer the extra security. But we need something to ensure that we can get access should something go wrong as well.

    Thoughts? Experiences?

    What changed between joining it to the domain and the second reboot? Are there any firewall-specific group policies in place (or lack thereof?) Did any of the other instances on your virtual network experience the same issue?

    Nothing changed. Just the reboot. And eventually it was accessible.

    Is it a DC or Exchange server?



  • check your logs 🙂



  • @Hubtech said:

    check your logs 🙂

    That's a safe bet. Wild hunch is that it sounds like it might be a DC that's stuck waiting for the DNS service to start, or is pointed at servers that are unavailable. That, or a resource-starved Exchange server.
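An added diagnostic script (not from any poster in this thread) that checks the hypothesis above once the box is reachable again, or from another machine via `Invoke-Command` if WinRM is up: it reports the state of the services NLA-protected RDP and WinRM depend on (RDP listener, WinRM, Netlogon, Kerberos KDC, DNS Server and client), whether NLA is required and RDP is denied in the registry, the DNS servers the box is pointed at, whether the secure channel to a DC validates, and any Service Control Manager start failures or timeouts in the System log. The function name, parameter and lookback window are assumptions for this example; it assumes an elevated session on Windows Server 2012 or later.

```powershell
# Added example: post-reboot access-path health check for a Windows VM that
# threw NLA errors for RDP / PowerShell Remoting after a restart.
# Run locally, or: Invoke-Command -ComputerName <vm-name-placeholder> -FilePath .\Test-AccessPath.ps1
# Assumes an elevated PowerShell session; function name and parameter are assumptions.

function Test-AccessPath {
    [CmdletBinding()]
    param(
        # Hours of System log history to inspect (constructed default).
        [int]$LookbackHours = 2
    )

    # Services whose failure explains an NLA error on a domain member or DC:
    # NLA needs the box to reach a DC (Netlogon, KDC, DNS), and RDP and
    # WinRM each need their own listener service.
    $serviceNames = 'TermService', 'WinRM', 'Netlogon', 'Kdc', 'NTDS', 'DNS', 'Dnscache'
    $services = foreach ($name in $serviceNames) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) {
            [pscustomobject]@{ Service = $name; Status = $svc.Status; StartType = $svc.StartType }
        } else {
            # NTDS, Kdc and DNS are only present on a DC / DNS server.
            [pscustomobject]@{ Service = $name; Status = 'NotInstalled'; StartType = $null }
        }
    }

    # RDP settings: UserAuthentication=1 means NLA is required;
    # fDenyTSConnections=1 means RDP is disabled outright.
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $denied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # DNS client configuration: a DC pointed only at itself before its DNS
    # service is up, or at an unreachable server, cannot validate logons.
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, ServerAddresses

    # Secure-channel check against a DC; false when no DC can be reached.
    try {
        $secureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $secureChannelOk = $false
    }

    # Service Control Manager events for start failures (7000/7001/7023/7024)
    # and start timeouts or hangs (7009/7011/7022) inside the lookback window.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $startIssues = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            StartTime    = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 7000, 7001, 7009, 7011, 7022, 7023, 7024 } |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        Services           = $services
        NlaRequired        = ($nla -eq 1)
        RdpDenied          = ($denied -eq 1)
        DnsServers         = $dnsServers
        SecureChannelOk    = $secureChannelOk
        ServiceStartIssues = $startIssues
    }
}

# Usage: print the report for the last two hours of boot activity.
Test-AccessPath | Format-List
```

If `SecureChannelOk` is false while `Netlogon`, `Kdc` or `DNS` show as `Stopped` or `StartPending`, or the log carries 7009/7022 timeouts for them, the NLA failure is a symptom of the DC-side startup order rather than of RDP itself, which matches the "wait it out" outcome described in this thread.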



  • No Exchange in the environment. DNS or AD might do it.

    But the question was.... How would we get access if this happens?



  • @scottalanmiller said:

    No Exchange in the environment. DNS or AD might do it.

    But the question was.... How would we get access if this happens?

    Wait it out. Otherwise, remotely manage it from another machine and adjust its services as needed. There's also LogMeIn, which generates a viewable session long before RDP starts up.



  • Was already getting LMI on there. But no workarounds on Azure as far as I can tell. If this happens the box is just "lost".



  • @scottalanmiller said:

    Was already getting LMI on there. But no workarounds on Azure as far as I can tell. If this happens the box is just "lost".

    Could you please rephrase that? Were you able to connect to LogMeIn, but couldn't log into the server, or you weren't able to connect via LogMeIn?



  • @alexntg said:

    @scottalanmiller said:

    Was already getting LMI on there. But no workarounds on Azure as far as I can tell. If this happens the box is just "lost".

    Could you please rephrase that? Were you able to connect to LogMeIn, but couldn't log into the server, or you weren't able to connect via LogMeIn?

    The question is about just Azure. If you have a Windows server on Azure and ANY tool you are using loses access.... What is the fallback?

    On Rackspace it is.... Go to console. On Azure it appears to be "rebuild and start over". Is that true?



  • No idea. I don't play in Azure.



  • I've used Rackspace a ton and some of AWS and Softlayer. Had to round it out.



  • They each have their nice features. For the SMB, though, Rackspace is the clear winner. Azure and AWS have little accommodations for SMB style use and assume a lot of things that don't turn out to be true in the SMB. They are clouds to be clouds. Rackspace is a cloud with a strong VPS functionality.



  • @Hubtech said:

    No idea. I don't play in Azure.

    Likewise. I'm an AWS person. At least in AWS, you can restore back to the last snapshot of the machine you took (assuming you took one). If you do something like give it a bad IP address or it bluescreens, your options are to reboot, restore from backup, or rebuild from scratch.



  • @scottalanmiller said:

    @alexntg said:

    @scottalanmiller said:

    Was already getting LMI on there. But no workarounds on Azure as far as I can tell. If this happens the box is just "lost".

    Could you please rephrase that? Were you able to connect to LogMeIn, but couldn't log into the server, or you weren't able to connect via LogMeIn?

    The question is about just Azure. If you have a Windows server on Azure and ANY tool you are using loses access.... What is the fallback?

    Have multiple tools in place. If you're using RDP and that fails, try connecting via LogMeIn, or vice versa. There's also remote management from another box on the same network. If all 3 fail, there's something bad happening with the machine.



  • @alexntg said:

    @scottalanmiller said:

    @alexntg said:

    @scottalanmiller said:

    Was already getting LMI on there. But no workarounds on Azure as far as I can tell. If this happens the box is just "lost".

    Could you please rephrase that? Were you able to connect to LogMeIn, but couldn't log into the server, or you weren't able to connect via LogMeIn?

    The question is about just Azure. If you have a Windows server on Azure and ANY tool you are using loses access.... What is the fallback?

    Have multiple tools in place. If you're using RDP and that fails, try connecting via LogMeIn, or vice versa. There's also remote management from another box on the same network. If all 3 fail, there's something bad happening with the machine.

    In this case, LMI wasn't installed yet. And access from other machines on the same network was what was failing.



  • Can't just revert back a DC.



  • @scottalanmiller said:

    Can't just revert back a DC.

    In that case, it'd be a simple matter of tossing the old DC and spinning up a new one. More of an annoyance than anything else.



  • @alexntg said:

    @scottalanmiller said:

    Can't just revert back a DC.

    In that case, it'd be a simple matter of tossing the old DC and spinning up a new one. More of an annoyance than anything else.

    Yes. Mostly stateless. Would be scary if you put all DCs on Azure though. Or any live/live system like this where an environmental change might lock out the entire environment.



  • So did this happen to you? Or was this a "what if" situation?



  • @scottalanmiller said:

    @alexntg said:

    @scottalanmiller said:

    Can't just revert back a DC.

    In that case, it'd be a simple matter of tossing the old DC and spinning up a new one. More of an annoyance than anything else.

    Yes. Mostly stateless. Would be scary if you put all DCs on Azure though. Or any live/live system like this where an environmental change might lock out the entire environment.

    I have my entire environment on AWS, spread across two geographic regions with a site-to-site VPN. Upping it a level would be putting one part on AWS and the other on Azure, with a site-to-site VPN between the two.



  • @Hubtech said:

    So did this happen to you? Or was this a "what if" situation?

    Really happened but while testing. So no bad outcome. So it's a "what if" now.



  • @alexntg said:

    @scottalanmiller said:

    @alexntg said:

    @scottalanmiller said:

    Can't just revert back a DC.

    In that case, it'd be a simple matter of tossing the old DC and spinning up a new one. More of an annoyance than anything else.

    Yes. Mostly stateless. Would be scary if you put all DCs on Azure though. Or any live/live system like this where an environmental change might lock out the entire environment.

    I have my entire environment on AWS, spread across two geographic regions with a site-to-site VPN. Upping it a level would be putting one part on AWS and the other on Azure, with a site-to-site VPN between the two.

    Yes. Having one node in Rackspace would have protected against this.

