Set-AzureRmSqlDatabase command is failing while lowering the Azure SQL DB pricing tier due to key vault soft delete - powershell

I'm using an automated PowerShell script to downgrade the pricing tier of the database backup copy. When I supply the command below, the tier downgrade fails. The error, if I understood correctly, is referring to a key vault with a key named the same as my server name; since no such key exists (hence soft delete cannot be enabled either), this command fails.
The command was set up when my application was not set up with key vault, and it seems that now it's failing.
Command used:
Set-AzureRmSqlDatabase -DatabaseName <*Back-up DB name*> -ServerName <*SQL server name*> -ResourceGroupName <*Resource Group name*> -Edition Standard -RequestedServiceObjectiveName S0
Error:
Set-AzureRmSqlDatabase : 45377: The provided Key Vault uri
'https://****.vault.azure.net/keys/<SERVERNAME>/<Subscription/some
ID> is not valid. Please ensure the key vault has been configured
with soft-delete. (https://aka.ms/sqltdebyoksoftdelete) At line:1
char:2
+ Set-AzureRmSqlDatabase -DatabaseName <Back-up DB name> -ServerName <SQL server name>...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzureRmSqlDatabase], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Sql.Database.Cmdlet.SetAzureSqlDatabase
Questions:
1. Why is the Set-AzureRmSqlDatabase command referring to a key vault URI when it is not mentioned explicitly?
2. Is there an option we need to set at the server/DB level to allow this command to read the server/DB name directly rather than searching for a key with the server name?
3. Is this in any way related to Transparent Data Encryption?
4. Are we supposed to make any changes to this command if the key vault comes later than the application/DB/key-vault set-up?

This issue was purely related to TDE (Transparent Data Encryption), as I thought. Since the Azure SQL databases were secured by TDE, it was expected that the key vault should also have soft delete enabled, to recover any deleted keys.
While trying to enable soft delete, I figured out that the Azure PowerShell installed on my machine doesn't support the soft delete property.
I was able to resolve this issue with the following steps:
Upgraded PowerShell:
Installation Package
Log in to your Azure subscription and run this command
$vault = Get-AzureRmKeyVault -VaultName myvault; $vault.EnableSoftDelete
If the above doesn't work run the below command. This will find the resourceId of the key-vault and then will enable soft-delete -
($resource = Get-AzureRmResource -ResourceId (Get-AzureRmKeyVault -VaultName "YourKeyVaultNameHere").ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enableSoftDelete" -Value "true"
Set-AzureRmResource -resourceid $resource.ResourceId -Properties $resource.Properties
Verify that key vault soft delete is enabled with the command below
Get-AzureRmKeyVault -VaultName "YourKeyVaultNameHere"
Hope this would be helpful for someone facing the similar issue.
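
A pre-flight check for the failure described in this thread, as an added example that is not part of the original posts: it looks up the server's TDE protector and, if the key is customer-managed in Key Vault, confirms that the vault has soft delete enabled before the tier change is attempted. The function name Test-TdeVaultSoftDelete and the angle-bracket values are placeholders; it assumes the AzureRM.Sql and AzureRM.KeyVault modules and that ServerKeyVaultKeyName has the form <vault>_<key>_<version>.

```powershell
# Added example (hypothetical helper, not from the original thread).
function Test-TdeVaultSoftDelete {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ServerName
    )

    # Which key protects TDE on this logical server?
    $protector = Get-AzureRmSqlServerTransparentDataEncryptionProtector `
        -ResourceGroupName $ResourceGroupName -ServerName $ServerName -ErrorAction Stop

    if ($protector.Type -ne 'AzureKeyVault') {
        Write-Verbose "TDE protector is service-managed; no key vault is involved."
        return $true
    }

    # Assumption: the key name is <vault>_<key>_<version>; vault names cannot contain '_'.
    $vaultName = ($protector.ServerKeyVaultKeyName -split '_')[0]
    $vault = Get-AzureRmKeyVault -VaultName $vaultName

    if (-not $vault) {
        Write-Warning "Vault '$vaultName' is not visible in the current context (other subscription or no access)."
        return $false
    }
    if (-not $vault.EnableSoftDelete) {
        Write-Warning "Vault '$vaultName' does not have soft delete enabled."
        return $false
    }
    return $true
}

# Placeholders: substitute your own names.
$rg = '<Resource Group name>'; $server = '<SQL server name>'; $db = '<Back-up DB name>'

if (Test-TdeVaultSoftDelete -ResourceGroupName $rg -ServerName $server -Verbose) {
    Set-AzureRmSqlDatabase -DatabaseName $db -ServerName $server -ResourceGroupName $rg `
        -Edition Standard -RequestedServiceObjectiveName S0
} else {
    Write-Error "Fix the Key Vault configuration before changing the pricing tier."
}
```

Run it in the subscription that holds the vault; a vault in another subscription is reported as not visible rather than as misconfigured.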

Here are some personal opinions for you to refer.
First, per my test, the command works fine on my side.
Note: In my test environment, it is a sql server and database without any other things, like transparent data encryption.
Set-AzureRmSqlDatabase -DatabaseName joydatabase -ServerName joydb -ResourceGroupName joywebapp -Edition Standard -RequestedServiceObjectiveName S0
Why Set-AzureRmSqlDatabase command is referring to a key-vault URI, when not mentioned explicitly ?
On my side, I captured the request via Fiddler; it is not referring to a key vault URL, refer to the screenshot.
Is there a option we need to set at the server/DB level to allow this command to read the server/DB name directly rather than searching for a key with server name?
On my side, I think we needn't do so.
Is this anywhere related to Transparent data encryption ?
I think there is a great possibility that it is related to it. You could create a new sql server and database to have a try. Here is an article about transparent data encryption for azure sql server, you could refer to it.
Are we suppose to make any changes to this command if the key-vault comes later than the application/DB/key-vault set-up ?
I think it does not seem necessary to make any change to this command.

Related

Cannot export site template

I'm trying to get a site template and am getting an error:
PS C:\Windows\system32> Get-PnPSiteTemplate -Out template.xml
Get-PnPSiteTemplate : GetAccessTokenAsync() called without an ACS token generator. Specify in AuthenticationManager constructor the authentication parameters
At line:1 char:1
Get-PnPSiteTemplate -Out template.xml
CategoryInfo : WriteError: (:) [Get-PnPSiteTemplate], ArgumentException
FullyQualifiedErrorId : EXCEPTION,PnP.PowerShell.Commands.Provisioning.Site.GetSiteTemplate
Version:
pnp.powershell 1.6.0
I had the same issue and after quite some time invested in troubleshooting, I've figured out that the export gets interrupted once it iterates over a list. It is not related to the site you're trying to export because it happened also on other, newly created sites.
It turned out that the problem was that the PNP Module requires Admin Consent since it can manipulate almost all components of O365.
Solution: Connect to the site with the following command:
Connect-PnPOnline -interactive -URL "Your Site Url"
Provide admin consent to PnP and then try to export the site template with:
Get-PnPSiteTemplate -Out "File Location" # Use handlers and other params if needed
If the prompt window doesn't show up, run the following command first:
register-pnpmanagementshellaccess # See notes before running this cmdlet
Note: Admin consent requires additional permissions and SharePoint Admin role is not enough! So either ask a Global Admin to consent for you or ask for additional AD permissions. If I'm not mistaken Application Administrator role should be the right choice.
This seems to have worked for me.
Get-PnPSiteTemplate -out template.xml -ExcludeHandlers Lists,ApplicationLifecycleManagement
It seems the lists and ALM sections need an ACS token generator and that fails with UseWebLogin.
This is what I got on version 1.7.10, but I have used 1.7.0 and 1.5.0 and seen the same issues. I don't know if the older versions have more problematic modules.
Method: I found this resolution by running Set-PnPTraceLog -on -logfile log.txt -Level Debug and Set-PnPTraceLog -off, then reviewing the log file to see which module failed.
I may use the Export-PnPListToSiteTemplate and see how that goes in getting list XML for the template file.
I had the same issue with PnP.PowerShell 1.6.0. I was using Connect-PnPOnline command with -UseWebLogin flag because my account had multi factor authentication turned on.
My solution was to disable MFA for my user and connect without the "-UseWebLogin" flag. Then Get-PnPSiteTemplate command worked without any issues.
I'm not sure why this is happening, but I'll use this workaround for now :)

Add-AzureRmServiceFabricNodeType -> 'accountName' cannot be null

I'm trying to use the 'Add-AzureRmServiceFabricNodeType' command to add a new nodeType to an existing service fabric cluster. This is my command:
Add-AzureRmServiceFabricNodeType -ResourceGroupName "$ResourceGroupName$" -Name "$ClusterName$" -NodeType "$TypeName$" -VmSku "Standard_H8" -Capacity 3 -VmUserName "$UserName$" -VmPassword $pwd
Having already logged in and set the subscription using 'Login-AzureRmAccount' and 'Set-AzureRmContext'
The call runs for ~1hr and then returns the following error:
WARNING: Rolling back the changes to the cluster
Add-AzureRmServiceFabricNodeType : 'accountName' cannot be null.
At line:1 char:1
+ Add-AzureRmServiceFabricNodeType -ResourceGroupName "%ResourceGroupName% ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Add-AzureRmServiceFabricNodeType], ValidationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.AddAzureRmServiceFabricNodeType
I have successfully added a nodetype to this cluster in the past, but then I didn't set the -VmSku option. As well as that difference, the subscription has since been upgraded from a pay-as-you-go sub to an Enterprise Agreement. Based on the error received I guess it might have something to do with that, but I can't seem to find what exactly.
Any ideas?
I will assume you used the secure encoding to provide the password
$password = ConvertTo-SecureString -String 'Password$123456' -AsPlainText -Force
I also suggest you add the -Tier as part of your command, because as part of the provisioning process it requires the sku, tier and capacity. If you do not provide one it will use the default, and the sku might not be compatible with the default tier or your account availability.
You can also check in Azure if the VMSS are created once you run the command.
If you want to investigate further, I would recommend reading the source code for the command operation executed for adding node types.

Switch-AzureWebsiteSlot issue when swapping with PowerShell

I try to perform a swap between 2 Azure slots (Staging and Production) on a QA environment. For that I use PowerShell and use Switch-AzureWebsiteSlot cmdlet.
Below is what I execute:
Switch-AzureWebsiteSlot -Name "http://qa-2.cloudapp.net/" -Slot1 "Production" -Slot2 "Staging" -Force -Verbose -Debug
But I got the following error:
Switch-AzureWebsiteSlot : The website must have at least two slots to
apply swap At
C:\PrivateAgents\agent2_work\r6\a\MyCompany-CI-Template\drop#1129\mycompany-swapslots-azure.ps1:222
char:2
+ Switch-AzureWebsiteSlot -Name "http://qa-2.cloudapp.net/" -Slot1 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Switch-AzureWebsiteSlot], PSInvalidOperationException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Websites.SwitchAzureWebsiteSlotCommand
DEBUG: AzureQoSEvent: CommandName - Switch-AzureWebsiteSlot; IsSuccess
- False; Duration - 00:01:02.5624486; Exception - System.Management.Automation.PSInvalidOperationException: The website
must have at least two slots to apply swap at
Microsoft.WindowsAzure.Commands.Websites.SwitchAzureWebsiteSlotCommand.ExecuteCmdlet()
at
Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
I use Debug mode to have more details but I don't understand what it means. I am a newbie in Azure and PowerShell as well.
I made sure the right AzureSubscription is set as the current one before executing my cmdlet.
Anyone got the same issue as me before?
I have a doubt about the "-Name" value I used. I use site URL I found on the Azure portal. I don't know if it is correct.
To get the name of your websites in the subscription use the below PowerShell cmdlet:
Get-AzureWebsite
Note: The website should be something like this: "contosoweb", and the Azure website looks like contosoweb.cloudapp.net.
For more details, you may refer to "Swap Slots in Azure Web Site when there are 2 or more staging slots using Azure PowerShell".
I have a doubt about the "-Name" value I used. I use site URL I found
on the Azure portal. I don't know if it is correct.
-Name is the name of the website, we can use ARM powershell to get it:
Get-AzureRmWebApp -ResourceGroupName <resourcegroupname> -Name <webappname>
Like this:
Switch-AzureWebsiteSlot : The website must have at least two slots
According to this error message, we should add at least two slots to that website:
Then we can run Switch-AzureWebsiteSlot -Name jasonapp3 -Slot1 jasonapp32 -Slot2 jasonapp4, here is the result:
Hi Pradeep and Jason,
Thanks a lot for your help.
Thanks to your advice I figured out where my issue was. In fact we use Azure Cloud Service and not WebSite. That's why my cmdlet failed.
I looked for a cmdlet suited to Cloud Service and I found Move-AzureDeployment, which works perfectly for me.
Thanks

DefaultWinRMCertificateThumbprint field in Azure VM setting is empty

I'm using "http://gallery.technet.microsoft.com/scriptcenter/Configures-Secure-Remote-b137f2fe" for configuring secure remote PowerShell access to my Azure VM. It works well.
I deleted my machine while keeping the attached disks. I recreated this machine with the previous identical parameters, but from the "my disk" option.
And after that my secure remote PowerShell access stopped working. Every time I tried to use "http://gallery.technet.microsoft.com/scriptcenter/Configures-Secure-Remote-b137f2fe" to download the certificate I received the following error:
Get-AzureCertificate : Cannot validate argument on parameter 'Thumbprint'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.
At C:\Users\username\Desktop\InstallWinRMCertAzureVM.ps1:54 char:83
+ ... me -Thumbprint $WinRMCert -ThumbprintAlgorithm sha1
+ ~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-AzureCertificate], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.WindowsAzure.Commands.ServiceManagement.Certi
ficates.GetAzureCertificate
Actually, the option
(Get-AzureVM -ServiceName $CloudServiceName -Name $Name | select -ExpandProperty vm).DefaultWinRMCertificateThumbprint
is empty.
But on the original machine it was a valid thumbprint.
Can someone point me in the right direction, please?
Problem was fixed. Partially :)
So, I connected to my virtual machine via RDP and manually exported the certificate from the LocalMachine store. After that, I imported the certificate on my local machine into the "Trusted Root Certification Authorities" (!) section of the Local Machine store. The DefaultWinRMCertificateThumbprint field in the Azure VM settings is still empty, but now I can connect to the machine via PowerShell without any problems.

ArgumentNullException - Get-AzureService

I'm trying to use the Windows Azure PowerShell module to manage a subscription.
I have downloaded my certificate (the .publishsettings file) and imported it with Import-AzurePublishSettingsFile and then I've selected my subscription with Select-AzureSubscription neither of which gave errors.
I've also set my subscription using Set-AzureSubscription -SubscriptionName "Blah"
Still, I get a
Get-AzureService : Value cannot be null.
Parameter name: subscriptionId
when running Get-AzureService
I've read getting started guides and various documentation but I can't work out what I'm doing wrong. Which in my mind, makes this a UX problem that Microsoft should address.
Update
I got a bit further, I used
Set-AzureSubscription -SubscriptionName "Blah" -SubscriptionId 0123
which changed the error from Get-AzureService to:
Get-AzureService : Value cannot be null.
Parameter name: managementCertificate
But now I cannot set my certificate since the argument wants an X509Certificate type.
There is a better way to authenticate when using the Azure Powershell cmdlets --- Add-AzureAccount. This will prompt you for your login credentials instead of using the service management certificate.
You may still run into some issues because Azure powershell caches your subscriptions in XML files in %appdata%\Windows Azure Powershell.
I would recommend:
Close the Azure Powershell window
Delete the XML files in %appdata%\Windows Azure Powershell.
Open Azure Powershell and run Add-AzureAccount.
This should ensure that you have the correct subscriptions configured.
I hope this might help you-
Add-AzureAccount
Get-AzurePublishSettingsFile
Import-AzurePublishSettingsFile filenamewithpath
filenamewithpath is the publishsetting file with path saved on your pc