We use Azure Backup and set our backup vaults to use GRS. We want to use LRS instead. It is understood that this cannot be changed once machines have been added to the vault, and we need to start from scratch. Two questions:
Do I need to remove the current vault first before I set up a new vault for that same server?
Can the current backups be transferred to the new vault?
Changing a Recovery Service Vault's storage replication type can be achieved via the Portal or PowerShell. Unfortunately, this option is greyed out in the Portal, and whilst the cmdlet executes successfully, it doesn't change the underlying value if there are one or more Protected Instances already contained in the vault.
Because of this, and because the default value is GeoRedundant, this must be set before any items have been protected.
To set the storage to Locally Redundant via the Portal:
Create/Open the Recovery Services Vault
Scroll-down and select Backup Infrastructure
Select Backup Configuration
Set Storage replication type to Locally-redundant
To achieve the same via PowerShell:
$RG = 'testResourceGroup'
$VaultName = 'testVault'
$Location = 'Central US'
$vault = Get-AzureRmRecoveryServicesVault -ResourceGroupName $RG -Name $VaultName
If (-not $vault) {
    $vault = New-AzureRmRecoveryServicesVault -ResourceGroupName $RG -Location $Location -Name $VaultName
}
Set-AzureRmRecoveryServicesBackupProperties -Vault $vault -BackupStorageRedundancy LocallyRedundant
With regards removing existing vaults and transferring existing backup points:
The existing vault does not need to be deleted; however, any protected items will need to be removed from the vault before they can be added to a new vault. It is not sufficient to simply stop backup on the protected item - all the restore points must also be deleted before the item can be added to the new vault.
I cannot find any documentation, or any facility in the Portal or PowerShell, which would allow the migration of existing protected items and/or restore points.
The only way I've been able to change from Geo-Redundant Storage (GRS) to Locally Redundant Storage (LRS) is to create a new empty vault in the old portal (https://manage.windowsazure.com).
In the old portal you can change storage type in "Configuration".
I expect you will also be able to do it with PowerShell, but I haven't tried it.
You can register your server with 1 vault. In order to register your server with the new vault, you need to use the new vault credentials downloaded from manage.windowsazure.com
You can have multiple vaults. If you do not use your current vault in the future, it will stay there. You have to pay for each vault. So, if you don't need it in the future, it may be better to remove it completely.
There is comprehensive documentation here:
https://azure.microsoft.com/en-us/documentation/services/backup/
Related
I'm trying to create a key vault in Azure using this CLI command...
az keyvault create --location $location --name $keyVaultName --resource-group $resourceGroupMainName --output none
But this returns the error...
(VaultAlreadyExists) The vault name '[value of $keyVaultName]' is
already in use. Vault names are globaly unique so it is possible that
the name is already taken. If you are sure that the vault name was not
taken then it is possible that a vault with the same name was recently
deleted but not purged after being placed in a recoverable state. If
the vault is in a recoverable state then the vault will need to be
purged before reusing the name. For more information on soft delete
and purging a vault follow this link
https://go.microsoft.com/fwlink/?linkid=2147740.
So I ran both of these...
az keyvault list
az keyvault list-deleted
And $keyVaultName does not appear in either list. I've asked a colleague to double-check those results but it really doesn't appear. I've also looked in the Manage deleted vaults blade in the portal and that matches the results from the CLI - it's not there.
I also tried to recover the key vault with that name...
(DeletedVaultNotFound) The specified deleted vault '[value of $keyVaultName]' does not exist.
...and to purge a key vault with that name...
No deleted Vault or HSM was found with name [value of $keyVaultName]
So why does Azure think that the name is already in use?
I found an easier way, which is via the UI: you can check whether the deleted key vault is in the key vaults management page.
I am able to select and purge or recover deleted key vault after clicking the 'manage deleted vaults' hyperlink.
As provided in the comment, similar to Storage Accounts in Azure, the key vault is also globally unique. You can check the similar error code from the docs:
Your attempt to create a new key vault with the specified name has
failed since the name is already in use. If you recently deleted a key
vault with this name, it may still be in the soft deleted state
Vault names and Managed HSM pool names are selected by the user and
are globally unique.
You can verify the existence using PowerShell or the REST API.
When you create an Azure Key Vault, the soft-delete feature is enabled by default. It helps customers recover keys and secrets that were accidentally deleted within 90 days (default), and for that time period you cannot create another key vault with the same name.
Once soft delete is enabled for Azure Key Vault, you cannot disable it, as it's implemented as a one-way operation and cannot be changed back once enabled. However, you can use the PowerShell cmdlet Remove-AzureRmKeyVault with the option -InRemovedState, specifying the location of the deleted key vault with the -Location argument, to permanently delete or purge the Azure Key Vault. If you want to permanently delete a key or secret, you need to use Remove-AzureKeyVaultKey and Remove-AzureKeyVaultSecret with the -InRemovedState parameter. Please refer to How to use Key Vault soft-delete with PowerShell for details.
You can also achieve the same using the Azure CLI. Refer to How to use Key Vault soft-delete with CLI for details.
First, I checked the deleted key vaults and purged the one that was creating the problem.
az keyvault list-deleted
az keyvault purge --name my-key-vault-dev01
I'm using my personal Azure account and Visual Studio Azure subscription where I'm Global Admin. I get the following error when I try to purge a soft-deleted Azure Key Vault.
Using Azure PowerShell:
Remove-AzKeyVault: Operation 'DeletedVaultPurge' is not allowed.
Using Azure CLI:
ValidationError: (MethodNotAllowed) Operation 'DeletedVaultPurge' is not allowed.
It looks like there is a permission that I don't have, even though I'm Global Admin. So what do I need to do in order to purge soft-deleted Key Vaults?
Here are the steps in Azure PowerShell (4.7.0) that I can use to reproduce the error:
First I create a Key Vault:
New-AzKeyVault -Name $keyVaultName -ResourceGroupName $resourceGroupName -Location $location -EnablePurgeProtection
Then I delete it.
Remove-AzKeyVault -Name $keyVaultName -ResourceGroupName $resourceGroupName
Then try to purge the soft-deleted Key Vault:
Remove-AzKeyVault -Name $keyVaultName -Location $location -InRemovedState -Force
Remove-AzKeyVault: Operation 'DeletedVaultPurge' is not allowed.
The reason is that you have enabled the Purge protection when you create the keyvault.
Once the Purge protection is enabled, it's not allowed to delete it. Please refer to the doc for more details. I just pasted part of the doc as below:
When purge protection is turned on, a vault or an object in deleted state cannot be purged until the retention period has passed.
And please also note that, if the Purge protection is enabled, you cannot disable it. So when creating the key vault, please make sure the Purge protection is disabled, then try the command again.
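The two points made in the answers above (soft delete reserves a vault name, and purge protection refuses DeletedVaultPurge until the retention period has passed) can be checked together before retrying a create or purge. This is an added example, not code from the original posts: the helper Get-VaultNameStatus and the vault names are hypothetical, and the embedded JSON is constructed in the shape that az keyvault list-deleted prints, so it runs offline.

```powershell
# Constructed sample in the shape printed by: az keyvault list-deleted --output json
$sampleJson = @'
[
  {"name": "kv-demo-protected",
   "properties": {"location": "westeurope",
                  "deletionDate": "2024-05-01T10:00:00Z",
                  "scheduledPurgeDate": "2024-07-30T10:00:00Z",
                  "purgeProtectionEnabled": true}},
  {"name": "kv-demo-plain",
   "properties": {"location": "westeurope",
                  "deletionDate": "2024-05-03T09:30:00Z",
                  "scheduledPurgeDate": "2024-08-01T09:30:00Z",
                  "purgeProtectionEnabled": null}}
]
'@

function Get-VaultNameStatus {
    # Hypothetical helper: explains why a Key Vault name cannot be reused yet.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $DeletedVaultsJson,
        [datetime] $Now = (Get-Date)
    )
    # Assign first so the JSON array is enumerated on Windows PowerShell 5.1 too.
    $deleted = ConvertFrom-Json -InputObject $DeletedVaultsJson
    $vault = $deleted | Where-Object { $_.name -eq $Name } | Select-Object -First 1
    if (-not $vault) {
        return [pscustomobject]@{ Name = $Name; State = 'NotInDeletedList'
            Action = 'Vault names are globally unique; the name may be taken elsewhere.' }
    }
    # The cast covers both a string (5.1) and an already-parsed DateTime (7+).
    $purgeAt = ([datetime]$vault.properties.scheduledPurgeDate).ToUniversalTime()
    $locked = $vault.properties.purgeProtectionEnabled -eq $true
    if ($locked -and $purgeAt -gt $Now.ToUniversalTime()) {
        return [pscustomobject]@{ Name = $Name; State = 'SoftDeletedPurgeProtected'
            Action = "Purge is refused until $($purgeAt.ToString('u')); recover it or use another name." }
    }
    [pscustomobject]@{ Name = $Name; State = 'SoftDeleted'
        Action = 'Recover the vault, or purge it to free the name.' }
}

# Evaluate three names against the constructed list at a fixed reference time.
$referenceTime = [datetime]'2024-06-01T00:00:00Z'
'kv-demo-protected', 'kv-demo-plain', 'kv-demo-unknown' |
    ForEach-Object { Get-VaultNameStatus -Name $_ -DeletedVaultsJson $sampleJson -Now $referenceTime } |
    Format-List
```

For live data, pass (az keyvault list-deleted --output json | Out-String) as -DeletedVaultsJson and omit -Now.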
I need to remove any Authentication Key that the Storage Accounts of my subscriptions have. Do you know if there is any way to remove it? I was looking for a cmdlet in PowerShell to do it but was unable to find it.
I was able to retrieve the list of Storage Accounts and check if there is an authentication key set; however, I was unable to remove them. I tried to set them to null, but it didn't work.
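$colStorageAccounts = Get-AzureRMStorageAccount
# 'foreach' iterates a collection; 'for' expects an init/condition/step triple
foreach ($objStorageAccount in $colStorageAccounts)
{
    # -AccountName expects the account's name, not its full resource Id
    $objAccountKey = Get-AzureRMStorageAccountKey -ResourceGroupName $objStorageAccount.ResourceGroupName -AccountName $objStorageAccount.StorageAccountName
    if ($objAccountKey -ne $null)
    {
        # here I should put the code to remove it
    }
}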
As you can see from the list of commands supported by the Azure storage module, there is no command to delete an account key. Instead, you can remove the container if you need to, or generate a new one from the portal.
I have an old Azure Recovery Services vault for an on-premise Windows Desktop that I am trying to remove after decommissioning said desktop. Azure is responding with this error message:
Vault cannot be deleted as there are existing resources within the vault. Please ensure there are no backup items, protected servers or backup management servers associated with this vault. Unregister the following containers associated with this vault before proceeding for deletion : VAULT-NAME. Unregister all containers from the vault and then retry to delete vault
Where VAULT-NAME is the name of my vault.
I followed the steps referenced in this answer but could not get past this step due to the fact that there is not a corresponding "Windows" or "WindowsServer" option for the WorkloadType parameter.
$item = Get-AzureRmRecoveryServicesBackupItem -Container $container -WorkloadType AzureSQLDatabase
Skipping the item retrieval and disable steps and instead trying to unregister the container and remove the vault with the following commands was of no use on account of still having backups associated with the container.
Unregister-AzureRmRecoveryServicesBackupContainer -Container $container
Remove-AzureRmRecoveryServicesVault -Vault $vault
I have not mapped this answer to the corresponding Azure commands, but I was able to find my way to a solution via the Azure Portal. The steps were as follows:
Selected my Recovery Service resource
Under the Manage section, clicked Backup Infrastructure
Under Management Servers, clicked Protected Servers
In the list that followed, clicked on the row where my Protected Server Count was greater than 0, in my case, Azure Backup Agent (because the backup agent was installed on my Windows Desktop)
Clicked on my server name in the Protected Server list
Clicked Delete in the card for my protected server
After that completed, I was able to delete the entire vault. These steps may be helpful if you have other Backup Infrastructure resources and possibly even Site Recovery Infrastructure resources associated with a vault.
Update: It seems like there's an open issue for Get-AzureRmRecoveryServicesBackupItem not having any capacity to return MARS backup items which is ultimately what the issue here was.
Is it possible to set up a custom domain for an Azure Resource Manager (ARM) storage account using Azure PowerShell? If so, how?
I tried to set up a custom domain through the Azure Preview Web Portal but that functionality does not yet exist for the new resource manager storage accounts.
Using this documentation, I am able to login and see the properties of my new RM storage account, but I am unsure how to update the CustomDomain property. I expected to find an example/documentation of how this worked with the old storage accounts, but I have not found anything.
I have found a solution that worked for us. You can use the Set-AzureRmStorageAccount command to set properties on an existing storage group. Not sure how I missed this one.
Set-AzureRmStorageAccount -ResourceGroupName "<YOUR RESOURCE GROUPNAME>" -Name "<YOUR STORAGE ACCOUNT NAME>" -CustomDomainName <YOUR.CUSTOM.DOMAIN> -UseSubDomain $true
In case, like me, you get ResourceGroupNotFound, run the following command to select your subscription first (you can get your subscription ID in the Azure Portal):
Select-AzureRmSubscription -SubscriptionId <YourSubscriptionID>