Preparing Azure Stack for the upcoming Extension Host.

So this is my first attempt at recording a session.  If this works out I will try to do some more recorded sessions that will go along with the blog I am writing.  Please excuse the editing as I am very new to this format.  🙂



As with most of my blogs, I pretty much followed the Microsoft document below to get my multi-node Azure Stack stamp ready for the upcoming Extension Host.  So please check out the Prepare for extension host for Azure Stack document for more information.

The first thing you will need is the certificates themselves.  These can be created fairly easily using the same tools you used to create the other required certificates for your Azure Stack deployment.  For reference, the Microsoft doc Azure Stack public key infrastructure certificate requirements covers how to generate the PKI certificates needed for the extension host.

We will have two new certificates that we will need to validate and import into our Azure Stack multi-node stamp.  One certificate for the Admin extension host and the other for the Public extension host.

Like in my video, the first thing I did was validate the certificates using the Azure Stack Readiness Checker tool.  You will need to install the Azure Stack Readiness Checker module if you haven't done so.

Note:  At the time of this blog and video the newest release of the Readiness Checker didn’t work for me.  It had issues with the -ExtensionHostFeature parameter.  I had to install a previous version in order to run the Readiness Checker with that parameter.

Install-Module -Name Microsoft.AzureStack.ReadinessChecker -RequiredVersion 1.1811.1029.1

Next, make sure you have your certificates and directories configured correctly for the Readiness Checker.  In the video I have already staged this.  To create the proper directory structure you can run the following PowerShell script:

# One subdirectory per certificate, using the folder names the Readiness Checker expects
New-Item C:\Certificates -ItemType Directory
$directories = 'ACSBlob','ACSQueue','ACSTable','Admin Portal','ARM Admin','ARM Public','KeyVault','KeyVaultInternal','Public Portal','Admin extension host','Public extension host'
$destination = 'C:\Certificates'
$directories | ForEach-Object { New-Item -Path (Join-Path $destination $PSItem) -ItemType Directory -Force }

Make sure you put your certificates in the proper directory including the two new extension host certificates.  Then we are going to run the script to validate the certificates before we import them into Azure Stack.

# Readiness Checker to validate certs (-ExtensionHostFeature adds the two new extension host certificates to the run)
$pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString
Start-AzsReadinessChecker -CertificatePath C:\Certificates -pfxPassword $pfxPassword -RegionName dfw -FQDN azurestack.dfw -IdentitySystem AAD -ExtensionHostFeature

This script will then validate the certificates.  You should get a pass on every test.  If not, you will need to check your certificates before going any further.
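Before handing the PFX files to the Readiness Checker, I find it useful to look at what is actually inside them.  The script below is an added example, not code from the original post or from the Microsoft document; it assumes the directory layout created above and that the two certificates carry the wildcard SANs *.adminhosting.<region>.<fqdn> and *.hosting.<region>.<fqdn>, so adjust $Region and $Fqdn for your stamp.

```powershell
# Added pre-check for the two extension host PFX files (not from the original post).
# Assumes the C:\Certificates layout above and the wildcard SAN names listed in $Expected.
$Region = 'dfw'
$Fqdn   = 'azurestack.dfw'      # replace with the external FQDN of your stamp
$PfxPassword = Read-Host -Prompt 'Enter PFX Password' -AsSecureString

$Expected = @{
    'Admin extension host'  = "*.adminhosting.$Region.$Fqdn"
    'Public extension host' = "*.hosting.$Region.$Fqdn"
}

function Test-ExtensionHostPfx {
    param([string]$PfxPath, [string]$ExpectedSan, [securestring]$Password)

    # EphemeralKeySet keeps the private key out of the local key store while we inspect it
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)

    # Pull the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans   = @()
    if ($sanExt) {
        $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }

    # Build the chain the way a client would; a missing intermediate shows up in ChainStatus
    $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        File          = Split-Path $PfxPath -Leaf
        HasPrivateKey = $cert.HasPrivateKey
        ExpectedSan   = $ExpectedSan
        SanPresent    = ($sans -contains $ExpectedSan)
        DaysToExpiry  = [int]($cert.NotAfter - (Get-Date)).TotalDays
        ChainBuilds   = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

foreach ($dir in $Expected.Keys) {
    $pfx = Get-ChildItem -Path (Join-Path 'C:\Certificates' $dir) -Filter *.pfx
    if ($pfx.Count -ne 1) { Write-Warning "$dir should contain exactly one .pfx file"; continue }
    Test-ExtensionHostPfx -PfxPath $pfx.FullName -ExpectedSan $Expected[$dir] -Password $PfxPassword
}
```

A row with HasPrivateKey, SanPresent and ChainBuilds all True is what you want to see before running Start-AzsReadinessChecker; anything else is a problem with the PFX, not with Azure Stack.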



Once the validation has completed we are good to import the two new extension host certificates.  We will run the following two scripts to import the Admin Hosting and the Hosting endpoint certificates.

# Import Admin Hosting Endpoint
$CertPassword = Read-Host -AsSecureString -Prompt "Certificate Password"
$CloudAdminCred = Get-Credential -UserName azurestack\cloudadmin -Message "Enter the cloud domain credentials to access the privileged endpoint."
[Byte[]]$AdminHostingCertContent = [Byte[]](Get-Content "C:\Certificates\Admin Extension Host\adminhosting_dfw_azurestack_dfw.pfx" -Encoding Byte)
# <ERCS VM IP address> is a placeholder: use the IP address of one of your privileged endpoint (ERCS) VMs
Invoke-Command -ComputerName <ERCS VM IP address> `
-Credential $CloudAdminCred `
-ConfigurationName "PrivilegedEndpoint" `
-ArgumentList @($AdminHostingCertContent, $CertPassword) `
-ScriptBlock {
    param($AdminHostingCertContent, $CertPassword)
    # Privileged endpoint cmdlet from the Microsoft document linked above
    Import-AdminHostingServiceCert $AdminHostingCertContent $CertPassword
}

# Import Hosting Endpoint
$CertPassword = Read-Host -AsSecureString -Prompt "Certificate Password"
$CloudAdminCred = Get-Credential -UserName azurestack\cloudadmin -Message "Enter the cloud domain credentials to access the privileged endpoint."
[Byte[]]$HostingCertContent = [Byte[]](Get-Content "C:\Certificates\Public Extension Host\hosting_dfw_azurestack_dfw.pfx" -Encoding Byte)
# <ERCS VM IP address> is a placeholder: use the IP address of one of your privileged endpoint (ERCS) VMs
Invoke-Command -ComputerName <ERCS VM IP address> `
-Credential $CloudAdminCred `
-ConfigurationName "PrivilegedEndpoint" `
-ArgumentList @($HostingCertContent, $CertPassword) `
-ScriptBlock {
    param($HostingCertContent, $CertPassword)
    # Privileged endpoint cmdlet from the Microsoft document linked above
    Import-UserHostingServiceCert $HostingCertContent $CertPassword
}

This process takes a few minutes for each script.
(Screenshots: Import Cert 01, Import Cert 02)
Once both scripts have run successfully we are pretty much done.  Some steps remain after you install update 1810.  If you do not have your DNS zone delegated for DNS integration, you will need to add the two new Azure Stack endpoints and create two more A records.
You will also need to make sure the endpoints are open on your firewalls before you enable the extension host.  The endpoints are Adminhosting and Hosting; both use HTTPS on port 443.
Once the update has been installed you will also need to validate that the endpoints exist and that your firewall rules are open for the endpoints and port mentioned above.  Then you can close the ports that are no longer needed.
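For that post-update validation I use a small script that walks each endpoint through the three things that can go wrong: DNS, the firewall, and the certificate the endpoint actually presents.  It is an added example, not code from the original post or the Microsoft document; it assumes the endpoint names adminhosting.<region>.<fqdn> and hosting.<region>.<fqdn>, a wildcard A record under each (so any label such as "probe" resolves), and Test-NetConnection/Resolve-DnsName from Windows Server 2012 R2 or later.

```powershell
# Added post-update endpoint check (not from the original post). Assumes wildcard DNS records
# for adminhosting.<region>.<fqdn> and hosting.<region>.<fqdn>; adjust $Region and $Fqdn.
$Region = 'dfw'
$Fqdn   = 'azurestack.dfw'   # replace with the external FQDN of your stamp
$Endpoints = @("adminhosting.$Region.$Fqdn", "hosting.$Region.$Fqdn")

function Test-ExtensionHostEndpoint {
    param([string]$BaseName, [string]$Label = 'probe')
    $hostName = "$Label.$BaseName"   # any label under the wildcard A record
    $r = [ordered]@{ Host = $hostName; Resolves = $false; Port443 = $false; TlsProtocol = $null
                     CertSubject = $null; DaysToExpiry = $null; ChainBuilds = $null; NameMatches = $null }

    # 1. DNS: the wildcard A record created for DNS integration must answer for any label
    if (-not (Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue)) { return [pscustomobject]$r }
    $r.Resolves = $true

    # 2. Firewall: TCP 443 must be reachable from where the clients sit
    $r.Port443 = (Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $r.Port443) { return [pscustomobject]$r }

    # 3. TLS: complete a handshake and inspect the certificate the endpoint really presents.
    #    The callback accepts everything so the chain result is reported below instead of thrown.
    $client = [System.Net.Sockets.TcpClient]::new($hostName, 443)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
               [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($hostName)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $r.TlsProtocol  = $ssl.SslProtocol.ToString()
        $r.CertSubject  = $cert.Subject
        $r.DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $r.ChainBuilds  = $chain.Build($cert)
        # The SAN extension (OID 2.5.29.17) must carry the wildcard that covers this endpoint
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $r.NameMatches = [bool]($san -and ($san.Format($false) -match [regex]::Escape("DNS Name=*.$BaseName")))
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
    [pscustomobject]$r
}

$Endpoints | ForEach-Object { Test-ExtensionHostEndpoint -BaseName $_ } | Format-List
```

Run it from the network segment your users will be on: Resolves or Port443 coming back False points at DNS or the firewall, while ChainBuilds or NameMatches False means the certificate that was imported is not the one the endpoint is serving.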

Final Thoughts

Well, I hope people enjoyed my video and got something out of it.  I would like feedback, the good and the bad.  I will try to do more videos if I have the time; time is always the constraint.  I am looking forward to some of the newer features coming to Stack with 1810 and to what the roadmap has for Azure Stack.  I hope you are as well.  I also may have some big news coming soon.
