Leave a reply

Certificates for vCenter and HTML 5 Appliance – Part 1

So I pretty much lost a day and half trying to sort out certificates for one of my vCenter clusters.  I’ve read through many VMware KB’s different blogs and articles on how to have a valid certificate for my vCenter servers, but didn’t quite find a definitive one.  So I’m hoping that what I did early in the week will be helpful.  It will also serve as a reminder for me on how I did this.

As of March 7, 2019 I am running VCSA 6.0 Build 9291058, I also have Microsoft CA to generate and issue certificates.

From the VCSA, I logged in as root and ran the following command


This will bring up the vSphere 6.0 Certificate Manager


Select Option 1 to replace machine ssl certificate with custom certificate.

Follow the prompts to enter credentials for the SSO and vCenter server.

After a successful login, select option 1 to generate certificate signing request(s) and key(s) for machine SSL certificate


You’ll then be prompted for a location to save the CSR(s) and Private Key(s).  Enter a desired location and select whether or not to reconfigure certool.cfg.  If you already have one configured, you can select no, to save some time.  Otherwise select Y and enter the appropriate values.


After the csr is generated, select Option 2 to exit the certificate manager


Next up, you’ll need to go to your Microsoft CA to request a certificate.


Open the CSR in a text editor and copy it into the field, add any attributes if neccesary:



After you submit the request, open the .cer in a text editor and copy that into a text editor on your VSCA.  Save the file with a meaningful name, ie; hostname.cer

Next, you’ll need to create a signed chained cert.

You’ll need the cer that was just created, as well as any intermediate CA certs and the root cert.

For my purposes, I exported the certs from the built-in windows certificate management console.  Selected the intemediate and root certs, and exported them. Be sure to download the cert in Base64 format


After you have all the certs, copy it to your vCenter, and then you’ll need to create a signed chained cert in this order: <generated CA cert> <intermediate cert> <root cert>

cat certnew.cer intermediateCA.cer RootCA.cer > name_of_signing_chain.cer

After creating the chained cert, run the certificate manger again


Select Option 1


Enter credentials for SSO and select Option 2 to import certs.

Provide the location of the generated cert, the private as well as the chain cert.

This will take a minute or two.  After the certs are successfully imported, you’ll valid SSL cert for you vCenter.

Leave a reply

MS Products Coming Up on End of Life

Just a n FYI that the following Microsoft products will be end of life “relatively soon”

July 9, 2019 – MS SQL Server 2008/ 2008 R2 – July 9, 2019
January 14, 2020 – MS Windows Server 2008 / 2008 R2

After these dates, extended support will end and the affected products will no longer have security or reliability patches.

You will probably be able to still run them, but I would not suggest it.

Leave a reply

PDQ and Windows Updates

Last year introduced PDQ as way to easily deploy applications to desktops. In the past, applications were either installed in the master clone, thinapp’d or manually installed by remotely connecting to the VM and installing it locally.

This is where I did a POC and proved that this was a time saver and pretty much fool proof.

In the last few months I started looking at using PDQ to install Windows patches. Preliminary tests showed that it worked well. I did look at WSUS, but was limited in terms of scheduling, and without using something like SCCM or SCOM, it would be very hard to manage. I also did not want to put up infrastructure just for patching.

PDQ pushes out Windows patches just like any other application, connects to the target, installs, and reboots, if you choose to. DONE.

However, there was no easy way to snapshot the VM. I came up with a PowerCLI script attached as a Pre-Step, however, I soon discovered that the PowerCLI script also ran on the target computer, and not on the source. One solution presented was installing PowerCLI on all server VMs. Tossed that idea out quickly as I didn’t want to install PowerCLI on all VMs, and with how the script worked, a snapshots of all VMs would occur on all VMs. So if I had 10 VMs in the script, the script would run on all 10 VMs, give me 100 snaps in total.

After some brainstorming, I decided to have the script run as scheduled task. If I had the patching occur at 2AM, I could have the script run at 1:58AM. Early testing showed that this worked just as expected. BINGO!

Only thing I need to make sure of, is to update the server list, so the VMs scheduled for patching gets snapped.

So essentially, have a scheduled task run the script 2 minutes before patch time, and then have the patch schedule run.

Hope this helps other people facing the same or similar problem

Leave a reply


The other day, I was asked how to change the NTP Server on a Windows Server 2008 R2 VM.  I responded with a dumbfounded look, and replied with, “You don’t, the Server talks back with an AD server that with PDC Emulator role and syncs with that server…”  Of course, my storage guy only asked me because his Unisphere VM was almost 2 minutes off.  So naturally I took a look and discovered, that it was not syncing at all. 

Query the current time settings always pointed back to

Local CMOS Clock

which is not a good thing.

Further investigation showed that the registry settings for W32time was incorrectly modified.

So after much Googling, I ended up resetting the Windows Time:

net stop w32time
W32tm /unregister
w32tm /register
net start w32time

Then for good measure, I configured Windows Time is use the forest time hierarchy:

w32tm /config /syncfromflags:domhier /update /reliable:no
w32tm /resync /rediscover
net stop w32time && net start w32time

After a few minutes, the Windows Time was now sync’d up with the AD Server.

Leave a reply

Creating transforms file and using PDQ

The other day I need to “mass deploy” an application to our users at the hotels.  Normally, pushing applications using PDQ is straightforward, however, the installation needed some user inputs such as server name, username and install feature.  Luckily, the installer was an MSI, and was able to create a transforms file to automatically answer those questions.


Found this simple application, Transforms Creator

The application is fairly simple, after installing the Transforms Creator, you would find the MSI in question, right click it and select Create Transforms.  The MSI will then simulate an install, answer all the questions needed, once you’re done, an MST will be generated.

Tested it out, and it worked exactly as I needed.

I did run into some issue using TRANSFORMS in PDQ.  This was merely a user issue and not knowing how to do this rather than technical.  So for future reference, when creating a package in PDQ, you’ll need to the following settings in the Edit Package dialog box:

Parameters: TRANSFORMS=transforms_package.mst

and the ensure that you check “Include Entire Directory” otherwise,  you’ll get an error message saying:

“This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.”



Leave a reply

Guest OS reporting error during quiescing

My storage engineer recently approached me about a couple of VMs that were failing to backup because it could not quiesce.  We were seeing:


My storage engineer recently approached me about a couple of VMs that were failing to backup because it could not quiesce.  We were seeing:

“An error occurred while saving the snapshot: Failed to quiesce the virtual machine.”

An open call to EMC said to run an extended Snapshot, however, that is only available starting with vSphere 6.5.  Despite that, running a manual snapshot using the vCenter MOB was successful.

Running scheduled and unscheduled backups failed with the same message.

However, after digging into the logs, I saw a very specific error message:

The guest OS has reported an error during quiescing. The error code was: 5 The error message was: ‘VssSyncStart’ operation failed: IDispatch error #8472 (0x80042318)

A quick search shows that this can be resolved by a number of ways, re-registering the VSS Components and re-configure VMTools.

for my purposes, re-registering the VSS Components did the trick.  Instead of running each of the following commands separately, I put them into a batch script.

cd /d %windir%\system32
net stop vss
net stop swprv
regsvr32 /s ole32.dll
regsvr32 /s oleaut32.dll
regsvr32 /s vss_ps.dll
vssvc /register
regsvr32 /s /i swprv.dll
regsvr32 /s /i eventcls.dll
regsvr32 /s es.dll
regsvr32 /s stdprov.dll
regsvr32 /s vssui.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml3.dll
regsvr32 /s msxml4.dll
vssvc /register
net start swprv
net start vss

Leave a reply

Reusing Computer Names in a Full Clone Pool

For the few of us using Full Clones in their Horizon View environment, we’ve always run into the issue of not being able to reuse computer names like you can in a Linked Clone pool.

However, I came across a VMWare KB that explains how to do this.  I’d advise you fully read the KB as it involves modifying the ADAM database.  I don’t have to tell you what can potentially happen if that get’s corrupted.  So backup and/ or snapshot before making changes.

So basically, you need to modify the following value in the ADAM database for the pool in question.

pae-VMNameReuseAllowed = 1

You would need to remote onto one of you connection servers, and  open up ADSI Edit from Administrative Tools, select the ADAM Database, go to OU=Server Groups, right click the pool in question and find the above attribute and change it to 1.

Have fun!

For reference here is the KB:




Leave a reply

ending the week on a high note

nothing like ending the week on a high note. Been running RecoverPoint for VM for the past few weeks with lack luster results with the same level of support. Replication was painfully slow along with a UI that was severely lacking in features. However, after setting up Zerto, which took about 15 minutes or so, I was already replicating a 9.4TB VPG, with an ETA of 20h.  This same VPG in RP4VM nearly took 2 weeks to replicate.  Even after increasing the RPA resources to 8vCPU and 16GB RAM, we only ever got 11MB/sec at best.  With Zerto I’m seeing 112MB/sec constant.


Next week, I’ll have enough information to make the case to go with Zerto and drop RP4VM


Leave a reply

Windows Update Error 8024402F

I’ve recently built a new W7 VM for AppVolume provisioning, however, when trying to install windows updates, I get the following


For whatever reason, my new Windows build couldn’t contact the MS Windows Update servers.  After some Googling, I ran into a post saying to add windowsupdate.microsoft.com to the list of trusted sites.  After putting that in, I was able to update the OS.




Leave a reply

using Runonce to move VM to different OU

If you are using Horizon View and creating full clones, undoubtedly you’ve run into the issue of having the VM joining the domain but placed in the wrong OU.   To get around this you either moved it yourself, have a GPO do it or some VBScript.

After many searches and trial and errors, I’ve finally got it working in my environment.

In the customization specification, I have the VM join the domain using the UPN format, user@domain.com, then in the Runonce field I have the following:

cmd.exe /c dsmove -u user@domain.com cn=%computername%,cn=computers,dc=domain,dc=com -d domain.com -newparent "ou=NEW OU,dc=domain,dc=com" -p "P@ssword"

To get this to work, you’ll need to copy dsmove.exe and dsmove.exe.mui from a another computer that has AD tools installed.

You’ll need to copy dsmove.exe from c:\windows\system32 and dsmove.exe.mui from  c:\windows\system32\en-us and place them in the same folders on your image\template.

Please keep in mind this tested and verified on Windows 7,  other Windows versions may be different.  So please test thoroughly.

Hope this helps anyone using Horizon View using full desktops or manual pools.

%d bloggers like this: