Category: VMWare


Certificates for vCenter and HTML 5 Appliance – Part 1

So I pretty much lost a day and a half trying to sort out certificates for one of my vCenter clusters.  I’ve read through many VMware KBs, different blogs and articles on how to have a valid certificate for my vCenter servers, but didn’t quite find a definitive one.  So I’m hoping that what I did early in the week will be helpful.  It will also serve as a reminder for me on how I did this.

As of March 7, 2019 I am running VCSA 6.0 Build 9291058. I also have a Microsoft CA to generate and issue certificates.

From the VCSA, I logged in as root and ran the following command:

/usr/lib/vmware-vmca/bin/certificate-manager

This will bring up the vSphere 6.0 Certificate Manager

Select Option 1 to replace machine ssl certificate with custom certificate.

Follow the prompts to enter credentials for the SSO and vCenter server.

After a successful login, select option 1 to generate certificate signing request(s) and key(s) for machine SSL certificate


You’ll then be prompted for a location to save the CSR(s) and Private Key(s).  Enter a desired location and select whether or not to reconfigure certool.cfg.  If you already have one configured, you can select no, to save some time.  Otherwise select Y and enter the appropriate values.

After the CSR is generated, select Option 2 to exit the certificate manager.

Next up, you’ll need to go to your Microsoft CA to request a certificate.

Open the CSR in a text editor and copy it into the field, add any attributes if necessary:

SAN:DNS=<FQDN>&DNS=<hostname>&DNS=<IP_Address>&IPADDRESS=<IP_Address>

After you submit the request, open the .cer in a text editor and copy that into a text editor on your VCSA.  Save the file with a meaningful name, i.e. hostname.cer

Next, you’ll need to create a signed chained cert.

You’ll need the cer that was just created, as well as any intermediate CA certs and the root cert.

For my purposes, I exported the certs from the built-in Windows certificate management console.  Selected the intermediate and root certs, and exported them. Be sure to download the cert in Base64 format.

After you have all the certs, copy them to your vCenter, and then you’ll need to create a signed chained cert in this order: <generated CA cert> <intermediate cert> <root cert>

cat certnew.cer intermediateCA.cer RootCA.cer > name_of_signing_chain.cer

After creating the chained cert, run the certificate manager again

/usr/lib/vmware-vmca/bin/certificate-manager

Select Option 1


Enter credentials for SSO and select Option 2 to import certs.

Provide the location of the generated cert, the private key as well as the chain cert.

This will take a minute or two.  After the certs are successfully imported, you’ll have a valid SSL cert for your vCenter.
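One way to check the three files before the second certificate-manager run, as an added example that is not part of the original post: it confirms the signed cert belongs to the private key from the CSR step, that the chain file is ordered signed cert, intermediate, root, and that the signatures verify up to the root. The function names and the script's argument order are illustrative, and it assumes the openssl command-line tool is available where you run it.

```shell
#!/bin/sh
# Added example (not from the original post). Needs the openssl CLI.

# Split PEM bundle $1 into $2/cert1.pem, cert2.pem, ...; print the count.
split_chain() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }
        END { print n + 0 }' "$1"
}

# Signed certificate $1 must carry the public key of private key $2,
# i.e. the key that certificate-manager saved alongside the CSR.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Bundle $1 must read signed cert, intermediate(s), root: each certificate is
# issued by the one after it, and the last one is issued by itself.
chain_in_order() {
    d=$(mktemp -d) || return 2
    n=$(split_chain "$1" "$d"); i=1; rc=0
    [ "$n" -ge 2 ] || rc=1
    while [ "$rc" -eq 0 ] && [ "$i" -le "$n" ]; do
        j=$((i + 1)); [ "$i" -eq "$n" ] && j=$i
        iss=$(openssl x509 -in "$d/cert$i.pem" -noout -issuer_hash 2>/dev/null)
        sub=$(openssl x509 -in "$d/cert$j.pem" -noout -subject_hash 2>/dev/null)
        [ -n "$iss" ] && [ "$iss" = "$sub" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$d"; return "$rc"
}

# Name order alone proves nothing about signatures: verify the first cert
# against the last one (root) using the rest of the bundle as intermediates.
chain_verifies() {
    d=$(mktemp -d) || return 2
    n=$(split_chain "$1" "$d")
    out=$(openssl verify -CAfile "$d/cert$n.pem" -untrusted "$1" "$d/cert1.pem" 2>/dev/null)
    rm -rf "$d"
    [ "$out" = "$d/cert1.pem: OK" ]
}

# Usage: sh check_certs.sh <signed cert> <private key> <chain file>
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" || echo "FAIL: cert does not match private key"
    chain_in_order "$3" || echo "FAIL: chain is not ordered cert, intermediate, root"
    chain_verifies "$3" || echo "FAIL: signatures do not verify up to the root"
fi
```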



PDQ and Windows Updates

Last year I introduced PDQ as a way to easily deploy applications to desktops. In the past, applications were either installed in the master clone, thinapp’d or manually installed by remotely connecting to the VM and installing it locally.

This is where I did a POC and proved that this was a time saver and pretty much fool proof.

In the last few months I started looking at using PDQ to install Windows patches. Preliminary tests showed that it worked well. I did look at WSUS, but was limited in terms of scheduling, and without using something like SCCM or SCOM, it would be very hard to manage. I also did not want to put up infrastructure just for patching.

PDQ pushes out Windows patches just like any other application, connects to the target, installs, and reboots, if you choose to. DONE.

However, there was no easy way to snapshot the VM. I came up with a PowerCLI script attached as a Pre-Step, however, I soon discovered that the PowerCLI script also ran on the target computer, and not on the source. One solution presented was installing PowerCLI on all server VMs. Tossed that idea out quickly as I didn’t want to install PowerCLI on all VMs, and with how the script worked, a snapshot of all VMs would occur on all VMs. So if I had 10 VMs in the script, the script would run on all 10 VMs, giving me 100 snaps in total.

After some brainstorming, I decided to have the script run as a scheduled task. If I had the patching occur at 2AM, I could have the script run at 1:58AM. Early testing showed that this worked just as expected. BINGO!

The only thing I need to make sure of is to update the server list, so the VMs scheduled for patching get snapped.

So essentially, have a scheduled task run the script 2 minutes before patch time, and then have the patch schedule run.

Hope this helps other people facing the same or similar problem



Guest OS reporting error during quiescing

My storage engineer recently approached me about a couple of VMs that were failing to back up because they could not quiesce.  We were seeing:

“An error occurred while saving the snapshot: Failed to quiesce the virtual machine.”

An open call to EMC said to run an extended Snapshot, however, that is only available starting with vSphere 6.5.  Despite that, running a manual snapshot using the vCenter MOB was successful.

Running scheduled and unscheduled backups failed with the same message.

However, after digging into the logs, I saw a very specific error message:

The guest OS has reported an error during quiescing. The error code was: 5 The error message was: ‘VssSyncStart’ operation failed: IDispatch error #8472 (0x80042318)

A quick search shows that this can be resolved in a number of ways: re-registering the VSS Components and reconfiguring VMTools.

For my purposes, re-registering the VSS Components did the trick.  Instead of running each of the following commands separately, I put them into a batch script.

cd /d %windir%\system32
net stop vss
net stop swprv
regsvr32 /s ole32.dll
regsvr32 /s oleaut32.dll
regsvr32 /s vss_ps.dll
vssvc /register
regsvr32 /s /i swprv.dll
regsvr32 /s /i eventcls.dll
regsvr32 /s es.dll
regsvr32 /s stdprov.dll
regsvr32 /s vssui.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml3.dll
regsvr32 /s msxml4.dll
vssvc /register
net start swprv
net start vss


Reusing Computer Names in a Full Clone Pool

For the few of us using Full Clones in our Horizon View environment, we’ve always run into the issue of not being able to reuse computer names like you can in a Linked Clone pool.

However, I came across a VMware KB that explains how to do this.  I’d advise you fully read the KB as it involves modifying the ADAM database.  I don’t have to tell you what can potentially happen if that gets corrupted.  So back up and/or snapshot before making changes.

So basically, you need to modify the following value in the ADAM database for the pool in question.

pae-VMNameReuseAllowed = 1

You would need to remote onto one of your connection servers and open up ADSI Edit from Administrative Tools, select the ADAM Database, go to OU=Server Groups, right click the pool in question and find the above attribute and change it to 1.

Have fun!

For reference here is the KB:

https://kb.vmware.com/s/article/2138714


ending the week on a high note

Nothing like ending the week on a high note. Been running RecoverPoint for VM for the past few weeks with lackluster results with the same level of support. Replication was painfully slow along with a UI that was severely lacking in features. However, after setting up Zerto, which took about 15 minutes or so, I was already replicating a 9.4TB VPG, with an ETA of 20h.  This same VPG in RP4VM nearly took 2 weeks to replicate.  Even after increasing the RPA resources to 8vCPU and 16GB RAM, we only ever got 11MB/sec at best.  With Zerto I’m seeing 112MB/sec constant.

Next week, I’ll have enough information to make the case to go with Zerto and drop RP4VM.


using Runonce to move VM to different OU

If you are using Horizon View and creating full clones, undoubtedly you’ve run into the issue of having the VM joining the domain but placed in the wrong OU.  To get around this you either moved it yourself, had a GPO do it, or used some VBScript.

After many searches and much trial and error, I’ve finally got it working in my environment.

In the customization specification, I have the VM join the domain using the UPN format, user@domain.com, then in the Runonce field I have the following:

cmd.exe /c dsmove -u user@domain.com cn=%computername%,cn=computers,dc=domain,dc=com -d domain.com -newparent "ou=NEW OU,dc=domain,dc=com" -p "P@ssword"

To get this to work, you’ll need to copy dsmove.exe and dsmove.exe.mui from another computer that has AD tools installed.

You’ll need to copy dsmove.exe from c:\windows\system32 and dsmove.exe.mui from c:\windows\system32\en-us and place them in the same folders on your image\template.

Please keep in mind this was tested and verified on Windows 7; other Windows versions may be different.  So please test thoroughly.

Hope this helps anyone using Horizon View using full desktops or manual pools.



multiple sVmotions via powercli

I’m currently working on a project to move our server VM infrastructure from our old VMAX3 to a new all flash VMAX 250F SAN.  So for my own sanity’s sake, and to save myself from one less Google search, below is what I used to sVmotion all VMs from the “old” LUN to the new LUN.

Get-Datastore "old-datastore" | Get-VM | Move-VM -Datastore (Get-Datastore "new-datastore")


Reclaiming Free Space

I was tasked earlier in the week to reclaim free space from VMs that have been deleted or from snapshots that have been consolidated.

What I discovered was that vSphere 5.0 to 5.5 had the ability, but it was disabled by default due to performance issues on the arrays during reclamation.  However, reclamation can still be done manually by issuing the following command:

esxcli storage vmfs unmap -l <datastore name>

What is happening here is that when a VM is either deleted, moved due to SvMotion, or snapshots deleted/consolidated, the VMFS datastore sees that space has been freed up, but this is not reported back to the array, which still holds on to that space.  So in the vCenter client, you’ll see the amount of free space available to you right away, but you’ll see the LUN reporting a different number. I think this is normally not an issue as long as your datastores don’t fill up or if you’re running alerts against the datastores and not the array.

In any case the above command reclaims the space, but depending on how big the LUN is, it can take a long time.

For example, to reclaim 50% of free space from an 8TB LUN took about 11 hours.

Good news, VMware had re-implemented the SCSI UNMAP commands in 6.5.

Please keep in mind the scsi unmap command needs to be run from the host console.



MacOS on vSphere ESXi 6.0

I recently installed MacOS High Sierra (10.13) on ESXi 6.0 for a developer I work with.  The steps I used were from a number of sources found on the InterWebs.

First off you need a Mac to download the installer. On the Mac, go to the App Store and download MacOS.  While that is downloading, you’ll need to run the Unlocker script found at insanelymac.com.  Please read the notes thoroughly, and yes, a reboot of the host is needed.

After the installer is downloaded, you will need to create the ISO. The following steps are all done on the Mac.

Mount the installer:
hdiutil attach /Applications/Install\ macOS\ High\ Sierra.app/Contents/SharedSupport/InstallESD.dmg -noverify -nobrowse -mountpoint /Volumes/install_app

Then create a blank ISO:
hdiutil create -o /tmp/HighSierra.cdr -size 7316m -layout SPUD -fs HFS+J

Then mount the blank ISO:
hdiutil attach /tmp/HighSierra.cdr.dmg -noverify -nobrowse -mountpoint /Volumes/install_build

Then restore the base image to the blank ISO:
asr restore -source /Applications/Install\ macOS\ High\ Sierra.app/Contents/SharedSupport/BaseSystem.dmg -target /Volumes/install_build -noprompt -noverify -erase

Copy the install dependencies:
cp /tmp/HighSierra.dmg /Volumes/OS\ X\ Base\ System/

Unmount the installer image:
hdiutil detach /Volumes/OS\ X\ Base\ System

Convert to ISO:
hdiutil convert /tmp/HighSierra.cdr.dmg -format UDTO -o /tmp/HighSierra.iso

Rename to .iso and place on the Desktop:
mv /tmp/HighSierra.iso.cdr ~/Desktop/HighSierra.iso

Enjoy on non Apple Hardware!


listing vms from a portgroup

I was recently asked to get a list of all VMs in a certain VLAN along with OS and IP address.  To do that…

Get-VDPortgroup "<name of port group>" | Get-VM | Get-VMGuest | Select-Object VM, IPAddress, OSFullName | Format-Table -AutoSize

If you happen to be on a standard switch, replace Get-VDPortgroup with Get-VirtualPortGroup -Name <name of portgroup>.