Category Archives: VMware Vsphere 5

Creating a template for Server 2012 R2 – Part 2

Now that our VM is created, we will install VMware Tools, upgrade the Hardware Version, and make some helpful Windows changes. If you are going to use the BGInfo program, make sure you download it first.

Finishing VMware Changes and Configuring the OS

  1. First thing we need to do is upgrade the VMware Tools on the machine. This will install critical drivers for both Network and Video and will make for a better all-around experience. Select your VM and then click “Guest” and then “Install/Upgrade VMware Tools”.
  2. Click “OK” on the window that comes up.
  3. Go back to your console screen for the VM and you should see the D: drive change to “VMware Tools”. Double click this to start the install.
  4. Click “Next” on the tools welcome screen.
  5. I used to do a custom install and removed the shared folders, but from all my reading I don’t think this is needed anymore. Choose the “Typical” radio button and then click “Next”.
  6. To continue with the install click “Install”.
  7. Click “Finish”.
  8. Click “No” when it asks for you to reboot.
  9. Instead we are going to Shut the VM down so that we can update the hardware. Select your VM in VMware then choose “VM” from the menu bar then “Power” and then “Shut Down Guest”.
  10. Once the VM is shut down, right click on it in vCenter Server and then choose “Upgrade Virtual Hardware”. The hardware version for the server will change to 9.
  11. Right click on the VM again and this time click on “Edit Settings”.
  12. Click the CD/DVD drive 1 and change the Device Type to “Client Device”.
  13. Click on the Floppy drive 1 and then click “Remove”.
  14. Click the “Options” tab, then click “Boot Options” and check the box for “Force BIOS Setup”. Click “OK”.
  15. Power on the VM again using the “Power On” button.
  16. Arrow down to “Legacy Diskette A:” and hit the + key until it says “Disabled”.
  17. Arrow to the right so that “Advanced” is highlighted. Then arrow down 4 times until “I/O Device Configuration” is highlighted and press “Enter”. Go down the list changing “Serial port A:”, “Serial port B:”, “Parallel port:”, and “Floppy disk controller” to “Disabled”.
  18. Press “ESC” twice and then press “Enter” to Exit Saving Changes. Press “Enter” again when it asks for confirmation.
  19. Logon using your administrator password that you created in part 1.
  20. I like to get the time right on the server before I do anything else. Do this by right clicking the time in the lower right corner and choose “Adjust date/time”. Click the “Change time zone” button. Make the appropriate change for your location and then click “OK”, and then “OK” again.
  21. The first thing I like to do is to rename the server and add it to the domain if needed (I try to not add it to the domain if I don’t have to). The Server Manager should open automatically for you. Click “Local Server” on the left side and then click the “Computer Name” link. Change the name, but you won’t be able to add it to the domain yet because it has not been given an IP address.
  22. Right click on the Network icon in the task bar and choose “Open Network and Sharing Center”.

  23. Click “Change adapter settings”.
  24. Click “Properties”.
  25. The default lists the following items.
  26. Click “QoS Packet Scheduler” and then click “Uninstall”. Do the same for both “Link-Layer Topology” items. QoS Packet Scheduler is not needed unless you are doing QoS at the Windows layer instead of the L2/L3 switch layer. Please read about Link Layer Topology here and determine if you want/need it in your environment – http://en.wikipedia.org/wiki/Link_Layer_Topology_Discovery

  27. Finally, uncheck “Internet Protocol Version 6 (TCP/IPv6)”. WARNING – DO NOT uninstall IPv6 as this might cause problems.

  28. The first thing we are going to do with Server Manager is to change its behavior on startup. Open up Server Manager if it is not already done. Click “Manage” and then click “Server Manager Properties”.
  29. Check the “Do not start Server Manager automatically at logon”.
  30. In Server Manager click on the “Internet Explorer Enhanced Security Configuration” and set both Administrators and Users to “Off”.
  31. Now we are going to add some important items to the desktop. From the main Server Manager Dashboard page click “Add roles and features”. Click “Next” on the Before you begin page, leave the radio button on “Role-based or feature-based installation” and click “Next”.
  32. On the Server Selection screen leave everything default and then click “Next”. Click “Next” again to bypass the Server Roles and move to “Features”.
  33. Expand both .NET Framework 3.5 and 4.5 and then check to have both installed.
  34. Next click the check box for “User Interface and Infrastructure”. This is going to allow us to add some missing desktop icons. Click “Add Features” when the required features window comes up.
  35. We use SNMP for server monitoring so I check the box for “SNMP Service” and then click “Add Features” when the required features window comes up, then click “Install”.
  36. Right click on your desktop background and click “Personalize”. Click the “Change desktop icons” link and then check the boxes for “Computer, Recycle Bin, and Control Panel”.

  37. Right click on the Desktop again, and under “View”, set icon size to “Small”, and set Auto Arrange and Sort By options according to your preference.


  38. Right click the task bar and click “Properties”.
  39. Check the box “Use small taskbar buttons”.
  40. Click on the “Navigation” tab and then check the box “When I sign in or close all apps on a screen, go to the desktop instead of Start”. I also check the boxes “Show the Apps view automatically when I go to Start” and “Search everywhere instead of just my apps when I search from the Apps view”.
  41. Create a new folder on C: called BGInfo. Place all your BGinfo files into this folder. Edit the BGInfo.bgi file if you want to customize the BGinfo settings. Create a .bat file called bginfolaunch.bat in the BGinfo folder. I have included what I have in my batch file.
  42. Right click on the start button and choose “Run”. Then type Regedit in the open box.
  43. Adding the following entry to the registry will cause BGInfo to refresh automatically every time you log on to the server. Add a reg key (string value) called BGInfo with the value of C:\BGInfo\bginfolaunch to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

  44. Right click on the start button again and this time choose “Control Panel”. Change the view to “Small Icons”. Click on “Power Options”.
  45. Change the power settings to “High performance”. And then click “Change plan settings”. Set both “Turn off the display” and “Put the computer to sleep” to “Never”.

  46. Right click on the PowerShell icon and then select “Run as Administrator”. Type powercfg -h off and press “Enter”.
  47. Click “File Explorer” on the task bar. Click “View” then “Options” and then “Change folder and search options”.
  48. Check “Display the full path in the title bar area” and click the radio button for “Show hidden files, folders, and drives”. Uncheck “Hide protected operating system files”.
  49. Right click the start button and click “Run”. Type gpedit.msc in the run box. When the group policy window comes up go to Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options. Set “User Account Control: Run all administrators in Admin Approval Mode” to disabled.

  50. Then change “User Account Control: Behavior of the elevation prompt for administrators” to Elevate without prompting.
  51. The final thing is to include Logoff and Disk Manager Icons on the desktop. Create them and place them in C:\Users\Public\Desktop.
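Most of the steps above are registry values, Windows features and powercfg settings, so they can be applied in one pass and then audited before the VM is converted to a template. The script below is an added example, not part of the original post or of any VMware/Microsoft tooling. It assumes an elevated PowerShell session on the Server 2012 R2 template, that the Run value points at the .bat file from step 41 (the post writes the value without an extension), and it uses Desktop-Experience as the concrete feature behind “User Interface and Infrastructure”; the rename, time zone and domain steps stay in the GUI, and the two UAC values from steps 49 and 50 are only reported, not changed.

```powershell
# Added example (not from the original post): applies the registry, feature and
# power settings from the steps above in one pass, then audits the result.
# Assumptions: elevated PowerShell on the Server 2012 R2 template; $BgInfoDir,
# the .bat extension on the Run value and the feature list are this example's choices.
$ErrorActionPreference = 'Stop'
$BgInfoDir = 'C:\BGInfo'   # folder created in step 41

# Steps 28-29: Server Manager must not open at logon.
New-Item -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager' -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager' `
    -Name DoNotOpenServerManagerAtLogon -Value 1 -Type DWord

# Step 30: IE Enhanced Security Configuration off for Administrators and Users.
$iescAdmins = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$iescUsers  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
Set-ItemProperty -Path $iescAdmins -Name IsInstalled -Value 0 -Type DWord
Set-ItemProperty -Path $iescUsers  -Name IsInstalled -Value 0 -Type DWord

# Steps 31-35: .NET 3.5 and 4.5, Desktop Experience (assumed here to be the
# "User Interface and Infrastructure" item that brings back the desktop icons) and SNMP.
# NET-Framework-Core needs -Source <media>\sources\sxs if its payload was removed.
Install-WindowsFeature -Name NET-Framework-Core, NET-Framework-45-Core, `
    Desktop-Experience, SNMP-Service -IncludeManagementTools

# Steps 26-27: remove QoS Packet Scheduler and both Link-Layer Topology items,
# then unbind (not uninstall) IPv6 from every physical adapter.
netcfg.exe -u ms_pacer
netcfg.exe -u ms_lltdio
netcfg.exe -u ms_rspndr
Get-NetAdapter -Physical | Disable-NetAdapterBinding -ComponentID ms_tcpip6

# Step 43: BGInfo refresh at every logon via the machine-wide Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Set-ItemProperty -Path $runKey -Name BGInfo -Value (Join-Path $BgInfoDir 'bginfolaunch.bat') -Type String

# Steps 44-46: High performance plan, no display/sleep timeouts, hibernation off.
powercfg.exe -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
powercfg.exe -change -monitor-timeout-ac 0
powercfg.exe -change -standby-timeout-ac 0
powercfg.exe -h off

# Steps 39 and 48: small taskbar buttons, full path in the title bar, show hidden
# and protected OS files. These are per-user keys, so they apply to the account
# running the script (the template's local administrator).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name TaskbarSmallIcons -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name Hidden -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
$cab = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState'
New-Item -Path $cab -Force | Out-Null
Set-ItemProperty -Path $cab -Name FullPath -Value 1 -Type DWord

# Audit: report the resulting state, including the two UAC values touched in
# steps 49-50, so the template can be reviewed before it is converted.
function Get-TemplateConfigReport {
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        ServerManagerAutostartOff = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ServerManager').DoNotOpenServerManagerAtLogon -eq 1
        IPv6BoundAdapters         = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled).Count
        BGInfoRunValue            = (Get-ItemProperty $runKey).BGInfo
        ActivePowerScheme         = (powercfg.exe -getactivescheme)
        HibernateFilePresent      = Test-Path 'C:\hiberfil.sys'
        UAC_EnableLUA             = $uac.EnableLUA
        UAC_ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
        MissingFeatures           = @(Get-WindowsFeature NET-Framework-Core, NET-Framework-45-Core, Desktop-Experience, SNMP-Service |
                                      Where-Object { -not $_.Installed } | Select-Object -ExpandProperty Name)
    }
}

Get-TemplateConfigReport | Format-List
```

Desktop-Experience requires a reboot before the icon options from step 36 appear, so run the report again after the restart; IPv6BoundAdapters should read 0 and MissingFeatures should be empty when the template is ready.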

Creating a template for Server 2012 R2 – Part 1

I have borrowed items from http://www.boche.net/blog/index.php/2012/08/16/microsoft-windows-server-2012-tips/ to create this post. I encourage you to take a moment to check out that post.

This is the step by step document that I used to build my 2012 and 2012 R2 VMs.

VM values will start at:

Hardware: Value:
Memory 4 GB
CPU’s 1
Video card Auto-detect video settings
VMCI device None
SCSI Controller 0 VMware Paravirtual
Hard disk 1 40 GB, Thin
CD/DVD Drive 1 Client Device
Floppy Drive 1 Removed (when done)
Network Adapter 1 VMXNET3
General Options OS: Microsoft Windows Server 2012 and 2012 R2
VMware Tools Default Settings
Virtual Machine Version 9

Creating the VM

  1. In vCenter click “File” then “New” then “Virtual Machine”
  2. Choose the “Custom” radio button and then “Next”.
  3. Name the VM and choose the folder location.
  4. Choose the datastore for the VM and then click “Next”.
  5. Make sure that the “Virtual Machine Version: 8” radio button is selected. (5.1 is using version 9 so I am not sure why this can’t be selected here. We will change this later.)
  6. Select the “Windows” radio button and then choose “Microsoft Windows Server 2012 (64-bit)”.
  7. Take the default of 1 virtual socket and 1 core per virtual socket.
  8. Take the default of 4GB memory and click “Next”
  9. Choose your Network and change the adapter to “VMXNET 3” then click “Next”.
  10. Change the SCSI controller to “VMware Paravirtual” and then click “Next”.
  11. Select the “Create new virtual disk” radio button and then “Next”.
  12. Take the default of 40GB and click “Next”.
  13. Take the default virtual device node. For the system partition you want this to be SCSI 0:0. Click “Next”.
  14. On the summary screen click the “Edit the virtual machine settings before completion” box and then click “Continue”.
  15. Click on the Video Card and then change the radio button to “Auto-detect settings”.
  16. Click on the CD/DVD and then choose the datastore location that you have the 2012 R2 install ISO. Make sure under Device Status that “Connect at power on” is checked. Now click “Finish”.
  17. Right click on your newly created VM and click “Edit Settings”.
  18. Click on the Floppy drive 1 and choose the “Use existing floppy image in datastore” radio button. Then click “Browse”. At the bottom of the datastores you should see a folder called “vmimages”. Double click this folder. (For some reason until the VM is created this folder does not show up and that is why we had to create the VM and then go back into the settings to change this).
  19. Double click on the “floppies” folder.
  20. Choose the “pvscsi-Windows2008.flp” and then “OK”.
  21. The Floppy drive 1 settings should look like this and then click “OK”.
  22. On the list of VMs click the one you are building and then click the “Power On” button.
  23. Now click the “Open Console” button.
  24. The VM should boot into the 2012 R2 setup screen. Choose your language and then “Next”.
  25. Click “Install”.
  26. Choose the version of server that you are using. We use the Datacenter here. Then click “Next”.
  27. Agree to give up your first born to Microsoft by clicking the “I accept the license terms” box and then click “Next”.
  28. Choose “Custom: Install Windows only (advanced)”.
  29. Uh oh, there is no location to install Windows. Luckily you configured the floppy drive 1 earlier right? Click the “Load Driver” button.
  30. Click “Browse”.
  31. Look for the Floppy Disk Drive and then double click “amd64”.
  32. Select the “VMware PVSCSI Controller (A:\amd64\pvscsi.inf)” and click “Next”.
  33. Hey look there is our drive!! Click “Next”.
  34. Windows should now be installing.
  35. Enter a password for your admin account. Do not lose this password!
  36. You should have the login screen now.
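The same VM can be built from the table at the top of this post with PowerCLI instead of the wizard, which also makes the odd ordering in steps 17 to 21 go away because the floppy image path is set directly. This is an added example and not part of the original post or of VMware's documentation; the host, datastore, port group, ISO path and VM name are placeholders, the PowerCLI 5.x cmdlets are assumed, and the `[] /vmimages/floppies/...` datastore-path form for the driver floppy is an assumption about how the vmimages folder is addressed.

```powershell
# Added example (not from the original post): builds the template VM from the
# spec table with PowerCLI. Placeholders: $VMName, $VMHost, $Datastore, $Network,
# $IsoPath. Run Connect-VIServer against vCenter first.
$VMName    = 'TEMPLATE-2012R2'                      # placeholder
$VMHost    = Get-VMHost -Name 'esxi01.domain.loc'   # placeholder
$Datastore = Get-Datastore -Name 'datastore1'       # placeholder
$Network   = 'VM Network'                           # placeholder port group
$IsoPath   = '[datastore1] ISO/Server2012R2.iso'    # placeholder install ISO
$FloppyImg = '[] /vmimages/floppies/pvscsi-Windows2008.flp'   # assumed vmimages path (steps 18-20)

# Steps 1-14: version 8 VM, 1 vCPU, 4 GB, 40 GB thin disk on SCSI 0:0, 2012 guest type.
$vm = New-VM -Name $VMName -VMHost $VMHost -Datastore $Datastore `
    -Version v8 -NumCpu 1 -MemoryGB 4 -DiskGB 40 -DiskStorageFormat Thin `
    -NetworkName $Network -GuestId windows8Server64Guest -CD -Floppy

# Steps 9-10: VMXNET3 adapter and PVSCSI controller (the reason the driver floppy is needed).
Get-NetworkAdapter -VM $vm | Set-NetworkAdapter -Type Vmxnet3 -Confirm:$false | Out-Null
Get-ScsiController -VM $vm | Set-ScsiController -Type ParaVirtual | Out-Null

# Step 16: installation ISO, connected at power on.
Get-CDDrive -VM $vm | Set-CDDrive -IsoPath $IsoPath -StartConnected:$true -Confirm:$false | Out-Null

# Steps 17-21: PVSCSI driver floppy from the vmimages folder.
Get-FloppyDrive -VM $vm | Set-FloppyDrive -FloppyImagePath $FloppyImg -StartConnected:$true -Confirm:$false | Out-Null

# Step 15: there is no cmdlet for "Auto-detect settings", so edit the video card device spec.
$video = $vm.ExtensionData.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualMachineVideoCard] }
$video.UseAutoDetect = $true
$change = New-Object VMware.Vim.VirtualDeviceConfigSpec
$change.Operation = 'edit'
$change.Device = $video
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.DeviceChange = @($change)
$vm.ExtensionData.ReconfigVM($spec)

# Step 22: power on; open the console from the client to run Windows setup (steps 24-36).
Start-VM -VM $vm | Out-Null

# Compare the result against the spec table at the top of the post.
function Get-TemplateVMSummary ($vm) {
    $vm = Get-VM -Name $vm.Name
    $disk = Get-HardDisk -VM $vm | Select-Object -First 1
    [pscustomobject]@{
        Version    = $vm.Version
        CPU        = $vm.NumCpu
        MemoryGB   = $vm.MemoryGB
        DiskGB     = $disk.CapacityGB
        DiskFormat = $disk.StorageFormat
        NIC        = (Get-NetworkAdapter -VM $vm).Type
        SCSI       = (Get-ScsiController -VM $vm).Type
        Floppy     = (Get-FloppyDrive -VM $vm).FloppyImagePath
        GuestId    = $vm.ExtensionData.Config.GuestId
    }
}
Get-TemplateVMSummary $vm
```

The hardware upgrade to version 9 that Part 2 does through “Upgrade Virtual Hardware” is `Set-VM -VM $vm -Version v9` once the guest is shut down, and the floppy is removed afterwards with `Get-FloppyDrive -VM $vm | Remove-FloppyDrive`.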

Installing APC Network Shutdown for ESXi – Part 3

In Part 3 we are going to install Powerchute Network Shutdown on the OVA that we deployed, then we are going to configure it to shut down the VMs in case of a problem.

  • See APC pdf FA159776. Open Putty.exe, insert the name or IP of the VMA you just deployed, and then click “Open“. Click “Yes” if you get a security alert. Login with vi-admin and your password that you set earlier.
  • Create a temp directory in opt using the command (You will be prompted for the vi-admin password): sudo mkdir /opt/temp
  • Next we need to change the permissions to this temp directory: sudo chmod 777 /opt/temp
  • Now to check the permissions: ls -la /opt The permissions should now read drwxrwxrwx
  • Now using WINSCP we need to transfer the .tar.gz file that we downloaded earlier up to the ESXi host. Enter the appropriate information and then click “Login“. Click “Yes” or “Proceed” if prompted with a security warning.
  • Check the “Never show this banner again” box and then click “Continue“. You should now see a screen with two windows. The window on the left is your local computer and the screen on the right is the VMA. Navigate on the left window until you find the .tar.gz file.
  • In the right window, open the drop down where it says “vi-admin“ and change it to /<root>. Then navigate to “opt–>temp“.
  • Drag the .tar.gz file from the left window to the right window. Click “Copy” when prompted.
  • Verify that the file has been copied successfully.
  • Now go back to Putty.exe and we are going to uncompress the file. The commands are: gunzip pcnsname.tar.gz then: tar -xvf pcnsname.tar
  • Use the ls -la command and you should see a new ESXi folder. Use the command cd ESXi to change to this folder.
  • List the contents of ESXi with the ls -la command. We need to change the permissions for the installation file: sudo chmod 777 install_en.sh
    Now do another ls -la to see that the permissions have changed to rwxrwxrwx.
  • Now we are ready to install PCNS. Use the command: sudo ./install_en.sh
    Press “Enter” and then use the “z” key to scroll to the end of the agreement. If you agree then type “yes” and then press “Enter“.
  • Accept the default installation path (or insert a different one if you prefer). Press “Enter“. Type “yes” and “Enter” that you are sure about the path.
  • Take the default for the java directory. Press “Enter“.
  • Next the installation looks for the ESXi host that will be shut down. First add the IP of the host and then it will ask for the username and password for the host to make this change.  Update:  Almost all of the deployments failed to add the ESXi host here, so I would choose “q” to skip and then at the command line do: sudo vifp addserver <hostname/ IP address of ESXi host>
  • Verify that the server has been added with the command: vifp listservers
  • To ensure Powerchute can shut down the VMs on the host, we need to add the ESXi host to the fastpass. Use the command: vifptarget -s <server name or ipaddress>
    Now type the command: vicfg-nics -l
    You should see a list of nics on the ESXi host.
  • Once the server has been added you should be able to open a browser and go to the Powerchute configuration wizard: https://vmahostnameorip:6547
  • Click “Next” and you should see the Configuration Wizard: Security page. Insert the username and password and the authentication phrase. This must match the card in your APC device. By default this is apc/apc with the passphrase: “admin user phrase” then click “Next“.
  • On the UPS Electrical Configuration page choose the correct configuration for your company and then click “Next“.
  • On the UPS Details page choose the protocol, port, and IP for the APC network card.
  • On the Miscellaneous page check the box for “Automatically check for updates to PCNS” and then click “Next“.
  • Confirm the details and then click “Apply“.
  • Hopefully you see that the computer is now protected. Click “Next“.
  • You should now see that the wizard is complete, now click “Finish”.
  • You will now see the main page for the Network Shutdown. Click “Configure Events” and then click the check box for “Shutdown System” on “UPS: On Battery“.
  • The “Shut Down Operating System” page will display. Input 300 into “Shut down the PCNS operating system only when the event lasts this long (seconds)”.
  • Finally, we need to set up the virtual machine shutdown options on the ESXi host. Open the vSphere Client, select the host, and then choose the “Configuration” tab. Under the “Software” pane click on “Virtual Machine Startup/Shutdown“.
  • In the top right corner click “Properties“. Click the box “Allow virtual machines to start and stop automatically with the system“. Set the shutdown delay (120 default) and then set the shutdown action to “Guest Shutdown“.
  • Leaving VMs under the Manual startup will make it so when the host turns back on, the VMs will not start up by themselves. Usually you want to make sure power is restored and stable before bringing up VMs. You can change your VMs to start automatically if you really wanted to. 
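The last three steps are the part PCNS depends on when it tells the host to shut down, so they are worth setting and checking from PowerCLI rather than the Configuration tab. This is an added example, not part of the original post or of APC's documentation; the host name is a placeholder and the PowerCLI start-policy cmdlets are assumed to be available (PowerCLI 5.x).

```powershell
# Added example (not from the original post): host-level VM startup/shutdown
# policy from the last three steps, plus a report of what a host shutdown will
# actually do to each VM. $HostName is a placeholder.
$HostName = 'esxi01.domain.loc'   # placeholder
$esx = Get-VMHost -Name $HostName

# "Allow virtual machines to start and stop automatically with the system",
# 120 second shutdown delay, Guest Shutdown action.
Get-VMHostStartPolicy -VMHost $esx |
    Set-VMHostStartPolicy -Enabled $true -StopAction GuestShutdown -StopDelay 120 | Out-Null

# Keep every VM on the host at Manual so nothing powers on until power is stable.
Get-VM -Location $esx | Get-VMStartPolicy |
    Where-Object { $_.StartAction -ne 'None' } |
    Set-VMStartPolicy -StartAction None | Out-Null

# Guest Shutdown needs VMware Tools inside the guest; a VM without running Tools
# is simply powered off when the delay expires, so list those separately.
function Get-HostShutdownReport ($esx) {
    $policy = Get-VMHostStartPolicy -VMHost $esx
    $vms = Get-VM -Location $esx
    [pscustomobject]@{
        Host               = $esx.Name
        AutoStartEnabled   = $policy.Enabled
        StopAction         = $policy.StopAction
        StopDelaySeconds   = $policy.StopDelay
        VMsWithoutTools    = @($vms | Where-Object { $_.ExtensionData.Guest.ToolsRunningStatus -ne 'guestToolsRunning' } |
                               Select-Object -ExpandProperty Name)
        VMsSetToAutoStart  = @($vms | Get-VMStartPolicy | Where-Object { $_.StartAction -ne 'None' } |
                               ForEach-Object { $_.VM.Name })
    }
}
Get-HostShutdownReport $esx
```

VMsSetToAutoStart should come back empty to match the manual-startup behaviour described above, and anything listed under VMsWithoutTools will not get a clean guest shutdown from PCNS.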

THAT’S IT!!

Installing APC Network Shutdown for ESXi – Part 2

In Part 2 we are going to configure the OVA that we just deployed

  • Click on your new VMA and then click the “Open Console” button.
  • There should be a Network Configuration menu. I have found that if I set the gateway first it will not save when I set the IP, so I am going to set that last. Choose option “3” to set the hostname.
  • Make your hostname match your VM name.
  • Select option “4” to set the DNS servers. Type the appropriate primary (Server 1) DNS IP and then press “Enter“. If used, also add your secondary (Server 2) DNS IP and press “Enter” again.
  • Select option “6” to set the IP for eth0. I only use IPv4 so type “n” to not configure IPv6, then “y” to configure IPv4, and then “n” to not use DHCP. Type the IP and Subnet for your VMA and then “y” to confirm it is correct.
  • Now I set the Gateway. Choose option “2” and then press “Enter” to set the gateway for eth0. Type the IP of your IPv4 Default Gateway and then press “Enter“. Press “Enter” again to skip the gateway for IPv6.
  • Choose option “1” to “Exit this program“. This will boot the VMA with the network settings that we just configured.
  • Next the VMA will ask for the old password for the vi-admin account. Press “Enter” for the Old Password. Then type your new password and press “Enter”, retype it when prompted, and press “Enter” again.
  • The VMA should boot and you should see the following screen. Browse to https://VMA-IP:5480 to verify connectivity.

Great, now you have configured the new VMA, it is now time to install Powerchute in Part 3.

Installing APC Network Shutdown for ESXi – Part 1

Preparation:

  • Create a password for the vi-admin account.
  • Download VMA OVA from VMware.
  • Download the Powerchute Network Shutdown for ESXi from www.apc.com. The most current version at the time of writing this is v3.0.1.
  • Download and install putty.exe.
  • Install WinSCP on your local machine. This will be used to put the tar.gz file that you just downloaded from APC on your ESXi host.
  • Make sure the vSphere Client is installed on your machine.

Installation:

  • On your vCenter server click “File–>Deploy OVF Template“. Choose the location of your ovf. Click “Next“.
  • Verify the details and click “Next“.
  • Click “Accept” and then “Next“.
  • Name your VM and then choose the inventory location for the VM. Click “Next“.
  • Choose the host you wish to deploy to and then click “Next“.
  • We don’t use resource pools. Select the top level cluster and then click “Next“.
  • Select the datastore to deploy the VM to and then click “Next“.
  • I prefer thin provisioning…especially for the VMA’s. Click the “Thin Provisioning” radio button and then click “Next“.
  • Choose the appropriate source network and destination network and then click “Next“.
  • Choose the “Fixed” radio button and then click “Next“.
  • Enter the IP address for the new VMA and then click “Next“.
  • Verify all of the settings, click the “Power on after deployment” box, and then click “Finish“.
  • You will see the OVF start to deploy.

Everything look good? Proceed to Part 2

Part 2 — vCenter 5.1 U1 — Creating and installing SSL certs for SSO.

Installing Certificates with the VMware SSL Certificate Automation Tool

  1. From an administrative prompt run c:\vmwarecerttool\ssl-environment.bat.  This is important because it sets the variables that we edited early on.
  2. Next run c:\vmwarecerttool\ssl-updater.bat
  3. At this point backup all VMware Databases (VCDB, RSA, and VCU).  Also take a VMware snapshot of the three VMware VMs.
  4. Select Option 1 and then Option 8.  Print out the Detailed Plan.
  5. Press 9 to go back to the main menu and then choose option 3, “Update Single Sign-on”.  Say a huge prayer and then press 1 to “Update the Single Sign-on SSL Certificate.  You will be prompted for the Single Sign-on master password.  Did you remember to write down your single sign-on master password?  You will need this many times during this install.

    Hopefully it was successful…
  6. Switch to the vCenter Inventory Service Server.  From an administrative prompt run c:\vmwarecerttool\ssl-environment.bat and then c:\vmwarecerttool\ssl-updater.bat.  Select Option 4 “Update Inventory Service” and then option 1 “Update the Inventory Service Trust to Single Sign-On.
  7. Select option 3, “Update the Inventory Service SSL Certificate”.  You will be prompted for the SSO admin password.
  8. Login to the vCenter Server.  From an administrative prompt run c:\vmwarecerttool\ssl-environment.bat and then run c:\vmwarecerttool\ssl-updater.bat.  Choose option 5, “Update vCenter Server” and then option 1, “Update the vCenter Server Trust to Single Sign-On”.
  9. Make sure that you created an administrator account within vCenter to use for this install.  This will be needed for the next step!
  10. Select option 2, “Update the vCenter Server SSL Certificate”.  You will need the passwords for your vcenter administrator, SSO admin, and the vCenter system database password.
  11. Next, select option 3, “Update the vCenter Server Trust to the Inventory Service”.
  12. Go back to the Inventory Service Server and choose option 2, “Update the Inventory Service Trust to vCenter Server”.

  13. Switch again to the vCenter Server and select option 5 to get to the main menu, and then option 6, “Update vCenter Orchestrator (vCO)”.  Select option 1, “Update the vCenter Orchestrator Trust to Single Sign-On”.
  14. Select option 2, “Update the vCenter Orchestrator Trust to Single Sign-On”.
  15. Select option 3, “Update the vCenter Orchestrator (vCO) SSL Certificate”.
  16. Select option 5 to go back to the main menu.  Select option 7, “Update vSphere Web Client and Log Browser”.  Now select option 1, “Update the Web Client Trust to Single Sign-On”.  You will be prompted for the SSO admin password.
  17. Now choose option 2, “Update the Web Client Trust to Inventory Service”.
  18. Continue with option 3, “Update the Web Client Trust to vCenter Server”.
  19. Next choose option 4, “Update the Web Client SSL Certificate”.  You will be prompted for the SSO admin password.
  20. Continue by selecting option 5, “Update the Log Browser Trust to Single Sign-On”.  This will ask you for the SSO admin password.

The last item for the certification tool is to choose option 6, “Update the Log Browser SSL Certificate”.  This will ask you for the SSO admin password.

Updating VUM SSL Certificate

  1. Backup all the files in the directory below.  Copy the rui.key, rui.crt, and rui.pfx files from the c:\certs\vum directory to c:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL
  2. Stop the VMware vSphere Update Manager Service.
  3. In the C:\Program Files (x86)\VMware\Infrastructure\Update Manager directory launch the VMwareUpdateManagerUtility.exe application.
  4. Login to the vCenter server using proper credentials.
  5. Click on the SSL Certificate option on the left side then check the box on the right side and click Apply.
  6. If all goes well you should see the window below.  Restart the service as directed.
    Go Back to Part 1
    https://favoritevmguy.wordpress.com/2013/06/17/part-1-vcenter-5-1-u1-creating-and-installing-ssl-certs-for-sso/


Part 1 — vCenter 5.1 U1 — Creating and installing SSL certs for SSO.

There is a lot of information out there for installing vCenter 5.1, but the information is lacking for getting SSL certs working properly.  I first want to thank Derek Seaman over at www.derekseaman.com for his posts regarding what to do.  I have tried to shorten this a little bit for my own recollection.  Here is what I did to get SSL certs working.

Preparation

  1. Make sure you have installed the SSO Server, Inventory Service Server, and vCenter Server.  I used three separate machines for my environment, but you can use just one if you wanted to.
  2. Download and install the Visual C++ 2008 Redistributables (x64) and Win64 OpenSSL v0.9y from http://slproweb.com/products/Win32OpenSSL.html on your SSO server.
    Create a c:\certs folder on the SSO server with one subfolder per component; the subfolder names are the ones used in the ssl-environment.bat paths under Creating Certificates below.
  3. Download the SSL Certificate Automation Tool from https://my.vmware.com/group/vmware/get-download?downloadGroup=SSL-TOOL-10.  Unzip this to c:\vmwarecerttool folder.
  4. Following Derek Seaman’s blog post http://www.derekseaman.com/2012/09/create-vmware-windows-ca-certificate.html , create a VMware-SSL template on your CA server.
  5. You will need the following information during the install:

SSO Administrator
Username: admin@System-Domain
Password:

vCenter Administrator
Username:
Password:

Original Database Password

Creating Certificates

1.  Edit the ssl-environment.bat file located in c:\vmwarecerttool and fill in the appropriate information:

set sso_cert_chain=c:\certs\sso\chain.pem
set sso_private_key=c:\certs\sso\rui.key
set sso_node_type=single
set sso_admin_is_behind_lb=no

set is_cert_chain=c:\certs\inventory\chain.pem
set is_private_key_new=c:\certs\inventory\rui.key

set vc_cert_chain=c:\certs\vCenter\chain.pem
set vc_private_key=c:\certs\vCenter\rui.key

set ngc_cert_chain=c:\certs\WebClient\chain.pem
set ngc_private_key=c:\certs\WebClient\rui.key

set logbrowser_cert_chain=c:\certs\LogBrowser\chain.pem
set logbrowser_private_key=c:\certs\LogBrowser\rui.key

set vco_cert_chain=c:\certs\Orchestrator\chain.pem
set vco_private_key=c:\certs\Orchestrator\rui.key

set vum_cert_chain=c:\certs\UpdateManager\chain.pem
set vum_private_key=c:\certs\UpdateManager\rui.key

set sso_admin_user=admin@system-domain
set vc_username=corp\vminstaller

2.  Next, create the following configuration files in their respective folders.  Make sure that you name the files correctly.  Do not include the .cfg filename in the .cfg file.  I have done this…  Do not change the organizationalUnitName!  I have created an example of the Inventory.cfg.  I got these from http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html .

EXAMPLE: Inventory.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:VCINV1, DNS:VCINV1.DOMAIN.LOC

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Missouri
localityName = Saint Louis
0.organizationName = IT
organizationalUnitName = vCenterInventoryService
commonName = VCINV1.DOMAIN.LOC


Inventory.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your Inventory Server), DNS:(FQDN of your Inventory Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterInventoryService
commonName = (FQDN of your Inventory Server)

SSO.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your SSO Server), DNS:(FQDN of your SSO Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterSSO
commonName = (FQDN of your SSO Server)

vCenter.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterServer
commonName = (FQDN of your vCenter Server)

WebClient.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterWebClient
commonName = (FQDN of your vCenter Server)

VUM.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = VMwareUpdateManager
commonName = (FQDN of your vCenter Server)

LogBrowser.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterLogBrowser
commonName = (FQDN of your vCenter Server)

Orchestrator.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = VMwareOrchestrator
commonName = (FQDN of your vCenter Server)

3.  You should now have one configuration file in each of the certificate folders you created earlier.  Next, we need to pull down the root certificate.  I am using a Microsoft CA, so that is the only example I can give.  Open a browser and go to https://yourcaserver/certsrv/ (substitute the name of your own CA server).  Click on Download a CA certificate, certificate chain or CRL.  Change the encoding method to Base 64 and click Download CA certificate chain.  Change the file name to cachain.p7b.

4.  Double click on the downloaded certificate, then locate the certificate in the console.  If you have more than one certificate in the console, skip to step 5 below.  If you have just one certificate, right click on it and select All Tasks -> Export.  Select Base-64 encoded and save the certificate with a filename of Root64.cer in the root of the Certs directory.

Notice that I have a root CA and a Subordinate CA

5.  If you have a root and an intermediate CA (two or more certs in the console), you have some extra work.  Export each certificate from the console as Base-64 and save each one to a different file (e.g. Root64-1.cer and Root64-2.cer).  You MUST save your Root CA as Root64-1.cer and the intermediate CA as Root64-2.cer.

6.  We also need a concatenated file of the CAs (Root64.cer) in reverse order.  Reverse order means the root is at the bottom of the file and the subordinate CA is at the top.  From an administrative command prompt in the c:\certs folder run (the /B switch keeps copy from appending an end-of-file character to the combined file):
copy /B Root64-2.cer+Root64-1.cer Root64.cer

7.  Create a batch file in c:\certs called create_csr.bat.  Paste the following into this file:

Set OpenSSL_BIN=c:\OpenSSL\bin\openssl.exe
Set Cert_Path=C:\Certs

CD /d %Cert_Path%\vcenter\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config vcenter.cfg

CD /d %Cert_Path%\Inventory\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config inventory.cfg

CD /d %Cert_Path%\SSO\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config SSO.cfg

CD /d %Cert_Path%\UpdateManager\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config VUM.cfg

CD /d %Cert_Path%\webclient\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config webclient.cfg

CD /d %Cert_Path%\LogBrowser\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config LogBrowser.cfg

CD /d %Cert_Path%\Orchestrator\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config Orchestrator.cfg

8.  Open an administrative command prompt and then browse to c:\certs.  Run create_csr.bat.  This will create two files (rui.key and rui.csr) in each of the cert folders.  If the files are not created, check the configuration files that you created earlier.

Example: Inventory Folder

9.  Now it is time to mint the certificates using those two files.  Under c:\certs create another batch file, this time called vCenter5.1_CertRequest.bat.  Paste in the following and make sure that you change the Certificate Authority Name.  This batch file comes from http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html .

:: Script to request vCenter 5.1 SSL certificates from a Microsoft CA
:: Modify these variables for your paths and CA information
:: Place your root64-1.cer and root64-2.cer (if using an intermediate CA)
:: in the Cert_Path directory. OpenSSL config files must already exist.
:: Also creates the chain.pem files for the VMware Certificate automation tool
::
:: Written by Derek Seaman, derekseaman.com
::

:: Certificate Authority Template name
Set Cert_Template=VMware-SSL

:: Certificate Authority Name
Set CA_Name=D001DC01\Contoso-D001DC01-CA
:: Path to OpenSSL
set OPENSSL_CONF=c:\OpenSSL\bin\openssl.cfg
Set OpenSSL_BIN=c:\OpenSSL\bin\openssl.exe

:: Path to your vcenter services directory with the config files
Set Cert_Path=C:\certs

:: Do not change anything below here
Set Root_CA_Cert=%Cert_Path%\Root64-1.cer
Set Sub_CA_Cert=%Cert_Path%\Root64-2.cer
Set CA_Chain=%Cert_Path%\Root.cer

:: With an intermediate CA, build the chain sub-then-root (binary copy, no EOF marker)
if exist %Sub_CA_Cert% (
Set CA_Cert_Chain=%CA_Chain%
copy /B %Sub_CA_Cert% + %Root_CA_Cert% %CA_Chain%
) Else (
Set CA_Cert_Chain=%Cert_Path%\root64.cer
)

CD /d %Cert_Path%\vcenter
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config vcenter.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\Inventory
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config inventory.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\SSO
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config SSO.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\UpdateManager
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config VUM.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\webclient
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config webclient.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\LogBrowser
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config LogBrowser.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\Orchestrator
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config Orchestrator.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

You should see a bunch of messages like this:

All of the certs folders should now contain some new files:

10.  Copy the c:\certs and c:\vmwarecerttool folders from the SSO server to both the Inventory and vCenter Server.  Part 2 will fail if you forget to do this.

Continue on with part 2.  https://favoritevmguy.wordpress.com/2013/06/17/part-2-vcenter-5-1-u1-creating-and-installing-ssl-certs-for-sso

Can’t power off/on a VM — VM is stuck

We had an issue the other day with our filers, and because of it some of our machines orphaned themselves and VMware didn’t know what to do with them.  If I tried to power off the machine I would get this error:


Basically, I don’t even think the machine was on, but my vCenter server showed it as being powered on.  Luckily I found a KB article that deals with this.    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014165.

SSH into the host that the VM is said to be running from.  Then run the command:

esxcli vm process list

This gives you a list of all the running VMs; the important piece you want is the World ID.  Copy that, and then run the command:

esxcli vm process kill --type=[soft,hard,force] --world-id=WorldNumber

Note: Three power-off methods are available. Soft is the most graceful, hard performs an immediate shutdown, and force should be used as a last resort.

As you can see, I ran this command and it killed the VM.  After doing this, I was able to power on the VM without issue.  I used soft and it worked.
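An added helper, not from the original post, that scripts the two esxcli steps above: ParseProcessList turns the process list into a Display Name to World ID map, and KillCommand builds the kill line only for a VM that actually appears in that list, so a mistyped name cannot produce a command aimed at a healthy VM's world. The sample output is constructed to match the usual layout of the list (an assumption; compare it with your host's output).

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the layout "esxcli vm process list" prints: VM name, then indented fields (layout assumed).
const sampleProcessList = `stuck-vm01
   World ID: 2100152
   Display Name: stuck-vm01
   Config File: /vmfs/volumes/datastore1/stuck-vm01/stuck-vm01.vmx
other-vm
   World ID: 2100377
   Display Name: other-vm
   Config File: /vmfs/volumes/datastore1/other-vm/other-vm.vmx
`
// ParseProcessList maps each Display Name to its World ID; one unindented header per VM.
func ParseProcessList(out string) map[string]string {
	worlds, fields := map[string]string{}, map[string]string{}
	flush := func() {
		if id, name := fields["World ID"], fields["Display Name"]; id != "" && name != "" {
			worlds[name] = id
		}
		fields = map[string]string{}
	}
	for _, line := range strings.Split(out, "\n") {
		if !strings.HasPrefix(line, " ") { // unindented line starts the next VM block
			flush()
			continue
		}
		if key, val, ok := strings.Cut(strings.TrimSpace(line), ": "); ok {
			fields[key] = val
		}
	}
	flush()
	return worlds
}
// KillCommand builds the kill line for one named VM. A name missing from the list is
// refused so a typo can never target a healthy VM's world; start with soft, then escalate.
func KillCommand(worlds map[string]string, name, killType string) (string, error) {
	id, ok := worlds[name]
	if !ok {
		return "", fmt.Errorf("no running world for VM %q", name)
	}
	if killType != "soft" && killType != "hard" && killType != "force" {
		return "", fmt.Errorf("kill type must be soft, hard or force, got %q", killType)
	}
	return fmt.Sprintf("esxcli vm process kill --type=%s --world-id=%s", killType, id), nil
}
```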


That’s all I have for today.

Storage Vmotion Problem

We have two vCenter servers that are in linked mode.  After upgrading to vSphere 5 I have been having problems deploying machines.  I get this error:


Strange, right?  Well, I then decided to do a vStorage migration of a machine and got the same error:


Turns out that this is a bug with no fix right now when you link two vCenter servers together.  To get around this, make sure that your VIC client is logging into the vCenter server that you are going to do the vStorage migration or template deployment from.  If I have vCenter Server A and B and I want to deploy from a template on B, I would log into the B vCenter to deploy.

Here is the KB article http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2013516

Manually Assigning a MAC in VMware

During our migration from ESXi 4.1 Update 2 to ESXi 5 Update 1 we decided to change all NICs on VMs to VMXNET3.  Everything was fine until my users came in the next morning and couldn’t do some of the things that they needed to do.  It turns out that there were some programs tied to the old MAC address of the NIC that I had removed from the virtual machine.  We had to get licenses tied to the new MAC addresses, and then the decision was made for the remaining VMs that I still had to work on to keep the current MAC address.  How to do this…

1.  Install the latest VMware Tools.  (If you haven’t done this, you might not see VMXNET3 as an option for the network card.)
2.  RDP into the virtual machine and take note of the IP information on all NICs.  Then change the IP to “Obtain an IP address automatically” and “Obtain DNS server address automatically”.  (This keeps you from getting weird messages later about IP addresses already being assigned to a NIC.)
3.  Shut down the VM.
4.  Edit Settings on the VM using the vSphere Client.
5.  Click on each network adapter and write down the current MAC address.  Then click “Remove” to remove the NIC from the machine.
6.  Click “Add” and then select “Ethernet Adapter”.
7.  Change the adapter type to VMXNET3 and then choose your network for the VM.
8.  Change the MAC to “Manual” and then enter the MAC that you wrote down before from the old NIC.
9.  Click “OK” and the old NIC will be removed and the new NIC added.  If you go back in and look at the NIC you will notice that it has the MAC that you manually added.
10.  After powering on your VM, open the command prompt in administrative mode and type, without quotes, “set devmgr_show_nonpresent_devices=1”.  Then type “devmgmt.msc”.
11.  When Device Manager opens click “View -> Show Hidden Devices”.  Hidden devices, especially the old NIC, need to be removed.  You will see unused devices greyed out.  Right click on them and choose “Uninstall”.

Hopefully this saves someone from a licensing headache when upgrading your VMs.