Author Archives: smctighe

SRM 8.3 Certificate Management

Following on from my last post on vSphere 7.0 certificate Management, I wanted to continue with another certificate related post. This one being Site Recovery Manager (SRM) 8.3. Like vSphere 7.0, this version seems simpler than previous versions I have used.

With SRM, it’s the Appliance Certificate replacement that I am going to take you through in this blog post.

Firstly log into the SRM appliance management console via https://<srm-fqdn&gt;:5480 and select the ‘Certificates’ option on the left, followed by ‘Generate CSR’ in the top right.

Fill in the information for your certificate, then click ‘Generate and Download’. You then need to process the CSR with your certificate authority, whether thats an internal, public or lab CA.

New Private Key and CSR 
Generating a new private key invalidates any existing Certificate Signing Request (CSR) configuration. 
A private key is created when you generate the CSR, making a key pair. 
This information will be used to generate a certificate. 
Organization 
Organization unit 
Locality 
State 
Country 
FQDN 
IP addresses 
smt-lab.local 
smt-lab 
Lab City 
Labshire 
GB 
Two letters country code. 
smt-lab-srm-01.smt-lab.local 
10.200.15.25 
CANCEL 
GENERATE AND DOWNLOAD

Once you have your certificate, select the ‘Certificates’ option on the left again, this time followed by ‘Change’ in the top right.

Select the last option in the Select certificate type section; ‘CA-signed certificate generated from CSR’. Then, browse both your newly generated certificate and either you root CA certificate, or the CA chain. Click ‘Change’ once done.

This should complete the replacement of the SRM appliance certificate!

If like me you get an error complaining that the IP or Common name / SAN is missing, make sure the local host field is set to the FQDN when connecting SRM to vCenter.

Thanks for reading!

vSphere 7.0 Certificate Management

vCenter 7.0 brings many new features, one of which is a much smoother certificate management experience. There are now 4 main ‘modes’ for certificate management.

These are; Fully Managed Mode, Hybrid Mode, Subordinate CA Mode and finally Full Custom Mode. There is a great article here from Bob Plankers explaining the difference between each.

As mentioned in Bob’s blog, Hybrid Mode is the recommend option, and I will show you that process here in this blog.

Firstly, in your vSphere Client, browse to Administration > Certificates. Then click Actions and select ‘Generate Certificate Signing Request (CSR)’.

Complete the required fields with your information, making sure you have at least added the common name as a Subject Alternative Name to avoid issues with modern browsers. Click Next.

Finally, copy or download your CSR to generate the certificate on the CA of your choosing. Click Finish when ready.

Generate CSR 
1 Enter Info 
2 Generate CSR 
Generate CSR 
X 
Copy or download the CSR below and provide it to your Certificate Authority 
to be signed. 
---BEGIN CERTIFICATE REQUEST.... 
MllDrZCCAPCCAQAwfZEmMCQGAIUEAWWdC210LWXhYi12Y3NhLTAXLnNtdCISY 
Wiu 
bG9jYWwxCzAJBgNVBAYTAkdCMREwDwYDVQQlDAhMYWJzaGIyZTERMA8GA 
IUEBWWI 
TGFilENPdHkXEDAoagNVBAOMB3NtdCISYWlXEDAOBgNVBASMB3NtdCISYWlW 
ggEi 
MAOGcsqGSlb3DaEBAGUAA41BDWAwggEKAOlBAQCXZYRq1HAU7M601HmvuT 
EsFnNZlpP2sBz4C9K87Wi/4kgLMq04LCTjCK08SPa+6w7AwVjmFja1np4hrSVl+N 
mh5dUOUDFHgKqFeuIAvjfXCAEVS4ircreCN7KfW12ytfUin8ce8qEu5DouguhWhl 
oi5Fa1xOGKybZFzLpySsA7rdJ6bYcJYeyn+uf7YHbO+dWHz3XZ9FG7M8fCbtLdW 
COPY 
CANCEL 
DOWNLOAD 
BACK 
FINISH

Once you have your certificate, return to Administration > Certificates and this time select ‘Import and Replace Certificate’.

You then need to select the second option. This may seem slightly deceiving but it effectively is the option you need when you have generated the CSR from vCenter like this.

Now browse and select both your freshly produced certificate, and the root certificate or certificate chain if you have issuing CA’s.

Replace Certificate 
1 Choose appropriate option 
2 Replace with signed certificate 
Replace with external CA certificate 
vCenter server services will be automatically restarted after successful replacement Of the machine SSL certificate. 
Machine SSL Certificate 
Chain of trusted root certificates 
Certificate: 
Data: 
Version: 3 (Ox2) 
BROWSE FILE 
MllDNjCCAh6gAWlBAglUZHHFEZH7/jq1Z9NXjm+ORhgflOSWDQYJKOZlhVCNA 
GEL 
CANCEL 
BROWSE FILE 
BACK 
REPLACE

Hit replace, then wait for the Web Client to restart with the new certificate.

Now one final step is needed to complete Hybrid Mode. You need to download the VMCA Root certificate from https://<vCenterFQDN by clicking the ‘Download trusted root CA certificates’ option and distributing it to your vSphere admins.

Once distributed and installed on your vSphere admins client devices, they should not get certificate errors when either browsing to vCenter or the hosts it manages.

You could however, get this error due to the default certificate having a 5 year validity period and not being within the new ‘standard’ of 398 days.

NET::ERR_CERT_VALIDITY_TOO_LONG

If you receive this, you will want to adjust the vpxd.certmgmt.certs.daysValid value in the vCenter Advanced Settings. It defaults to 1825, making it 365 (one year) will stop this.

You can then renew the certificate on each host by clicking ‘Renew’ in the Configure > Certificates menu –

Before (5 years) –

After (1 Year)-

If you want to do this renewal via PowerCLI (because…well why wouldn’t you!?) there is a nice function here by Ankush Sethi which does a great job.

Thanks for reading.

DFS NameSpace Issues – MIGRATING FROM FSR TO DFSR FOLLOWING AD Upgrade

I recently assisted a friend who had an issue with DFS Namespaces following an Active Directory Upgrade from 2008R2 to 2012R2.  They were faced with not being able to access the NameSpace following the demotion of the last 2008R2 controller and promotion of the final 2012R2 controller.

Upon opening the DFS NameSpace management console, the following error was displayed when selecting the required NameSpace – “The namespace cannot be queried. Element not found.”

After looking in the FRS (File Replication Service) and DFSR (Distributed File System Replication) event logs, I came to realise that the forest was using FRS for replication! This isn’t supported after 2008R2.  Ideally, you would have completed the migration from FRS to DFSR before upgrading the domain controllers.

Note: Always make sure you have a backup, snapshot or other reliable rollback method in place before doing anything in your live environment. This worked for me, it doesn’t guarantee it will work for you!

With FRS being the likely cause, I needed to confirm this.  I ran the following command to confirm the status –

Dfsrmig /getglobalstate

It returned the following result confirming that FRS was still in fact being used.

Current DFSR global state: 'Start'
Succeeded.

Before being able to look at the DFS NameSpace issue, this needed addressing.  Luckily you can still remediate this after upgrading the domain controllers. I would still advise confirming all the prerequisites are in place BEFORE upgrading!

Now onto the migration from FRS to DFSR.

Firstly, run the following command to move the state to the second of the four states.  The four states being; Start, Prepared, Redirected and Eliminated.

Dfsrmig /setglobalstate 1

You will then want to run a directory sync to speed things up, especially if you have a large replication interval!

Run the following RepAdmin command to get things moving.

Repadmin /syncall /AdeP

You can then monitor the progress by running –

Dfsrmig /getmigrationstate

You will then see any remaining domain controllers that are yet to have synchronized the new state.  Eventually you will see that all domain controllers have migrated to the second state; Prepared.

undefined

Now time to move to the Redirected state.  Same process as the previous set but this time specifying ‘setglobalstate 2’

Dfsrmig /setglobalstate 2
Repadmin /syncall /AdeP
Dfsrmig /getmigrationstate

Again run the RepAdmin to get replication moving and monitor using the ‘getmigrationstate’ command.  As in the previous step, you will eventually see that all domain controllers have migrated to the third state; Redirected.

undefined

Last one! Same as before, but this time you want to use ‘setglobalstate 3 –

Dfsrmig /setglobalstate 3
Repadmin /syncall /AdeP
Dfsrmig /getmigrationstate

Once complete you will get confirmation that you have reached the final state; Eliminated.

undefined

You will now be able to run the ‘net share’ command to see that the SYSVOL share has been moved to ‘C:\Windows\SYSVOL_DFSR\sysvol’ and that the FRS Windows service is stopped and set to disabled.

Output of the ‘net share’ command
File Replication Service Properties (Local Computer) 
General Ing On Recovery Dependencies 
Service name 
Display name 
File Replication Service 
chronizas folders wth fila servers that use Fila 
Cation Service (FRS) instead of the newer OFS 
Path to executable 
C exe 
Startup type 
Service status 
Start 
Stopped 
Stop 
Pause 
Resume 
You can specify the start parameters that apply when you start the service 
Start parameters: 
*ppb'
File Replication Service (FRS) service

This should now give you a correctly functioning directory again! You will want to now check the Directory Services, File Replication and DFSR Logs in Windows Event Viewer to ensure you have no further errors.

Now onto repairing the NameSpace.  I read a few different blogs and guides for this, some included deleting the NameSpace via ADSI Edit others didn’t.

I found I didn’t need to delete anything, bonus.

The get the NameSpace accessible again I found that right clicking the NameSpace and removing it, followed by recreating it using the  ‘New NameSpace Wizard’ did the trick. 

OFS Management 
File Action View Window Help 
z[öl 
OFS Management 
v Namespaces 
Folder I 
Folder 2 
Folder 3 
(Domain-based in Windows Server 2008 mode) 
Namespace Namespace Servers Delegation Search 
New Folder... 
Add Namespace Server... 
Delegate Management Permissions... 
\smt- lab.IocaI\D 
New Folder... 
Replication 
Remove Namespace from Displaym 
New Window from Here 
Delete 
Refresh 
Properties 
Help 
a 
Add Namespace Server... 
Delegate Management 
Remove Namespace fr... 
New Window from Here 
Delete 
Refresh 
Properties 
Help
New Namespace Wizard 
Con 
Namespace Server 
Namespace Name and Settings 
amespace ype 
Review Settings and Create 
Namespace 
You have successfully completed the New Namespace Wizard 
Tasks Enum 
Task 
Creat 
Status 
e namespace
OFS Management 
File Action View Window Help 
zbll O d 
OFS Management 
v Namespaces 
Folder I 
Folder 2 
Folder 3 
Replication 
(Domain-based in Windows Server 2008 mode) 
Namespace Namespace Servers Delegation Search 
FSRoot 
Type 
Name 
Folder I 
Folder 2 
Folder 3 
New Folder... 
Add Namespace Server... 
Delegate Management 
Remove Namespace fr... 
New Window from Here 
Delete 
Refresh 
Properties 
Help

Upon recreating it, all of the folders reappeared and were accessible again with no additional configuration required. (these screenshots are of my lab, not the live environment as it was not appropriate)

Thanks for reading!

VM and vSAN Encryption

In this day an age, securing data is a must.  In this post I’d like to show you two options for protecting your data; vSAN Encryption & VM Encryption.

To achieve either of these you need to have connected a Key Management Server (or Cluster) to your vCenter server.  Check out my previous post of how to do that – Deploying and Connecting a Key Management Server to vCenter.

Lets talk though VM Encryption first.

VM Encryption is achieved using storage policies.  By Default after configuring a KMS server, the ‘VM Encryption’ is available for use.  Alternatively,  you can create your own custom VM Encryption storage policy to include additional host based services such as caching and Storage I/O.

For a new VM, select the ‘Encrypt this virtual machine’ option on the ‘Select Storage’ section of the New Virtual Machine wizard. Then select the default encryption policy, or a custom one if you have one.

Then when customising your hardware you will see the following notification –

Once deployed, you will see confirmation of the virtual machines encryption status on the VM’s summary tab.

Encryption 
Encrypted with standard key provider

For an existing VM, it’s a slightly different approach.

Firstly, power off the VM. Edit the VM’s settings and on the VM Options tab, expand the Encryption option and select your desired VM Encryption policy like so –

Below the policy you will see the option to select which disks you want to encrypt. In this test VM’s case, there is only one disk, disk 0.  You can choose to only encrypt the VM and not the disks if you have a use case to do so. Disks you choose not to encrypt will have the datastore default policy applied to them.

Alternatively, you can take a different route by editing the storage policy of a powered off VM to achieve the same result. Here you can also choose to ‘Configure per disk’. This is a useful option if you only have select hard disks you need to encrypt.

The VM will then reconfigure, this may take some time depending on the size of the disks, so make sure you factor this into your downtime window!

If you check out the performance backend monitor you will notice an increase in throughput an I/O while this is happening.

One disk at a time copies data from unencrypted to new encrypted disk.  Once done, it attaches the new encrypted disk and deletes the old unencrypted disk.  You will need enough disk space on the datastore to allow the duplication of the largest disk attached to the VM.

Once the task is complete, you will notice you have an updated encryption status.

Now the flip side, un-encrypting a VM.  

This is a reverse of the process.  Power off the VM, change the storage policy to a non Encryption policy and power back on when complete.

Now on to vSAN Encryption.

To enable encryption for an entire vSAN cluster, its just a few clicks but there are a few things to be aware of.

  1. Make sure you have adequate free space within the vSAN cluster to allow for the rolling reformatting of the disk groups.
  2. There will be increased IO during this operation, make sure you choose an appropriate maintenance window to do this in so as to not cause unwanted impacts to your workloads.

To enable this feature, select the cluster you wish to enable encryption on and browse to the ‘Configure > vSAN > Services option.

Click to enable ‘Data-At-Rest Encryption’.

You have the option to check the ‘Wipe residual data option’ if you have a need to.  Bare in mind, wiping the storage can take a significant amount of time, so only use this option if you need to wipe existing data.

The final option is ‘Allow Reduced Redundancy’.  This option will allow vSAN to run your workload at a reduced redundancy level during the encryption process.  Make sure you understand the risks before using this option.

Hit apply and the cluster will begin reconfiguring.

Task Name 
Remove dlsk group from 
the vSAN cluster 
Peform dlsk format 
converslon resource check 
task 
Peform vSAN resource 
check task 
Convert dlsk format for 
Update vSAN configuratlon 
Update vSAN configuratlon 
Update vSAN configuratlon 
Remedlate vSAN cluster 
Configure the host key 
Configure the host key 
Configure the host key 
Reconfigure vSAN cluster 
Target 
smt-Iab-esx-01_smt-Ie___ 
smt-Iab-esx-01_smt-Ie___ 
smt-lab-cl-mn-01 
smt-lab-cl-mn-01 
smt-lab-esx-03_smt-l_ 
smt-Iab-esx-01_smt-Ie___ 
smt-lab-cl-mn-01 
smt-lab-esx-03_smt-L__ 
smt-Iab-esx-01_smt-Ie___ 
smt-lab-cl-mn-01 
Status 
Completed 
Completed 
Completed 
Completed 
Completed 
Completed 
Completed 
Completed 
Completed

Once it has cycled through each host in the cluster you will be able to see that the encryption status is now ‘Enabled’

Thanks for reading!

Deploying and Connecting A Key Management Server to vCenter

Is it secure?  

This has to be one of the first things you consider with any technology solution or decision today.  So when I was lucky enough to receive a NFR license from HyTrust for their KeyControl Key Management System I was excited to get this into my lab so I can make use of VMware’s vSAN and VM Encryption.

In this post I will be going through the process of deploying a HyTrust Key Control appliance and creating a trust with vCenter.  It was surprisingly straight forward and I was up and running in no time at all!

Firstly, deploy the OVA to an ESXi Host or Cluster that isn’t going to be managed by the Key Control appliance.  You don’t want your encryption keys in the same place as the objects you are encrypting!  

Follow the OVF deployment wizard, providing the details as prompted, and once the appliance is online, complete the final configuration steps to finish the installation.

You will then be met with this screen – 

System setup has completed successful ly . 
System Conf iguration Sunmry : 
Hostnam: smt-lab-kms-al 
Phnagemnt IP Address: 1B . Zag . 15 . 15 
From your browser, please go to https ://IB .ZBB . 15 . 15

Now, browse to the web GUI and log in using the default credentials.  You will then be prompted to set your own, followed by SMTP and online monitoring configuration options.

Once this is done and you are logged in there are a few KMIP settings you need to adjust in order for it to be ready to connect to vCenter as a Key Provider – 

State = ENABLED

Protocol = Version 1.1

TRUST 
H 
SECURITY 
Actions • 
Host Name: 
port: 
State 
Basic 
Client Certificates 
Objects 
10.200.15.15 
5696 
ENABLED 
OFF 
Yes 
Version 1.1 
Detault 
OFF 
O Infinite 
CREATE-MODIFY 
DISABLED 
Connections Will use TLS 1.2 if set to Enabled 
AUDIT LOG 
v 
Auto-Reconnect 
Verity 
Protocol: 
Certificate Type: 
Nöio: 
Timeout: 
Log Level: 
Restnct TLS] 
Custom nex value

Below is a link to a HyTrust document with the details for vSphere 6.5.  I used this for deployment in my vSphere 7 environment. You can find it here.

You will also want to apply a license file.  This is done via; ‘Settings > License’, by way of uploading the license file you have been issued.

This completes a basic configuration that is now ready to connect to vCenter.  If you are deploying outside of a lab environment, you are going to want to review your installation appropriately for the environment it is intended for.

So over to the Web Client.  Select the vCenter Server object, select ‘Configure > Security > Key Providers’ and hit ‘Add Standard Key Provider’.

smt-lab-vcsa-01.smt-lab.local 
Summary Monitor 
Con figure 
Permissions 
Key Providers 
Settings 
General 
Licensing 
Message of the Day 
Advanced Settings 
Authentication Proxy 
vCenter HA 
Security 
Trust Authority 
Ke Providers 
Alarm Definitions 
Scheduled Tasks 
Storage Providers 
vSAN 
Update 
Internet Connectivity 
ACTIONS V 
Datacenters 
Hosts & Clusters 
V Ms 
Datastores 
Networks 
Linked vCenter Server Systems 
Extensions 
Updates 
ADD STANDARD KEY PROVIDER 
MAKE DEFAULT 
REMOVE

You will then want to give it a name, followed by the requested information.  Once done, click ‘Add Key Provider’

Add Standard Key Provider 
Name 
KMS 
smt-lab-kms-011 
ADD KMS 
HyTrust Key Control 
Address 
10_200.15.15 
Proxy configuration (optional) 
Password protection (optional) 
CANCEL 
5696 
ADD KEY PROVIDER

You will receive the following prompt to confirm you want to from the Key Provider you have entered. Click ‘Trust’

This will have now created a Key Provider, but will show that it is not connected and has a certificate issue.  So next we need to set up the trust.

This can be done by clicking ‘Establish Trust’ and selecting ‘Make KMS trust vCenter’

Key Providers 
ADD STANDARD KEY PROVIDER 
Key Provider 
HyTrust Key Control (default) 
Provider By Trust Key Control - 
ESTABLISH TRUST v 
KMS trust vCenter 
Make KMS trust vCenter 
Upload Signed CSR Certificate 
vcenter Trust KMS 
Make vCenter Trust KMS 
Upload KMS Certificate 
MAKE DEFAULT 
EDIT 
REMOVE 
T 
5696 
Connection Status 
1 KMS not connected 
Key Management Servers 
T 
Address 
Certificates 
1 certificate issue(s) 
vCenter Certificate 
Connection Status 
Client trusts server 
KMS Certificate 
@ Valid until: Dec 31, 2049 
items 
items

In my lab, I have gone with the option of creating a CSR and having the KMS issue a certificate – 

Make KMS trust 
vCenter 
1 Choose a method 
2 Estaalish Trust 
Choose a method 
Choose a method to make the KMS trust the vCenter based on the KMS vendor's 
requirements Once the trust is established, all replicas in the same KMS cluster will 
also trust the vCenter_ 
C) vCenter Root CA Certificate 
Download the vCenter root certificate and upload it to the KMS. All certificates 
signed by this root certificate will be trusted by the KMS 
C) vCenter Certificate 
Download the vCenter certificate and upload it to the KMS. 
C) KMS certificate and private key 
Upload the KMS certificate and private key to vCenter 
New Certificate Signing Request (CSR) 
Submit the vCenter-generated CSR to the KMS then upload the new KMS- 
signed certificate to vCenter. 
CANCEL 
NEXT
Make KMS trust 
vCenter 
1 Choose a method 
2 submit CSR to KMS 
Submit CSR to KMS 
Copy or download the CSR below, make it available to KMS, and have the KMS 
sign the certificate. 
..BEGIN CERTIFICATE REQUEST..... 
MllE5TCCAs0CAaAwczEhMB8GAIUEAmvYa21pcENsaWVudDlwMjAw0DA5MTAy0DMy 
MaswncaYDVOGGEwJVUzETMBEGAIUECAwK02FsaWZvcmspYTEPMAOGAIUECgwGV 
AOUAA41COwAwgglKAolCAODbUPS+jw9AG09pGOg2sgOdCa1n-mvJXVTA14xOSdrOV 
BFgu06A*CBRW61rsPSKaetu7x9mHlkogcscARfy9CEqkPHfntYp7RJNcJWEVBXb0 
WXKvS+Gfoex2jBNCASB/0kLuH+LWZwz6Kq0REmpeHDbHcsXNvjKN5x9DGckDUw 
ykgB9p2YuHom/lf6YiYMadA4C2kgPkeKGDSILJsvvmTG9PtxUlrhgatA400CD+cv 
FhT+tlgpUOV2MJFowadoFT6DgrWUgyg,'noWm10E9jicEm7dxxTNGVcNAmtynJRE 
xnlEYUhGGsNHyNb0GdA9RS2qjhDekNNRg7x6snZIC+pE/gaqNOJ5Zxx3X*lmalYE 
GENERATE NEW CSR 
copy 
DOWNLOAD 
@ The trust won't be established after you finish this wizard. Go to the 
KMS to upload the CSR, have the KMS sign the certificate, and upload 
it to the vCenter to establish the trust. 
CANCEL 
BACK 
DONE

Download the CSR using the option available.  This will be in the .pem format which is exactly what you need.

Now over to the HyTrust appliance, load the CSR we downloaded into the wizard, as well as a name, and hit create.  This is via the KMIP menu and selecting ‘Actions’ followed by ‘Create New Client Certificate’.

DASHBOARD 
Actions • 
TRUST 
H 
Valid From 
SECURITY 
Basic 
Client Certificates 
Objects 
AUDIT LOG 
Create a New Client Certificate 
Load File 
KMIP 
SETTINGS 
Certificate Name 
Expires In (day 
Certificate Name 
Certficate Name 
Certificate Expiration 
08/09/2021 
Certificate Signing Request (CSR) 
CSR needs to be in beseö4 encoded PKCS#IO 
Certificate Password 
Certificate Password 
Confirm Password 
Confirm Password 
Cancel

Once this is done, select the certificate and click ‘Actions’ and select the ‘Download Certificate’ option.  This again will come in the requested .pem format.

H 
TRUST 
Basic 
Client Certificates 
Object! 
Create Certificate 
Delete Certificate 
Delete All Certificates 
Download Certificate

Back to vCenter, we now need to upload the certificate using the ‘Establish Trust’ option and selecting ‘Upload Signed CSR Certificate’.

Provider By Trust Key Control - 
ESTABLISH TRUST v 
KMS trust vCenter 
Make KMS trust vCenter 
Upload Signed CSR Certificate 
vcenter Trust KMS 
Make vCenter Trust KMS 
Upload KMS Certificate 
Key Management Servers 
T 
Address 
5696 
Connection Status 
Client trusts server 
vCenter Certificate 
KMS Certificate 
@ Valid until: Dec 31, 2049

Once uploaded, you will see that the connection is now showing as connected and has a valid certificate.

Key Providers 
ADD STANDARD KEY PROVIDER 
Key Provider 
HyTrust Key Control (default) 
Provider By Trust Key Control - 
ESTABLISH TRUST s 
MAKE DEFAULT 
EDIT 
REMOVE 
T 
5696 
Connection Status 
@ Connected 
Certificates 
@ Valid 
items 
Key Management Servers 
T 
C) 
smt-lab-kms-01 
Address 
10200.15_15 
Connection Status 
@ Connected 
vCenter Certificate 
@ Valid until: Aug 9, 
2021 
KMS Certificate 
@ Valid until: Dec 31, 2049

This is now setup and ready to begin looking at VM and vSAN Encryption.  Check out the next post which will go into both these options in more detail.

Thanks for reading.

Configuring ESXi for iSCSI Storage Using PowerCLI

Configuring host VMKernel adapters for iSCSI can be a time consuming process. PowerCLI can take away a lot if not all of the effort.

Below is an example of using PowerCLI to create a Standard Virtual Switch (vSS), configure a VMKernel adapter, set the VLAN, enable the software iSCSI adapter (if that’s what you are using), bind it to the required network adapter and finally, add a dynamic Discovery target and rescanning the HBA’s.

This is based on targeting a single host at a time and re-running it with the paramaters for each host.

#Load PowerCLI Modules
Import-module VMware.PowerCLI

#Variables
#vCenter or Host to Connect to 
$vCenter = "smt-lab-vcsa-01.smt-lab.local" 
#ESX Host to target
$ESXHost = Get-VMHost "smt-lab-esx-01.smt-lab.local"
#Name of the iSCSI Switch
$iSCSISwitchName = "vSS_Storage_iSCSI"
#vmnic to be used for iSCSI Switch
$iSCSISwitchNIC = "vmnic2"
#MTU size
$MTU = "9000"
#Name of the Portgroup for the VMKernel Adapter
$iSCSIVMKPortGroupName = "vSS_VMK_iSCSI_A"
#iSCSI VMK IP
$iSCSIIP = "10.200.33.50"
#iSCSI VMK SubnetMask
$iSCSISubnetMask = "255.255.255.0"
#iSCSI VMK VLAN ID
$VLANID = "300"
#iSCSI Portal Target
$Target = "10.200.33.1:3260"

#Connect to vCenter
Connect-VIServer $vCenter -Credential (Get-Credential) -Force

#New Standard Switch for iSCSI
$NewSwitch = New-VirtualSwitch -VMHost $ESXHost -Name $iSCSISwitchName -Nic $iSCSISwitchNIC -Mtu $MTU
$NewPortGroup = New-VMHostNetworkAdapter -VMhost $ESXHost -PortGroup $iSCSIVMKPortGroupName -VirtualSwitch $NewSwitch -IP $iSCSIIP -SubnetMask $iSCSISubnetMask -Mtu $MTU
Set-VirtualPortGroup -VirtualPortGroup (Get-virtualPortGroup -VMhost $ESXHost | Where {$_.Name -eq $iSCSIVMKPortGroupName}) -VLanId $VLANID

#Enable Software iSCSI Adapter
Get-VMHostStorage -VMHost $ESXHost | Set-VMHostStorage -SoftwareIScsiEnabled $True

#Bind the iSCSI VMKernel Adapter to Software iSCSI Adapter (credit to Luc Dekens for this)
$esxcli = Get-EsxCli -V2 -VMHost $ESXHost
$bind = @{
    adapter = ($iscsiHBA = $ESXHost | Get-VMHostHba -Type iScsi | Where {$_.Model -eq "iSCSI Software Adapter"}).Device
    force = $true
    nic = $NewPortGroup.Name
}
$esxcli.iscsi.networkportal.add.Invoke($bind)

#Add Dynamic Discovery Target
$ESXHost | Get-VMHostHba $iscsiHBA | New-IScsiHbaTarget -Address $Target

#Rescan Hba
Get-VMHostStorage -VMHost $ESXHost -RescanAllHba

The results –

v Physical Adapters 
vmnic210000 Full 
VLAN ID: 300 
v VMkernel Ports (1) 
vmk3 :
Ad apter 
Model: 'SCSI Software Adepter 
e vmhbe65 
Type 
'SCSI 
Sta tus 
Onllne
Properties 
Devices 
Paths 
Dynamic Discovery 
Static Discovery 
VMkemeI Adapter 
vmk3 
Network Port Binding 
Addm X Remove Vlew Details 
Port Group 
Advanced Options 
Port Group Policy 
Compllant 
Path Status 
Actlve 
Physical Network Adapter 
vmn.c2 (10 Gblt's, Full)
Properties 
Devices 
Paths 
Dynamic Discovery 
Advanced___ 
Static Discovery 
Network Port Binding 
Advanced Options 
Addm X Remove 
iSCSI server

Something you may also want to do is set the Path Selection Policy (PSP) to the commonly used; ‘Round Robin’. The first command will provide a list of attached storage, showing you the CanonicalName (which is what you need for the second command), the current Multipathing Policy and the size of the storage device.

Identify the device you wish to set the pathing policy on and substitute the Canonical Name (naa.xxxx) into the second command.

#Get storage
$esxhost | Get-ScsiLun -LunType disk | Select CanonicalName,MultipathPolicy, CapacityGB

#Set Path Selection Policy (PSP)
$esxhost | Get-ScsiLun -LunType disk -CanonicalName naa.6589cfc0000004ac4d8f1fb0d7d02184 | Set-ScsiLun -MultipathPolicy "RoundRobin"

You could of course take this further by importing all the data required for multiple hosts using an array, whether as a a manually created array in PowerShell, or by importing a csv or txt file to enable you to configure numerous hosts at once by making use of a ForEach loop.

Now, if you are using Virtual Distributed Switches (vDS), here is an alternative (I have assumed you already have an operational vDS in place).

#Load PowerCLI Modules
Import-module VMware.PowerCLI

#Variables
#vCenter or Host to Connect to
$vCenter = "smt-lab-vcsa-01.smt-lab.local"
#ESX Host to target
$ESXHost = Get-VMHost "smt-lab-esx-02.smt-lab.local"
#Name of the vDS
$iSCSISwitchName = "smt-lab-dc01_vDS_01"
#Name of the Portgroup for the VMKernel Adapter
$iSCSIVMKPortGroupName = "smt-lab-dc01_vDS_VMK_iSCSI_B"
#MTU size
$MTU = "9000"
#iSCSI VMK IP
$iSCSIIP = "10.200.34.51"
#iSCSI VMK SubnetMask
$iSCSISubnetMask = "255.255.255.0"
#iSCSI VMK VLAN ID
$VLANID = "301"
#iSCSI Portal Target
$Target = "10.200.34.1:3260"

Connect-VIServer $vCenter -Credential (Get-Credential) -Force

#New VMKernel Adapter on vDS
$NewPortGroup = New-VMHostNetworkAdapter -VMhost $ESXHost -PortGroup $iSCSIVMKPortGroupName -VirtualSwitch $iSCSISwitchName -IP $iSCSIIP -SubnetMask $iSCSISubnetMask -Mtu $MTU
Set-VDPortGroup -VDPortgroup (Get-VDPortGroup | Where {$_.Name -eq $iSCSIVMKPortGroupName}) -VLanId $VLANID

#Bind iSCSI VMKernel Adapter to Software iSCSI Adapter (credit to Luc Dekens for this)
$esxcli = Get-EsxCli -V2 -VMHost $ESXHost
$bind = @{
    adapter = ($iscsiHBA = $ESXHost | Get-VMHostHba -Type iScsi | Where {$_.Model -eq "iSCSI Software Adapter"}).Device
    force = $true
    nic = $NewPortGroup.Name
}
$esxcli.iscsi.networkportal.add.Invoke($bind)

#Add Dynamic Discovery Target
$ESXHost | Get-VMHostHba $iscsiHBA | New-IScsiHbaTarget -Address $Target

#Rescan Hba
Get-VMHostStorage -VMHost $ESXHost -RescanAllHba

A slight change to the cmdlts used; PortGroup > VDPortGroup.

Here are the results –

v smt-lab-dc01_vDS_01_uplinks 
> Uplink 1 (1 NIC Adapters) 
VLAN ID: 301 
v VMkernel Ports (1) 
vmk4 : 10.200.34_SO 
Virtual Machines (O)
Properties 
Devices 
Paths 
Dynamic Discovery 
Static Discovery 
VMkemeI Adapter 
vmk3 
Network Port Binding 
Addm X Remove Vlew Details 
Port Group 
(smt-lab-dc01 
Advanced Options 
Port Group Policy 
Compllant 
Compllant 
Path Status 
Actlve 
Acuve 
Physical Network Adapter 
vmn.c2 (10 Gblt/s, Full) 
vmn.c3 (10 GblVs, Full)

There are now two paths to my iSCSI device, one via a Standard Switch (vSS) and one via a Distributed Switch (vDS) across two subnets.

Storage Devices 
Refresh Attach 
Detach 
Name T 
Rename___ 
Turn on LED 
Turn Off LED 
Target 
Erase Pertltlons___ 
disk 
disk 
cdrom 
disk 
disk 
disk 
Mark as HDD Disk 
Mark as Local Mark as Perennlally Reserved 
Capacity 
FreeNAS 'SCSI Disk (nee.658gcfc0000004ac4d8fifbOd7d02184) 
FreeNAS [SCSI Disk (nee.6589cfcOOOOOOcaf3bc8066g7077d193) 
Local NECVMWar CD-ROM 
Local VMware Dlsk 
Local VMware Dlsk 
Local VMware Dlsk 
25000 GB 
5000 GB 
1600 GB 
2500 GB 
17500 GB 
Data store 
smvlab-ds-vmf._ 
Not Consumed 
Not Consumed 
Not Consumed 
smt-leb-ds-vsa___ 
smt-leb-ds-vsa___ 
Operational 
Attached 
Attached 
Attached 
Attached 
Attached 
Attached 
Name 
Hardware Acceleration 
Supported 
Supported 
Not supported 
Not supported 
Not supported 
Not supported 
Properties 
Enable Dlseble 
Runtime Name 
Paths 
Partition Details 
Acuve (I/O) 
Active (1/0)

Hope this has been helpful. It has saved me plenty of time throughout the countless builds and tear downs of my VMware home lab.

Thanks

Centos Based Certificate Authority For The VMware Lab

A useful thing for a home lab or VMware lab, is a certificate authority. There are Windows based CA’s as well as Linux based and many others. I wanted to take the Linux based route for my home lab to give me some administration time in Linux, being that Windows is my safe place! After a bit of googling, I settled on Easy-RSA as it looked like it would do what I needed in the lab. There are already a few guides out there for this, but this is my take on it for use in my VMware home lab.

I settled on CentOS 8 as a base OS. Why? Why not, I don’t have any Centos VM’s and I decided it would be good to use something other than Ubuntu or Photon.

Firstly, I stood up a low resource VM (1 vCPU, 1GB RAM) giving it a static IP and creating an admin account.

I then kicked off the update of all the install packages on the OS by first elevating to the root account using ‘SU’ and then running the upgrade command for the DNF package manager.

dnf upgrade

This prompts a ~600MB download after confirming you want to continue. Once the download completes it gets on with upgrading.

Once done, its time to install some additional packages starting with epel-release, easy-rsa and openssl. Lets quickly give some background to each.

epel-release (Extra Packages for Enterprise Linux) is a repository of popular packages which aren’t available by default. easy-rsa is one of the packages in this repository.

easy-rsa This is a utility for managing Public Key Infrastructure(PKI) aka Certificate Authority. Check out some info here.

openssl A widely used tool, in this case to create Certificate Signing Requests (CSR). I’ll let you read about this here.

Lets get to the install. You can run them as separate installs like this –

sudo dnf install epel-release
sudo dnf install easy-rsa
sudo dnf install openssl

or as a one liner –

sudo dnf install epel-release easy-rsa openssl

Now for ease of administration, create a directory in the admin users home directory and create a symbolic link so it remains updated. You also want to limit access to your admin user in my case ‘ca_admin’.

mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/
chmod 700 /home/ca_admin/easy-rsa

If you’re not familiar with chmod commands, ‘chomd 700’ = Protects a file against any access from other users, while the issuing user still has full access.

Now to initialise your new PKI. Change Directory (cd) to the easy-rsa directory you created in your admin users home directory and run the initialisation command.

cd ~/easy-rsa
./easyrsa init-pki

You will get a message showing it is complete and it will state the new pki directory that has been created inside the easy-rsa directory (/home/ca_admin/easy-rsa/pki)

You now need to create and populate a file called ‘vars’ in /home/ca_admin/easy-rsa and populate it with your organisation/lab information. You can achieve this with the vi editor.

set_var EASYRSA_REQ_COUNTRY "GB"
set_var EASYRSA_REQ_PROVINCE "Labshire"
set_var EASYRSA_REQ_CITY "Lab City"
set_var EASYRSA_REQ_ORG "Home Lab"
set_var EASYRSA_REQ_EMAIL "admin@lab.local"
set_var EASYRSA_REQ_OU "Lab"
set_var EASYRSA_ALGO "ec"(or rsa if you wish...)
set_var EASYRSA_DIGEST "sha512"

Once created, you are now ready to create the root certificate and private key by running the following command –

./easyrsa build-ca

You will be prompted to specify a passphrase which you need to keep safe as you will need it when issuing certificates. There will then be a second prompt to provide a common name; Enter you CA’s name. eg. CA01.

This process will have now created your root certificate and the private key (keep this safe). You will find them in the following locations /home/ca_admin.easy-rsa/pki/ca.crt (root certificate) and /home/ca_admin.easy-rsa/pki/private/ca.key (private key).

If you are using a Windows device to access your HomeLab, you are going to want to add the ca.crl file to the ‘Trusted Root Certification Authorities’ store on your Windows device so that any certificates issued are trusted. You can copy the ca.crt file using a tool such as WINSCP to transfer the file to a local directory to then install. You can do the equivalent on Mac and Linux OS’s too.

You will also need this handy for any certificates that require the full chain to be included.

I won’t go into every Certificate Signing Request (CSR) scenario as there are many. I will however, show you the commands needed to produce a certificate from a CSR.

To issue a certificate from a CSR, you will need to copy the .req or .csr file to a directory such as /tmp on your CA server, again using a tool like WINSCP.

You can then run the following commands to import the certificate signing request. The Common name is often the device name or FQDN.

cd ~/easy-rsa
./easyrsa import-req /tmp/<csr_file_name>.req <CommonName or FQDN> 
./easyrsa sign-req server <CommonName or FQDN>

The import command will import the .req or .csr file into /home/ca_admin.easy-rsa/pki/reqs (you can’t place the .req directly in here!) which is then processed by the sign-req command, again asking for the passphrase, leaving you with your new certificate in the /home/ca_admin.easy-rsa/pki/issued directory.

You can then use WINSCP again to transfer the file off the CA, and install it on the device or service in which you requested it from.

As always with any root CA, you don’t want it to become compromised. To help with this, keep it turned off when you’re not issuing, or administering your certificates.

I have also not included any Certificate Revocation List details as this isn’t something I need in my lab environment.

Now the VMware bit… below is the process for acquiring the CSR and installing the generated certificate on an ESXi host and a vCenter server using the methods above.

Standalone ESXi Host 6.7

First for a standalone ESXi Host, browse to – Host > Manage > Security & Users > Certificates

Select Import new certificate then select either ‘Generate FQDN signing request’ or ‘Generate IP signing request’.

You will be presented with a screen like this.

Copy this into a file with the extension .req. This can then be imported and issued using the method above.

Then, go back the the ‘Import new certificate’ wizard and import the certificate in the same format at the CSR into the box. (Open the .crt file using notepad)

Once complete close and open your browser and head back to your hosts web client and you will see you no longer have a certificate error.

vCenter Server 6.7

Log into your vCenter appliance using via SSH. Then run the following command –

/usr/lib/vmware-vmca/bin/certificate-manager

Select option 1, (you will be prompted to provide your SSO credentials), followed by option 1 again.

You will then need to provide the following information for the CSR.

As you complete the wizard you will have a .csr and a .key file in /tmp which again can be issued using the process above.

If using WinSCP you may hit the following error.

You will need to change over to the bash shell.

chsh -s /bin/bash root

You could then face another error…

root@vcsa02 [ ~ ]# chsh -s /bin/bash root
You are required to change your password immediately (password aged)
chsh: PAM: Authentication token is no longer valid; new one required

This is due to the password expiring. To change the password on the account run the passwd command

Further info on both of these errors can be found at these two VMware Articles. Here and here.

Once you have issued the certificate, you need to then copy the .crt file back to the /tmp directory along with the root certificate (or chain).

Now back to the Certificate Manager. Selecting option 1 to now import the certifictes. You will be prompted to provide the path and file name of each component. The certificate you created, the .key file that was created during the CSR generation and the root or CA chain certificate. Finally you will be asked to confirm you want to replace the Machine SSL certificate, type y.

It will take a few minutes, but eventually you will get confirmation that the task is complete and you can then reload your browser to see the Web Client is now showing a valid certificate.

Hope this has been useful. I will cover vCenter 7.0 Machine SSL certificate replacement in a future post.

Thanks for reading!

Configuring Encrypted vMotion With PowerCLI

Encrypted vMotion is a feature available in vSphere 6.5 onwards. It is something that is always used to secure vMotions of encrypted virtual machines, its a required option, but is optional for non encrypted virtual machines.

By default, non encrypted virtual machines will be set to ‘opportunistic’. If both the source and destination hosts support it (so ESXi 6.5 onwards), vMotions will be encrypted. If the source or destination does not support it, then the vMotion traffic will not be encrypted.

The ‘required’ option is exactly what it says, encrypted vMotion is required. If either the source or destination host does not support it, the vMotion will fail. As I’ve said, encrypted virtual machines have no choice, they have to use encrypted vMotion.

The final option is to set it to ‘disabled’, for when you don’t want it to even attempt encrypting vMotion traffic for a virtual machine.

To set this option on either a singular virtual machine or all virtual machines, you can use the options below. Firstly to view the current settings you can run this. If you want to target a single VM enter the VM name after Get-VM.

Get-VM | Select-Object Name, @{Name="vMotionEncrpytion";Expression={$_.extensiondata.config.MigrateEncryption}}
Name vMotionEncrpytion
---- -----------------
CentOS opportunistic
vRepDR opportunistic
vcsa01 opportunistic
pho01 opportunistic

Now to change these all to ‘required’ you can run the following:

$VMView = Get-VM | Get-View
                    $Config = New-Object VMware.Vim.VirtualMachineConfigSpec
                    $Config.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes
                    $Config.MigrateEncryption = "required"
            $VMView.ReconfigVM($Config)

You can confirm this by re-running the get command:

Name vMotionEncrpytion
---- -----------------
CentOS required
vRepDR required
vcsa01 required
pho01 required

To set them back to opportunistic, use the following:

$VMView = Get-VM | Get-View
                    $Config = New-Object VMware.Vim.VirtualMachineConfigSpec
                    $Config.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes
                    $Config.MigrateEncryption = "opportunistic"
            $VMView.ReconfigVM($Config)

As you can see, they are then back to the default setting.

Name vMotionEncrpytion
---- -----------------
CentOS opportunistic
vRepDR opportunistic
vcsa01 opportunistic
pho01 opportunistic

And finally, setting it to ‘disabled’:

$VMView = Get-VM | Get-View
                    $Config = New-Object VMware.Vim.VirtualMachineConfigSpec
                    $Config.MigrateEncryption = New-Object VMware.Vim.VirtualMachineConfigSpecEncryptedVMotionModes
                    $Config.MigrateEncryption = "disabled"
            $VMView.ReconfigVM($Config)
Name vMotionEncrpytion
---- -----------------
CentOS disabled
vRepDR disabled
vcsa01 disabled
pho01 disabled

Here is a link to the official documentation on Encrypted vMotion for further information – here.

Thanks for reading!

Exporting and Importing Active Directory OU Structures

Recently I needed to build out some test Active Directory Forests that resemble production in order to complete some testing. One of the forests contained a significant amount of OU’s that I had no intention of manually recreating.

To run the New-ADOrganizationalUnit cmdlet, you need to provide the OU name and the Path where you want to create it. However, Get-ADOrganizationalUnit doesn’t provide the path, so you need to determine it from the DistinguishedName.

After a number of google searches, I couldn’t find exactly what I needed, so I began piecing together various bits of Powershell that I found. I ended up learning a bit of Regex in the process! Powerful tool if you know how to use it.

I came up with two versions in the end, you can see both below with the differences highlighted.

$OUs=Get-ADOrganizationalUnit -Filter * | select name,DistinguishedName,@{n=’OUPath’;e={$_.distinguishedName -replace '^.+?,',''}},@{n=’OUNum’;e={([regex]::Matches($_.distinguishedName, “OU=” )).count}} | Sort OUNum | export-csv C:\<Path_to_CSV>\OUTree.csv -NoTypeInformation
$OUs=Get-ADOrganizationalUnit -Filter * | select name,DistinguishedName,@{n=’OUPath’;e={$_.distinguishedName -replace '^.+?,(CN|OU|DC.+)','$1'}},@{n=’OUNum’;e={([regex]::Matches($_.distinguishedName, “OU=” )).count}} | Sort OUNum | export-csv C:\<Path_to_CSV>\OUTree.csv -NoTypeInformation

The first one effectively takes everything up to the first ‘,’ and replaces it with nothing, effectively removing the OU Name. The second one captures everything after the first ‘,’ and replaces the whole string with what was captured. Both have produced the same result in my scenario, but it was useful to understand both methods for future use of Regex.

Both also have a property called ‘OUNum’, this property counts how many time ‘OU=’ appears in the original DistigushedName string. OU’s need to be created in order, so that the parent OU exists before the child. This orders the OU’s in ‘tiers’ before exporting them to CSV. All OU’s in the root of the directory will get a value of 1, OU’s within these will get a value of 2 and so on. Credit to ‘David Z’ for this bit!

Once you have your data, you may or may not need to modify the domain. If you are importing it into a different domain, you’ll need to. In my case it was simple enough to do a find and replace in a text editor (eg. DC=lab,DC=local to DC=lab2,DC=local). You could look at using concepts from above to achieve this before exporting the data if you so wish.

Now you have your data, you need to import it. You can run the following in the target domain.

$OUs = import-csv C:\<Path_to_CSV>\OUTree.csv
ForEach ($OU in $OUs) 
          {New-ADOrganizationalUnit -Name $OU.Name -Path $OU.OUPath}

Hope this has been useful. Thanks for reading!

Creating Virtual Distributed Port Groups Using PowerCLI

I recently needed to create a new Distributed Port Group and set a specific load balancing policy on an existing Distributed Switch. Nothing to exciting, but a task many have to complete. As this is a common repeatable task, i put together this short .ps1 to allow a repeatable way of completing this.

You can find the file here on GitHub

Just populate the Variables section with required information like so…

Save the file, then run the the .ps1 file from PowerShell prompt. (Ensure you have the PowerCLI Module installed; see my previous post)

Note you must add .\ to the beginning of the file name if you are executing the file from the directory you’re already in

Enter credentials with sufficient privilege in vCenter.

You will then see an output similar to this:

If you now take a look in the Web Client you will see the freshly created Distributed Port Group.

Creating just a single portgroup could potentially be quicker in the Web Client. What isn’t quicker, is multiple.

If you have a requirement to create multiple Distributed Port Groups on a vDS, you can use this script to do so in one go.

Just populate the Variables section with required information like above, then run the the .ps1 file from a PowerShell prompt. (Ensure you have the PowerCLI Module installed; see this post.

This uses and Array Table to build your source data, in this example, the PortGroup Name and VLAN ID for each. You can add further rows (more Port Groups) to the array by repeating the line in the red box, or add additional attributes by repeating the text from the green box on each line.

There are many ways you could modify this script to change the source of data, including ‘Get-Content’ from a .txt file for instance.

You can get the script here.

This is just one way to create Port Groups using PowerCLI, have a play around and make it work for you!

Thanks for reading.

« Older Entries