Zsoldier's Tech Blog

Summary:
Needed to script configure all my 100+ ESXi hosts w/ a scratch location.  Having a permanent scratch location configured is helpful when an error such as a purple screen of death (PSOD) occurs on ESXi.  It is not a requirement, but definitely a best practice.
PreRequisites: Powershell 2.0 +PowerCLI 5.1 +vCenter 4.1 +Local or Shared DatastoreLocal is easy if you standardize on naming of a local datastore.  I'll focus on this in my script example.Shared Datastore essentially accomplishes a similar goal of a remote syslog server, you'll want to be sure to separate logs to their own individual directory.Scaling may become an issue unless you focus these shared datastores among clusters rather than all hosts.Details:

Summary:
Login syntax using LDAP to Cisco Fabric Interconnects.

Linux/Mac:
Syntax:
ssh ucs-authdomain\\username@UCSIPAddressORDNSName

Example:
ssh ucs-tech.zsoldier.com\\zsoldier@ucs.tech.zsoldier.com


Windows/Putty:
Syntax:
ucs-authdomain\username

Example:
ucs-tech.zsoldier.com\zsoldier

Summary:It had these ‘faults’ showing up on Chassis.  The error was rather vague, but one thing that hooked me was the idea that there was a ‘discovery policy’ incorrectly configured.Resolution:Find and change the discovery policy:Decommission the ChassisRecommission ChassisVoila, those errors should go away if you selected the correct discovery policy for your configuration.

Thought this was kind of a cool function of Netbackup 7.5.  It has the ability to post last good backup date to a vCenter custom attribute.  Here is the article:
http://www.symantec.com/business/support/index?page=content&id=HOWTO71014

The short of it is to simply add the extensions (Register extension, Unregister extension, Update extension) permissions to your NBU role on top of those perms listed here:
http://tech.zsoldier.com/2011/06/netbackup-perms-and-vsphere-4x.html
and
configuring vmware advanced attributes in netbackup 7.5+.
http://www.symantec.com/business/support/index?page=content&id=HOWTO70998#v62458854
<-- Pointed out by Michael in comments. Cause I forgot to add it.  -->

Summary:
Pain in my arse.  I was able to make it work this way, whether this is the correct way to do it is most definitely up for debate.  I started writing this on w/ vCO PS Plugin 1.0, so some things might need work.  I welcome corrections.

Details:
WinRM by default only allows users that are members of the administrators. See here how to add additional usersThe only way I’ve been able to make this work in Orchestrator is if the service account I’m using is a member of the administrators group on the powershell remote host. It works via standard WinRM or Powershell so a bit puzzled as to why I get access denied errors from vCO.  Still researching...  :-/Setup IIS Generate CSR from IIS Import CA generated CSR IIS Website -> SSL Settings -> Edit Bindings -> https://  -> Select imported SSL cert. Command Prompt (not powershell): winrm quickconfig -transport:https winrm set winrm/config/client @{TrustedHosts=”NameorIP of VCO host”} winrm set winrm/config/service/auth @{…

Free Trip to VMWorld 2012
Go here for details:
http://vdestination.com/2012/06/26/go-to-vmworld-2012-for-free/

The contest is sponsored by Veeam, Symantec, and Train Signal.

[Guest Post by Jeremy Reiman]

Summary:
ESXi hosts timing out during HA cluster election phase after cluster master is selected.  The HA Agent status in vCenter shows as unreachable on all hosts that timed out.
Symptoms:
ESXi host fails to enable HA Agent and shows error "operation timed out".Error message "[ClusterManagerImpl::IsBadIP] x.x.x.x is bad ip" showing in /var/log/fdm.log on ESXi hosts.TCPdump capture from ESXi host shows packets destined for IP address of other ESXi host are being sent to the MAC address of the firewall.  These should be going to the MAC address of the ESXi host management interface since both reside on the same VLAN.
Configuration Info:
ESXi host managment interfaces are on the same VLAN.ESXi 4.1 +Firewall is a Cisco ASA5500 running IOS 8.2(2).Firewall Switch Module running 3.2(5) is also applicable.All network ports are open on the firewall between the vCenter server and the ESXi hosts. Resolution:
Disable ProxyARP on the ESXi host management …

Summary:
This took me a little while to figure out.  Here are the basic steps.  This is so you can sign any scripts using your locally available domain CA.  By doing this, you can sign scripts and they will be authorized for use on your local domain.  This is so you can keep your powershell execution policy as remotesigned rather than unrestricted.

SSL Certs are something of an enigma that have always eluded my proper understanding.  So I took it upon myself to figure this one out.
Summary:
Replace default OCM cert w/ one that is CA signed.  Click below to continue.

Summary:
I happened to see someone searching for this and coming across my previous post on it’s wonkiness, so I figured I’d make a post showing how I went about configuring it w/ an Active Directory domain.  This only applies to the vcops-custom page.  The standard vCops-vsphere page uses vCenter’s authentication via role permissions.
Details:
Log into your vcops-custom page as an admin. (example http://yourvCOPsUIvmIP/vcops-custom)Select Admin –> SecuritySelect the Import from LDAP buttonSelect the add buttonNow see the screenshot below to see how to fill out the configuration screen:Below details how the auto-sync works:You’re pretty much done @ this point. Auto Sync occurs once every hour, so once you configure it, it’ll take approx. an hour before users are granted access.  The other caveat is that nested groups are not supported.  Users must be direct members of the security group you setup w/ Auto Sync.
Feel free to ask questions in the comments.  I’m always keeping an eye on …

Many moons ago back in April, I and several other vExperts were invited to Symantec HQ for an executive briefing.  What I thought was just going to be a sales pitch, turned into a deep discussion around virtualization philosophy and technical discussion around Symantec’s many products.  Hit the link to read more if you are interested in my experience.

This is something you’ll likely have to do on a rare occasion.  In case you do though, here is the info need to do so.Disable HA on cluster.SSH into ESX/ESXi boxRun the following:# Stops management services/sbin/services.sh stop# Runs uninstaller script/opt/vmware/uninstallers/VMware-aam-ha-uninstall.sh# Sometimes has problems removing the below directory, so we help it.rm -rf /opt/vmware/aam# Restarts management services/sbin/services.sh start

One of the nifty things about the current VMware View iPad App is it's ability to import a RSA token.  Unfortunately, the documentation on how to do this is a bit scarce.  These steps may work for Android too, but I don't have an Android tablet to test with.

PreReqs:

RSA Server 7.1 SP4 <-- This is what I tested against.View 4.5+ w/ RSA enabled.VMware View iPad application Simply go to your RSA self-service page and request a new token.  If it's enabled you should have an option like this: You'll want to select "I need a specific software token" then select "RSA SecurID Token for iPhone and iPAD/iPOD"
Once you or your RSA admin approve your request, you should get a link and activation code that looks something like this:
Joe, your new or additional software token request has been approved with the following comments from your administrator:
RSAAdmin: approved
Please ensure that the RSA SecurID application is installed on your device before attemptin…

Pretty sweet gift from @VMWare.

Summary:I had been having issues w/ our deployment of the  vCenter Operations vApp.  The Web GUI interface has two pages, https://vCopsServerName/vcops-vsphere and https://vCopsServerName/vcops-custom.  It seems vcops-vsphere simply uses vCenter privileges to determine whether you can login and what you can view.  vcops-custom however does not and has a separate set of permissions it uses to determine a user’s access authority.  They both however utilize the same useraccount table in the postgres database.Workaround:This KB contains the steps needed to workaround the LDAP import problem:http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2013440Step 2 was incorrect as of this post date, it should read as follows:# su postgres
# psql -d alivevm I’ve let VMWare and @VMWareKB know of the typo.  So it should get corrected. Details:I found that when I login into vcops-vsphere, it uses my permissions on VC and creates a user object in the use…

Summary:
I’ve found this can occur when you attempt to deploy to vmfs w/ formatted blocks not equal to 1MB.  This only applies to vmfs 3.33 and earlier.  vmfs 5 or vSphere 5 formatted datastores should not see this issue as they are all formatted in 1MB block sizes.
Workaround:
Deploy OVF to a 1MB block sized datastore.
Side Note:
I’m wondering if deployment fails because the vmdk’s were originally created on 1MB datastore’s?

Summary:VM will not vMotion because CD-rom is detected as mounted by another user.  Option to disconnect or remove CD-rom is unavailable/grayed out under settings of VM.Resolution:Open the VM’s Console, select the CD-rom drive icon and select disconnect.As obvious as this seems, I found myself chasing a rabbit trying out methods to fix this issue.  This method worked in vSphere 4.1 Update 1.  Later revisions should too, not sure about earlier versions.

Summary:
This value appears after installing the Dell OMSA vib for ESXi 4.1.  Tried changing this value to 1 using PowerCLI proved a bit more difficult than I originally thought, even cheating w/ Onyx.
Example:
Using this:
$changedValue = New-Object VMware.Vim.OptionValue[] (1)$changedValue[0] = New-Object VMware.Vim.OptionValue$changedValue[0].key = "UserVars.CIMoemProviderEnabled"$changedValue[0].value = 1$_this = Get-View -Id 'OptionManager-EsxHostAdvSettings-00000'$_this.UpdateOptions($changedValue) I’d get this ‘useful’ error:
Exception calling "UpdateOptions" with "1" argument(s): "A specified parameter was not correct.
"
At line:1 char:21
+ $_this.UpdateOptions <<<< ($changedValue)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Solution:
Apparently the ‘value’ property needs to be declared as an int64 type.  By default, Powershell assumes the val…