IT Basement

TT: Join VMware vCenter Server Appliance to Active Directory

Razvan Oncescu — Tue, 10 Jan 2012 10:53:34 +0000

This step-by-step tutorial will show you how to join a vCenter Appliance server to an existing Active Directory.

The setup is pretty simple:

Active Directory = itbasement.net
VMware infrastructure = vSphere 5
vCenter = VMware vCenter Server Appliance (ver. 5.0.0.2968 Build 380565)

When I first tried to join my vCenter Server Appliance to my Active Directory through the web interface, I was getting this type of error:

“Cannot join domain, failed to open connection to required ports on DC”

After searchin more info on the topic I found this KB#2002626.

Let’s get started!

1. Connect to vCenter using SSH or directly through vSphere Client Console.
2. First, make sure you properly set the DNS so that it points out your Active Directory. To double check, you can run the command:

itb-vcenter:~ # cat /etc/resolv.conf

3. Next, you have to setup the hostname for this appliance:

itb-vcenter:~ # domainjoin-cli setname itb-vcenter

4. Now we can join the vCenter to our Active Directory:

itb-vcenter:~ # domainjoin-cli join itbasement.net administrator@itbasement.net Passw0rd
With Computer DNS Name: itb-vcenter.itbasement.net
SUCCESS

Good, our vCenter is now connected to the Active Directory.

5. We have one final step to complete,: add permission for a domain user/group to access the vCenter infrastructure.

I’m pretty sure that most of you know how to do this, but for those of you who don’t, here it is:
- Connect to vCenter with ViClient and at the datacenter level go to permissions as in the example bellow:
- Select Add.. and choose your domain, your user or group and click OK.
- Select the role you want to assign to the Grop/User and then click OK.

Basically, that’s all you need to do.
Have fun!

vSphere5: Remove iSCSI Target from shell

Razvan Oncescu — Tue, 13 Dec 2011 09:05:00 +0000

Today I had a little time to improve my vSphere Lab and I started by upgrading the iSCSI Storage (Openfiler).
I migrated all my VM’s and then I shutdown the old iSCSI without removing the iSCSI targets for ESXi. It turned out that this was a big mistake because one of the ESXi server become unresponsive.
The only way I was able to connect to the ESXi server was by acessing the troubleshooting console.
After searching the logs for clues it was obvious that I had to remove the iSCSI target from cli.

Anyway, first I wanted to see how does the ESXi sees this lost device/path and used the esxcfg-scsidevs command:

~ # esxcfg-scsidevs -l
t10.F405E46494C45400C4F4143537E4D22476F453D297361423
Device Type: Direct-Access
Size: 133216 MB
Multipath Plugin: NMP
Vendor: OPNFILER Model: VIRTUAL-DISK Revis: 0
SCSI Level: 4 Is Pseudo: false Status: dead
Is RDM Capable: true Is Removable: false
Is Local: false Is SSD: false

t10.F405E46494C45425362463E69485D254743613D2F6244655
Device Type: Direct-Access
Size: 400320 MB
Multipath Plugin: NMP
Vendor: OPNFILER Model: VIRTUAL-DISK Revis: 0
SCSI Level: 4 Is Pseudo: false Status: on
Is RDM Capable: true Is Removable: false
Is Local: false Is SSD: false

Then, to be able to remove the dead iSCSI connection I needed the name of the iSCSI target and this was very easy finding out using the vmkiscsi-tool command:

~ # vmkiscsi-tool -S vmhba32
STATIC DISCOVERY TARGET
NAME     : iqn.2006-01.com.openfiler:tsn.acf1f3fdb247
ADDRESS : 192.168.40.4:3260
BOOT     : No
LAST ERR : LOGIN: No Errors
STATIC DISCOVERY TARGET
NAME     : iqn.2006-01.com.openfiler:tsn.da6f7f008898
ADDRESS : 192.168.40.99:3260
BOOT     : No
LAST ERR : LOGIN: No Errors

Great, now I have everything I need to proceed! The following command helped remove the target:

~ # vmkiscsi-tool -S -r “192.168.40.4 iqn.2006-01.com.openfiler:tsn.acf1f3fdb247″ vmhba32

Then, I restarted the the Management agents and then checked to see if there were any errors in vmkernel.log reported.

1
2
3
4
5
6
7
8
9
10

/sbin/services.sh restart
~ # tail -f /var/log/vmkernel.log
2011-12-12T12:24:13.208Z cpu3:2649)WARNING: NMP: nmpDeviceAttemptFailover:562:Retry world restore device "t10.F405E46494C45400C4F4143537E4D22476F453D297361423" - no more commands to retry
2011-12-12T12:24:17.674Z cpu1:2662)Tcpip: 2236: msleep returned 4
2011-12-12T12:24:22.678Z cpu1:2662)Tcpip: 2236: msleep returned 4
2011-12-12T12:24:22.741Z cpu1:2156)ScsiPath: 4963: DeletePath : adapter=vmhba32, channel=1, target=0, lun=0
2011-12-12T12:24:22.741Z cpu1:2159)ScsiPath: 4963: DeletePath : adapter=vmhba32, channel=0, target=0, lun=0
2011-12-12T12:24:22.741Z cpu3:2156)WARNING: ScsiPath: 5022: Remove path: vmhba32:C1:T0:L0
2011-12-12T12:24:22.741Z cpu1:2159)WARNING: NMP: nmpUnclaimPath:1577:Physical path "vmhba32:C0:T0:L0" is the last path to NMP device "Unregistered Device". The device has been unregistered.
2011-12-12T12:24:22.741Z cpu1:2159)WARNING: ScsiPath: 5022: Remove path: vmhba32:C0:T0:L0

After removing the target the ESXi server become responsive and I could connect to it using the vSphere Client.

PS: I know that removing the old iSCSI storage this way isn’t in the best practice papers, but this happened in my lab where everything is allowed.

Cheers

Exchange: Export a list with all distribution lists and members

Razvan Oncescu — Tue, 03 May 2011 13:03:17 +0000

This is a very useful script for exporting all your exchange distribution lists including all their containing members.

1
2
3
4
5
6
7
8
9
10
11
12
13

$totalObj = @()
$temp = Get-DistributionGroup -ResultSize Unlimited |
ForEach-Object {
[array]$mem = Get-DistributionGroupMember -id $_
for ($i = 0; $i -lt $mem.Count; $i++) {
$member = $mem[$i].name
$obj = New-Object System.Object
$obj | Add-Member -MemberType NoteProperty -Value $_.Name -Name 'Distribution Group' -Force
$obj | Add-Member -MemberType NoteProperty -Value $member -Name 'Members' -Force -PassThru
$totalObj += $obj
}
}
$totalObj | Export-Csv -Encoding 'Unicode' c:\report\dlist.csv

How to Activate Windows Server 2008/R2 Server Core

Razvan Oncescu — Fri, 11 Mar 2011 22:28:59 +0000

How to Activate Windows Server 2008/R2 Server Core

1.First, log on to the Server Core console.
2.If you haven’t keyed in the product key during setup, type:

cscript C:\windows\system32\slmgr.vbs -ipk

3.Then after the first command is successful, type:

cscript C:\windows\system32\slmgr.vbs -ato

Video supported by: Microsoft

Windows 2008: RODC Administrative Role Separation

Razvan Oncescu — Mon, 07 Mar 2011 11:52:40 +0000

RODCs support local administration through a feature called administrative role separation.
Every RODC maintains a local database of groups for specific administrative purposes. You can add a domain account to these local roles to enable support of a specific RODC.

This can be done with Ddmgmt.exe command. To achive this there are some steps to follow:
1. From the command prompt of the RODC write: dsmgmt and press Enter;
2. Type local roles and press Enter,
3. Optionally you can press ? to display a list of commands or list roles to display a list of local roles.
4. Type add administrators, where username is the Active Directory defined username.

Show Example

PS C:\> dsmgmt
C:\Windows\system32\dsmgmt.exe: local roles
local roles: ?

?                                      – Show this help information
Add %s1 %s2              – Adds an account %s1 to the local role %s2
Connections               – Connect to a specific AD DC/LDS instance
Help                               – Show this help information
List Roles                     – List defined local roles
Quit                            – Return to the prior menu
Remove %s1 %s2      – Removes an account %s1 from the local role %s2
Show Role %s              – Show local role members

local roles: list roles
Administrators

Available roles:
Administrators
Users
Guests
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
Incoming Forest Trust Builders
Terminal Server License Servers
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Replicator
Print Operators
Server Operators
Backup Operators
Account Operators
local roles: add admin.branch administrators
Successfully updated local role.

Windows Server: Activate PowerShell

Razvan Oncescu — Wed, 02 Mar 2011 09:43:27 +0000

To activate powershell in Windows 2008 R2 use the following commands:

C:\>DISM /Online /Enable-Feature /FeatureName:NetFx2-ServerCore
C:\>DISM /Online /Enable-Feature /FeatureName:MicrosoftWindowsPowerShell
C:\>DISM /online /enable-feature /featurename=ServerManager-PSH-Cmdlets
C:\>DISM /online /enable-feature /featurename=BestPractices-PSH-Cmdlets

Run it from:

C:\Windows\system32\WindowsPowerShell

Windows 2008:Install unattended Active Directory on Windows 2008 Server Core

Razvan Oncescu — Tue, 01 Mar 2011 16:11:58 +0000

I hope you are familiar with the Server Core and you have the server up and running. If not, you can read about it in the article Windows 2008 Core Edition: Step-By-Step Install and Configure.

OK, let’s get started!

1. First of all we will have to cofigure an unattended text file witch is called “answer file”. The answer file is an ASCII text file that provides automated user input for each page of the Active Directory Domain Services Installation Wizard.

As well know there are different types of Active Directory installations and of course the answer file is slightly different of each one of them. A list of answer files can be found bellow:

Show: For new tree in new forest

[DCINSTALL]
InstallDNS=yes
NewDomain=forest
NewDomainDNSName=
DomainNetBiosName=
SiteName=
ReplicaOrNewDomain=domain
ForestLevel=
DomainLevel=
DatabasePath=””
LogPath=””
RebootOnCompletion=yes
SYSVOLPath=””
SafeModeAdminPassword=

Show: For child domain

[DCINSTALL]
ParentDomainDNSName=
UserName=
UserDomain=
Password= Specify * to prompt the user for credentials during the installation.
NewDomain=child
ChildName=
SiteName= This site must be created in advance in the Dssites.msc snap-in.
DomainNetBiosName=
ReplicaOrNewDomain=domain
DomainLevel= This value cannot be less than the current value of the forest functional level.
DatabasePath=””
LogPath=””
SYSVOLPath=””
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName= The account that is being used to install AD DS may differ from the account in the parent domain that has the permissions that are required to create a DNS delegation. In this case, specify the account that can create the DNS delegation for this parameter. Specify * to prompt the user for credentials during the installation.
DNSDelegationPassword= Specify * to prompt the user for a password during the installation.
SafeModeAdminPassword=
RebootOnCompletion=yes

Show: For a new tree in existing forest

[DCINSTALL]
UserName=
UserDomain=
Password= Specify * to prompt the user for credentials during the installation.
NewDomain=tree
NewDomainDNSName=
SiteName= This site must be created in advance in the Dssites.msc snap-in.
DomainNetBiosName=
ReplicaOrNewDomain=domain
DomainLevel=
DatabasePath=””
LogPath=””
SYSVOLPath=””
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName= The account that is being used to install AD DS may differ from the account in the parent domain that has the permissions that are required to create a DNS delegation. In this case, specify the account that can create the DNS delegation for this parameter. Specify * to prompt the user for credentials during the installation.
DNSDelegationPassword= Specify * to prompt the user for a password during the installation.
SafeModeAdminPassword=
RebootOnCompletion=yes

Show: For additional domain controller

[DCINSTALL]
UserName=
UserDomain=
Password=
SiteName= This site must be created in advance in the Dssites.msc snap-in.
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=
DatabasePath=””
LogPath=””
SYSVOLPath=””
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=
RebootOnCompletion=yes

Show: For read-only domain controller (RODC)

[DCINSTALL]
UserName=
UserDomain=
PasswordReplicationDenied=
PasswordReplicationAllowed =
DelegatedAdmin=
SiteName=Default-First-Site-Name
CreateDNSDelegation=no
CriticalReplicationOnly=yes
Password=
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=
DatabasePath= “”
LogPath=””
SYSVOLPath=””
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=
RebootOnCompletion=yes

2. After modifying all the parameters to reflect your environment you have to copy this file to the new core server.

Show: RODC Example

[DCINSTALL]
UserName=Administrator
UserDomain=itbasement
PasswordReplicationAllowed =razvo
DelegatedAdmin=Administrator
SiteName=Default-First-Site-Name
CreateDNSDelegation=no
CriticalReplicationOnly=yes
Password=*
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=itbasement.net
DatabasePath= “C:\Windows\NTDS”
LogPath=”C:\Windows\NTDS”
SYSVOLPath=”C:\Windows\SYSVOL”
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=Pa$$w@rd
RebootOnCompletion=yes

Show: Additional DC Example

[DCINSTALL]
UserName=Administrator
UserDomain=itbasement
Password=*
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=itbasement.net
DatabasePath=”C:\Windows\NTDS”
LogPath=”C:\Windows\NTDS”
SYSVOLPath=”C:\Windows\SYSVOL”
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=Pa$$w@rd
RebootOnCompletion=yes

3. Now, to run the Active Directory Domain Services Installation Wizard in unattended mode, we have to use the following command at a command prompt:

dcpromo /unattend::

Note: The placeholder represents the path of the answer file that will be used to install or remove AD DS. You must be logged on as a local administrator for the computer to run this command.

4. After the AD installation ends reboot the computer

shutdown /r /t /0

Or you can choose to install a replica from one command-line:

Show: Example of creating an AD replica without answerfile

dcpromo /unattend /username:itbasement\administrator /password:* /installDNS:yes /DNSonNetwork:yes /replicaORNewDomain:replica /replicaDomainDNSName:itbasement.net /DomainNetBiosName:itbasement /databasePath:”c:\NTDS” /logPath:”c:\NTDS” /sysvolpath:”c:\sysvol” /safemodeAdminPassword:VMware2010 /rebootoncompletion:yes

To remove a Domain Controller from Active Directory use the following answer files:

Show: For removal of AD DS

[DCINSTALL]
UserName=
UserDomain=
Password=
AdministratorPassword=
RemoveApplicationPartitions=yes
RemoveDNSDelegation=yes
DNSDelegationUserName=
DNSDelegationPassword=
RebootOnCompletion=yes

Show: For removal of AD DS from the DC in a domain

[DCINSTALL]
UserName=
UserDomain=
Password= Specify * to prompt the user for credentials during the installation.
IsLastDCInDomain=yes
AdministratorPassword=
RemoveApplicationPartitions=If you want to remove the partitions, specify “yes” (no quotation marks) for this entry. If you want to keep the partitions, this entry is optional.
RemoveDNSDelegation=yes
DNSDelegationUserName=
DNSDelegationPassword=
RebootOnCompletion=yes

Show: For removal of the last DC in a forest

The following links helped me to better understand the process:
KB947034 ; Petri.co.il

I hope this was helpful!

Windows 2008 Core Edition: Step-By-Step Install and Configure

Razvan Oncescu — Tue, 01 Mar 2011 10:51:08 +0000

I will start by writing a brief description about Server Core and then we will get deeper with some command-line stuff.

Now what is Server Core?
Well, Server Core is a minimal server installation option for computers running on the Windows Server 2008 operating system or later. Server Core provides a low-maintenance server environment with limited functionality.

A server running a Server Core installation supports the following server roles:

Active Directory Domain Services (AD DS)
Active Directory Certificate Services (AD CS)
Active Directory Lightweight Directory Services (AD LDS)
DHCP Server
DNS Server
File Services
Print Services
Streaming Media Services
Internet Information Services (IIS)
Hyper-V

A Server Core installation does not include full graphical user interface meaning that all the configuration is being done using the command-line. Once you have configured the server, you can manage it locally at a command prompt or remotely using a Terminal Server connection. You can also manage the server remotely using the Microsoft Management Console (MMC) or command-line tools that support remote use. In R2, PowerShell can also be used either locally or remotely.

Now that you have a better understanding of that Windows 2008 Server Core edition, we will continue with a basic installation and configuration.

Step 1: Boot using a Windows 2008 / R2 media kit and select one of the Core versions as shown in the picture bellow:

Step 2: After the setup is finished Windows will boot up in a non-graphical interface as shown in the following image:

OK, now that the Windows installation is over we can write some interesting commands on the console!

First of all we have to connect to the internet by configuring an IP address:

netsh interface ipv4 set address name=”Local Area Connection” source=static address=192.168.0.5 mask=255.255.255.0 gateway=192.168.0.1

netsh interface ipv4 add dnsserver name=”Local Area Connection” address=127.0.0.1 index=1

netsh interface ipv4 add dnsserver name=”Local Area Connection” address=192.168.0.2 (DNS Server)

Then we have to change the server name. This can be done by the following command:

netdom renamecomputer WIN-JS8DELN0O6D /newname:ADcoreOLD /UserO:administrator /PasswordO:* /ReBoot:60

After the system boots up we will join him to a domain controller using the next command:

netdom join ADcore /Domain:itbasement.net /OU:ou=itBasement,dc=itbasement,dc=net /UserD:administrator /PasswordD:*

And reboot again!

shutdown /r /t 0

If you find hard to understand all the commands or you don’t want to complicate things you can choose to use the Core Configurator. You can find more info about CC in this link!

Matt Hester, Sr. from Microsoft has put together a video with a quick look guide over “Windows 2008 Core Edition”. I recommend watching it:

VMware: ESX 4.0 (or 3.5) Server Integration with Active Directory

Razvan Oncescu — Fri, 25 Feb 2011 15:58:33 +0000

A couple of months ago I had to integrate several ESX servers in the Active Directory for security purposes.Now why would we want to do that? A very good reason would be that you want to keep your VMware environment safe and simple.

OK, let’s get started!

Step One: Be sure that this feature is already configured or not:

/usr/sbin/esxcfg-auth –disablead

Step Two: Run the following command replacing the bloded text with the name of your domain:

/usr/sbin/esxcfg-auth –enablead –addomain=itbasemenet.net –addc=itbasemenet.net

Step Tree: Create the usernames:

/usr/sbin/useradd admin.user

* the username should be named the same as the one configured in the Active Directory. You don’t need to provide a password for this account since you will use the Active Directory password.

Step Four: Don’t forget to modify the ESX firewall to permit Active Directory Kerberos. Check the image below:

And that’s it!

VMware: Disable Web Access

Razvan Oncescu — Mon, 17 Jan 2011 12:48:58 +0000

Web Access provides a means for users to view virtual machines and perform simple operations such as power on and suspend. It also provides a way to obtain console access to virtual machines.

All of this is governed by the users permissions on vCenter Server. In some cases, you may want to disable web access in order to eliminate the risk from having an open interface that is not being used.

To completely delete the vSphere Web Access service from vCenter Server:

1. Select Start > Programs > Administrative Tools > Services.
2. Stop the VMware VirtualCenter Management Webservices service.
3. Use Windows Explorer to open C:\Program Files\VMware\Infrastructure\tomcat\webapps and delete the ui directory.
4. (Optional) Use Windows Explorer to open C:\Program Files\VMware\Infrastructure\tomcat\work\Catalina\localhost and delete the ui directory.
5. Start the VMware VirtualCenter Management Webservices service.

See VMware KB #1009420 for more details.

!!! Note that any upgrade to vCenter Server will recreate this file.

Extract from vSphere Hardening Guide April 2010.pdf