Wednesday, September 16, 2015

Powercli Get-Esxcli install VIB files

In my earlier blog, Using Powercli to copy files from your computer to Esxi server, I was able to install a VIB file using the plink.exe tool but not through the PowerCLI Get-EsxCli command. After a lot of trial and error I have come to the conclusion that to install a plain VIB you have to use an offline bundle (if anyone knows a solution, suggestions are welcome). I downloaded the offline bundle for the ESXi web client as a zip file and copied it to the datastore.

Read my earlier blog: Using Powercli to copy files from your computer to Esxi server.
Next I uninstalled the already installed software. I will be removing it using SSH again; my command is kept under c:\temp\command.txt and it contains the line
esxcli software vib remove -n esx-ui

Next, on the PowerShell console, I executed command.txt on the ESXi server using the plink tool.
Write-Output "yes" |  plink.exe -ssh root@ -P 22 -pw Computer@1 -m 'c:\temp\command.txt'

It gave me the message "operation finished successfully" and the VIB was removed.
Now we need to create an esxcli connection to the server over PowerCLI.
$esx =  Get-VMHost | Get-EsxCli
All the session details are saved in $esx, which can be used later against the connected ESXi server.
$"/vmfs/volumes/datastore1/",$false,$true,$true,$true,$false,$null,$null, $null)

The above command installs the offline bundle. Make sure you keep the upper- and lower-case letters exactly as they are when providing the offline bundle path. You will get a success message from the server, and it will require a reboot.
Once I rebooted the server, I connected to the ESXi server again by running connect-viserver, created the esxcli connection to the VMHost and stored the session in $esx (to verify the software is in the list and correctly installed).
$ | ft
There is also another command to install an ESXi offline bundle, Install-VMHostPatch, which is fairly easy.
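The Get-EsxCli flow described above (connect, install the offline bundle, verify the VIB list), written out as an added example that is not code from the original post. The host name, datastore and bundle file name are placeholders; the positional argument order of software.vib.install (depot, dryrun, force, maintenancemode, noliveinstall, nosigcheck, proxy, vibname, viburl) is the PowerCLI v1 Get-EsxCli signature as assumed here. Unlike the post's one-liner, it runs a dry run first and keeps signature checking and dependency checks on.

```powershell
# Added example, not from the original post. Placeholders: esxi01.example.lab, datastore1
# and the bundle file name. Argument order of software.vib.install is assumed to be the
# PowerCLI v1 signature: depot, dryrun, force, maintenancemode, noliveinstall,
# nosigcheck, proxy, vibname, viburl.
Connect-VIServer -Server esxi01.example.lab -Credential (Get-Credential -Message 'ESXi root')

$vmhost = Get-VMHost -Name esxi01.example.lab
$esx    = Get-EsxCli -VMHost $vmhost

# Path exactly as it appears on the host: the datastore file system is case sensitive.
$depot = '/vmfs/volumes/datastore1/esxui-offline-bundle.zip'   # placeholder file name

# Dry run first: reports what would be installed without changing the host.
$dry = $esx.software.vib.install($depot, $true, $false, $false, $false, $false, $null, $null, $null)
Write-Host "Dry run: $($dry.Message)"
Write-Host "Would install: $($dry.VIBsInstalled -join ', ')"

# Real install. nosigcheck stays $false so unsigned VIBs are refused, and force stays
# $false so acceptance-level and dependency checks remain in effect.
$result = $esx.software.vib.install($depot, $false, $false, $false, $false, $false, $null, $null, $null)
Write-Host $result.Message
if ("$($result.RebootRequired)" -eq 'true') {
    Write-Warning 'Reboot required before the new VIB is active'
}

# Verify: the VIB must show up in the host inventory, with its acceptance level.
$esx.software.vib.list() |
    Where-Object { $_.Name -like 'esx-ui*' } |
    Select-Object Name, Version, Vendor, AcceptanceLevel, InstallDate |
    Format-Table -AutoSize
```

The post's own call passes force and maintenancemode as $true; the example leaves both at $false so that a bundle with an unmet dependency or a lower acceptance level fails loudly instead of being forced in. Newer PowerCLI releases also offer Get-EsxCli -V2, where the same call takes named arguments ($esx.software.vib.install.Invoke(@{depot = $depot})), which avoids counting positional $null values.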

Using Powercli to copy files from your computer to Esxi server

My next article: Powercli Get-Esxcli install VIB files
This is a step-by-step guide on copying files using PowerCLI. For this you will have to install PowerCLI on your computer. Open PowerCLI.
Next, run the command connect-viserver to connect to your ESXi or vCenter; think of it as connecting through the vSphere client GUI. It will ask for credentials (here I am connected to my ESXi directly).
Next you will see that PowerCLI is connected to the ESXi server. Now we will copy the file to the datastore. All the datastores are listed under the vmstore: or vmstores: drive (this is a drive letter for ESXi datastores; think of it as your c: or any other drive). To go to the datastore directory, type

cd vmstore:\ha-datacenter\datastore1

I have only one local datastore on my ESXi server and its name is Datastore1. To view the list of all datastores you can run the command Get-Datastore. I created a new directory; as you can see, it is visible in the GUI as well.
I downloaded the VIB file and kept it on my computer under c:\temp (this is my favorite location to keep my testing stuff).
With the next command I am mounting datastore1 as a mapped drive in PowerCLI; it will be visible there only, and my mapped datastore drive is named vDATA. (This step is not required, but I am showing it as an extra one; it is always good to have multiple tricks in your memory. To copy files you will need to use a special command, which I will show next. You can also use the VMware drive vmstore:, as it is already mapped, in case you want to skip the command below.)
Get-Datastore datastore1 | New-DatastoreDrive -Name vDATA
I move into the datastore by running cd vDATA:\VIb, which changes the location of the current drive.
Below is the special command to copy files to the datastore and vice versa; the native PowerShell command copy-item will not work, as Windows and VMware are different drive providers.
Copy-DatastoreItem -Item c:\Temp\esxui-3015331.vib -Destination vDATA:\VIB
Then run dir to verify the file has been copied; you can verify the same in the GUI client as well.
Now that we have copied the file we will install it. For the installation I will be using the plink.exe tool. (I tried using Get-EsxCli to install this plain VIB file and tried all the possible parameters, but every time it failed; if anyone knows the correct parameters or has succeeded, suggestions are welcome. Just to add, I am able to successfully install offline bundles through the Get-EsxCli command: Powercli Get-Esxcli install VIB files.) Plink.exe is a PuTTY tool and I will SSH into ESXi with it, but it will be completely automated.
To use plink we need to enable SSH on the server. To enable it, run the command below.
Get-VMHost | Get-VMHostService | Where-Object {$_.Label -eq 'SSH'} | Start-VMHostService
It will start the SSH service on ESXi.

Next I created a text file in c:\temp and wrote one command in it. That command is going to be executed on the ESXi server, completely automated. (If you check my earlier blogs, I have used the plink tool heavily for internal configuration that is not possible through the GUI or PowerCLI, for example Changing Motd banner and Download logs from esxi server, where everything is completely automated through plink.exe.)

As the command below is going to run on ESXi, make sure your folder names use the proper upper- or lower-case letters, as ESXi is case sensitive. The file name is command.txt and it contains the command below.
esxcli software vib install -v /vmfs/volumes/datastore1/VIb/esxui-3015331.vib

I keep my plink file under c:\windows; this way I don't have to do extra configuration of the environment variable. On my PowerCLI console:
Write-Output "yes" | plink.exe -ssh root@ -P 22 -pw Computer@1 -m 'c:\temp\command.txt'

Once you execute the command you will see the message "operation finished successfully", that no reboot is required, that there is no need to put the server into maintenance mode for this software, and the name of the VIB which has been installed.
The step below you can do earlier as well, when you have finished copying the file, but I prefer to do it last in case the copied file is corrupted. Remove-PSDrive vDATA will unmap the mapped datastore drive.
The VIB file I installed was the VMware host web client. You can find more information about this cool fling from VMware.
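The whole copy-and-install procedure above (map the datastore, Copy-DatastoreItem, enable SSH, run the esxcli command through plink.exe, unmap), as an added example that is not code from the original post. Host name, datastore, folder and file names are placeholders. It differs from the post in three places a practitioner would want: the root password is prompted for with Get-Credential instead of being typed into the command line, SSH is switched off again once the install has run, and the command file is deleted afterwards.

```powershell
# Added example, not from the original post. Placeholders: esxi01.example.lab,
# datastore1, the VIB folder and the local VIB path.
$hostName = 'esxi01.example.lab'
$localVib = 'C:\Temp\esxui-3015331.vib'
$dsFolder = 'VIB'

Connect-VIServer -Server $hostName -Credential (Get-Credential -Message 'ESXi root') | Out-Null
$vmhost = Get-VMHost -Name $hostName
$ds     = Get-Datastore -VMHost $vmhost -Name 'datastore1'

# Map the datastore as a PSDrive and copy with the datastore-aware cmdlet; Copy-Item
# cannot copy between the Windows file system provider and the VMware datastore provider.
New-DatastoreDrive -Name vDATA -Datastore $ds | Out-Null
if (-not (Test-Path "vDATA:\$dsFolder")) {
    New-Item -ItemType Directory -Path "vDATA:\$dsFolder" | Out-Null
}
Copy-DatastoreItem -Item $localVib -Destination "vDATA:\$dsFolder\" -Force
Get-ChildItem "vDATA:\$dsFolder"      # confirm the copy before enabling SSH at all

# Enable the SSH service only for the duration of the install (service key TSM-SSH).
$ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
Start-VMHostService -HostService $ssh -Confirm:$false | Out-Null

# The command file is executed on ESXi, where the datastore path is case sensitive.
$cmdFile = Join-Path $env:TEMP 'command.txt'
$vibName = Split-Path $localVib -Leaf
"esxcli software vib install -v /vmfs/volumes/datastore1/$dsFolder/$vibName" |
    Set-Content -Path $cmdFile -Encoding ASCII

# Password is prompted for at run time rather than hard-coded in the script. The piped
# "yes" answers plink's unknown-host-key prompt; log in manually once so the key is cached
# and you can drop the pipe, otherwise any host answering on that name is accepted.
$cred = Get-Credential -UserName root -Message 'ESXi root password for plink'
$pw   = $cred.GetNetworkCredential().Password
Write-Output 'yes' | plink.exe -ssh "root@$hostName" -P 22 -pw $pw -m $cmdFile
Remove-Item $cmdFile

# Switch SSH off again and unmap the drive.
Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
Remove-PSDrive -Name vDATA
```

Even with the prompt, plink's -pw option still places the password on the plink process command line for as long as it runs; if this is going into a scheduled job rather than an interactive session, key-based authentication (plink -i with a .ppk key whose public half is in the host's authorized keys) avoids that, and leaves nothing reusable in the script.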

Below is the summary from the fling website for the ESXi Embedded Host Client.

This version of the ESXi Embedded Host Client is written purely in HTML and JavaScript, and is served directly from your ESXi host and should perform much better than any of the existing solutions. Please note that the Host Client cannot be used to manage vCenter. Currently, the client is in its development phase, but we are releasing this Fling to elicit early feedback from our users to help guide the development and user experience that we are creating. As such, the client is not fully featured and only implements a handful of the most important features. Some of these include:

  • VM operations (Power on, off, reset, suspend, etc).
  • Creating a new VM, from scratch or from OVF/OVA (limited OVA support)
  • Configuring NTP on a host
  • Displaying summaries, events, tasks and notifications/alerts
  • Providing a console to VMs
  • Configuring host networking
  • Configuring host advanced settings
  • Configuring host services
We welcome any feedback and bug reports at this early stage. However, rather than reporting on missing features, we are very much interested in your thoughts on the layout, user experience, and performance of the host client.

Known Issues

  • On ESXi hosts which are assigned a VMware vSphere Hypervisor license, all modification operations will fail silently. We are working on a solution to this issue.
  • On ESXi hosts which have a sub-domain name with large, shared cookies a web console session may fail to initialize. A workaround is to clear cookies or run the host client in an incognito-type window.
  • For ESXi 5.5U2 and prior, and ESXi 6.0 hosts upgraded from any 5.5U2 or prior version, you will get a 503 error returned after visiting https://<esxhost>/ui/. To resolve this issue, please remove the line starting with /ui from /etc/vmware/rhttpproxy/endpoints.conf and restart rhttpproxy with /etc/init.d/rhttpproxy restart
  • For ESXi 5.5 hosts, in-browser consoles are not supported. Please use VMRC to access guest VM consoles.
  • For ESXi 5.5U2 and prior hosts, you must ensure to append a trailing / (forward slash) to the URL after /ui. The URL must be https://<esxhost>/ui/
  • For some Windows guests, send Ctrl-Alt-Del does not work.
If you need an offline bundle of the VIB for use with VUM, you can download it here.

Monday, September 14, 2015

Configuring Microsoft iSCSI Target datastore on Esxi server and multipathing Step by Step

In Microsoft Windows 2012 and above there is a cool role introduced by Microsoft. The name of the role is iSCSI Target Server, under File and Storage Services. (Microsoft provided the same software earlier as a separate download; now it is a role built into Server 2012. See Earlier version iSCSI Target configuration.) I used it to configure my Microsoft Clustering lab, as it required shared storage. Windows Server 2012 iSCSI Target is a good substitute for FreeNAS or Openfiler.


What is iSCSI Target Server?
This server provides block-level storage. The iSCSI target (server) shares LUNs with initiators (clients) using the iSCSI protocol over a TCP/IP network. The shared block storage acts as a local disk to the OS.

In this article I will be using the iSCSI target to present datastores to ESXi servers with multipathing. Here I have ESXi servers with two dedicated network cards carrying only storage traffic in their own IP series. Both NIC cards are connected to separate switches, and my iSCSI storage server has two Ethernet cards connected to Switch1 and Switch2 respectively. This way I get redundancy: if any one of my network cards or any one of my switches fails, my traffic still flows through the other path. In this article I am going to simulate the same thing.
To start, I want to show you how my Ethernet card IP address settings look. I have this configuration on my Windows iSCSI Target Server: there are 2 Ethernet cards, each terminated on its own switch. My ESXi server is connected to the same switches.

On my ESXi server I have a completely separate virtual standard switch for storage traffic. (Select the ESXi server from the vCenter inventory, select the Configuration tab, then Networking under Hardware in the left panel.)
And this is my configuration for the iSCSI-Storage01 and 02 port groups. iSCSI-Storage01 has vmnic3 as its active adapter and the others set to unused (they will not be utilised), and the iSCSI-Storage02 port group has the reverse setting. This is required to configure VMware multipathing.
Above was how my configuration on both the iSCSI target and the ESXi server looks; next I will be configuring the iSCSI Target server from scratch. Open Server Manager, click Manage in the top-right menu, and select Add Roles and Features.
In the next 3 windows there is nothing much to configure; click Next three times.
Check iSCSI Target Server under File and Storage Services. The next page, Features, needs no configuration; click Install after confirming the summary.
Once the role is installed we will configure it.
In Server Manager click File and Storage Services in the right panel to configure the newly installed role further.
Select iSCSI, and under Tasks click New iSCSI Virtual Disk, or click "To create an iSCSI virtual disk, start the New iSCSI Virtual Disk Wizard".
Next provide the path where all the iSCSI virtual disks (vhdx) will be kept on the server's local disk, and name the disk; the required .vhdx extension is added automatically.
The next screen is the LUN size. For the size format I will use VMware terminology:
Fixed Size -- Thick Provisioning
Dynamically Expanding -- Thin Provisioning
Differencing -- Linked clone
On the next screen, create a new iSCSI target instance.
Name the target instance. This is the step where we add the ESXi servers' IQNs; I have added both ESXi servers' IQNs.
Where do you find those IQNs, and what is an IQN?
IQN is the iSCSI Qualified Name; it is something like the MAC address of a NIC card. Whenever data is exchanged between the iSCSI target and the iSCSI initiator, this IQN is used as the identifier.

To find the IQN on the ESXi server, go to the Configuration tab of the ESXi server, select Storage Adapters from the Hardware left panel, select iSCSI Software Adapter, and you can copy and paste the iSCSI name.
In case you are unable to find the iSCSI Software Adapter, you will need to add it as shown above, and the screen below will pop up.
Back to the previous screen on Windows, once you have found the IQN. The next screen shows the summary; click Next to start.
It will take some time to fully create the fixed virtual disk, and you will see the result as one iSCSI target with its attached disks. You can now add more disks to the same target if you want.
Here we are done with the Windows server configuration; all other configuration is on the ESXi server.
Go to the iSCSI software adapter and click Properties.
On the Dynamic Discovery tab click Add and provide any one IP of the iSCSI server; don't type all the IPs.
ESXi will detect all the target ports and they will be visible under Static Discovery.
Next we need to configure port binding. In the Network Configuration tab click Add and add both iSCSI VMkernel ports with their associated physical adapters; do the binding for both adapters. (Above I had already made only one vmnic active on each VMkernel port and the others unused; without that step you will not see the iSCSI adapters in the binding, or they will not be compliant.)
You should see something like this once you add both VMkernel port groups. Click Close to rescan (refresh and discover the LUNs presented by the iSCSI target server).
Once the rescan is completed you will see one LUN is visible; right-click it and go to Manage Paths.
Under Manage Paths you will see there are 4 redundant paths available, and the paths' status is Active.
Here I will simulate a real production scenario: what happens if one of the physical switches is down. Let's pull the network cable from one of the ESXi storage-dedicated network cards.
I pulled the cable from vmnic3 and 2 of my paths are dead while 2 paths are still available. Pretty cool, huh...
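The same build-out done with cmdlets instead of the GUI, as an added example that is not code from the original post: the Windows half (role, virtual disk, target restricted to the ESXi IQNs, disk mapping) runs on the iSCSI target server, and the ESXi half (software iSCSI, dynamic discovery, port binding, rescan) runs in PowerCLI from the management workstation. Host names, the portal IP, IQNs, the disk path and the vmkernel port names are placeholders, and the esxcli v1 argument order for iscsi.networkportal.add (adapter, force, nic) is an assumption. The closing path summary is the check to rerun after pulling a cable: it should go from 4 active to 2 active and 2 dead.

```powershell
# Added example, not from the original post. All names, IPs and IQNs are placeholders.

# ---- Windows Server 2012 R2 iSCSI Target side (run on the target server) ----
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools | Out-Null

# Fixed (thick) virtual disk; drop -UseFixed for a dynamically expanding (thin) one.
$vhdx = 'C:\iSCSIVirtualDisks\ESXi-DS01.vhdx'
New-IscsiVirtualDisk -Path $vhdx -SizeBytes 50GB -UseFixed | Out-Null

# Restrict the target to the ESXi initiators by IQN so no other host can log in to the LUN.
$esxiIqns = @(
    'IQN:iqn.1998-01.com.vmware:esx01-00000001',   # placeholder IQN of ESXi host 1
    'IQN:iqn.1998-01.com.vmware:esx02-00000002'    # placeholder IQN of ESXi host 2
)
New-IscsiServerTarget -TargetName 'ESXi-Cluster' -InitiatorIds $esxiIqns | Out-Null
Add-IscsiVirtualDiskTargetMapping -TargetName 'ESXi-Cluster' -Path $vhdx

# ---- ESXi side (PowerCLI, run from the management workstation) ----
$vmhost = Get-VMHost -Name 'esx01.example.lab'
Get-VMHostStorage -VMHost $vmhost | Set-VMHostStorage -SoftwareIScsiEnabled $true | Out-Null
$hba = Get-VMHostHba -VMHost $vmhost -Type IScsi | Where-Object { $_.Model -like '*Software*' }

# Dynamic discovery needs only one portal address; ESXi learns the second one from it.
New-IScsiHbaTarget -IScsiHba $hba -Address '10.10.10.1' -Type Send | Out-Null

# Port binding: one vmkernel port per storage uplink (each assumed to have a single
# active vmnic, as in the article). esxcli v1 order assumed: adapter, force, nic.
$esx = Get-EsxCli -VMHost $vmhost
foreach ($vmk in 'vmk1', 'vmk2') {
    $esx.iscsi.networkportal.add($hba.Device, $false, $vmk) | Out-Null
}
Get-VMHostStorage -VMHost $vmhost -RescanAllHba | Out-Null

# Verification: every LUN behind the software iSCSI adapter should show 4 paths
# (2 vmkernel ports x 2 target portals). Rerun after pulling a cable to see 2 go Dead.
function Get-IscsiPathSummary {
    param($VMHost, $Hba)
    Get-ScsiLun -VmHost $VMHost -LunType disk |
        Where-Object { $_.RuntimeName -like "$($Hba.Device):*" } |
        ForEach-Object {
            $paths = Get-ScsiLunPath -ScsiLun $_
            [pscustomobject]@{
                Lun         = $_.CanonicalName
                Policy      = $_.MultipathPolicy
                ActivePaths = @($paths | Where-Object { $_.State -eq 'Active' }).Count
                DeadPaths   = @($paths | Where-Object { $_.State -eq 'Dead' }).Count
            }
        }
}
Get-IscsiPathSummary -VMHost $vmhost -Hba $hba | Format-Table -AutoSize
```

Restricting the target by initiator IQN is the equivalent of the IQN step in the wizard above; it is an access list, not authentication, so anyone who can spoof an IQN on the storage network can still log in. Keeping the storage VLAN isolated, as the article's dedicated switches do, is what actually enforces it.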

Sunday, September 13, 2015

Powershell - Domain Controller inventory and Transferring / moving FSMO roles between DCs

PowerShell is always best when doing automation tasks on Active Directory. I was building a long automation script bringing down my AD infrastructure and wanted to automate many tasks, where migration of FSMO roles from one DC to another was one of the steps in my workflow.

We can find out which FSMO (Flexible Single Master Operations) role is on which domain controller using Active Directory Users and Computers, the Active Directory Schema snap-in and Active Directory Domains and Trusts. (To view the Active Directory Schema snap-in you will have to register it with regsvr32 schmmgmt.dll.) Select the top root, right-click, go to All Tasks and open Operations Masters; you can also transfer the role by clicking the Change button. (To move a role from AD002 to AD001 you have to log in on AD001 and do the rest of the process there.)

I will not go into much detail on the GUI and will show you the demo in PowerShell. One advantage of using PowerShell is that you can move FSMO roles from AD001 to AD002 and vice versa from any DC, unlike the GUI.

First we will collect a small inventory of my Active Directory. Log in to any DC and run PowerShell as administrator. You can run the simple netdom query fsmo to know all the role details, but here I will run native PS commands and get more details from a one-liner.
The first command to run is Import-Module ActiveDirectory; it is a plug-in to your AD. (On PowerShell v4 and above this command is not required, however, as the module loads automatically when you run cmdlets belonging to the ActiveDirectory module.)

Get-ADDomainController -Filter * | Select HostName, IPV4Address, OperatingSystem, OperationMasterRoles, IsGlobalCatalog, IsReadOnly, Enabled, Site

The above command shows some useful information in a list; specifically, what I am looking for right now is OperationMasterRoles. If you look, all my roles are hosted on the AD001 domain controller, and AD002 is empty under OperationMasterRoles.

The above command gives you the following information.
HostName: the full FQDN; it shows your computer name and domain name.
IPV4Address: the IP version 4 address.
OperatingSystem: the operating system, self explanatory.
OperationMasterRoles: the FSMO roles held.
IsGlobalCatalog: is the server a Global Catalog, true or false.
IsReadOnly: is the server a read-only DC (RODC), true or false.
Enabled: many times we decommission a DC and its metadata remains behind.
Site: which site the domain controller is in.

Once we know what is placed where, we are ready to move roles from AD001 to AD002. For this run the command below, marked in yellow and green (the green-marked part can be changed according to your need). Make sure the Identity hostname you type is the NetBIOS name only (no FQDN), and in OperationMasterRole you can specify all the roles at a time or only the specific FSMO roles you want to transfer.

Move-ADDirectoryServerOperationMasterRole -Identity AD002 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator -Confirm:$false
Once you have moved the FSMO roles, verify what changes have occurred: run Get-ADDomainController (the inventory command) again and check. As per below, now 3 roles are transferred to AD002.
There is a tip here. PowerShell makes your work very easy: it has assigned each FSMO role a number between 0 and 4, as below. While using the move command you can use the numbers instead of typing each FSMO role name, which is a lot easier to remember and you are less likely to make a typo.

0 – PDCEmulator
1 – RIDMaster
2 – InfrastructureMaster
3 – SchemaMaster
4 – DomainNamingMaster

As per the screenshot below, after running the Move FSMO role command it asks me for confirmation because I forgot to give the parameter -Confirm:$false at the end. Once you have transferred the roles, again run the inventory command to see the details and compare them with the previous report.

Move-ADDirectoryServerOperationMasterRole -Identity AD002 -OperationMasterRole 1, 2

Get-ADDomainController -Filter * | Select HostName, IPV4Address, OperatingSystem, OperationMasterRoles, IsGlobalCatalog, IsReadOnly, Enabled, Site
Currently all roles are on AD002; now I will move / transfer all FSMO roles at a time to AD001 using the number coding only.

Move-ADDirectoryServerOperationMasterRole -Identity AD001 -OperationMasterRole 0,1,2,3,4 -Confirm:$false
Verify by running the inventory command and compare with the earlier screenshot. Easier than the GUI, huh...
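The inventory, transfer and verify cycle above, wrapped into functions as an added example that is not code from the original post. The DC names AD001 and AD002 follow the article; the role-to-number table is the one the post lists. The verification step reads the role holders from the domain and forest objects (Get-ADDomain, Get-ADForest) rather than from each DC's own OperationMasterRoles list, and throws if any requested role did not land on the intended DC, which is what an unattended migration script needs before it continues.

```powershell
# Added example, not from the original post. DC names AD001/AD002 are from the article;
# everything else is assumed.
Import-Module ActiveDirectory

# The numbering -OperationMasterRole accepts, as listed in the post.
$RoleNumber = @{
    PDCEmulator = 0; RIDMaster = 1; InfrastructureMaster = 2; SchemaMaster = 3; DomainNamingMaster = 4
}

function Get-FsmoInventory {
    Get-ADDomainController -Filter * |
        Select-Object HostName, IPv4Address, OperatingSystem, OperationMasterRoles,
                      IsGlobalCatalog, IsReadOnly, Enabled, Site
}

# Authoritative view of the role holders, taken from the domain and forest objects.
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,     # NetBIOS name, e.g. AD002
        [Parameter(Mandatory)][string[]]$Roles       # keys of $RoleNumber
    )
    $numbers = $Roles | ForEach-Object { $RoleNumber[$_] }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $numbers -Confirm:$false

    # Verify: each requested role must now resolve to the target DC's FQDN.
    $targetFqdn = (Get-ADDomainController -Identity $TargetDC).HostName
    $holders = Get-FsmoHolders
    foreach ($r in $Roles) {
        if ($holders[$r] -ne $targetFqdn) {
            throw "Role $r is on $($holders[$r]), expected $targetFqdn"
        }
    }
    Write-Host "Verified: $($Roles -join ', ') now on $targetFqdn"
}

Get-FsmoInventory | Format-Table -AutoSize
Move-FsmoRoles -TargetDC 'AD002' -Roles 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator'
Move-FsmoRoles -TargetDC 'AD001' -Roles ([string[]]$RoleNumber.Keys)   # all five back to AD001
Get-FsmoInventory | Format-Table -AutoSize
```

Move-ADDirectoryServerOperationMasterRole performs a transfer, which requires the current holder to be online; it only seizes a role when -Force is given, and a seized role must never be brought back online on the old holder, so the verify step is also the place to record which DC the roles came from.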

Saturday, September 12, 2015

Local Administrator Password Solution (LAPS)

Microsoft has offered a software called LAPS (Local Administrator Password Solution). It solves the problem of a common local administrator password on every computer in a domain. For example, on all domain-joined computers the Administrator password will be unique, and only Domain Admins or specific groups are authorized to view that password. LAPS only works on domain-joined computers. Below are some of the advantages of using LAPS.

  • Periodically randomize local administrator passwords to ensure that password updates to Active Directory succeed before modifying local secrets and passwords.
  • Centrally store secrets in the existing Active Directory infrastructure.
  • Control access through Active Directory access control list (ACL) permissions.
  • Transmit encrypted passwords from computers to Active Directory via encryption using the Kerberos version 5 protocol and the Advanced Encryption Standard (AES) cypher by default.
So let's dive in and deploy it. You can download LAPS from the Microsoft website.
There are 64-bit and 32-bit installers available. I will be using the 64-bit one only, as all the Windows OS in my infrastructure are 64-bit. Second, don't forget to download the Word docx files, especially LAPS_OperationsGuide.docx, which has a lot more instructions. In fact I did all my lab testing and wrote this article using the Operations Guide only; it is very thoroughly written on each component of LAPS.
LAPS requires the schema of your Active Directory to be updated. That is the reason my first step will be verifying that I am on the domain controller holding the Schema Master role. To verify and find which role is held by which domain controller, open a cmd prompt and type

netdom query fsmo

It shows the list as below; my Schema Master is hosted on DC AD001.vCloud.lab, and by running the hostname command I can verify I am logged on to the correct domain controller.

Once verified, open the folder where LAPS is copied; that folder is also shared, because later we want to install the same software on the domain-joined client machines as well. Run the LAPS msi file. Setup is very simple; click Next on the first page.
Accept the licensing part. Click Next.

Next click on each component of LAPS and select "Will be installed on local hard drive".

Fat client UI: the GUI software where we can see the password in clear text.
PowerShell module: installed for management, with the commands for initial configuration or post-configuration.
GPO Editor templates: deployed through Group Policy; we will see them later.

Click next. And Install software.

Once installation is completed, finish it and open Group Policy to deploy LAPS on the servers. I will not go into great step-by-step detail here; I have already written an article on how to install software using Group Policy. But you can still follow the screenshot below for your reference: as you can see, all my computers are in the Computers OU under vCloud.lab, and I created one Group Policy Object and linked it to the same Computers OU. LAPS is on the UNC path \\ad001\softwares\LAPS. And finally, after a restart of my computers you can verify the software is installed under Programs and Features in the Control Panel.

If you don't want to use Group Policy and want to install the software on selected computers only, you can use any of the techniques from my Multiple ways to Install software remotely.

Open PowerShell (Run as administrator) on AD001 (holding the Schema Master role). Run the command to import the module:
Import-Module AdmPwd.PS

Next update the schema; make sure you have the correct permissions to perform this task (you are a member of Schema Admins).
It will add the required attributes to AD.

The next command grants the computer accounts in the Computers OU permission to write/update their password in Active Directory. With the command below they can update Active Directory themselves.
Set-AdmPwdComputerSelfPermission -OrgUnit 'Computers'

This command is not necessary, but with it I can see who has permission to view the local administrator's password; by default SYSTEM and Domain Admins have permission to view those passwords. Here I will add another group, Server_Admins, to view the passwords of the servers.
Find-AdmPwdExtendedRights -Identity 'Computers'

The next command adds the Server_Admins group as delegated, so they can view the password now.
Set-AdmPwdReadPasswordPermission -OrgUnit 'Computers' -AllowedPrincipals 'vcloud.lab\Server_Admins'

This is the checkpoint where we are done with the AD-level configuration; the next step is configuration on the client side.
Here create another Group Policy for the same Computers OU; you will see there are 2 policies now, the first to deploy the software and another, LAPS_Policy, for the LAPS policy on the client side. Edit the newly created policy; under Computer Configuration >> Policies >> Administrative Templates a new policy template is available with the name LAPS. There are 2 main settings we need to configure:
Enable local admin password management: should be Enabled; it activates the deployed LAPS on the client servers.
Password Settings: here you can select how complex the password should be.

Once the required changes are done, close the Group Policy editor, log in to any client machine and run gpupdate /force to apply the changes immediately so we can view the results of LAPS.

Next, on the same domain controller where we installed LAPS, go to the installation folder c:\Program Files\LAPS (if you are using the 32-bit application, your software will be installed in the Program Files (x86) folder). Run AdmPwd.UI.exe as administrator and search for the computer names; you will see each computer account has a unique password for administrator.
Even if you don't have the AdmPwd.UI tool installed, you can view the password from dsa.msc (the Active Directory Users and Computers MMC). For this, Advanced Features must be checked in the View menu.

Right-click and go to the properties of the computer account, go to the Attribute Editor tab and find the attribute ms-Mcs-AdmPwd. If you are not a member of Domain Admins or of the Server_Admins group I added earlier, you won't be able to see this information.

The last and final step: log in on Client001 with the above administrator account password. If it is successful, it means the deployment is good. I tried this step and it worked for me.
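Following on from the delegation commands above (Find-AdmPwdExtendedRights and Set-AdmPwdReadPasswordPermission), an added example that is not code from the original post: a small audit of who can read ms-Mcs-AdmPwd in each OU, plus reading and expiring one computer's password from PowerShell. The OU and group names follow the article (Computers, vcloud.lab\Server_Admins); the allow list, the NetBIOS domain name VCLOUD and the computer Client001 are assumptions. The point of the audit is that Find-AdmPwdExtendedRights lists every principal holding "All extended rights" on the OU, and any of them can read the password whether or not LAPS delegation was ever granted to them.

```powershell
# Added example, not from the original post. Allow list, VCLOUD domain name and Client001
# are assumed; OU name and Server_Admins group come from the article.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Principals that are supposed to be able to read LAPS passwords.
$allowed = @('NT AUTHORITY\SYSTEM', 'VCLOUD\Domain Admins', 'VCLOUD\Server_Admins')

function Get-LapsReaderReport {
    param([string[]]$OrgUnit = @('Computers'))
    foreach ($ou in $OrgUnit) {
        Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
            $ouDn = $_.ObjectDN
            foreach ($holder in $_.ExtendedRightHolders) {
                [pscustomobject]@{
                    OU        = $ouDn
                    Principal = $holder
                    Expected  = ($allowed -contains $holder)
                }
            }
        }
    }
}

# Unexpected readers are the finding: usually a stale "All extended rights" ACE on the OU
# that should be removed, or a group that needs to be added to the allow list knowingly.
Get-LapsReaderReport -OrgUnit 'Computers' |
    Where-Object { -not $_.Expected } |
    Format-Table -AutoSize

# Read one computer's password and when it is due to rotate.
Get-AdmPwdPassword -ComputerName 'Client001' |
    Select-Object ComputerName, Password, ExpirationTimestamp

# Expire it now so the client picks a new one at its next Group Policy refresh, e.g. after
# the password has been handed to someone for a one-off task.
Reset-AdmPwdPassword -ComputerName 'Client001'
```

Reading the password through Get-AdmPwdPassword or the Attribute Editor leaves no trace unless auditing is switched on; the module's Set-AdmPwdAuditing cmdlet sets a SACL on the OU so that each read of ms-Mcs-AdmPwd shows up in the domain controller's Security log, which is worth doing before the Server_Admins delegation goes live.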