
Virtual Geek

Tales from real IT system administrators world and non-production environment

Migrating move back from Distributed virtual switch to Standard virtual switch - VMKernel Adapter - Part 2

November 20, 2017 08:03PM

In this article I will be migrating VMkernel virtual adapters from a distributed virtual switch to a standard virtual switch. In the earlier article, Copy or clone distributed virtual switch portgroups to standard switch portgroups - Powercli, I covered automating the creation of the portgroups. Here I am migrating an ESXi server from one vCenter to another; if you don't migrate the ESXi server from the DVSwitch to the standard switch first, you will run into many problems that can cause unnecessary downtime and unrecoverable errors. So it is always best practice to follow the correct steps.

Part 1: Copy or clone distributed virtual switch portgroups to standard switch portgroups - Powercli
Part 2: Migrating move back from Distributed virtual switch to Standard virtual switch - VMKernel Adapter

In the screenshot I selected the ESXi001 server and went to the Configure tab. Verify that both the standard switch and the DVswitch are visible with their portgroups. Here I have only 2 physical vmnic adapters on my production servers; both are assigned to the dvSwitch under the DV uplink ports, and the newly created standard switch doesn't have any physical vmnic adapter assigned yet.


Before starting this activity go to networking >> distributed virtual switch.


Right click the dvSwitch, go to Settings and click Edit Health Check. In the pop-up box enable VLAN and MTU and Teaming and failover. With these enabled, health check identifies the following common configuration errors:

  • Mismatched MTU settings between physical network adapters, distributed switches, and physical switch ports.
  • Mismatched virtual switch teaming policies for the physical switch port-channel settings.
  • Mismatched VLAN trunks between a vSphere distributed switch and physical switch.

The network health check monitors the following three network parameters at regular intervals:

  • Network adapter teaming: Checks whether the physical access switch ports EtherChannel setting matches the distributed switch distributed port group IP Hash teaming policy settings.
  • VLAN: Checks whether vSphere distributed switch VLAN settings match trunk port configuration on the adjacent physical switch ports.
  • MTU: Checks whether the physical access switch port MTU setting based on per VLAN matches the vSphere distributed switch MTU setting.


Next, go to the Hosts and Clusters view.

     A. Select the ESXi server you want to migrate from the DVSwitch to the standard switch from the list.
     B. Go to the Configure tab on the right.
     C. Under Networking select Virtual switches.
     D. Select the distributed vSwitch and note down the physical network adapters. I have 2 NICs here and will remove only one.
     E. Click the "Manage the physical network adapters connected to the selected switch" button.
     F. This opens a new pop-up box listing the uplink ports. Select the second physical vmnic adapter, under Uplink 2.
     G. Click the red X button to remove that one uplink (physical network adapter). Make sure you remove only one physical vmnic from the list.

Once you remove one NIC from the distributed virtual switch, the ESXi host shows a red alert icon and the triggered alarm "Network uplink redundancy lost". This can be ignored for now, while the migration is in progress.


Next, attach the now-unassigned vmnic adapter to the standard virtual switch.

     A. Select the standard virtual switch from the list of virtual switches.
     B. Click the "Manage the physical network adapters connected to the selected switch" button.
     C. On the pop-up box click the + (plus) icon. In the Failover order group, Active adapters is selected by default; keep that setting.
     D. Add the unassigned vmnic1 network adapter from the list and click OK twice, as shown.


In the screenshot I can see one NIC adapter has been migrated successfully and is assigned to the standard virtual switch. Both virtual switches now have at least one network card, which is what the next step needs.


Next I will migrate the VMkernel network adapters from the DVswitch to the standard vSwitch. Select SvSwitch and click the "Migrate VMkernel network adapter to selected switch" button. This starts a new wizard. Also note down the vMotion VMkernel port group VLAN id, as I am migrating it first to see the impact.


In the "Migrate VMkernel network adapter to vSwitch" wizard select the VMkernel network adapter you want to migrate to the standard switch. I am selecting the vMotion port group first; if there is any issue, this gives me an idea before migrating the Management Network.


On the next screen, Configure settings, give the vMotion adapter a Network label and VLAN id; both can be taken from the existing vMotion distributed portgroup.


Next the Analyze impact page appears. Review the impact this migration might have on network-dependent services; one of those services is iSCSI. The overall impact status is No impact, so it is safe to press Next. On the Ready to complete page review your settings before finishing the wizard; it shows the existing settings and the new settings. If all looks good, click Finish to proceed.


Back on the distributed virtual switch I can verify the vMotion VMkernel port group migrated successfully, because it is no longer visible there. Assigned port groups shows only the filtered ones that have VMs or VMkernel adapters assigned, not empty ones.


Using the same wizard, migrate the Management VMkernel network adapter to the selected standard virtual switch. Once it is done, my standard virtual switch shows both the vMotion and Management VMkernel port groups. If there are any issues while migrating a VMkernel port to the standard switch, the dvSwitch health check will always be handy.
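The same migration done with PowerCLI for one host, as an added example that is not code from the original post: it moves one uplink only after confirming the dvSwitch keeps another, then moves the VMkernel adapters in the order used above (vMotion first, Management last), carrying each portgroup's VLAN id over and verifying the host still answers after each step. The host, switch and adapter names are assumptions, and an existing Connect-VIServer session to the vCenter that owns the dvSwitch is assumed.

```powershell
# Added example: DVSwitch -> standard switch migration of one uplink and the VMkernel adapters.
param(
    [string]$VMHostName    = 'esxi001.vcloud-lab.com',   # assumed host
    [string]$DvSwitchName  = 'DVSwitch-NonProd-01',      # assumed dvSwitch (name used in part 1)
    [string]$StdSwitchName = 'SvSwitch100',              # standard switch created in part 1
    [string]$UplinkToMove  = 'vmnic1',                   # assumed: the second uplink
    [string[]]$VMKernelOrder = @('vmk1', 'vmk0')         # assumed: vmk1 = vMotion, vmk0 = Management
)
$vmhost = Get-VMHost -Name $VMHostName
$dvs    = Get-VDSwitch -Name $DvSwitchName
$vss    = Get-VirtualSwitch -VMHost $vmhost -Name $StdSwitchName -Standard

# Safety check from the post: never strip the last uplink off the dvSwitch while
# VMkernel adapters (including Management) still live on it.
$dvsUplinks = @(Get-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $dvs -Physical)
if ($dvsUplinks.Count -lt 2) {
    throw "$VMHostName has $($dvsUplinks.Count) uplink(s) on $DvSwitchName; need at least two before moving one"
}
if ($dvsUplinks.Name -notcontains $UplinkToMove) {
    throw "$UplinkToMove is not an uplink of $DvSwitchName on $VMHostName"
}

# Step 1: move one physical NIC from the dvSwitch to the standard switch.
$vmnic = Get-VMHostNetworkAdapter -VMHost $vmhost -Physical -Name $UplinkToMove
Remove-VDSwitchPhysicalNetworkAdapter -VMHostNetworkAdapter $vmnic -Confirm:$false
Add-VirtualSwitchPhysicalNetworkAdapter -VirtualSwitch $vss -VMHostPhysicalNic $vmnic -Confirm:$false

# Step 2: move each VMkernel adapter, recreating its portgroup (label + VLAN) on the standard switch.
foreach ($vmkName in $VMKernelOrder) {
    $vmk  = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel -Name $vmkName
    $dvpg = Get-VDPortgroup -VDSwitch $dvs -Name $vmk.PortGroupName
    $vlanSpec = $dvpg.ExtensionData.Config.DefaultPortConfig.Vlan
    # Only a plain VLAN id maps onto a standard portgroup; trunks and private VLANs do not.
    if ($vlanSpec.VlanId -isnot [int]) {
        throw "$($dvpg.Name) uses a VLAN trunk or private VLAN, which a standard portgroup cannot express"
    }
    $pg = Get-VirtualPortGroup -VirtualSwitch $vss -Name $dvpg.Name -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VirtualPortGroup -VirtualSwitch $vss -Name $dvpg.Name -VLanId $vlanSpec.VlanId
    }
    Set-VMHostNetworkAdapter -VirtualNic $vmk -PortGroup $pg -Confirm:$false | Out-Null

    # Verify before touching the next adapter: the vmk must now sit on the standard
    # portgroup and the host must still answer on its management address.
    $moved = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel -Name $vmkName
    if ($moved.PortGroupName -ne $pg.Name) { throw "$vmkName did not land on $($pg.Name)" }
    if (-not (Test-Connection -ComputerName $VMHostName -Count 2 -Quiet)) {
        throw "$VMHostName stopped responding after moving $vmkName; stop and review the dvSwitch health check"
    }
    "{0} moved to {1} (VLAN {2})" -f $vmkName, $pg.Name, $pg.VLanId
}
```

Run it once with -WhatIf appended to the Remove/Add/Set cmdlets to see the planned changes before applying them to a production host.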



Set Powershell execution policy with Group Policy

November 17, 2017 02:45PM

In this article I will be covering configuring the Windows PowerShell execution policy using Group Policy. Configuring environments properly ahead of time makes management easier and gets the work done in a timely fashion. For example, I gave a few .ps1 PowerShell scripts to some of my non-technical end users to collect information for a specific period when an issue occurs. But the next day they came to me with an issue: they were not able to run the script, as script execution was restricted/disabled. Even though an SOP was provided, it was not performed.

I solved the issue for a few users using the article below, but when it comes to configuring the setting for more users, or the entire organization, it is not good to do it manually. This can be done another automated way: Group Policy.

Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled
Powershell Trick : Execute or run any file as a script file

Open the Group Policy Management tool, either on an Active Directory domain controller or on a client where the RSAT tools are installed. Expand the tree and find Group Policy Objects. Right click it, click New, and on the New GPO pop-up box give the new GPO a name.


Once the new group policy is created successfully, right click it and Edit it. Expand and select Computer Configuration \ Administrative Templates: Policy definitions \ Windows Components \ Windows PowerShell \ Turn on Script Execution. This policy lets you set the PowerShell execution policy; by default it is Not Configured.


Double click Turn on Script Execution, click Enabled, and select the script policy of your choice. For demo purposes I am choosing Allow all scripts, which is equivalent to Unrestricted. For more on the different policies see Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled.

This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. 

  • The "Allow all scripts" policy setting allows all scripts to run.
  • The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher.
  • The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run; scripts that originate from the Internet must be signed by a trusted publisher.
  • If you disable this policy setting, no scripts are allowed to run.

Note: This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."


Once the policy is enabled it shows the state Enabled. The next step is linking the GPO to a domain or OU; for demo purposes I am attaching it to the vcloud-lab domain. Right click the domain and choose Link an Existing GPO, select the policy from the list and click OK.


Once the GPO is linked it shows under the domain as a shortcut; confirm on the Settings tab that the policy is configured correctly.


Next, on the end user client machine, open PowerShell as administrator. This step is not strictly required, because computer policy is downloaded, synced and refreshed from the GPO every 90 minutes by default; it is here to expedite the process for the demo. I am running Get-ExecutionPolicy to see the current execution policy type: it is Restricted and doesn't allow a .ps1 file to execute. Next update group policy with gpupdate /force, which pulls the settings from the GPO. Once the update is successful, reopen PowerShell and check the policy again with Get-ExecutionPolicy; it is now Unrestricted. For more details run gpresult /r: under Applied Group Policy Objects the policy is visible and applied.
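An added example, not from the original article, for the client-side check after gpupdate: it reports which execution policy scope is actually winning (Get-ExecutionPolicy -List returns scopes in precedence order, MachinePolicy first), whether the value came from the policy registry key that Turn on Script Execution writes (EnableScripts and ExecutionPolicy under Policies\Microsoft\Windows\PowerShell), and flags Allow all scripts / Unrestricted as the weaker choice compared to RemoteSigned or AllSigned. Everything it reads comes from the local machine; no names are assumed.

```powershell
# Added example: which execution-policy scope wins on this client, and did the GPO set it?
function Get-ExecutionPolicyReport {
    # Scopes come back in precedence order: MachinePolicy (Computer Configuration GPO) beats
    # UserPolicy, which beats Process, CurrentUser and LocalMachine.
    $scopes  = Get-ExecutionPolicy -List
    $winning = $scopes | Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' } | Select-Object -First 1

    # Registry values written by the 'Turn on Script Execution' policy; HKLM = Computer
    # Configuration (takes precedence), HKCU = User Configuration.
    $gpo = foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($v) {
            [pscustomobject]@{ Hive = $hive; EnableScripts = $v.EnableScripts; ExecutionPolicy = $v.ExecutionPolicy }
        }
    }

    $effective = "$(Get-ExecutionPolicy)"
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Effective    = $effective
        WinningScope = if ($winning) { "$($winning.Scope)" } else { 'None (built-in default applies)' }
        FromGpo      = [bool]($gpo | Where-Object EnableScripts -eq 1)
        GpoValues    = ($gpo | ForEach-Object { "$($_.Hive)=$($_.ExecutionPolicy)" }) -join '; '
        Assessment   = switch ($effective) {
            'Unrestricted' { 'Runs unsigned remote scripts after a prompt; RemoteSigned or AllSigned is the safer GPO choice' }
            'Bypass'       { 'No policy checks at all' }
            'Restricted'   { 'No .ps1 can run; users will see the "running scripts is disabled" error' }
            default        { 'OK' }
        }
    }
}

Get-ExecutionPolicyReport | Format-List
```

Run it before and after gpupdate /force: WinningScope should change from LocalMachine (or None) to MachinePolicy once the GPO applies.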



Copy or clone distributed virtual switch portgroups to standard switch portgroups - Powercli

November 13, 2017 12:11PM

Migrating an ESXi server from one vCenter server to another is a very easy task if all networking is on standard virtual switches. Migrating an ESXi server that uses distributed virtual switches to another VC is also easy, but requires extra steps. It is recommended to move back from the DVSwitch to a standard switch before migrating the ESXi host to the other vCenter. Failing to do so creates issues: the existing DVswitch on the ESXi host goes into a zombie state and won't operate properly. If you want to change virtual machine networks, add new virtual portgroups, or perform any other operation on it, those are not allowed, as the host is no longer part of the DVswitch, and DVswitch and portgroup configuration is only possible through the original vCenter where it was built. Removing it from the ESXi host afterwards is a very hectic task that needs esxcfg or esxcli commands in the shell. So always make sure you do it properly in the first place. Below is the error you get if you don't remove the host from the dvswitch and move it directly to another vCenter.

     "The distributed Virtual Switch corresponding to the proxy switches a4 1c 33 73 ac 8f 23 ac-c5 2e 8a 6a b9 ca f0 ce on the host does not exist in vCenter or does not contain the host."

Part 1: Copy or clone distributed virtual switch portgroups to standard switch portgroups - Powercli
Part 2: Migrating move back from Distributed virtual switch to Standard virtual switch - VMKernel Adapter

Here are some screenshots from my environment. This is part 1 of the series. I have a few ESXi hosts in a cluster; all of them are already on a DVSwitch and I don't have any standard switch. I have plenty of dvportgroups. Here I will be creating one standard switch and cloning those dvportgroups onto it; I need the portgroup name and VLAN id. Creating them manually on multiple ESXi hosts is error prone, time consuming and requires special attention, as portgroup names are case sensitive.


To make this task easy I have written the script below. Save it in a file named Copy-DvsPortGroupToSSwitch.ps1. When executed, it asks for the vCenter server FQDN or IP, the cluster name where the ESXi hosts exist, and the DVswitch whose portgroups you want to replicate on the newly created standard switch. Supply a vCenter user name and password for authentication. As a result it shows the vCenter server it connected to, creates a new standard virtual switch named SvSwitch100, and creates all the portgroups on it. Note that the portgroups are created with default settings.


The same can be verified in the VMware vSphere Web Client, under the ESXi host, Configure tab, Virtual switches. This script helps you create consistent vSwitches and portgroups across hosts.


Below is the script; copy it into the file. To run it correctly, use the articles below to set up your VMware PowerCLI environment.
VMWARE VSPHERE POWERCLI INSTALLATION AND CONFIGURATION STEP BY STEP
POWERCLI INITIALIZE-POWERCLIENVIRONMENT.PS1 CANNOT BE LOADED BECAUSE RUNNING SCRIPTS IS DISABLED

#requires -version 4
<#
.SYNOPSIS
    Clone/Copy dvswitch (Distributed virtual switch) portgroups on standard virtual switch.
.DESCRIPTION
    The Copy-DvsPortGroupToSSwitch script creates a new standard switch named 'SvSwitch100' on each ESXi host in the cluster and clones the portgroups of an existing distributed virtual switch onto 'SvSwitch100'.
.PARAMETER vCenter
    Prompts you for the vCenter server FQDN or IP address to connect to. 'vc' is an alias. This value can be taken from the pipeline by property name.
.PARAMETER Cluster
    Make sure you type a valid cluster name within the provided vCenter server. A new vSwitch named 'SvSwitch100' is created on all ESXi hosts within this cluster, and the existing DvSwitch portgroups are cloned onto the newly created vSwitch.
.PARAMETER DVSwitch
    Name of the existing distributed virtual switch (dvswitch). All non-uplink portgroups from this distributed vswitch are copied to the vSwitch.
.INPUTS
    VMware.VimAutomation.ViCore.Impl.V1.Inventory.ClusterImpl
    VMware.VimAutomation.Vds.Impl.V1.VmwareVDSwitchImpl
    VMware.VimAutomation.ViCore.Impl.V1.Host.Networking.VirtualPortGroupImpl
    VMware.VimAutomation.ViCore.Impl.V1.Host.Networking.VirtualSwitchImpl
.OUTPUTS
    VMware.VimAutomation.ViCore.Impl.V1.Host.Networking.VirtualPortGroupImpl
    VMware.VimAutomation.ViCore.Impl.V1.Host.Networking.VirtualSwitchImpl
.NOTES
  Version:        1.0
  Author:         Kunal Udapi
  Creation Date:  12 August 2017
  Purpose/Change: Clone or copy existing distributed virtual portgroups from dvswitch to Standard virtual switch
  Useful URLs: http://vcloud-lab.com
.EXAMPLE
    PS C:\>.\Copy-DvsPortGroupToSSwitch.ps1 -vCenter vcsa65.vcloud-lab.com -Cluster Cluster01 -DVSwitch DVSwitch-NonProd-01

    This command connects to vCenter 'vcsa65.vcloud-lab.com', copies/clones the dvswitch portgroups from 'DVSwitch-NonProd-01', and creates the new vswitch with the copied portgroups on all ESXi hosts in the cluster named 'Cluster01'.
#>
[CmdletBinding(SupportsShouldProcess=$True,
    ConfirmImpact='Medium', 
    HelpURI='http://vcloud-lab.com', 
    SupportsTransactions=$True)]
Param (
    [parameter(Position=0, Mandatory=$true, ValueFromPipelineByPropertyName=$true, HelpMessage='Type vCenter server IP or FQDN you want to connect')]
    [alias('vc')]
    [String]$vCenter,
    [parameter(Position=1, Mandatory=$true, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true, HelpMessage='Type valid Cluster Name within vCenter server')]
    [alias('c')]
    [String]$Cluster,
    [parameter(Position=2, Mandatory=$true, ValueFromPipelineByPropertyName=$true, HelpMessage='Type valid distributed virtual switch (dvswitch) name')]
    [alias('dvs')]
    [String]$DVSwitch
)
Begin {
#$Cluster = 'Cluster01'
#$DVSwitch = 'DVSwitch-NonProd-01'
    # Load each module on its own: importing Vds only when Core is missing leaves Get-VDSwitch
    # undefined in a session that already had Core loaded.
    foreach ($Module in 'VMware.VimAutomation.Core', 'VMware.VimAutomation.Vds') {
        if (-not (Get-Module $Module)) {
            Import-Module $Module
        }
    }
    # Remember whether this script opened the vCenter session, so End only closes what it opened
    $ConnectedHere = $false
}
Process {
    if ($global:DefaultVIServers.Name -notcontains $vCenter) {
        try {
            Connect-VIServer $vCenter -ErrorAction Stop
            $ConnectedHere = $true
        }
        catch {
            Write-Host $($Error[0].Exception) -ForegroundColor Red
            return
        }
    }
    try {
        $ClusterInfo = Get-Cluster $Cluster -ErrorAction Stop
        $DvSwitchInfo = Get-VDSwitch -Name $DVSwitch -ErrorAction Stop
    }
    catch {
        Write-Host $($Error[0].Exception) -ForegroundColor Red
        return
    }

    $AllEsxis = $ClusterInfo | Get-VMHost
    # Uplink portgroups carry the physical NICs, not VM traffic, so they are never cloned
    $DvPortGroupInfo = $DvSwitchInfo | Get-VDPortgroup | Where-Object {$_.IsUplink -eq $false}

    foreach ($esxi in $AllEsxis) {
        $ExistingSwitchs = $esxi | Get-VirtualSwitch
        $esxiName = $esxi.Name
        if ($ExistingSwitchs.Name -notcontains 'SvSwitch100') {
            # Match the dvSwitch MTU so jumbo-frame portgroups behave the same after migration
            $vSwitch100 = $esxi | New-VirtualSwitch -Name SvSwitch100 -Mtu $DvSwitchInfo.Mtu
            $NvSwitchName = $vSwitch100.Name
            Write-Host "$([char]8734) " -ForegroundColor Magenta -NoNewline
            Write-Host "Created $NvSwitchName on $esxiName" -BackgroundColor Magenta 
            Foreach ($DvPortGroup in $DvPortGroupInfo) {
                $vPortGroupName = $DvPortGroup.Name
                $VlanSpec = $DvPortGroup.ExtensionData.Config.DefaultPortConfig.Vlan
                # Only a plain VLAN id (VmwareDistributedVirtualSwitchVlanIdSpec) maps onto a standard
                # switch portgroup. Trunk ranges and private VLANs carry no integer VlanId and would make
                # New-VirtualPortGroup fail, so report and skip them instead of aborting the whole host.
                if ($VlanSpec.VlanId -isnot [int]) {
                    Write-Host "`t $([char]215) " -ForegroundColor Yellow -NoNewline
                    Write-Host "Skipped $vPortGroupName, VLAN type $($VlanSpec.GetType().Name) has no standard switch equivalent" -BackgroundColor DarkYellow
                    continue
                }
                $vLanID = $VlanSpec.VlanId
                $NewPortGroup = $vSwitch100 | New-VirtualPortGroup -Name $vPortGroupName -VLanId $vLanID
                Write-Host "`t $([char]8730) " -ForegroundColor Green -NoNewline
                Write-Host "Created New PortGroup $vPortGroupName With vLanID $vLanID" -BackgroundColor DarkGreen
            }
        }
        else {
            Write-Host "$([char]215) " -ForegroundColor Red -NoNewline
            Write-Host "SvSwitch100 already present on $esxiName skipping..." -BackgroundColor DarkRed 
            Continue
        }
    }
}
End {
    if ($ConnectedHere) {
        Disconnect-VIServer $vCenter -Confirm:$false
    }
}

Here I want to show what happens if you rerun the script: it detects that SvSwitch100 is already present and does not execute further. I have stored my script under c:\temp.

.\Copy-DvsPortGroupToSSwitch.ps1 -vCenter vcsa65.vcloud-lab.com -Cluster cluster01 -DVSwitch DVSwitch-NonProd-01

× SvSwitch100 already present on esxi002.vcloud-lab.com skipping...
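Because the script above skips a host entirely when SvSwitch100 already exists, a portgroup added to the dvSwitch later would never be cloned there. The following added example, not part of the original post, verifies the result per host: every non-uplink dvportgroup must have a standard portgroup of the same (case-sensitive) name and the same VLAN id on SvSwitch100. The cluster and dvSwitch names in the usage line are assumptions, and an existing Connect-VIServer session is assumed.

```powershell
# Added example: compare dvSwitch portgroups with the cloned standard portgroups on each host.
function Compare-DvsToStandardPortGroups {
    param(
        [Parameter(Mandatory)][string]$Cluster,
        [Parameter(Mandatory)][string]$DVSwitch,
        [string]$StandardSwitch = 'SvSwitch100'
    )
    $dvpgs = Get-VDSwitch -Name $DVSwitch | Get-VDPortgroup | Where-Object { -not $_.IsUplink }

    foreach ($esxi in (Get-Cluster -Name $Cluster | Get-VMHost)) {
        $vss = Get-VirtualSwitch -VMHost $esxi -Name $StandardSwitch -Standard -ErrorAction SilentlyContinue
        $sspgs = if ($vss) { @(Get-VirtualPortGroup -VirtualSwitch $vss) } else { @() }

        foreach ($dvpg in $dvpgs) {
            $vlanSpec = $dvpg.ExtensionData.Config.DefaultPortConfig.Vlan
            # Trunk ranges and private VLANs have no integer id and cannot exist on a standard switch
            $expectedVlan = if ($vlanSpec.VlanId -is [int]) { $vlanSpec.VlanId } else { $null }
            # Portgroup names are case sensitive, so compare with -ceq rather than -eq
            $match = $sspgs | Where-Object { $_.Name -ceq $dvpg.Name } | Select-Object -First 1

            [pscustomobject]@{
                VMHost       = $esxi.Name
                PortGroup    = $dvpg.Name
                ExpectedVlan = $expectedVlan
                ActualVlan   = if ($match) { $match.VLanId } else { $null }
                Status       = if (-not $vss)                     { 'SwitchMissing' }
                               elseif ($null -eq $expectedVlan)   { 'UnsupportedVlanType' }
                               elseif (-not $match)               { 'PortGroupMissing' }
                               elseif ($match.VLanId -ne $expectedVlan) { 'VlanMismatch' }
                               else                               { 'OK' }
            }
        }
    }
}

# Show only the rows that need attention (assumed cluster and dvSwitch names)
Compare-DvsToStandardPortGroups -Cluster 'Cluster01' -DVSwitch 'DVSwitch-NonProd-01' |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

An empty table means every host is consistent and the VMkernel and VM migration in part 2 can rely on the labels and VLAN ids matching.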


Download link: this script is also available on GitHub.


VMware hot-extend was invoked with size is not supported: Virtual Machine HDD VMDK

November 4, 2017 05:19PM

The other day I received some critical tasks on production to increase the Virtual Machine hard disk (VMDK) size on around 200 VMs. For 99.99% of tasks I have my own VMware PowerCLI script repository to automate them and complete them ahead of time. While running the script I was getting errors. To troubleshoot further, I tried to increase the disk size using the vSphere web client (Virtual Machine > Edit Settings). Expanding a VMDK to larger than 2 TB was still failing with the same error as below.

A specified parameter was not correct.
Hot-extend was invoked with size (8323596288 sectors) >= 2TB. Hot-extend beyond or equal to 2TB is not supported.
The disk extend operation failed: One of the parameters supplied in invalid


The same error can be seen in the VM's tasks and events, in the error stack. There is a great KB article, no. 2058287, in the VMware docs, which is very helpful for resolving the issue. What I found is that hot-extending a virtual disk beyond 2 TB (while the virtual machine is powered on) is not supported on ESXi 6.0 and 5.5 hosts; you must be using ESXi 6.5.

Otherwise, get downtime on the VM, shut it down and extend the disk as required.


Below are a few points to consider if you want to go with large VMDKs (virtual machine virtual disks):

  • For large capacity virtual disks, an ESXi 5.5 or later host is required. You can clone or Storage vMotion/migrate (SvMotion) disks greater than 2 TB only to ESXi 5.5.x and 6.x hosts.
  • Virtual machine VMDK disks must be on VMFS-5 datastores. The maximum supported VMDK size on a VMFS-5 datastore is 62 TB, whereas the maximum supported VMDK size on VMFS-3 is still 2 TB.
  • If the disks are on an NFS datastore, the maximum supported size is a little smaller than 62 TB: 1% less than the maximum file size supported by the NFS file system.
  • To support virtual hard disks larger than 2 TB the VM guest operating system must support them, and you must use the GUID partition table (GPT) partitioning scheme when initializing and formatting the disks.
  • If the virtual machine is configured for FT (Fault Tolerance), disk expansion is not supported.
  • vSAN 5.5 is not supported, but vSAN 6.x supports 62 TB.
  • Virtual machines with BusLogic parallel disk controllers are not supported.
  • Make sure the virtual machine hardware is at least the vSphere 5.5 level (VM hardware version 10).
  • The virtual machine should not have any snapshots if you want to extend a disk. See the tested article RESOLVED : ADDING VIRTUAL HARD DISK GRAYED OUT ON VIRTUAL MACHINE.
  • You cannot relocate RDMs larger than 2 TB to datastores other than VMFS-5, or to hosts older than ESXi 5.5.
  • Make sure you have adequate space on the datastore. For further troubleshooting you can use vmkfstools.

Source VMWare article - 2058287
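A PowerCLI pre-flight check that encodes the points above before a disk is grown past 2 TB, as an added example that is not code from the original post: it reports every blocking condition (host version, hot-extend on a powered-on VM below ESXi 6.5, VMFS version and the 62 TB cap, hardware version, BusLogic controller, FT, snapshots, datastore free space) and only calls Set-HardDisk when none remain. The VM name, disk label and target size in the usage lines are assumptions, as is an existing Connect-VIServer session.

```powershell
# Added example: pre-flight checks for extending a VMDK to 2 TB or more.
function Test-LargeVmdkExtend {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$HardDiskName,   # e.g. 'Hard disk 2'
        [Parameter(Mandatory)][double]$NewCapacityGB
    )
    $vm     = Get-VM -Name $VMName
    $disk   = Get-HardDisk -VM $vm -Name $HardDiskName
    $esxi   = $vm.VMHost
    $dsName = $disk.Filename -replace '^\[(.+?)\].*$', '$1'     # "[datastore] folder/x.vmdk"
    $ds     = Get-Datastore -Name $dsName -VMHost $esxi
    $blockers = New-Object System.Collections.Generic.List[string]

    if ($NewCapacityGB -le $disk.CapacityGB) {
        $blockers.Add("New size must exceed the current $($disk.CapacityGB) GB")
    }
    if ($NewCapacityGB -ge 2048) {
        $hostVer = [version]$esxi.Version
        if ($hostVer -lt [version]'5.5') {
            $blockers.Add("ESXi $hostVer: disks over 2 TB need 5.5 or later")
        }
        # Hot-extend past 2 TB is the case the error above comes from
        if ($vm.PowerState -eq 'PoweredOn' -and $hostVer -lt [version]'6.5') {
            $blockers.Add("Hot-extend to >= 2 TB is not supported on ESXi $hostVer; power off the VM or use ESXi 6.5")
        }
        switch ($ds.Type) {
            'VMFS' {
                $vmfsMajor = [int](($ds.FileSystemVersion -split '\.')[0])
                if ($vmfsMajor -lt 5) { $blockers.Add("VMFS-$vmfsMajor caps a VMDK at 2 TB; VMFS-5 is required") }
                elseif ($NewCapacityGB -gt 62 * 1024) { $blockers.Add('VMFS-5 maximum VMDK size is 62 TB') }
            }
            'NFS'  {
                if ($NewCapacityGB -gt 62 * 1024 * 0.99) { $blockers.Add('NFS limit is about 1% under 62 TB') }
            }
        }
        $hwVer = [int]($vm.ExtensionData.Config.Version -replace '\D')   # 'vmx-10' -> 10
        if ($hwVer -lt 10) { $blockers.Add("VM hardware version $hwVer; version 10 (vSphere 5.5) or later is required") }
        $ctrl = Get-ScsiController -HardDisk $disk
        if ($ctrl.Type -eq 'VirtualBusLogic') { $blockers.Add('BusLogic parallel controller is not supported for large disks') }
    }
    if ($vm.ExtensionData.Runtime.FaultToleranceState -ne 'notConfigured') {
        $blockers.Add('Fault Tolerance is configured; disk expansion is not supported')
    }
    if (@(Get-Snapshot -VM $vm).Count -gt 0) {
        $blockers.Add('VM has snapshots; remove them before extending')
    }
    $growthGB = $NewCapacityGB - $disk.CapacityGB
    if ($ds.FreeSpaceGB -lt $growthGB) {
        $blockers.Add("Datastore $dsName has $([math]::Round($ds.FreeSpaceGB)) GB free; growth needs $growthGB GB")
    }

    [pscustomobject]@{
        VM         = $VMName
        Disk       = $HardDiskName
        CurrentGB  = $disk.CapacityGB
        TargetGB   = $NewCapacityGB
        Datastore  = "$dsName ($($ds.Type) $($ds.FileSystemVersion))"
        PowerState = "$($vm.PowerState)"
        CanExtend  = ($blockers.Count -eq 0)
        Blockers   = $blockers.ToArray()
    }
}

# Assumed VM, disk and target size (3 TB)
$check = Test-LargeVmdkExtend -VMName 'fileserver01' -HardDiskName 'Hard disk 2' -NewCapacityGB 3072
$check | Format-List
if ($check.CanExtend) {
    # Grow the disk only once every check above passes
    Get-HardDisk -VM $check.VM -Name $check.Disk | Set-HardDisk -CapacityGB $check.TargetGB -Confirm:$false
}
```

Running the check across the 200 VMs first (pipe Get-VM into it) separates the hosts that need a shutdown window from the ones where the extend can proceed hot.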


vSphere PowerCLI - Configure syslog on VMware ESXi hosts and Enable security profile firewall

November 1, 2017 01:55PM

In my earlier article I wrote about Configure syslog on VMware ESXi hosts: VMware best practices using the VMware vSphere web client GUI. Configuring a syslog server on multiple ESXi hosts manually, click by click, is a very boring task. As automation is everywhere, use it to do this a better way with VMware PowerCLI. For more on PowerCLI check my articles below.

VMWARE VSPHERE POWERCLI INSTALLATION AND CONFIGURATION STEP BY STEP
POWERCLI INITIALIZE-POWERCLIENVIRONMENT.PS1 CANNOT BE LOADED BECAUSE RUNNING SCRIPTS IS DISABLED

Once logged into the vCenter server using PowerCLI, try the command below to view the existing syslog server information for an ESXi host: Get-VMHostSysLogServer -VMHost esxi001.vcloud-lab.com. If you have multiple servers, separate them with commas, as in Get-VMHost Esxi001, Esxi002 | Get-VMHostSysLogServer, to get the information in bulk. In the screenshot below I can see esxi001 has syslog configuration information and server esxi002 doesn't.

Next, to configure or modify the setting use Set-VMHostSysLogServer -VMHost Esxi002.vcloud-lab.com -SysLogServer 'udp://192.168.34.15:514'. Again, if you have multiple servers use the same technique as shown above: Get-VMHost Esxi001, Esxi002 | Set-VMHostSysLogServer -SysLogServer 'udp://192.168.34.15:514'.

For more on syslog port number and how to use them differently check Configure syslog on VMware ESXi hosts: VMware best practices.


Next enable the syslog rule in the ESXi security profile firewall. To get details about the syslog firewall status use Get-VMhostFireWallException -VMhost esxi001.vcloud-lab.com -Name syslog. To get firewall information for multiple servers, input the names separated by commas (,). Check the Enabled status; it should be True. To change it to True use Get-VMHostFireWallException -VMHost esxi002.vcloud-lab.com -Name Syslog | Set-VMHostFirewallException -Enabled:$True.


A final tip: if you want to remove the syslog server and set it to null, use the one-liner below.
Set-VMHostSysLogServer -SysLogServer $null -VMHost Host

Another tip: the syslog configuration can also be changed using the Set-AdvancedSetting cmdlet. To get the current configuration run the command below.
Get-VMHost esxi001.vcloud-lab.com | Get-AdvancedSetting -Name Syslog.Global.Loghost

And to change the syslog.global.loghost information.
Get-VMHost esxi001.vcloud-lab.com | Get-AdvancedSetting -Name Syslog.Global.Loghost | Set-AdvancedSetting -Value udp://10.168.34.15:514 -Confirm:$false



Configure syslog on VMware ESXi hosts: VMware best practices

October 30, 2017 01:59PM

Syslog is a way for VMware vSphere ESXi servers and other network devices to send event messages to a logging server, usually known as a syslog server (vSphere has an inbuilt tool called VMware Syslog Collector). The syslog protocol is supported by a wide range of devices and can be used to log different types of events. Logs are collected and stored centrally, so they can easily be backed up, viewed, retrieved and processed. Syslog is a great way to consolidate logs from multiple sources into a single location.


Configuring a syslog server on ESXi servers is part of best practice, so that all logs are forwarded centrally for troubleshooting. Select the ESXi host, navigate to the Configure tab, and under Advanced System Settings click Edit and search for the keyword syslog; it lists all the settings related to logs. Modify the setting Syslog.global.logHost and add your syslog server information in one of the formats below. If you want to send ESXi logs to multiple remote syslog collectors, multiple servers are supported and must be separated with commas (,). 514 is the default port number for syslog and can be changed on the remote syslog server; 1514 is used for SSL.

  • udp://syslogServer:514
  • tcp://syslogServer:514
  • ssl://syslogServer:1514
  • syslogserverIp_or_FQDN
  • udp://syslogServer:514, syslogserverIp_or_FQDN, ssl://syslogServer:1514

vSphere PowerCLI - Configure syslog on VMware ESXi hosts and Enable security profile firewall


The next step is configuring and opening the firewall ports on the ESXi server. Select the ESXi host, navigate to the Configure tab, and under Security Profile click Edit next to Firewall. From the list enable syslog by clicking its checkbox, then click OK.


If you don't see any logs being collected, for troubleshooting you can check connectivity between the ESXi host and the syslog server, and also check port reachability with the nc tool (telnet). If you are using the UDP protocol to gather logs, telnet won't give you any report and will fail; instead you can use the Windows PortQry tool from Microsoft to check whether the port is listening. I am using the open-source SexiLog appliance to gather logs, and I can see syslogs are being collected.
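An added example, not code from this post or the PowerCLI syslog post above, that covers both: it applies one collector to every host in a cluster with Set-VMHostSysLogServer, enables the syslog firewall exception, reads Syslog.global.logHost back as proof, and probes each target in the formats listed above the way the troubleshooting paragraph describes (TCP and SSL ports can be tested with a handshake, UDP cannot). The cluster name and collector address are assumptions, as is an existing Connect-VIServer session.

```powershell
# Added example: cluster-wide syslog target + firewall exception, with read-back and reachability probe.
function Test-SyslogTarget {
    param([Parameter(Mandatory)][string]$Target)
    # Accepts the formats from the GUI post: udp://h:514, tcp://h:514, ssl://h:1514, or a bare host
    if ($Target.Trim() -notmatch '^(?:(?<scheme>udp|tcp|ssl)://)?(?<host>[^:/]+)(?::(?<port>\d+))?$') {
        return [pscustomobject]@{ Target = $Target; Scheme = $null; Reachable = $null; Note = 'unparseable target' }
    }
    $scheme = if ($Matches.scheme) { $Matches.scheme } else { 'udp' }          # bare host defaults to UDP
    $port   = if ($Matches.port) { [int]$Matches.port } elseif ($scheme -eq 'ssl') { 1514 } else { 514 }
    if ($scheme -eq 'udp') {
        # No handshake on UDP, so a TCP probe proves nothing; confirm arrival on the collector instead
        return [pscustomobject]@{ Target = $Target; Scheme = $scheme; Reachable = $null
                                  Note = 'UDP cannot be probed; check the collector for incoming messages' }
    }
    $ok = (Test-NetConnection -ComputerName $Matches.host -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ Target = $Target; Scheme = $scheme; Reachable = $ok
                       Note = if ($scheme -eq 'tcp') { 'cleartext; prefer ssl:// where the collector supports it' } else { '' } }
}

function Set-ClusterSyslog {
    param(
        [Parameter(Mandatory)][string]$Cluster,
        [Parameter(Mandatory)][string]$SysLogServer   # e.g. 'ssl://syslog.vcloud-lab.com:1514'
    )
    foreach ($esxi in (Get-Cluster -Name $Cluster | Get-VMHost)) {
        $before = (Get-AdvancedSetting -Entity $esxi -Name Syslog.global.logHost).Value
        Set-VMHostSysLogServer -VMHost $esxi -SysLogServer $SysLogServer | Out-Null
        # The setting is useless while the host firewall still blocks the syslog client
        $fw = Get-VMHostFirewallException -VMHost $esxi -Name syslog
        if (-not $fw.Enabled) { $fw | Set-VMHostFirewallException -Enabled:$true | Out-Null }
        [pscustomobject]@{
            VMHost          = $esxi.Name
            Before          = $before
            After           = (Get-AdvancedSetting -Entity $esxi -Name Syslog.global.logHost).Value
            FirewallEnabled = (Get-VMHostFirewallException -VMHost $esxi -Name syslog).Enabled
        }
    }
}

# Assumed cluster and collector; multiple targets may be given comma-separated, as in the GUI post
$collector = 'ssl://syslog.vcloud-lab.com:1514'
Set-ClusterSyslog -Cluster 'Cluster01' -SysLogServer $collector | Format-Table -AutoSize
$collector -split ',' | ForEach-Object { Test-SyslogTarget -Target $_ } | Format-Table -AutoSize
```

Run the probe from the management workstation; a host that shows After set and FirewallEnabled True but still delivers nothing usually points at the collector side or an intermediate firewall.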


VMWare Best practices
vSphere PowerCLI - Configure syslog on VMware ESXi hosts and Enable security profile firewall
VMWARE SECURITY BEST PRACTICES: POWERCLI ENABLE OR DISABLE ESXI SSH
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
POWERCLI AND VSPHERE WEB CLIENT: JOIN ESXI INTO ACTIVE DIRECTORY DOMAIN CONTROLLER

Reset/Restart HP ILO (Integrated Lights-outs) using putty

October 28, 2017 08:41PM

This blog article is another part of Resolved: HP ILO this page cannot be displayed ERR_SSL_BAD_RECORD_MAC_ALERT. I found a few more servers which were pinging and where I was able to telnet to the ILO IP on ports 80 and 443 (SSL), but the web page still either could not be displayed or the site could not be reached. I tried following the above article but had no luck. This behavior is due to the HP ILO web service being hung; to resolve it you would have to reboot the server by removing the power cable and the ILO network cable.


Draining power means you will require downtime, or have to wait for a maintenance window or approval. To avoid a complete server reboot there is a quick solution: restart the ILO card instead. Using PuTTY, connect to the ILO directly; once it is connected successfully, run the commands below. The first command changes the directory and the second command restarts/resets only the ILO card (ILO has its own small bootable image with a web server).
cd /map1
reset

If the result shows status=0 and status_tag=COMMAND COMPLETED, it completed successfully. Monitor the ILO status by running a continuous ping, as the connection will be lost while the ILO restarts. Once it is reachable again, try connecting to the ILO through the browser; in most cases it should be working.
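The "continuous ping until it comes back" step, as an added PowerShell helper that is not part of the original post. It waits for the ILO to drop off the network, then for ping and the HTTPS port to return, because the ILO's embedded web server comes up later than its network stack. It assumes Test-NetConnection is available (Windows PowerShell 4 and later); the function name Wait-IloReset and the address in the usage comment are my own placeholders.

```powershell
# Added example, not from the original post. Run it right after issuing 'reset'
# in the ILO command line. Address in the usage comment is a constructed placeholder.

function Wait-IloReset {
    param(
        [Parameter(Mandatory)][string]$IloAddress,
        [int]$TimeoutSeconds = 600
    )
    $start    = Get-Date
    $deadline = $start.AddSeconds($TimeoutSeconds)

    # Phase 1: the ILO keeps answering ping until the reset actually kicks in
    while ((Get-Date) -lt $deadline -and (Test-Connection -ComputerName $IloAddress -Count 1 -Quiet)) {
        Start-Sleep -Seconds 2
    }
    Write-Host ("{0} stopped answering ping after {1:N0}s; waiting for it to return..." -f $IloAddress, ((Get-Date) - $start).TotalSeconds)

    # Phase 2: ping alone is not enough; wait until TCP 443 is also accepting connections
    while ((Get-Date) -lt $deadline) {
        if (Test-Connection -ComputerName $IloAddress -Count 1 -Quiet) {
            $https = Test-NetConnection -ComputerName $IloAddress -Port 443 -WarningAction SilentlyContinue
            if ($https.TcpTestSucceeded) {
                return [pscustomobject]@{
                    IloAddress     = $IloAddress
                    PingOk         = $true
                    HttpsListening = $true
                    ElapsedSeconds = [int]((Get-Date) - $start).TotalSeconds
                }
            }
        }
        Start-Sleep -Seconds 5
    }
    throw "Timed out after $TimeoutSeconds seconds waiting for $IloAddress to come back"
}

# Usage (constructed address):
# Wait-IloReset -IloAddress '10.0.0.50'
```

A successful return means the ILO answers on 443 again; if the browser still shows nothing at that point, the remaining problem is on the TLS side rather than a hung web service.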


Useful Articles
Resolved: HP ILO this page cannot be displayed ERR_SSL_BAD_RECORD_MAC_ALERT
PART 1 : BUILDING AND BUYING GUIDE IDEAS FOR VMWARE LAB
PART 1 : INSTALLING ESXI ON VMWARE WORKSTATION HOME LAB
PART 1 : INSTALL ACTIVE DIRECTORY DOMAIN CONTROLLER ON VMWARE WORKSTATION

Resolved: HP ILO this page cannot be displayed ERR_SSL_BAD_RECORD_MAC_ALERT

October 28, 2017 02:12PM

Recently I was involved in configuring a few old generation 7 HP servers. I wanted to install ESXi on them as well as upgrade the firmware, and this required ILO to be working. When I checked using Internet Explorer I got the error "this page can't be displayed" (before loading, it was showing a certificate error on the page). This issue occurred across all the HP ILO servers. I even tried using Google Chrome, but got the same issue: "this site can't be reached".

Reset/Restart HP ILO (Integrated Lights-outs) using putty

To diagnose and troubleshoot the issue further, I used the PortQry tool and ping: ports 80 and 443 were listening and no firewall blocking issue was found. Everything was green and no communication issue was found. I observed the Google Chrome error ERR_SSL_BAD_RECORD_MAC_ALERT and tried to concentrate on that.


The error ERR_SSL_BAD_RECORD_MAC_ALERT means that Google Chrome doesn't support the SSL/TLS 1.0 protocol. This means the link will open in Internet Explorer with a few settings changed: in IE click the Settings button, choose Internet Options, and in the Advanced tab uncheck Use TLS 1.0, 1.1 and 1.2 and check Use SSL 2.0 and 3.0.


Once the settings are done, close and reopen IE (delete the cache) and refresh, and you will see the ILO (Integrated Lights-Out) web page loads successfully. Revert these browser settings once the firmware work is done, since SSL 2.0 and 3.0 are obsolete protocols. If you are still facing the issue, try my other article Reset/Restart HP ILO (Integrated Lights-outs) using putty.
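Before changing browser settings it helps to know exactly which protocol versions the ILO firmware will negotiate. The probe below is an added example, not code from the original post: it opens a TLS handshake against the ILO once per protocol version using .NET's SslStream and reports which ones succeed. It assumes Windows PowerShell 5.1 on .NET Framework; the function name Test-TlsProtocolSupport and the address in the usage comment are my own placeholders. A failure for Ssl3 can also be caused by the client OS having SSL 3.0 disabled, so read a negative result with that in mind.

```powershell
# Added example, not from the original post. Probes which SSL/TLS versions a
# target accepts, one handshake per version. Address in usage is a placeholder.

function Test-TlsProtocolSupport {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 443,
        # Ssl2 is left out: Windows disables it client-side, so a failure would say nothing about the target
        [string[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')
    )
    foreach ($name in $Protocols) {
        $proto  = [System.Security.Authentication.SslProtocols]$name
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl    = $null
        try {
            $client.Connect($TargetHost, $Port)
            # Accept any certificate: this is a protocol probe and the ILO's self-signed
            # certificate is expected to fail normal validation. Do not reuse this callback elsewhere.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($TargetHost, $null, $proto, $false)
            [pscustomobject]@{
                Protocol   = $name
                Supported  = $true
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                Error      = $null
            }
        }
        catch {
            [pscustomobject]@{
                Protocol   = $name
                Supported  = $false
                Negotiated = $null
                Cipher     = $null
                Error      = $_.Exception.GetBaseException().Message
            }
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Dispose()
        }
    }
}

# Usage (constructed address):
# Test-TlsProtocolSupport -TargetHost '10.0.0.50' | Format-Table -AutoSize
```

If only Ssl3 (or nothing newer than Tls) reports Supported = True, the firmware is the limiting side and a firmware update is the durable fix; the browser change in the post is a workaround to reach the update page.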


Useful Articles
Reset/Restart HP ILO (Integrated Lights-outs) using putty
PART 1 : BUILDING AND BUYING GUIDE IDEAS FOR VMWARE LAB
PART 1 : INSTALLING ESXI ON VMWARE WORKSTATION HOME LAB
PART 1 : INSTALL ACTIVE DIRECTORY DOMAIN CONTROLLER ON VMWARE WORKSTATION

Add multiple proxy addresses with Microsoft PowerShell in Active Directory Groups

October 26, 2017 03:45PM

This article is the second part of POWERSHELL ACTIVE DIRECTORY: ADD OR UPDATE PROXYADDRESSES IN USER PROPERTIES ATTRIBUTE EDITOR. In this part I will be changing proxy addresses on Active Directory groups using a PowerShell script. This is helpful while migrating users and groups in bulk to Microsoft Office 365.

To use it, copy the script below into a file named Add-ADGroupProxyAddress.ps1 and put the group information in Groups.txt; it is actually a CSV file and can be opened with Excel. The sample contents of the file are as below.
   ------------------------------------
   | Group   | emailid                |
   |------------------------------------
   | Group1  | Group1@vcloud-lab.com  |
   | Group2  | Group2@vcloud-lab.com  |
   ------------------------------------

The headers of the table must be Group and emailid; verify it with the Import-Csv cmdlet. Run the command .\Add-ADGroupProxyAddress.ps1 -Path C:\temp\Groups.csv. Once the information is set correctly it shows the group info on the console.

This code is available on Github.

<#  
  .Synopsis  
   Add an smtp address to the proxyAddresses attribute of existing Active Directory groups.
  .Description  
   Run this script on a domain controller (or any machine with the ActiveDirectory module). It adds a record to the proxyAddresses of each group listed in the CSV file and keeps the existing records as they are.
  .Example  
   .\Add-ADGroupProxyAddress.ps1 -Path c:\temp\Groups.csv
     
   Takes input from the CSV file and adds the smtp records to the proxyAddresses attribute of the respective groups.
  .Example
   CSV file data format and example
   ------------------------------------
   | Group   | emailid                |
   |------------------------------------
   | Group1  | Group1@vcloud-lab.com  |
   | Group2  | Group2@vcloud-lab.com  |
   ------------------------------------
  .OutPuts  
   GroupName ProxyAddresses
   -------- --------------
   Group1   {sip:Group1@testaccount.com, smtp:Group1@vcloud-lab.com}
   Group2   {sip:Group2@testaccount.com, smtp:Group2@vcloud-lab.com}
   
  .Notes  
   NAME: Add-ADGroupProxyAddress
   AUTHOR: Kunal Udapi
   CREATIONDATE: 01 DECEMBER 2016
   LASTEDIT: 3 February 2017  
   KEYWORDS: Add or update proxyaddress smtp on active directory Group account  
  .Link  
   #Check Online version: http://kunaludapi.blogspot.com
   #Check Online version: http://vcloud-lab.com
   #Requires -Version 3.0  
  #>  
#requires -Version 3   
[CmdletBinding()]
param(  
    [Parameter(Mandatory=$true,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$true)]
    [alias('FilePath','File','CSV','CSVPath','CSVFile')]
    [String]$Path) #param
Begin {  
    Import-Module ActiveDirectory
} #Begin

Process {
    $Groups = Import-Csv -Path $Path
    #$Groups = Get-ADGroup -Filter * -SearchBase "OU=TestOu,DC=Rageframeworks,DC=com" -Properties ProxyAddresses

    Foreach ($u in $Groups) {
        Try {
            $Group = Get-ADGroup -Identity $u.Group -ErrorAction Stop
            Write-Host "$($Group.SamAccountName) exists, Processing it..." -BackgroundColor DarkGray -NoNewline 
            # Upper-case "SMTP:" marks the primary address; use lower-case "smtp:" for a secondary alias
            $emailid = "SMTP:{0}" -f $u.emailid
            # -ErrorAction Stop so a rejected value (for example a duplicate) lands in the catch block
            Set-ADGroup -Identity $u.Group -Add @{Proxyaddresses=$emailid} -ErrorAction Stop
            Write-Host "...ProxyAddress added" -BackgroundColor DarkGreen
        } #Try
        catch {
            # Report the name from the CSV: $Group still holds the previous group when Get-ADGroup failed
            Write-Host "$($u.Group) does not exist or could not be updated: $($_.Exception.Message)" -BackgroundColor DarkRed
        } #catch
    } #foreach ($u in $Groups) 
    # Show the result for every group in the CSV, including the existing proxy addresses
    $TempFile = [System.IO.Path]::GetTempFileName()
    $Groups | foreach {
        $Group = $_.Group
        Try {
            Get-ADGroup -Identity $Group -Properties mail, proxyAddresses -ErrorAction Stop | Select-Object Name, Mail, GroupCategory, @{N='ProxyAddresses'; E={$($_.proxyAddresses -split ", ") -join "`n"}}
        } #try
        catch {
            Write-Host "$Group does not exist" -BackgroundColor DarkRed
        }
    } | Out-File $TempFile #foreach
} #Process
end {
    Get-Content -Path $TempFile
    Remove-Item -Path $TempFile -ErrorAction SilentlyContinue
}
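A pre-flight check for the CSV before running the script above. This is an added example and not part of the original post or the author's script: it verifies the Group and emailid headers (Import-Csv silently produces empty properties when a column name is misspelled), confirms each group exists, and checks that the address is not already held by another object, because proxyAddresses must be unique across the directory and the migration will otherwise fail on that entry. It assumes the ActiveDirectory module is available; the function name Test-ProxyAddressCsv is my own placeholder.

```powershell
# Added example, not from the original post. Validates Groups.csv before the
# proxy addresses are written. Assumes the ActiveDirectory PowerShell module.

function Test-ProxyAddressCsv {
    param([Parameter(Mandatory)][string]$Path)
    Import-Module ActiveDirectory

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No rows found in $Path" }

    # 1. Header check: a misspelled column shows up as an empty property, not as an error
    $headers = $rows[0].PSObject.Properties.Name
    $missing = @('Group', 'emailid') | Where-Object { $_ -notin $headers }
    if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

    foreach ($row in $rows) {
        $result = [ordered]@{
            Group         = $row.Group
            EmailId       = $row.emailid
            GroupExists   = $false
            EmailValid    = [bool]($row.emailid -match '^[^@\s]+@[^@\s]+\.[^@\s]+$')
            AlreadyUsedBy = $null
            Ok            = $false
        }

        # 2. Group existence, using the same -Identity lookup the script uses
        try {
            $null = Get-ADGroup -Identity $row.Group -ErrorAction Stop
            $result.GroupExists = $true
        }
        catch { }

        # 3. Uniqueness: a proxy address may exist on only one object. AD matches
        #    proxyAddresses case-insensitively, so this finds both smtp: and SMTP: entries.
        #    Special characters are escaped per RFC 4515 before they go into the LDAP filter.
        $escaped = $row.emailid -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
        $holder  = Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$escaped)" -Properties sAMAccountName |
                   Select-Object -First 1
        if ($holder) { $result.AlreadyUsedBy = $holder.DistinguishedName }   # may be the group itself if already added

        $result.Ok = $result.GroupExists -and $result.EmailValid -and (-not $result.AlreadyUsedBy)
        [pscustomobject]$result
    }
}

# Usage: run the script only when every row reports Ok = True
# Test-ProxyAddressCsv -Path C:\temp\Groups.csv | Format-Table -AutoSize
```

The AlreadyUsedBy column is the one worth reading before a tenant migration: an address already held by a user, contact or another group will not be accepted twice, and finding that out from a pre-flight table is cheaper than from a half-applied run.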

Useful articles
POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY 
POWERSHELL ACTIVE DIRECTORY: ADD OR UPDATE (CHANGE) MANAGER NAME IN ORGANIZATION TAB OF USER
POWERSHELL ACTIVE DIRECTORY: ADD OR UPDATE PROXYADDRESSES IN USER PROPERTIES ATTRIBUTE EDITOR
Powershell one liner: Create multiple user accounts
Active Directory Powershell: Create bulk users from CSV file

Find next available free drive letter using PowerShell

October 25, 2017 11:09AM

Below is my small one-liner PowerShell code for finding the first available (unassigned) drive letter; I use it frequently for automating the mapping of shared drives. It is based on Get-PSDrive -PSProvider FileSystem, which shows all drives in use. Generally A and B (floppy drives, not used as disks or mapped drives) and C (the OS root drive) are always in use on Microsoft OS, so I skip those while checking. The .NET type [Char] is used to represent a Unicode character; the numbers 68..90 represent the letters D..Z. Each converted character is compared against the Get-PSDrive output using an If statement, and the first letter that is not in use is returned. Below is the one-liner main code.

(68..90 | %{$L=[char]$_; if ((gdr).Name -notContains $L) {$L}})[0]

Once I have the result stored in the $FreeDrive variable, I use it in the example cmdlet below for mapping a remote shared drive. It is also useful while automating adding a new physical drive and assigning it a drive letter. (The alternative command for mapping a shared drive is Net Use.)
New-PSDrive -Name $FreeDrive -PSProvider FileSystem -Root '\\Server\c$' -Persist
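The one-liner and the New-PSDrive call combined into two functions, as an added example that is not part of the original post. It goes slightly beyond the one-liner in two ways: it also consults [System.IO.DriveInfo]::GetDrives(), because Get-PSDrive only lists drives known to the current session while mappings made with net use or subst outside it are not, and it retries with the next free letter if New-PSDrive fails, since another process can take the letter between the check and the mapping. The function names Get-FreeDriveLetter and New-SharedDriveMapping and the share path in the usage comment are my own placeholders.

```powershell
# Added example, not from the original post. Share path in usage is a placeholder.

function Get-FreeDriveLetter {
    # Returns every free letter from D..Z (or Z..D with -Descending); take [0] for the first one
    param([switch]$Descending)
    $range = if ($Descending) { 90..68 } else { 68..90 }
    # Get-PSDrive only knows this session's drives; DriveInfo also sees net use / subst mappings
    $inUse = @((Get-PSDrive -PSProvider FileSystem).Name) +
             @([System.IO.DriveInfo]::GetDrives() | ForEach-Object { $_.Name.Substring(0, 1) })
    $range | ForEach-Object { [string][char]$_ } | Where-Object { $_ -notin $inUse }
}

function New-SharedDriveMapping {
    param(
        [Parameter(Mandatory)][string]$Root,   # e.g. '\\Server\c$'
        [switch]$Persist
    )
    # Check the share first so a bad path or credentials do not burn through every letter
    if (-not (Test-Path -Path $Root)) { throw "Share $Root is not reachable" }

    foreach ($letter in Get-FreeDriveLetter) {
        try {
            # -Scope Global so the mapping outlives this function
            return New-PSDrive -Name $letter -PSProvider FileSystem -Root $Root -Persist:$Persist -Scope Global -ErrorAction Stop
        }
        catch {
            # Letter was taken between the check and the mapping (or rejected); try the next one
            Write-Verbose "Mapping $Root as ${letter}: failed: $($_.Exception.Message)"
        }
    }
    throw "No free drive letter could be mapped to $Root"
}

# Usage (constructed share):
# $drive = New-SharedDriveMapping -Root '\\Server\c$' -Persist
# $drive.Name
```

The retry loop is the part the one-liner cannot do on its own: a scheduled script that maps drives for several users at once will occasionally lose the race for a letter, and picking the next one is cheaper than failing the whole run.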


Here is another script I recently used to find the last free drive letter on a remote server, for re-purposing in my other script tools. It requires the CIM cmdlets, available in PowerShell version 4 and above, and uses the CIM class Win32_LogicalDisk to get the list of drive letters from the remote machine. Copy and paste the script into your PowerShell $PROFILE file.

The code given above can also be used with my earlier article POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS.

Function Search-FreeDriveLetter {
    [CmdletBinding(SupportsShouldProcess=$True,
        ConfirmImpact='Medium',
        HelpURI='http://vcloud-lab.com')]
    Param
        ( 
            [String[]]$ComputerName = $env:COMPUTERNAME,
            [ValidateSet('Dcom', 'WSman', 'Default')][String]$Protocol = 'Dcom'
        )
    Begin {
        $CimOption = New-CimSessionOption -Protocol $Protocol
        # Z down to D, so the last free letter is returned; A, B and C are never considered
        $AllDriveLetters = 90..68
        $Credential = Get-Credential
    }
    Process {
        foreach ($Computer in $ComputerName) {
            try {
                # -ComputerName (not -Name, which only labels the session) is what makes this remote
                $CimSession = New-CimSession -ComputerName $Computer -SessionOption $CimOption -Credential $Credential -ErrorAction Stop
            }
            catch {
                Write-Host "Connecting $Computer failed ..." -BackgroundColor DarkRed
                continue   # skip this computer rather than querying a stale session from the previous one
            }
            $CurrentDriveLetters = Get-CimInstance -ClassName Win32_LogicalDisk -CimSession $CimSession
            ForEach ($SingleDriveLetter in $AllDriveLetters) {
                $D2ZLetter = [String][Char]$SingleDriveLetter
                $TestDriveLetter = "{0}:" -f $D2ZLetter
                $ListCheck = $CurrentDriveLetters.DeviceID -contains $TestDriveLetter
                # Test-Path runs on this machine, so it only adds information when the target is the local computer
                $TestPath = if ($Computer -eq $env:COMPUTERNAME) { Test-Path $TestDriveLetter } else { $false }
                If ($ListCheck -eq $false -and $TestPath -eq $false) {
                    $TestDriveLetter
                    Break
                }
            }
            Remove-CimSession -CimSession $CimSession
        }
    }
}

After executing Search-FreeDriveLetter Machine01, Machine02, it will prompt for a username and password to connect remotely. I used this script in a VMware infrastructure where I wanted to initialize and add disks in VMs.


Useful Articles
Powershell Active Directory: Show treeview of User or Group memberof hierarchy ##How to use $PROFILE to store function
Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled
Installing, importing and using any module in powershell
