
In this article I am setting up a vCenter appliance and configuring it with Active Directory.

1 – Download and deploy appliance

Log onto vmware.com and browse to the download section.

Log onto one of your ESXi hosts and deploy via the VI client.

I would also check the time on the ESXi hosts is correct and matches the time on your Active Directory DCs.

Follow the wizard; once complete you should have a running appliance.

2 – Setup Appliance

Log on to the appliance using the link specified above (e.g. 10.0.0.1:5480). Note that the default username is root with a password of vmware.

Run through the wizard using the default settings.

Enter the IP information in the section below, and enter the Active Directory DNS servers.

Make sure the time zone is correct.

3 – Configure Active Directory Integration

Go to the tab below and enter your Active Directory details. You will need to reboot the appliance once these are entered.

Then log onto the vCenter web client. This is on https://IP-OF-VCSA:9443

Note if you get an SSL error when trying to log into the web client you may need to regenerate the SSL certificate and reboot the appliance.

Once you have logged on go to the section below and add the Active Directory details, e.g.

Primary Server URL = ldap://FQDN-of-your-1st-DC

Secondary Server URL = ldap://FQDN-of-your-2nd-DC

Base DN for users = specify the active directory DN

Domain alias = your domain name

Base DN for groups = as above specify the active directory DN

Authentication type = Password

Username and password = enter the details of an active directory account

Click ok and then I would recommend rebooting the appliance.

Once rebooted you will need to log onto the appliance and manually add any Active Directory groups you want to give permissions to – see below.

THE END

This article explains how to upgrade the firmware on a Cisco SGE or SFE 2000 series switch. The firmware files are uploaded using TFTP so you will need to have this installed on whatever computer you are using to update from (i.e. your PC).

Download Firmware Update and Copy to TFTP

  • The current release for the SFE 2000 series switches (v3.0.2) can be found here
  • The current release for the SGE 2000 series switches (v3.0.2) can be found here
  • Once downloaded you should extract the firmware update file (.ros) and copy to the TFTP directory on your PC. I am using Solarwinds TFTP.

Note I have copied the .ros file into the TFTP directory

Upload to Switch

  • Log onto the switch's web interface and navigate to the screen below.

  • Once you have filled out the appropriate info as shown above click on “apply”. This will initiate an upload of the file from your PC.
  • Once complete click “done” and navigate to the “active image” section.

  • Change the active image after reboot. For example, if the current active image is “Image 1” change the after-reset image to “Image 2”; if the active image is “Image 2” change the after-reset image to “Image 1”.
  • Click Apply.

Reboot Switch

  • You must then reboot the switch. Go to the below screen and click on reset.

The switch will reboot and the firmware update should be complete.

THE END

This article explains how to install an SSL certificate on a Watchguard SSL100. I have purchased the certificate from godaddy.

If you found this article useful please click on my referral link before ordering your SSL certificate – cheers! http://www.godaddy.com/itbook

Step 1 – Download and Install OpenSSL

NB – The SSL100 requires the certificate to be PEM formatted with a separate private key.

I recommend using openssl to generate the certificate signing request (CSR). You can download this from www.openssl.org

I recommend downloading the version shown below.

Once downloaded please install this. If prompted to install any dependencies (e.g. Microsoft Visual C++ 2008 Redistributable Package) then please do so before installing openssl.

Step 2 – Use OpenSSL to generate CSR

Open an elevated command prompt and change to the openssl-win32 directory (i.e. enter the command cd \openssl-win32\bin). Then enter the commands below.

openssl genrsa -out wgnet.key 2048

openssl req -new -key wgnet.key -out wgnet.csr

Lastly you need to convert the private key into PKCS#8 format. Enter the command

openssl pkcs8 -topk8 -in wgnet.key -out wgnet.pk8

You have now generated 3 files – wgnet.csr, wgnet.key and wgnet.pk8
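As an added example (not part of the original post), the script below runs the same three openssl steps non-interactively and then checks that the CSR, the raw key and the PKCS#8 key all carry the same public key, which is the check worth making before the CSR is submitted to the CA. It assumes openssl is on the PATH; the "wgnet" base name is the post's, while the subject DN and passphrase used here are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate the SSL100 files the
# same way as the post (genrsa -> req -> pkcs8) and verify they belong together.
set -eu

make_csr() {
    # $1 = base file name, $2 = subject DN, $3 = passphrase for the PKCS#8 file
    base=$1; subj=$2; pass=$3
    openssl genrsa -out "$base.key" 2048 2>/dev/null
    # -subj replaces the interactive questions the post answers by hand
    openssl req -new -key "$base.key" -subj "$subj" -out "$base.csr"
    # -topk8 encrypts by default, as in the post; the SSL100 later asks for this passphrase
    openssl pkcs8 -topk8 -in "$base.key" -out "$base.pk8" -passout "pass:$pass"
}

pubkey_fp() {
    # SHA-256 fingerprint of a PEM public key read from stdin (DER-encoded before hashing)
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

csr_matches_key() {
    # $1 = base file name, $2 = passphrase; returns 0 only if all three files agree
    base=$1; pass=$2
    fp_key=$(openssl pkey -in "$base.key" -pubout | pubkey_fp)
    fp_pk8=$(openssl pkey -in "$base.pk8" -passin "pass:$pass" -pubout | pubkey_fp)
    fp_csr=$(openssl req -in "$base.csr" -pubkey -noout | pubkey_fp)
    [ -n "$fp_key" ] && [ "$fp_key" = "$fp_pk8" ] && [ "$fp_key" = "$fp_csr" ]
}

# Usage (constructed values):
#   make_csr wgnet "/C=GB/O=Example Ltd/CN=vpn.example.com" "constructed-passphrase"
#   csr_matches_key wgnet "constructed-passphrase" && echo "CSR, key and PKCS#8 key match"
```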

Step 3 – Use CSR to generate SSL certificate

In this example I am buying the certificate from godaddy (http://www.godaddy.com). I chose godaddy as their certificates are easy to rekey in case of any errors or lost certificates. They are also cheap.

If you found this article useful please click on my referral link before ordering your SSL certificate – cheers! http://www.godaddy.com/itbook

You require a standard SSL certificate.

Once purchased go to manage your certificates and setup the certificate you have just bought.

Open the wgnet.csr file in notepad.

Copy the contents into the CSR window as shown below.

Follow the wizard through. You will need to run through domain validation before the certificate is issued.

Step 4 – Install Certificate

Once you have completed domain authentication you will get an email from godaddy with a link to download the certificate. Note below I have chosen the certificate type “other”.

Log onto the Watchguard SSL and go to manage system – certificates.

Click on add server certificate

Select the certificate you downloaded from godaddy and the key file you created in step 2. Use the password also created in step 2.

Then to make the certificate live go to “administration service” and select the server certificate you just added – as shown below.

Select “save” and then “publish”.

Then go to “device settings”. Select the new certificate here also. Note this will cause the device to reboot as shown below.

Once the device is back up select publish to make your changes live. You can then test this externally.

Again, if you found this article useful please click on my referral link before ordering your SSL certificate – cheers! http://www.godaddy.com/itbook

THE END

This article explains how to restore a single file from a Windows server using Veeam Backup and Recovery v6.5.

Open Veeam Backup and Recovery and click “restore”, then choose “Guest files (windows)”

Select the server

Then select the backup you want to restore from.

Browse through to the file you want to restore. I recommend copying this to another location and then renaming the document – e.g. WordDoc1-RESTORED.docx

THE END

Installation:

Pre-Install

  • Check that “virtualization technology” is enabled in the BIOS

Load ESXi software

  • Where possible download the vendors version of ESXi. For example Dell provide their own customized ISO that contains Dell specific settings for SNMP etc.
  • (Alternatively you can use the Dell Unified Server Configurator; you will still need the Dell ESXi ISO however.)

  • After downloading the ISO from the Dell website I booted the server off it and installed ESXi.

  • Choose keyboard layout and enter root password

  • After reboot press F2 to enter the configuration screen

  • Configure the IP address, subnet mask, default gateway, DNS servers, hostname and suffix.

Patching

It is far, far easier to patch using virtual center if one is available.

Patching via command line

If the server connects to virtual center then I recommend using the “update” plugin to patch the host. Otherwise you will need to manually install the patches from the command line (either via the VMA or the vSphere CLI). Below are the commands to patch from the command line (warning it is likely that further patches will be released in addition to the below):

Please replace XXXX with the host ip address of your ESX server

Please replace YYYY with the root password

vihostupdate.pl --server XXXX --username root --password YYYY -i -b ESXi410-201010001.zip
vihostupdate.pl --server XXXX --username root --password YYYY -i -b ESXi410-201011001.zip
vihostupdate.pl --server XXXX --username root --password YYYY -i -b ESXi410-201104001.zip
vihostupdate.pl --server XXXX --username root --password YYYY -i -b ESXi410-201107001.zip
vihostupdate.pl --server XXXX --username root --password YYYY -i -b update-from-esxi4.1-4.1_update01.zip
vihostupdate.pl --server XXXX --username root --password YYYY -i -b OM-SrvAdmin-Dell-Web-6.5.0-2247.VIB-ESX41i_A01.zip

Patching Using VC

You will need to have the Update Manager plugin installed on the VC.

Then use the update manager tab to patch the servers.

Install Custom Updates

If using a Dell server download and install the Equallogic Openmanage VIB.

Import the patch into the repository

Create a baseline for the patch

Configure

If you haven’t got the Vmware VI client installed on your PC already you will then want to download the VI client to enable you to manage this server. You can get this by opening a web browser and entering in the IP of the ESXi server (as shown in the diagram above).

Although I have configured the below settings via vi client you can also set these on the console of the ESXi server.

  • Click on the link highlighted above and install the VI client. Note that this downloads the client from the web and not from this server. It may take a few minutes.
  • Once installed open the vi client and connect to the ESXi server IP as shown below. Note the default username is root with no password.

You may now want to customise your install.

Add other NICs to vSwitch:

This will improve performance and add a degree of fault tolerance with the network cards.

Setup NTP:

Note that VMs will likely pick up the time from the ESXi server, so it is important that the time is correct.

I recommend using the NTP servers:-

  • 0.pool.ntp.org
  • 1.pool.ntp.org
  • tick.usno.navy.mil
  • tock.usno.navy.mil

License VMware:

You will need to Register with Vmware and they will email you a license. Once you have this you can enter this on the below screen.

Setup iSCSI

If connecting to an iSCSI SAN you will need to setup iSCSI.

Create VMkernel ports

As below. Note the iSCSI heartbeat port must have the lowest vmk number.

Enable jumbo frames (if used on iSCSI network).

Change the MTU for the vSwitch

For each port group change the MTU to 9000

Change each of the iSCSI port groups to use an active and standby adapter. Each (iSCSI) port group should use a different active and unused adapter. i.e. the active adapter on iSCSI 1 is the unused adapter on iSCSI 2 and vice versa.

Add and Enable iSCSI adaptor

An iSCSI software adaptor should appear. Go into the properties of this and bind with VMkernel adapters.

Setup CHAP (If used)

Bind VMkernel ports

Connect to SAN

In the below example I have entered the Group IP of the iSCSI SAN

You should then rescan the adaptor

You should now be able to see LUNs from the SAN

Setup vMotion

In a multiple server environment with shared storage (e.g. SAN) you will want to setup vMotion to enable live migration of VMs.

Add a new (VMkernel) vSwitch and select the VMNIC you have setup for vMotion

Allocate a range on the vMotion subnet, click next and finish.

Health Monitoring (If using Virtual Center)

You can configure virtual center to send email alerts for specific events. You will need to setup your email server to allow smtp relay from the virtual center server. This is setup at the VC level so may already be enabled.

Configure Virtual Center Server settings

Configure the alert you want to be emailed about

Setup Scratch Location (if installed on SD or USB card)

VMware recommends a persistent scratch location for temporary data such as logs, diagnostics and system swap. If you have installed ESXi on an SD or USB card there may be no space for this. In this instance I have created a LUN specifically for scratch data.

Create a folder on the LUN for the new server

Go to “advanced settings” then “ScratchConfig” and specify the location you have just created (i.e. /vmfs/volumes/DatastoreName/foldername)

You will need to reboot for these changes to take effect.

Add other NICs to vSwitch0

It is recommended to add multiple NICs to vSwitch0 (to enable VMs to communicate over multiple NICs).

In this example I am installing the VMWare Storage Appliance onto ESXi servers that have existing running VMs. This is known as a brownfield installation.

Basics

  • The VSA Manager must be installed on a 64-bit Windows vCenter machine that runs vCenter Server version 5.0 or later.
  • vCenter does not need to be on the same subnet as the cluster
  • The VSA cluster service must be installed on a machine in the same subnet as the cluster
  • Once installed you cannot add another ESXi host to a running vCenter cluster
  • You can resize the size of the VSA storage after installation
  • You will need at least 2GB free space on the machine where you are installing the VSA cluster service.
  • The VSA Cluster Service is only necessary in two node configurations

Scenario

  • 2x ESXi servers in head office
  • 1x ESXI server in branch office

Pre-requisites

  • You must have a vcenter server, with a data center created and the ESXi hosts added

Heap Size

  • I recommend changing the heap size on each ESXi server in the cluster to 256 (see below).

EVC mode

You have 2 options:-

  • Power off all the virtual machines before installing the VSA, or
  • Change the dev.properties file to raise the EVC baseline

The dev.properties file is located on the system where vCenter Server is installed, under C:\Program Files\VMware\Infrastructure\tomcat\webapps\VSAManager\WEB-INF\classes. Change the line evc.config.baseline=lowest to evc.config.baseline=highest.

Switch Configuration

The switching setup is very important, therefore I recommend writing out what NICs are used for what. I recommend using VLANs to isolate cluster traffic so you will need to know the physical switch port that each VMnic connects to.

ESXi1

VMnic    Switch  Port  Active Use                       Standby Use
Vmnic0   1       1     VM Network, Management Network   VSA Front End
Vmnic1   1       2     VSA Front End                    VM Network, Management Network
Vmnic2   1       13    VSA-Back End                     VSA-VMotion
Vmnic3   1       5     VSA-VMotion                      VSA-Back End

ESXi2

VMnic    Switch  Port  Active Use                       Standby Use
Vmnic0   2       1     VM Network, Management Network   VSA Front End
Vmnic1   2       2     VSA Front End                    VM Network, Management Network
Vmnic2   2       13    VSA-Back End                     VSA-VMotion
Vmnic3   1       17    VSA-VMotion                      VSA-Back End

I then created a VLAN on the switches for the VSA-Back End (and VSA-VMotion) NICs. This is to isolate the traffic from the main network.

vSwitch Configuration

  • On each ESXi server create the vSwitches as shown below. Note that the Port-group names are case sensitive.
  • You will need to enable vMotion on the VSA-VMotion port group and assign an IP address.

As per the table in the switch section you need to set one active and one standby adaptor for the port groups.

Vmnic    Active for                       Standby for
Vmnic0   VM network, Management Network   VSA-Front End
Vmnic1   VSA-Front End                    VM network, Management Network
Vmnic2   VSA-Back End                     VSA-VMotion
Vmnic3   VSA-VMotion                      VSA-Back End

You can set the active/standby adapters for a port group on the below tab.

Install VSA Cluster Service

In the example below I am installing the VSA cluster service on the VMWare Management assistant. You will need to connect to the vMA and have internet access from the vMA. Alternatively there are Windows and Linux versions that can be downloaded and installed on separate OSes. I am not sure if VMWare support installation of the cluster service on the VMA so I would recommend installing it on a separate Windows or Linux VM.

From the vMA enter the below commands (for more information about this install see the excellent guide here):-

  • sudo zypper --gpg-auto-import-keys ar http://download.opensuse.org/distribution/11.1/repo/oss/ vMA-SLES-11.1
  • sudo zypper refresh
  • sudo zypper se gettext
  • sudo zypper in gettext-tools

From the VMware website download the VSA cluster service for Linux (VMware-VSAClusterService-5.1.1.0-858549-linux.zip). Create a folder(tmp) under the /home/vi-admin folder and copy the zip file into that.

Once the copy has completed enter the below commands

  • cd /home/vi-admin/tmp
  • unzip *.*
  • cd V*
  • cd setup
  • sudo ./install.sh

Apparently the above errors are not important

Installation of VSA Manager

On the VC download “VSA Manager” from the VMWare website (in this instance I used VMware-vsamanager-all-5.1.0-859644.exe)

Once installed open the vi client on the virtual center and you should see a VSA manager tab.

Run through the installer and choose the appropriate data center. Then select the hosts to go into the cluster

Note I have entered the IP of the VMA for the cluster service IP address.

Fill out the necessary IP info

Note that the VSA size below is 1TB. This will actually create 2x 500GB VSA datastores. You may want to check if any of your VMs have drives larger than the size of the VSA datastores. The reason it creates 2x 500GB datastores is that each server must replicate the other server’s datastore.

If you choose to format the disks immediately it may take a while.

Note that I have not used dedicated VLANs for the cluster front-end and back-end portgroups. As mentioned above I have created port based VLANs on the switch to isolate the back-end traffic.

I was initially concerned by the below message but I can confirm that after installation it did not wipe the datastores on which the existing VMs resided.

After a short while the installation will complete.

The VSA manager tab should now be populated with information about the cluster and storage. Note the “change password” option. As mentioned above it is recommended to change your password.

The Cluster is now installed and you now have the option to migrate your running VMs onto the VSA storage (e.g. VSADs-0 and VSADs-1)

THE END

When installing vCenter 5.1 you may get the error message:

“Error 32010. Failed to create database users. There can be several reasons for this failure. For more information, see the vmMSSQLCmd.log file in the system temporary folder”

You can find the location of vmMSSQLCmd.log in

The reason for the error should be in this file. In my instance it was because the passwords chosen for the RSA_DBA and RSA_USER accounts did not meet windows complexity requirements. I changed the passwords to something more complex and the install completed successfully.

THE END

If you found this article useful please click on my referral link before buying your godaddy certificate: www.godaddy.com

When trying to purchase a SSL SAN certificate you may run into problems if your Active Directory domain uses a non-standard domain name e.g. if it ends with .local

For example godaddy will fail, giving you the error message:

One or more SANs is not a fully qualified domain name. You must drop the invalid SANs

Please note: After November 1, 2015, Go Daddy will no longer provide SSL certificates without a fully-qualified domain name or IP address, such as ‘mail’, ‘intranet’, or 10.0.0.1

This is due to a change in legislation for certificate authorities designed to improve security.

In the example below I have tried to register 5 FQDNs:-

  • Mail.yourdomain.net
  • Autodiscover.yourdomain.net
  • Autodiscover.yourdomain.local (this is a non-standard FQDN)
  • Servername (this is a non-standard FQDN)
  • Servername.yourdomain.local (this is a non-standard FQDN)

As you cannot register the non-standard domains you will not be able to register

  • Autodiscover.yourdomain.local (this is a non-standard FQDN)
  • Servername (this is a non-standard FQDN)
  • Servername.yourdomain.local (this is a non-standard FQDN)

You can only register

  • Mail.yourdomain.net
  • Autodiscover.yourdomain.net

This means that you will need to reconfigure your exchange server to use your public domain name (e.g. mail.yourdomain.net) on your internal network. Otherwise you may get Outlook certificate error messages stating “The name on the security certificate is invalid or does not match the name of the site”.
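An added pre-check, not from the original post, that applies the rule described above to a list of candidate SANs before the order is placed: single-label host names, bare IP addresses and names under a non-public suffix such as .local are rejected, so only the names the CA will accept reach the order form. The suffix list beyond .local is an assumption, chosen to cover other internal suffixes in the same way.

```shell
#!/bin/sh
# Added example, not from the original post: filter SANs down to public FQDNs
# before ordering, so the "One or more SANs is not a fully qualified domain
# name" rejection is caught locally.

san_ok() {
    # $1 = candidate SAN; returns 0 if it is a public FQDN, 1 otherwise
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        *.*) ;;            # must contain at least two labels
        *) return 1 ;;     # e.g. "servername": single-label host name
    esac
    # bare IPv4 address such as 10.0.0.1 is not an FQDN
    if printf '%s' "$name" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        return 1
    fi
    # non-public suffixes (assumed list; .local is the case from the post)
    case "$name" in
        *.local|*.localhost|*.internal|*.lan|*.corp|*.home|*.intranet) return 1 ;;
    esac
    return 0
}

filter_sans() {
    # prints, one per line, the arguments that can go on the certificate order
    for n in "$@"; do
        if san_ok "$n"; then printf '%s\n' "$n"; fi
    done
}

# Usage with the five names from the post:
#   filter_sans Mail.yourdomain.net Autodiscover.yourdomain.net \
#       Autodiscover.yourdomain.local Servername Servername.yourdomain.local
```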

Create DNS Zone for your public internet domain

By creating an Active Directory zone for your public DNS name you can change what IP address is resolved. E.g. mail.yourdomain.net should resolve to an internal IP. This is known as split brain DNS.


As you are creating a DNS zone for your public domain name you will need to enter any host records you use e.g. www for your website. All exchange DNS records should point to the exchange server’s internal IP.

This allows you to use your public FQDN internally. This reduces the number of DNS names you need to register, e.g. just two.

  • Mail.yourdomain.net
  • Autodiscover.yourdomain.net

Note I have created host records for “mail” and “autodiscover”. Therefore please order the SSL certificate with just the 2 FQDNs e.g. mail.yourdomain.net, autodiscover.yourdomain.net

Set Exchange to Use the Public FQDN

You can view what URLs exchange is using by running the “test e-mail autoconfiguration” program in Outlook.

You will need to set Exchange to listen on the public FQDN for a number of key services. To do this you need to open the Exchange Management Shell and enter the commands below, changing the FQDN (mail.contoso.com) and the server name (CAS_Server_Name).

Exchange 2007

  1. Change the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To change this URL, type the following command, and then press Enter:

    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

  2. Change the InternalUrl attribute of the EWS. To do this, type the following command, and then press Enter:

    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

  3. Change the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press Enter:

    Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

  4. Change the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press Enter:

    Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

  5. Open IIS Manager.
  6. Expand the local computer, and then expand Application Pools.
  7. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.


Note you can check the current settings using the get-clientaccessserver command.

Exchange 2010

  1. Start the Exchange Management Shell.
  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command and then press ENTER: Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER: Set-WebServicesVirtualDirectory -Identity “CAS_Server_Name\EWS (Default Web Site)” -InternalUrl https://mail.contoso.com/ews/exchange.asmx
  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER: Set-OABVirtualDirectory -Identity “CAS_Server_name\oab (Default Web Site)” -InternalUrl https://mail.contoso.com/oab
  5. Open IIS Manager.
  6. Expand the local computer, and then expand Application Pools.
  7. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Confirm Working

By running test email autoconfiguration in Outlook the URLs used for exchange should have changed to the public addresses.

THE END

In this article I am setting up a three-network-card aggregate link between an ESXi host and a Cisco 2960. Note that LACP is only supported on distributed vSwitches on ESXi 5.1 and not on ESXi 5.0 and below. You will need to know which switch port each of your NICs connects to.

DvSwitch Configuration

To create a distributed vSwitch (DvSwitch) go to the below section in the vi client

Create a new DvSwitch

Select the host and network adaptors

Continue through the wizard and select exit.

Set the below options to enable the aggregate link for the ESXi server.

Cisco Switch Configuration

Below are the commands to create a 3 port aggregate connection. The NICs on my ESXi server I want to aggregate connect to switch ports g0/2, g0/3 and g0/4. Note that I am using the default vlan (vlan 1) for my network connections. Also note that the channel-group mode must be set to “on” and not “active”.

interface Port-channel1
 description aggregate for ESXi
 flowcontrol receive desired
!
interface GigabitEthernet0/2
 flowcontrol receive desired
 channel-group 1 mode on
 spanning-tree portfast
!
interface GigabitEthernet0/3
 flowcontrol receive desired
 channel-group 1 mode on
 spanning-tree portfast
!
interface GigabitEthernet0/4
 flowcontrol receive desired
 channel-group 1 mode on
 spanning-tree portfast

Verify

Use the “show etherchannel summary” command to verify the aggregate link. The important section below is “Po1(SU)”; the U stands for “Up”.

TRI-COLO-SW1#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         -        Gi0/2(P)    Gi0/3(P)    Gi0/4(P)
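Added example, not from the original post: a small check that reads a captured “show etherchannel summary” and confirms what the text says to look for, namely that the port-channel row carries both S (Layer2) and U (in use) and that every member port shows (P). SAMPLE is constructed from the output above; the port-channel name and expected member count are passed in.

```shell
#!/bin/sh
# Added example, not from the original post: verify an EtherChannel from
# "show etherchannel summary" output instead of reading it by eye.

# Constructed from the switch output in the post (3 bundled ports on Po1).
SAMPLE='Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         -        Gi0/2(P)    Gi0/3(P)    Gi0/4(P)'

etherchannel_ok() {
    # $1 = port-channel name (e.g. Po1), $2 = expected number of member ports
    # reads the command output on stdin; returns 0 only if the bundle is healthy
    awk -v po="$1" -v want="$2" '
        $2 ~ ("^" po "\\(") {
            found = 1
            split($2, f, /[()]/); flags = f[2]          # "SU" from "Po1(SU)"
            if (flags !~ /S/ || flags !~ /U/) exit 1    # must be Layer2 and in use
            n = 0
            for (i = 4; i <= NF; i++) {                 # member ports start at field 4
                if ($i ~ /\(P\)$/) n++                  # bundled in port-channel
                else exit 1                             # e.g. (I) stand-alone, (s) suspended
            }
            if (n != want) exit 1                       # a NIC is missing from the bundle
            exit 0
        }
        END { if (!found) exit 1 }                      # port-channel not present at all
    '
}

# Usage:
#   printf "%s\n" "$SAMPLE" | etherchannel_ok Po1 3 && echo "Po1 is up with 3 members"
```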

Explanation / Command

Grant full access to all mailboxes:

    get-mailbox -server <exchange server Name> | Add-MailboxPermission -User "domain\userid" -AccessRights FullAccess

Move mailbox to another server:

    New-MoveRequest -Identity username -TargetDatabase "database name"

Update Default Global Address List:

    Update-GlobalAddressList -Identity "default Global Address List"

Grant relay permission to send connector:

    Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Remove Move Request (if a move fails you need to remove the move request before generating another one):

    Remove-MoveRequest -Identity boardroom

Get information on size and number of items in mailbox store:

    get-mailboxstatistics -database "name-of-mail-database"

Get information on an individual mailbox:

    get-mailboxstatistics -identity administrator

Check autodiscover:

    Test-OutlookWebServices

Create hub site:

    Set-AdSite "Site A" -HubSiteEnabled $true

Approve in-policy requests from all users for the room mailbox "board room":

    Set-CalendarProcessing -Identity "boardroom" -AutomateProcessing AutoAccept -AllBookInPolicy $true

Prevent a user from deleting any items:

    Set-Mailbox <username> -LitigationHoldEnabled $true

Create a retention tag to delete emails older than 90 days from the "deleted items" folder:

    New-RetentionPolicyTag "AllUsers-DeletedItems" -Type DeletedItems -Comment "Items older than 90 days are deleted" -RetentionEnabled $true -AgeLimitForRetention 90 -RetentionAction PermanentlyDelete

Export a list of all user email addresses to a text file:

    get-recipient | select name -expand emailaddresses | where {$_.smtpAddress} | Select-Object Name,smtpAddress | export-csv c:\AllEmailAddresses.txt -noType

Upgrade Recipient Policy from older version of Exchange:

    Set-EmailAddressPolicy "Default Policy" -IncludedRecipients "AllRecipients"