
Tuesday 8 October 2013

SSO in vSphere 5.5 and Active Directory Integration

I was recently installing vSphere 5.5 and was working through the steps to install and configure it.

First thing I’d like to say is that the SSO installation is a lot, lot simpler in 5.5.  No more do you have to pre-create the SSO DB, and run SQL scripts to build the SPs and users. 
I’m all for ease!
 

One thing that tripped me up a little, however, is the new Identity Sources menus and the requirement to give your AD SSO service account in the form of a DN.
So, to make sure that adding the SSO Identity Source goes smoothly, prepare your SSO account in the DN form:


CN=SSO Account,OU=ServiceAccounts,OU=Users,DC=Domain,DC=COM
 

 
 
 
 
Hopefully that helps someone out!

 

Chris.

Thursday 15 August 2013

PowerCLI Copy-VMGuestFile Cmd-let


Hi all,
 
This is one of my most used, and favourite, cmdlets in PowerCLI.  It allows you to copy a file to a guest VM from wherever you’re running your PowerCLI session and vice-versa.
 
What’s the benefit of that I hear you ask?

What if you have a template that you haven’t assigned an IP address to, and that you don’t want to assign an IP to due to stringent policies in place by your company, but you still really need to get that file up to the VM?

Basically any restriction on network access and this command can help you out.

It uses TCP port 902 to transfer the file, so you must have that port open for this to work!  You can test this just by trying to open a console session to the VM in vCenter.

So to utilise this cmdlet:

Copy-VMGuestFile -Source *Source path from your local machine* -Destination *Path to required destination in the VM* -VM *vmname* -HostUser *Admin account for the ESX\ESXi host the VM is resident on* -HostPassword **** -GuestUser "Domain or Computername\Username for the VM OS" -GuestPassword ****** -LocalToGuest (or -GuestToLocal) **Defines the direction of the file copy**
 

You can also use credential store xml files to authenticate using the -GuestCredential and -HostCredential parameters.
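An added example (not from the original post) of the same copy using the -HostCredential and -GuestCredential parameters with credentials prompted via Get-Credential, so no password is typed on the command line, followed by a hash comparison to confirm the file arrived intact. The VM name, the paths, a Windows guest with certutil, and PowerShell 4.0 or later locally (for Get-FileHash) are all assumptions.

```powershell
# Added example. VM name, file paths and the Windows guest are assumptions.
$vm        = Get-VM -Name 'template-01'
$source    = 'C:\Staging\agent-installer.msi'
$guestDir  = 'C:\Temp\'
$guestFile = Join-Path $guestDir (Split-Path $source -Leaf)

# Prompt once. The passwords are held as SecureStrings inside PSCredential
# objects, so they are not typed on the command line where console history
# or a Start-Transcript log would record them.
$hostCred  = Get-Credential -Message 'ESX/ESXi host account'
$guestCred = Get-Credential -Message 'Guest OS account'

# Same copy as above, but authenticated with credential objects.
Copy-VMGuestFile -Source $source -Destination $guestDir -VM $vm -LocalToGuest `
    -HostCredential $hostCred -GuestCredential $guestCred -ErrorAction Stop

# Confirm the file arrived intact: hash it locally and inside the guest.
$localHash = (Get-FileHash -Path $source -Algorithm SHA256).Hash
$result = Invoke-VMScript -VM $vm -ScriptType Bat `
    -ScriptText "certutil -hashfile `"$guestFile`" SHA256" `
    -HostCredential $hostCred -GuestCredential $guestCred

# certutil prints the digest on its second output line; older builds put
# spaces between the bytes, so strip all whitespace before comparing.
$guestHash = (($result.ScriptOutput -split '\r?\n')[1]) -replace '\s', ''

if ($guestHash -eq $localHash) {
    Write-Host -ForegroundColor Green "Copied and verified: $guestFile"
} else {
    Write-Warning "Hash mismatch for $guestFile (local $localHash, guest $guestHash)"
}
```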

There are some pre-requisites to be met before you use this cmdlet however:

·         You must have VMTools installed in the guest
·         You must run this cmdlet from the 32-bit version of PowerCLI
·         It only runs on the following OSs:
                  ·         XP 32-bit SP3
                  ·         2003 32-bit SP2
                  ·         2003 64-bit SP2
                  ·         Windows 7 64-Bit
                  ·         Windows Server 2008 R2 64-Bit
                  ·         RHEL 5
·         For vCenter Server/ESX/ESXi versions earlier than 4.1, you need the VirtualMachine.Interact.ConsoleInteract privilege. For vCenter Server/ESX/ESXi 4.1 and later, you need the VirtualMachine.Interact.GuestControl privilege. To run this cmdlet against vCenter Server/ESXi 5.0 and later, you need VirtualMachine.GuestOperations.Modify privilege.



Hopefully you’ll get as much use out of this as I do!

 

Chris.

Wednesday 7 August 2013

VMDK Location Check Script

Hi everyone,
 
As a part of the clean-up of my first post, there was a requirement to move the VMDKs from the 3rd party's datastores to our own datastore cluster.
Because I wanted to stagger the VMDK migrations, I decided to write a separate script rather than tacking this on to the end of the previous script.
 
The first portion produces some nice reporting.  I used the ConvertTo-Html cmdlet for this and it works quite well I think!
After the report is produced, the decision is there to be made by the user as to whether there is the space to migrate the requested amount of VMDKs.
 
The script is designed to be run piecemeal as personally I didn’t like the idea of terabytes of data flooding the storage network!
 
Here it is:
 
#######################################################################
# Script Name: VMDK_Location_Check.ps1
# Purpose: To migrate VMDKs from non-compliant datastores
#
#
# Created by: Chris Lawrence http://hoipoiloi.blogspot.com
# Date: 01/08/2013
#######################################################################
 
#Variables.  Please amend as required:
#How many VMDKs you want to move at once
$X = 5
#Datastore you want to move the VMDKs to
$Datastore = Get-datastore -Name "Your Datastore"
 
#------------
#Sets some mandatory variables
$Administrator = [Environment]::UserName
$Path = "C:\Users\$Administrator\Documents"
$VMDKLocation = Get-vm | Get-HardDisk | Where {$_.filename -notmatch "DATASTORE"}
$TotalGB = $VMDKLocation | Measure-Object CapacityGB -Sum
$GBsInX = $VMDKLocation |Select -First "$X" | Measure-Object CapacityGB -Sum
$FreeSpace = $Datastore.freespaceGB - $gbsinX.sum
$FreeSpace = "{0:N0}" -f $Freespace
 
#------------
#Report creation
#Pre-define some table and header styles using HTML
$Header = @"
<style>TABLE {border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}
TH {border-width: 1px;padding: 3px;border-style: solid;border-color: black;background-color: #A74AC7;}
TD {border-width: 1px;padding: 3px;border-style: solid;border-color: black;}
</style>
"@
 
#Create some HTML code using the Convertto-html cmdlet.
$Frag1 =  $totalgb | ConvertTo-HTML -Property Count, Sum -As Table -Body "<H2>Total VMs and Total GBs non-compliant</H2>"
$Frag2 =  $GBSinX | ConvertTo-HTML -Property Count, Sum -As Table -Body "<H2>Total specified VMs and GBs to be moved</H2>"
$Frag3 =  ConvertTo-HTML -Body "<H2>Free space is $Freespace(GBs) in $datastore once $X machines have been made compliant</H2>"
$Frag4 =  $VMDKLocation | ConvertTo-HTML -Body "<H2>Complete list of the non-compliant VMs</H2>" -Property Parent, CapacityGB, FileName -As Table -Head $Header
#Combine these html fragments to one report:
ConvertTo-Html -Body "$Frag1 $Frag2 $Frag3 $Frag4" -Title "VMDK Location Report" | Out-File "$Path\Report.html"
#Open the report in the default browser. Invoke-Item opens the file, whereas Invoke-Expression would evaluate the path as code
Invoke-Item -Path "$Path\Report.html"
 
Write-Host -ForegroundColor Green "
      If the amount of free space is acceptable, hit ENTER to
      run the SvMotion portion of the script
      If not press Control-C to quit the script"
Read-Host
 
#Move the parent VM of each of the first $X non-compliant VMDKs to the target datastore set in $Datastore
$Datastores = $VMDKLocation | Select -First $X
Foreach ($VM in $Datastores)
{
    Move-VM -VM $VM.Parent -Datastore $Datastore -RunAsync
}
 
You can put as many of the Where {$_.filename -notmatch "DATASTORE"} lines in as you want, depending on how many datastores you have that are within your “compliant” list.  Just repeat the command separated by a | .  So:
Where {$_.filename -notmatch "DATASTORE"} | Where {$_.filename -notmatch "DATASTORE"}
 
Other than that, happy scripting!
 
Chris.

Wednesday 31 July 2013

The Case of the Really Slow vCenter Logons

My latest client had implemented vSphere 5.1 by themselves.  They had done a good job, following some in depth architectural processes. 
All was working well and the infrastructure was hosting a relatively small amount of production VMs successfully.
The only thing was, that authentication to vCenter was taking an incredible amount of time.  They were using SSO (as it was vSphere 5.1) to authenticate against a large, multi-domain AD forest.

Using the:
Measure-Command {Connect-VIServer -Server *****} command I got a decent benchmark:

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 238

238 seconds!?!?

My initial thought was that the slowness was solely due to the fact that the Domain Controller used to authenticate against was located in a different country, accessed across a WAN link.  Changing the identity source to a local DC would surely make a huge improvement?  I made the relevant changes in SSO to point locally and ran the command again:
 
Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 36

 
Better! But not good enough..
I scratched my head for a few more days, until I began thinking about the level in AD that SSO was searching at.

If SSO had to wade through hundreds of thousands of AD objects to find the User Group Membership, of course it would take a while.  So I checked the Base DN for Users and Base DN for Groups fields in SSO Administration and sure enough they had both been set at the very top level of the domain.

I queried AD to find which OU the groups and vCenter users were located in and entered this DN (Distinguished Name) in to the Edit Identity Source form.
I ran the measure-command again and got:

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 6

That was more like it!

 

NB: If you decide to make this change, make sure you put some thought into where the OU is within AD.  You don’t want to end up specifying an OU that’s too deep within the AD structure meaning that you exclude some of the people who should be logging on!
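One way to pick a Base DN that is as narrow as possible without locking anyone out, as an added example that is not part of the original post: it computes the deepest container shared by a set of DNs and lists any accounts a candidate Base DN would exclude. The function names and the sample DNs are constructed for illustration.

```powershell
# Added example. Function names and the sample DNs below are constructed.
function Split-DN {
    param([string]$DN)
    # Split on commas that are not escaped with a backslash (e.g. "CN=Smith\, Carol")
    [regex]::Split($DN, '(?<!\\),') | ForEach-Object { $_.Trim() }
}

function Get-CommonBaseDN {
    param([Parameter(Mandatory)][string[]]$DistinguishedName)
    $common = $null
    foreach ($dn in $DistinguishedName) {
        # Drop the leaf RDN (the object itself) and order the containers root-first
        $path = @(Split-DN $dn | Select-Object -Skip 1)
        [array]::Reverse($path)
        if ($null -eq $common) { $common = $path; continue }
        # Keep only the leading components both paths share (-eq ignores case)
        $n = [Math]::Min($common.Count, $path.Count)
        $i = 0
        while ($i -lt $n -and $common[$i] -eq $path[$i]) { $i++ }
        $common = @($common | Select-Object -First $i)
    }
    [array]::Reverse($common)
    $common -join ','
}

function Test-UnderBaseDN {
    param([string]$DN, [string]$BaseDN)
    # An object is in scope only if its DN ends with ",<BaseDN>"
    $DN.EndsWith(",$BaseDN", [StringComparison]::OrdinalIgnoreCase)
}

# Constructed sample. In a real domain the list could come from the AD module, e.g.
# Get-ADGroupMember 'vCenter Admins' -Recursive | Select -Expand DistinguishedName
$logonAccounts = @(
    'CN=Alice Admin,OU=VMware Admins,OU=IT,DC=corp,DC=example,DC=com'
    'CN=Bob Ops,OU=Operators,OU=IT,DC=corp,DC=example,DC=com'
    'CN=Smith\, Carol,OU=Contractors,OU=IT,DC=corp,DC=example,DC=com'
)

# Deepest OU that still contains every account: a safe Base DN for Users
$base = Get-CommonBaseDN -DistinguishedName $logonAccounts
Write-Host "Narrowest safe Base DN: $base"

# Accounts that a deeper, hand-picked Base DN would exclude from logging on
$candidate = 'OU=VMware Admins,OU=IT,DC=corp,DC=example,DC=com'
$logonAccounts | Where-Object { -not (Test-UnderBaseDN $_ $candidate) } |
    ForEach-Object { Write-Warning "Excluded by '$candidate': $_" }
```

Run the same check separately against the DNs of the groups used for vCenter permissions to choose the Base DN for Groups.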

 

Chris.

 

Thursday 25 July 2013

VM Migration Script

Hi Guys!

Hopefully this is the first of many posts!

So I've been working for a client who had a requirement to migrate their VMware environment from a third party provider to a completely separate, in-house VMware environment.  Obviously we wanted to make this transition as easy as possible, so out came PowerCLI!

The core of this script relies heavily on LucD's great Raiders Of The Lost VMX post:

The environment is NFS based and we were lucky enough that we had access to the 3rd party's NFS datastores. We simply mounted their datastores into our environment so we could view the datastores.
The 3rd party guys powered down the VMs and once giving us the thumbs up, we ran the script. Based on the VMs listed in the CSV in the $Path = "C:\DATA\Scripts\VM_Migration\vmlist.csv" variable a search is performed on the datastores.
We then perform a series of additional tasks:
  • Error checking. Is the VM now listed in the inventory properly? Confirmation written to a log on the script user's desktop.
  • Changes the vmnic to a hard set network name (It would be trivial to feed this information via a variable but in my case the ones we were migrating to were almost all the same)
  • Upgrades the VM hardware to hardware version 9. (They were running 4.1 still)
  • Powers the VM on (and answers the VM question you're prompted with)
The scope is there to perform all sorts of additional tasks by adding simple one liners (Upgrading VMtools!) however in this case it's all that was needed.

Here is my script:

#######################################################################
# Script Name: VMMigration.ps1
# Purpose: To migrate VMs from one VM environment to another
# environment based on only VM name
#
# Created by: Chris Lawrence
# Date: 10/06/2013
#######################################################################

Write-Host -ForegroundColor Green "
Please Note!

###################################################################
# It is a pre-requisite of this script that the VM names match #
# the VMX files exactly. If they do not then please press Ctrl-C #
# and rectify prior to running Script. #
# Please make sure that the list of VMs is in a CSV file and is #
# available in C:\DATA\Scripts\VM_Migration\ Hit ENTER to continue#
# Also please REMOVE any trailing spaces from the vmlist.csv! #
###################################################################"
Read-Host

# Set variables
#-----------------
$Administrator = [Environment]::UserName
$Date1 = Get-Date -Format d_M_yyyy
$Path = "C:\DATA\Scripts\VM_Migration"
$VMList = Get-Content -Path "$Path\VMlist.csv"
#The braces stop PowerShell reading "$Administrator_" as the variable name
$LogFile = "C:\Users\$Administrator\Desktop\VM_Migration_${Administrator}_$Date1.log"

#Gets a list of all connected datastores with the exception of local ones
$DatastoreList = Get-Datastore | where {$_.Name -notmatch "Local"}

$Cluster = Read-Host "Which Cluster is this batch of Virtual Machines to be hosted in?
Please make sure that you type the cluster name EXACTLY as in the inventory"

$VMFolder = Get-Datacenter -Name "**Your Datacentre**" | Get-Folder -Type VM -Name "Discovered Virtual Machine"

Start-Transcript -Path "C:\Users\$Administrator\Desktop\PowerCliTranscript_${Administrator}_$Date1.log"

#Searches every datastore for .vmx files
#This preps the variable for string input
$SearchResult = @()
ForEach ($NFSDS in $DatastoreList) {
    $ds = Get-Datastore -Name $NFSDS | %{Get-View $_.Id}
    $SearchSpec = New-Object VMware.Vim.HostDatastoreBrowserSearchSpec
    $SearchSpec.matchpattern = "*.vmx"
    $dsBrowser = Get-View $ds.browser
    $DatastorePath = "[" + $ds.Summary.Name + "]"
    $SearchResult += $dsBrowser.SearchDatastoreSubFolders($DatastorePath, $SearchSpec) | where {$_.FolderPath -notmatch ".snapshot"} | %{$_.FolderPath + ($_.File | select Path).Path}
}

#-----------------
#Cross references the inputted list of VMs with the list of VMX file locations in variable $SearchResult to produce a list of relevant VMX file locations.
#This preps the variable for string input
$VMXPath = @()
ForEach ($VM in $VMList) {
    #The name is escaped and anchored so that "." is literal and only paths ending in <name>.vmx match
    $VMXPath += $SearchResult -match ([regex]::Escape("$VM.vmx") + '$')
}

#--------------
Foreach ($VMFilepath in $VMXPath) {
    #Selects a random ESX server for the VM to be hosted upon (You can't select the cluster in PowerCLI). This should allow DRS enough time to level out the resource load.
    $ESXHost = Get-Cluster $Cluster | Get-VMHost | where {$_.PowerState -eq "PoweredOn"}
    $ESXHost = Get-Random -InputObject $ESXHost

    #Adds the vmx file to the inventory
    New-VM -VMFilePath $VMFilepath -VMHost $ESXHost -Location $VMFolder -RunAsync

    Write-Host -ForegroundColor Green "Added $VMFilepath to the vCenter Inventory"
    Write-Host -ForegroundColor Green "A log entry has been added to VM_Migration_${Administrator}_$Date1.log on the desktop"

    $Date = Get-Date
    Out-File -Append -InputObject "$Date $Administrator $VMFilepath added to inventory" -Encoding Unicode -FilePath $LogFile

    Start-Sleep -Seconds 15
}

#--------------
#Error checking. Confirms that each VM is now listed in the inventory and writes to the log file accordingly.
Foreach ($VM in $VMList) {
    $Date = Get-Date
    $VMCheck = Get-VM | %{$_.Name -contains "$VM"}
    If ($VMCheck -contains $true) {
        Write-Output -InputObject "$Date : $VM added correctly to inventory. Migration success!" >> $LogFile
    }
    Else {
        Write-Output -InputObject "$Date : $VM migration ERROR!" >> $LogFile
    }
}

Write-Host -ForegroundColor Green "
Check the Log File. The next section attempts to power on the
Virtual Machines. Hit Enter to continue"
Read-Host

Write-Host -ForegroundColor Green "
Powering on VMs..."

ForEach ($VM in $VMList) {
    #Sets the network, upgrades the virtual hardware and powers the VM on
    Get-VM -Name $VM | Get-NetworkAdapter | Set-NetworkAdapter -NetworkName "**Your VLAN**" -Confirm:$False
    Set-VM -VM $VM -Version v9 -Confirm:$False
    Start-VM -VM $VM -Confirm:$False

    Start-Sleep -Seconds 15

    #Answers the question the VM raises after being registered from another environment
    Get-VM -Name $VM | Get-VMQuestion | Set-VMQuestion -Option "I moved it" -Confirm:$false
}

Stop-Transcript


 
 
 
 
 

Happy Migrating!

Chris.