Jonathan Medd's Blog
Scripting. Powershell, VMware, Windows, Active Directory & Exchange. All that kind of stuff…..
-
vCenter Certificate Automation Tool – what is “the Original Database Password”?
Posted on June 17th, 2013 No comments
Having installed vCenter 5.1 U1a, it was time to replace certificates. Using the vCenter Certificate Automation Tool to replace self-signed SSL certificates with full certificates you will be taken through various menus to replace each certificate:
When the time comes to replace the vCenter Server certificate, you will first be in Menu 4 and then select Option 2, Update the vCenter Server SSL Certificate (starting to sound like a dreaded phone call to a utilities or government call centre yet? It’s almost as painful):
One of the questions prompted by selecting this option is “Enter the vCenter Server original database password”, preceded by some horrible warnings about what might happen if you get it wrong!
I’m not sure if the choice of the word ‘original’ is deliberate here or potentially misleading. Luckily for me this was a new install, not an upgrade, and since I was using Windows Authentication I took it to mean the password of the AD service account for vCenter. Using this was successful for me; what it means if you have historically changed the vCenter service account, moved from a SQL user or are currently using a SQL user is not immediately clear. I would take it to mean the current account used (Windows or SQL) by vCenter to connect to the database.
Would be interested to hear of others’ experiences.
-
vCenter Server 5.1 installation fails with “Wrong input – either a command line argument is wrong…”
Posted on June 14th, 2013 No comments
While installing a fresh vCenter 5.1 recently I was presented with this really helpful error message at the point where you are registering a vCenter Server administrator user or group with vCenter Single Sign On:
Wrong input – either a command line argument is wrong, a file cannot be found or the spec file doesn’t contain the required information, or the clocks on the two systems are not synchronized. Check vm_ssoreg.log in system temporary folder for details.
There’s a VMware KB article which references this, but it wasn’t quite my problem. Additionally it states that “This issue is resolved in VMware vCenter Server 5.1.0a”, whereas I was using vCenter 5.1 U1a and you would hope that the fix would be kept in for a later release.
A communities post here suggested that it may be related to the SSO install option I had chosen below for HA and the fact that the group above was local not AD based:
Switching the local Administrators group above for an AD based group then permitted me to continue the install.
-
Failed to verify the service account. Error code: [87] – when installing vCenter
Posted on June 14th, 2013 No comments
While installing vCenter 5.1 recently I experienced the following error at the point where you confirm the AD account to use for the vCenter service:
Failed to verify the service account. Error code: [87]
At first I figured I was mis-entering the credentials, but it turns out to be an issue if the user AD account for the vCenter service is the same name as the vCenter computer account.
Renamed the AD account and started the install again.
-
Windows Server 2012 on vSphere 5.0 – The Case of the Missing D:\ Drive
Posted on June 12th, 2013 1 comment
I sincerely hope this saves somebody else some time because I had a fair amount of head scratching with this today. Installed a Windows Server 2012 VM on vSphere 5.0 U2, pretty standard install with a C:\ drive for OS, Software etc and D:\ for data. This particular server needed to run SQL Server 2012, however the install kept repeatedly failing with the error “Could not find the Database Engine startup handle”. Initially I suspected that it might be a problem with a corrupt ISO as there are numerous postings around that and some, such as the below, suggesting that it could be an issue with mounting an ISO (I was pretty dubious about this though).
http://mbmccormick.com/2012/12/sql-server-2012-could-not-find-the-database-engine-startup-handle/
Having messed around with extracting the ISO, copying the files locally and other methods, eventually I tracked down in the SQL Server install log that it seemed to be having an issue reading and writing files to and from the D:\ drive during setup. During the SQL Server install wizard I’d specified that the path for databases, logs etc would be D:\. So I re-ran the installation and this time left the default of C:\ for everything and voilà, it worked!
No big deal I thought, I’ll simply change these locations post install. However, when I went to change the database server properties (or attempt to create a database) I was greeted with a dialogue box which only displayed the C:\ drive as accessible, no sign of D:\.
Although clearly Windows was happy that a D:\ drive was present.
This started ringing other bells because during the time I had been spending copying extracted ISO files around the $Admin share of D:\ had not been accessible (which I was going to look into later – should have done it then!).
Researching this issue landed me at this forum post on SqlServerCentral.com - Sql Server 2012 can’t see 2nd drive. In there they link to this VMware KB article - Disabling the HotAdd/HotPlug capability in ESXi 5.x and ESXi/ESX 4.x virtual machines. Essentially what is happening is that Windows is marking the drive as Removable (i.e. like a USB drive) and consequently some operations that we would normally expect to be available are not. If you look in the taskbar the drives are potentially removable – although in practice if you try to they are not because they are in use.
You can get round this either by applying the suggested workaround from VMware which is to add devices.hotplug = false into the .vmx file for the VM or in Windows disable a security policy in gpedit.msc under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access .
I went for the former which you achieve by:
Connect to the ESXi/ESX host or vCenter Server using the vSphere Client.
Power off the virtual machine.
Right-click the virtual machine and click Edit Settings.
Click the Options tab.
Click General > Configuration Parameters > Add Row.
Insert a new row with the name devices.hotplug and a value of false.
Power on the virtual machine.
Once powered on Removable Devices are no longer present:
The D:\ drive is available over the network via the $Admin share and SQL is now able to see the D:\ drive:
Incidentally, I blogged about this similar issue back in 2010 and at the time put the devices.hotplug setting into standard templates for Windows Servers; looks like I’ll need to do that for Windows Server 2012 too! Never seem to hear much about other people having issues with this problem though, would like to hear in the comments if it has caused you issues too…..
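For template checks, the same setting can be verified and written directly in .vmx text. The following is an added example, not part of the original post or the VMware KB: the function names Get-VmxSetting and Set-VmxHotplugDisabled and the sample .vmx lines are constructed for illustration, and the VM is assumed to be powered off when its .vmx is edited, as in the steps above.

```powershell
# Added example: read a key from .vmx text and force devices.hotplug to "false".
# Function names and the sample content are constructed for illustration.

function Get-VmxSetting {
    param(
        [string[]]$Content,   # lines of a .vmx file
        [string]$Name         # key to look up, e.g. devices.hotplug
    )
    foreach ($line in $Content) {
        # .vmx entries have the form: key = "value" (quotes treated as optional here)
        if ($line -match '^\s*([^#=\s]+)\s*=\s*"?(.*?)"?\s*$' -and $Matches[1] -eq $Name) {
            return $Matches[2]
        }
    }
    return $null              # key not present
}

function Set-VmxHotplugDisabled {
    param([string[]]$Content)
    $wanted = 'devices.hotplug = "false"'
    $found  = $false
    $result = foreach ($line in $Content) {
        if ($line -match '^\s*devices\.hotplug\s*=') {
            $found = $true
            $wanted           # replace whatever value was there
        }
        else {
            $line
        }
    }
    if (-not $found) {
        $result = @($result) + $wanted   # key was absent: append it
    }
    return @($result)
}

# Constructed sample: a Windows Server 2012 VM without the setting
$sampleVmx = @(
    '.encoding = "UTF-8"'
    'displayName = "sql2012-01"'
    'guestOS = "windows8srv-64"'
    'scsi0:1.fileName = "sql2012-01_1.vmdk"'
)

$before = Get-VmxSetting -Content $sampleVmx -Name 'devices.hotplug'
$fixed  = Set-VmxHotplugDisabled -Content $sampleVmx
$after  = Get-VmxSetting -Content $fixed -Name 'devices.hotplug'

[pscustomobject]@{
    SettingBefore = if ($null -eq $before) { '<not set>' } else { $before }
    SettingAfter  = $after
    LineCount     = $fixed.Count
}
```

To audit a real file, pass `Get-Content` of a copy of the .vmx as `-Content`.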
-
London VMUG – July 4th 2013
Posted on June 10th, 2013 No comments
The next London VMUG will take place on July 4th 2013 and it looks like a great line up as usual. I’m particularly looking forward to hearing the session about some real world experiences with vCenter SSO.
I also heard a rumour that there may be a few copies of a new vCloud book given away…….
-
Learning Points From PowerShell Scripting Games Event #4
Posted on June 7th, 2013 No comments
Event 4 for the PowerShell Scripting Games 2013 has closed, here are a few learning points I picked up on from entries submitted.
1) Random AD Users
The first part of this event is to work with 20 randomly selected users from Active Directory. Initial thoughts might be that this is pretty straightforward. If you use the Get-ADUser cmdlet from the AD module then you could do something like this:
Get-ADUser -Filter * | Get-Random -Count 20
This might be OK for small testing environments, but could potentially have some performance issues in an AD with thousands of users. It doesn’t matter so much for this event really, but don’t forget to consider potential performance issues for the real world.
For instance, if you did have an AD environment that size you could restrict the number of users returned with:
Get-ADUser -Filter * -ResultSetSize 500 | Get-Random -Count 20
Also for this event you don’t need to bring back all of the properties of a user, just those you need to export to the report. Use of the Properties parameter would speed up the query in a large environment too.
Get-ADUser -Filter * -ResultSetSize 500 -Properties Department,Title,LastLogonDate,PasswordLastSet,Enabled,LockedOut
2) Testing for additional commands
Since the AD team were slightly late to the party in terms of PowerShell and typically it was one of the first things people wanted to use PowerShell for, there are a number of different methods for accessing AD via PowerShell. You can use ADSI or .NET, the 3rd party set of cmdlets from Quest or since Windows 2008 R2 the Microsoft AD module.
In terms of this event, any of these approaches really is fine. However, I saw a few different approaches for how to test whether a snapin or module was potentially available for use, for instance checking if a cmdlet was present.
I would test it by checking if the snapin or module was installed on the system. Since Get-PSSnapin returns an error if the snapin doesn’t exist you might want to take two slightly different approaches depending on what you are working with.
try {
    $PSSnapin = Get-PSSnapin Quest.Activeroles.ADManagement -Registered -ErrorAction Stop
    Add-PSSnapin Quest.Activeroles.ADManagement
}
catch {
    "blah blah cloud"
}
or
if ($Module = Get-Module ActiveDirectory -ListAvailable){
    Import-Module ActiveDirectory
}
else {
    "blah blah cloud"
}
-
Learning Points From PowerShell Scripting Games Event #3
Posted on May 22nd, 2013 No comments
Event 3 for the PowerShell Scripting Games 2013 has closed, here are a few learning points I picked up on from entries submitted.
1) Filter to the left
Some cmdlets in PowerShell have their own filtering capabilities, which can make queries of large data sets more efficient. However, not all cmdlets do have this capability and you will need to pipe the results to Where-Object instead. It’s always worth checking the help and examples for a cmdlet first to see the best way to filter and if it has an option to do so then use it!
I’ve seen quite a few entries do this:
Get-WmiObject Win32_LogicalDisk -ComputerName "localhost" | Where {$_.DriveType -eq 3}
This will get you the right results, but better is to use the filter parameter of Get-WmiObject
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3"
2) ConvertTo-Html: PreContent and PostContent Parameters
Quite a few entries made nice use of these parameters to add additional content to the HTML output generated. For instance you could add an h2 header before the <table> with PreContent
Get-WmiObject Win32_LogicalDisk -filter "DriveType=3" | Select-Object Name,Size | ConvertTo-Html -PreContent "<h2>Local Fixed Disk Report</h2>" | Out-File Report.html
It’s possible to include PowerShell code as part of these parameters, so to fulfill one of the other requirements to place the date and time at the bottom of the report you could do something like this:
Get-WmiObject Win32_LogicalDisk -filter "DriveType=3" | Select-Object Name,Size | ConvertTo-Html -PreContent "<h2>Local Fixed Disk Report</h2>" -PostContent "<br><hr><p> $(Get-Date)" | Out-File Report.html
-
VCP-IaaS: Exam Resources
Posted on May 20th, 2013 1 comment
I recently passed the VCP-IaaS exam and thought I would share the resources I used in case it is useful for anyone else. This is the exam which gives those already certified as VCP on vSphere, the VCP-Cloud certification.
1) I took the VMware vCloud Director: Install, Configure, Manage [V5.1] course as my primary source. I enjoyed the course and felt it had a good mix of theory and hands on work. There are plenty of new networking concepts to grasp, so it was good to have many whiteboarded descriptions of them from a knowledgeable instructor. One thing to watch out for is that the course covers version 5.1, but the exam as of this date is still 1.5 – so you need to make sure you are aware of the key differences. Not many of significance for the exam, but the instructor did a good job of pointing them out. Why the exam is still testing 1.5 when 5.1 has been out since September 2012 I’m not sure!
2) The instructor told us that the previous version of the course for version 1.5 contained vCenter Chargeback content, but it had been removed from this course. It’s covered in the exam though, so a bit annoying that it’s no longer in the course. However, I found a free self-paced online course, VMware vCenter Chargeback Manager Fundamentals [V2.5]. Having sat through this I can see why it was removed from the vCD training course (boring). Apart from some technical information needed on setting it up, it’s mostly aimed at beancounters, but useful for getting enough info you need for the exam.
3) As always with any VMware exam make sure you read the blueprint and ensure you work through the mock exam. The blueprint is particularly helpful since it links to the correct versions of PDFs for the versions of vCD and vCenter Chargeback being tested on the exam.
4) Whether you install vCD in your homelab or not the online Hands-On-Labs from VMware contains one lab for vCD and two for vShield which are well worth doing for additional practice.
5) It’s always good to get some practice questions in to get you used to the typical kind of question you might be asked in the exam. So in addition to the mock exam, I also used the vCD practice tests from Paul McSharry.
6) Gregg Robertson has a useful list of VCP-IaaS resources on his blog.
7) One thing to get to grips with are the vCD networking naming terms, external, internal, isolate, direct, routed, various combinations of those terms etc and what they refer to. Between the training course, various blog sites and the exam, different terms often seem to be used for the same concepts which led to some confusion for me during the exam.
8) As of the date of publishing this post there is a 50% off code for any VCP exam available from this page on the Pearson Vue site.
In summary I felt that as with the vSphere VCP exam if you have enough hands-on-experience combined with a good understanding of the theory fundamentals, then you should be fine.
-
Learning Points From PowerShell Scripting Games Event #2
Posted on May 9th, 2013 No comments
Event 2 for the PowerShell Scripting Games 2013 has closed, here are a few learning points I picked up on from entries submitted.
1) Win32_Processor
This event is a bit of a sneaky one and if you haven’t been affected by the issue before then you may not know it. The particular issue I am referring to here is that “The number of physical hyperthreading-enabled processors or the number of physical multicore processors is incorrectly reported in Windows Server 2003“. The issue is essentially this:
“Before you apply this hotfix, the WMI classes and the WMI properties exhibit the following behavior.
Win32_ComputerSystem
- The NumberOfLogicalProcessors property is not available.
- The NumberOfProcessors property returns the number of logical processors that are available on the system.
Win32_Processor
- The number of Win32_Processor instances that are returned is equal to the number of logical processors that are available on the system.
- The NumberOfCores property is not available.
- The NumberOfLogicalProcessors property is not available.
After you apply this hotfix, the WMI classes and the WMI properties exhibit the following behavior.
Win32_ComputerSystem
- The NumberOfProcessors property returns the number of physical processors that are available on the system.
- The NumberOfLogicalProcessors property returns the number of logical processors that are available on the system.
Win32_Processor
- The NumberOfLogicalProcessors property returns the number of logical processors on the current instance.
- The NumberOfCores property returns the number of cores on the current instance.
- The number of Win32_Processor instances that are returned is equal to the number of physical processors that are available on the system.
”
This tripped me up once when I received back inconsistent results from a large server estate where I was querying via WMI the number of processors per server. Luckily in that environment I was able to deploy the hotfix everywhere, but you might not be able to and potentially you may have further inconsistencies with Windows 2000 servers that can’t be fixed. This event contains a Windows 2000 server, so you may need to code around it.
The initial thought would be to check the OS version, but then you would have to detect if the hotfix was installed if it was a 2003 box – probably too much work. So what we could do is check for the NumberofCores property on a WMI query for Win32_Processor and if it doesn’t exist calculate the number of cores and sockets via other means. I haven’t tested this on Windows 2003 minus hotfix or 2000 yet, but you should be able to count the number of unique SocketDesignations returned to determine the number of sockets.
$Processors = Get-WmiObject Win32_Processor
if ($NoOfCores = $Processors.NumberOfCores){
    $NoOfSockets = ($Processors | Measure-Object).Count
}
else {
    $NoOfCores = 'N/A'
    $NoOfSockets = ($Processors | Select-Object SocketDesignation -Unique | Measure-Object).count
}
2) Using Add-Member when creating custom objects
Event 2 requires you to output results and it’s good to see many people doing this by creating their own objects to output. A number of entries use the Add-Member cmdlet to add properties to their custom object. While this is a perfectly valid way to do it and was the technically prescribed way in PowerShell v1, I prefer a couple of different approaches and in this previous article explain why – mainly around performance. So I would do something like this (note that it does require PowerShell v3)
[pscustomobject] @{
    Name = $_.Name
    NoOfCores = $NoOfCores
    NoOfSockets = $NoOfSockets
    #etc........
}
Hope this helps!
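The two points above combined, as an added example that is not from the original post or any Scripting Games entry: a function that summarises sockets, cores and logical processors for both the pre-hotfix and post-hotfix WMI behaviour quoted in point 1, and emits a [pscustomobject] as in point 2. The function name Get-ProcessorSummary and the sample objects are constructed; the pre-hotfix branch follows the unique SocketDesignation idea above and assumes the NumberOfCores property is absent from pre-hotfix instances.

```powershell
# Added example: processor summary that tolerates pre-hotfix Win32_Processor output.
# Get-ProcessorSummary and the sample data are constructed for illustration.

function Get-ProcessorSummary {
    param(
        [Parameter(Mandatory)]
        [object[]]$Processor   # Win32_Processor instances, or stand-in objects
    )

    # Post-hotfix instances expose NumberOfCores; pre-hotfix instances do not.
    $hasCores = $null -ne $Processor[0].PSObject.Properties['NumberOfCores']

    if ($hasCores) {
        # One instance per physical processor: sum the per-socket counts.
        [pscustomobject]@{
            Sockets           = $Processor.Count
            Cores             = [int]($Processor | Measure-Object -Property NumberOfCores -Sum).Sum
            LogicalProcessors = [int]($Processor | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
        }
    }
    else {
        # One instance per logical processor: sockets come from unique designations.
        [pscustomobject]@{
            Sockets           = @($Processor | Select-Object -ExpandProperty SocketDesignation -Unique).Count
            Cores             = 'N/A'
            LogicalProcessors = $Processor.Count
        }
    }
}

# Constructed sample: dual-socket, hyperthreaded server WITHOUT the hotfix
# (four instances, one per logical processor).
$preHotfix = 'CPU1', 'CPU1', 'CPU2', 'CPU2' | ForEach-Object {
    [pscustomobject]@{ SocketDesignation = $_ }
}

# Constructed sample: dual-socket, quad-core, hyperthreaded server WITH the hotfix
# (two instances, one per physical processor).
$postHotfix = 'CPU1', 'CPU2' | ForEach-Object {
    [pscustomobject]@{
        SocketDesignation         = $_
        NumberOfCores             = 4
        NumberOfLogicalProcessors = 8
    }
}

Get-ProcessorSummary -Processor $preHotfix
Get-ProcessorSummary -Processor $postHotfix
```

Against a live system the call would be `Get-ProcessorSummary -Processor (Get-WmiObject Win32_Processor)`.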
-
Learning Points From PowerShell Scripting Games Event #1
Posted on May 1st, 2013 No comments
Event 1 for the PowerShell Scripting Games 2013 has closed, here are a few learning points I picked up on from entries submitted.
1) Get-ChildItem -Recurse
When you need to retrieve files from paths with subfolders the Recurse parameter of Get-ChildItem makes this really easy. For instance
Get-ChildItem -Path C:\Application\Log -Filter *.log -Recurse
is a really easy way to return everything below C:\Application\Log. In the specific instance of this event, this is OK because you only have three subfolders, but potentially there could be a lot more and some of them might not be relevant.
So a better way to do this might be to use wildcards in your path. For instance here we know that all of the subfolders that we are interested in contain the string ‘app’ so we could use something like the below:
Get-ChildItem -Path C:\Application\Log\*app*\*.log
Note you can use the * wildcard not only for part of the filename, but also the directory and you can combine multiple wildcards.
2) Copy-Item followed by Remove-Item
The goal of the event is to archive files from the expensive storage to cheaper, archived storage. Some examples used a two-step process to do this with:
Copy-Item..... Remove-Item.....
(and some did not even include the Remove-Item, so the files are duplicated). No need to do that, you can use Move-Item to make it a one step process.
3) Maintaining the Folder Structure at the Destination
Make sure you read all of the requirements for the event. One of which was to maintain the folder structure at the destination archive. So something like the following will simply end up with all of the log files in one unmanageable folder.
Get-ChildItem -Path C:\Application\Log\*app*\*.log -file | Move-Item -Destination C:\Archive
Since we are not using the Recurse parameter in the initial query, an attempt to move the file will fail because the path does not exist. Instead we can do something similar to the touch command in Unix to first create an empty file, then overwrite it with the file move.
Get-ChildItem -Path C:\Application\Log\*app*\*.log | ForEach-Object {New-Item -ItemType File -Path "C:\Archive\$($_.Directory.Name)\$($_.Name)" -Force; Move-Item -Path $_.FullName -Destination "C:\Archive\$($_.Directory.Name)" -Force}
Looking forward to seeing entries for the next event. Remember you can still join in and there are plenty of prizes to be won!
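An alternative to the empty-file trick in point 3, as an added example that is not from the original post or any event entry: create the destination folder explicitly, then move the file. The function name Move-LogToArchive, its parameters and the temporary demo tree are constructed for illustration; Move-Item is called without -Force so a name clash in the archive raises an error instead of overwriting the archived copy.

```powershell
# Added example: archive *.log files from matching subfolders, keeping folder structure.
# Move-LogToArchive and the demo tree below are constructed for illustration.

function Move-LogToArchive {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceRoot,
        [Parameter(Mandatory)][string]$ArchiveRoot,
        [string]$FolderPattern = '*app*'
    )

    # Same wildcard approach as point 1: <SourceRoot>\*app*\*.log
    $pattern = Join-Path (Join-Path $SourceRoot $FolderPattern) '*.log'

    Get-ChildItem -Path $pattern -File | ForEach-Object {
        $targetDir = Join-Path $ArchiveRoot $_.Directory.Name

        # Create the per-application folder once, instead of touching a placeholder file.
        if (-not (Test-Path -LiteralPath $targetDir)) {
            New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
        }

        if ($PSCmdlet.ShouldProcess($_.FullName, "Move to $targetDir")) {
            # No -Force: an existing file of the same name is reported, not replaced.
            Move-Item -LiteralPath $_.FullName -Destination $targetDir
            Join-Path $targetDir $_.Name    # emit the new location
        }
    }
}

# Demo on a constructed tree under the temp folder (nothing outside it is touched).
$root = Join-Path ([IO.Path]::GetTempPath()) ('logdemo_' + [guid]::NewGuid().ToString('N'))
$src  = Join-Path $root 'Application\Log'
$dst  = Join-Path $root 'Archive'

'App1', 'OtherApp', 'Temp' | ForEach-Object {
    New-Item -ItemType Directory -Path (Join-Path $src $_) -Force | Out-Null
    Set-Content -Path (Join-Path $src "$_\sample.log") -Value 'constructed log line'
}

# Only App1 and OtherApp match *app*; Temp\sample.log stays where it is.
Move-LogToArchive -SourceRoot $src -ArchiveRoot $dst

Get-ChildItem -Path $root -Recurse -File | Select-Object -ExpandProperty FullName
Remove-Item -LiteralPath $root -Recurse -Force
```

Run it with `-WhatIf` first to list what would be moved without changing anything.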