vNiklas Virtualization blog

Hi

I was informed that my script in the last post was not enough because @pfuhli has a bit more complex environment and then the Move-VM cmdlet is not sufficient because it moves the whole vm to the new datastore, no matter if the vmdk´s where located on different before.

As in some cases you have an virtual platform with different datastores for different performance levels and one VM has it´s vmdk configured to get the best throughput. So i  did this with help from a script that Luc Dekens did in a communities post, mine added some functionality as his only moved the config file.

please comment if you find something crazy, I have now started to get the hang of why I would use functions , yes i should add some error-checking, that will be in version 0.3

Probably it would take some time to get through 500 VM´s but instead of manual work it is worth it.

# Move VMs with sVMotion where vmdk is on different datastores and
# lastly move the config file to the same datastore as hard disk 1
#
# Niklas Åkerlund / RTS 20111127
# Part of code from Luc Dekens http://communities.vmware.com/message/1680735

# Here i extended Luc´s function for moving only config
function Move-VMs{
    param($vm)
	Write-Host $vm
    $HDDs = Get-HardDisk -VM $vm    
	# a foreach loop to move vmdk
	$HDDs | %{
		# Get the datastore name of the old
		$oldDS = $_.Filename.Split(']')[0].TrimStart('[')
		# as @pfuhli said the new lun has a preceding letter that differs from the old.
		$newDS = "N" + $oldDS 
		# Here i check which is the first hdd to later move the config there
		if ($_.Name -eq "Hard disk 1"){
			$dsNameHDD1 = $newDS
		}
		$newDS = Get-Datastore $newDS
		Set-HardDisk -HardDisk $_ -Datastore $newDS -Confirm:$false
	}
	
	# This part is for moving the config file
	$HDDs = Get-HardDisk -VM $vm
	$spec = New-Object VMware.Vim.VirtualMachineRelocateSpec 
	$spec.datastore = (Get-Datastore -Name $dsNameHDD1).Extensiondata.MoRef
    $HDDs | %{
        $disk = New-Object VMware.Vim.VirtualMachineRelocateSpecDiskLocator
        $disk.diskId = $_.Extensiondata.Key
        $disk.datastore = $_.Extensiondata.Backing.Datastore
        $spec.disk += $disk
    }
    $vm.Extensiondata.RelocateVM_Task($spec, "defaultPriority")
}

Get-VM | %{ 
	Move-VMs $_ 
}

Before running it on all VM´s i would test it on a few and then when feeling comfortable, you can move all

I have after reading a tweet written the simplest script for a SAN exchange, my script just look for the VMs associated with one datastore and storage vmotion them to an new datastore with no downtime of course this requires Enterprise or higher in your vSphere licensing.

I have done some assumptions that there is equally many datastores provisioned in the new as the old and that no VMs have RDMs and vmdk on several datastores.

The Get-Datastore cmdlet can filter using wildcards like *c2* if your naming convension is complex and you need to find your old/new datastores objects.

For each old datastore i wait 30 minutes before starting on the next, maybe this must be set a bit higher depending on how long the storage vmotion takes and how large the datastores/vmdk´s are. Maybe we should put a sleep after starting move of each VM?! I have not yet had the pleasure testing in a large environment yet..

# Move VMs to new datastore using SVMotion
#
# Niklas Akerlund /RTS
#

# I want all old and new datastores as objects in arrays
$OldDatastores = Get-Datastore vmfs-volumes-old0*
$NewDatastores = Get-Datastore vmfs-volumes-new0*
$i = 0

# Get all VMs in each old datastore and move them
Foreach ($OldDatastore in $OldDatastores){
	$VMs = Get-VM -Datastore $OldDatastore
	
	Foreach ($VM in $VMs)
	{
		# Move the VM to a new datastore
		$VM | Move-VM -Datastore $NewDatastores[$i] -RunAsync
		
	}
	
	$i++
	# we want to give the SVMotions a little time before taking the next datastore 
	Start-Sleep 1800
}

I would recommend testing on a single datastore or a few VMs and when feeling comfortable running on all datastores..

I have today started creating a script that is sort of a check that when installing new hosts, all of them are configured the same.

It is still very simple but yet kind of powerfull, we can easily see in the html report if some vmk nic is on the wrong IP subnet or not Jumboframes activated, the following screen dump shows the report, yes it is no fancy headlines and stuff yet

I am going to work a lot more such as built in error checking and try to get some nice colors if a value differs with the other hosts, and also reporting on vSwitches and portgroups that they have the right uplinks etc, but that will have to be tomorrow or another day

# Check for Host Configuration and report
#
# Niklas Åkerlund / RTS
#

$vCenter = "vcenter.demo.local"
$AdvConf = @()
$Cluster = "Cluster1"

# We only want to get info from hosts that are online
Connect-VIServer $vCenter

$VMHosts = Get-Cluster -Name $Cluster | Get-VMHost | where {$_.ConnectionState -eq "Connected" }

# Get the cluster config 
$ClusterConf = Get-Cluster -Name $Cluster | Select-Object Name,HAEnabled,HAAdmissionControlEnabled,HAIsolationResponse,VMSwapfilePolicy,DrsEnabled,DrsMode,DrsAutomationLevel | ConvertTo-Html -Fragment


# Get Basic Conf 
$BaseConf = $VMHosts | Select-Object Name,Model,NumCPU,MemoryTotalMB,Version,Build,VMSwapfileDatastore | Sort-Object Name | ConvertTo-Html -Fragment

#adv config settings
foreach ($VMHost in $VMHosts){ 
		$into = New-Object PSObject
		Add-Member -InputObject $into -MemberType NoteProperty -Name VMHost $VMHost.Name
		$AdvScratch = Get-VMHostAdvancedConfiguration -VMHost $VMHost -Name ScratchConfig.ConfiguredScratchlocation
		$AdvScratch = [string]$AdvScratch.Values
		Add-Member -InputObject $into -MemberType NoteProperty -Name ScratchLocation $AdvScratch
		$AdvSwap = Get-VMHostAdvancedConfiguration -VMHost $VMHost -Name ScratchConfig.CurrentSwapState
		$AdvSwap = [string]$AdvSwap.Values
		Add-Member -InputObject $into -MemberType NoteProperty -Name Swapstate $AdvSwap
		$AdvSyslogRemote = Get-VMHostAdvancedConfiguration -VMHost $VMHost -Name Syslog.Remote.Hostname
		$AdvSyslogRemote = [string]$AdvSyslogRemote.Values
		Add-Member -InputObject $into -MemberType NoteProperty -Name SyslogRemote $AdvSyslogRemote
		$AdvSyslogLocal = Get-VMHostAdvancedConfiguration -VMHost $VMHost -Name Syslog.Local.DatastorePath
		$AdvSyslogLocal = [string]$AdvSyslogLocal.Values
		Add-Member -InputObject $into -MemberType NoteProperty -Name SyslogLocal $AdvSyslogLocal
		$AdvConf += $into

}

$AdvConf = $AdvConf | Sort-Object VMhost | ConvertTo-Html -Fragment

# Vmk ports and their MTU

$NetConf = $VMHosts | Get-VMHostNetworkAdapter | where {$_.Name -match "vmk"} | Select-Object VMHost,Name,IP,VMotionEnabled,FaultToleranceLoggingEnabled,ManagementTrafficEnabled,Mtu,PortGroupName | Sort-Object Name,VMHost | ConvertTo-Html -Fragment

# Create the html report from the different parts 
ConvertTo-Html -body "RTS Install documentation <p> $ClusterConf <p> $BaseConf <p> $AdvCOnf <p> $NetConf" -Title "RTS Installationscheck" | Out-File install.html

Today i realized that i was kind of vulnerable with my Mac. Of course if anyone get the hands on your computer that is not good. Todays post will give you a little heads up and  some of you will secure your MacBooks from immediate access. There are always ways to get hold of your data but don´t do it to easy.

I had totally missed the firmware password, which is used as a security add-on that prevents any user to take your Mac and boot into rescue mode and then reset your password.

So how do you reset password on someones computer then,

Reboot the Macbook and press the “Option + R” , then you will get the recover boot

As you can see in the Utilities menu list there are some different tools, the one we want is the Terminal, and there you type “resetpassword”, without any cd or external osx media you get a root terminal to use..

You will get a fine graphical dialog asking what volume and what account you want to reset password on!

So how can we make it a bit more difficult to do this then? Still not impossible but at least more difficult and time consuming

The highlighted menu option in the first picture “Firmware Password Utility” is the one we want and set a password that is going to be asked for every time we want to do some alternative booting (Recover mode, usb hdd, DVD )

So now i have activated this and how does it work, if i boot ordinary i will not get any log in promt at boot asking me to enter firmware password, but if hold down the “option” key i will get a password prompt asking me for the firmware password, the following image shows how this looks like.

This is of course no security for your data that you store on your drive, if the evil forces want your data they can take out the hdd and connect it to another computer to get data. If you are running around with sensetive data you should also enable filevault and encrypt your profile and files. In System Preferences under Security and Privacy you can enable the FileVault. As it clearly says in the warning, if you loose your password and recovery key your data is gone! And it has to be the password that you set it up with, it will not work with a reset password.

Described in several google hits there are ways to reset the firmware password also, I have not tried those yet but i will..

I also use TrueCrypt to save files and stuff on encrypted volumes.

Yes powershell can be used to administer your Active Directory, but you could do some serious damage also. I will show you one particular case where things can go very wrong and how to recover from it.

To use cmdlets for AD you simply start your powershell console and type

Import-Module ActiveDirectory

You get quite a few cmdlets to help you automate your user administration, if you write the following in your console it will list all of them.

Get-Command *-AD*

Well now to the problem, as a domain admin you do have some privileges and say that you want to disable some user accounts and you forget to add a searchbase or your filter does not do as you wish and in one line you have disabled all accounts in your domain, including admin. IF and i say IF you realize that misstake and quickly go in and enable the accounts again, you are safe, but if you log out of your session you wont be able to log in again with any account

Get-ADUser -Filter * | Set-ADUser -Enabled $False

try to log in as domain administrator and you will get this, on any DC (as long as your replication is working and if it is not you have other problems, trust me)

So how do we fix this then? luckily there is a way to do this and it is quite easy. You have to find a windows iso and as in this case a Win 2008 r2, start it in repair mode and start a CMD

when the command promt is started do this (i found it in another blog from Matheu the difference here is that i use net user administrator /active:yes to enable instead of change password)

• Go to c:\windows\system32
• Rename Utilman.exe to Utilman.exe.bak
• Copy cmd.exe to Utilman.exe
• Reboot on Windows
• Do the keyboard shortcut Windows + U when on the logon screen
• net user administrator /active:yes
• log on with the domain admin account
• Reboot on the DVD to put back the original Utilman.exe

Instead of panicking and try to restore your AD you can easily as i described log in again. This is of course a big security thing to consider in a virtual environment where users that have access to the virtual infrastructure but are not domain admins can manipulate virtual Domain controllers to get access to the administrator password “net user Administrator newpasswd123″. Here is a link to all net user commands.

So if i am going to do some account disabling i would include a searchbase in my Get-ADUser to not get the Administrator locked out by mistake and actually take the right OU to modify users on.

Get-ADUser -Filter * -SearchBase "OU=Employees, DC=Test, DC=local" | Set-ADUser -Enabled $False

In my test environment i used two DC´s and both the lock and unlocking replicated quite fast. There is maybe a way with the Active Directory Domain Services Recovery without having to do a restore, i will look into that and do a follow up post if i find any easy ways!

I got a question what network card some VMs had in a datacenter, as a best practice you should use VMXNET 3 where it is possible because it gives the best performance.

So i wrote this very simple script in a few lines that do a csv export of all VMs and what kind of NIC they have, of course one could extend it with OS and stuff but that will have to be next time cause my schedule is kind of tight.

When you use the wizard to set up a Windows 2008 R2 the vSphere set an E1000 NIC by default and that is not what we want, so set up a correct template or remove this nic and add a new when installing single machines!

# Get the Virtual Network Adapter
#
# Niklas Åkerlund / RTS
$VMs = Get-VM *
$Data = @()
foreach ($VM in $VMs){
$NICs = $VM.NetworkAdapters
foreach ($NIC in $NICs) {
$into = New-Object PSObject
Add-Member -InputObject $into -MemberType NoteProperty -Name VMname $VM.Name
Add-Member -InputObject $into -MemberType NoteProperty -Name NICtype $NIC.Type
$Data += $into
}
}
$Data | Export-Csv -Path e:\temp\admna\NICs.csv -NoTypeInformation