I forget the firmware of the original chassis, something like 1.0-something. It should have been 0.-something. That original chassis is still around, but being physically moved to a different datacenter, so I can’t check the actual version. It really seemed like a beta product and shouldn’t have been released yet.

So, why am I writing this? We got a new chassis running on version 1.4(3q) and none of the issues I had previously are there, in regards to the hosts dropping offline.

I hammered it as hard as I could and the blades are 100%. I felt it was only right to provide an update and give my ‘stamp of approval’. When I get the original chassis back online, I’ll update the firmware and see how it goes…

With the addition of get-vmhosthba in PowerCLI, you can get this information somewhat easier. At line 46

$hbas = Get-View (Get-View (Get-VMHost -Name $vmhost).ID).ConfigManager.StorageSystem

becomes

$hbas = Get-VMHostHba -vmhost $vmhost -Type FibreChannel

Since that pulls only fibre channel HBAs, the foreach changes to simply $hba in $hbas, and the if statement is no longer needed (line 47-50):

foreach ($hba in $hbas){
$wwpn = "{0:x}" -f $hba.PortWorldWideName
Write-Host -foregroundcolor green `t "World Wide Port Name:" $wwpn
}

Here’s the new version –> Get-WWN.ps1

 <– I would get this far, reboot 3 times, then Windows Server 8 would die, as follows.

 <– First option would end up back here

 <– Second option above ends up here

I tried the typical bootcfg commands, but it couldn’t read the boot.ini. Some other tests were showing the disk was read-only, which was strange. William’s post was for 2008 R2 and not Windows Server 8, but it worked for the most part. I did have a few other issues I worked through, continue reading for those and how I fixed them.

Do as instructed in the post I referenced (create an empty Windows 2008 R2 VM), accept most defaults, except set the NICs to None. I tried the E1000, but it would blue screen with ‘dpc_watchdog_violation’ every time. I used VMXNET3, but VMware Tools installation would hang at the VMXNET3 drivers. I did find that the E1000E worked 100% without the tools needing to be installed.  You have to add the NIC AFTER VM creation.  Once the VM is created, change the guest OS to ESXi 5.x, save it, now go back and add two (2) E1000E adapters (you could probably only add 1), save it again. Setting OS to ESXi 5 will also add some cpu masking, which we’ll address later. You need to make sure you add hypervisor.cpuid.v0 = “FALSE” in the vmx file, you can do this however you like, I used vi.

<– The stuff in Blue was from setting guest OS to ESXi 5. Yellow depicts my E1000E, and Red is what I added.

Also make sure you set CPU/MMU Virtualization to Intel VT-x/AMD/V and Intel EPT/AMD RVI:

Make sure it saved, now go back into the VM settings in the GUI, Options Tab, and CPUID mask. I clicked Reset All to Default, then set Level 1 ecx to “—- —- —- —- —- —- –H- —-” as pointed out in Williams post, save everything and check the vmx file, it will look a little different. Now you’ll need to also add mce.enable = “TRUE” (in red).

 <– The stuff in Blue here is after resetting the CPUID Mask, then Red is what I added.

After I did all this, the server booted up fine after installing Hyper-V version 3.  I discovered the mce.enabled thing HERE after some googling.

Not sure if this matters, but I did NOT install VMware Tools prior to enabling the Hyper-V role. When I talked about it previously, I never got it to work right, so left that step out until the role worked.  After Hyper-V is installed, I installed ‘Typical’ VMware tools and all is well.

Good luck!!

The main guts of the script use Set-VMHostAuthentication, and that’s really it. To address the bug we have to use Set-VMHostFirewallDefaultPolicy to turn of the fw (or allow all incoming/outgoing), join the domain, then turn it back on. The rest of the script is logic, checking for needed stuff.

Take note I used $host.ui.PromptForCredential again, since I could let the user know which creds I need, AD versus ESXi login. I basically used the Get-WWN script as a template and changed/added what I needed.

When populating the $VMHosts variable, it only pulls hosts with ESXi version 5.*. Later in the script, you’ll see another check for version number, that’s for standalone hosts. I need to check when connecting directly to the host, then $foreach.movenext if it’s not 5.*, but I haven’t figured out an efficient way to get that done. A little help maybe?

Usage:Join-Domain.ps1 -VMHosts ("host1","host2","host3") -domain my.domain or Join-Domain -vc vcenterserver -container cluster1 -domain my.domain

I left container as required so you can target what you want. I tested it against a few clusters with different versions of ESXi, and everything seemed to work well.

One strange thing, though, is the host connection state has to be ‘connected’. If it’s in maintenance mode, set-vmhostauthentication won’t work. Why? I dunno, bug imo, it should work in either connected or maintenance mode.

I slapped this together quickly, so if you notice anything wrong, please let me know. If you know of another way, please tell me, too, I’m always happy to learn other ways to do things.

Script (also attached at the bottom below the code block):

param([string]$vc = "vc", [string]$container = "container", [string[]]$VMHosts = "VMHosts", [string]$domain = "domain")
 
Add-PSSnapin VMware.* -ErrorAction SilentlyContinue
 
#usage info
function usage()
	{
	Write-host -foregroundcolor green `n`t"This script is used to join ESXi 5 hosts to the AD Doamin provided."
	Write-host -foregroundcolor green `n`t"You can either specify -VMHosts as an array:"
	write-host -foregroundcolor yellow `n`t`t"Join-Domain -VMHosts (`"host1`",`"host2`",`"host3`") -domain my.domain"
	Write-host -foregroundcolor green `n`t"or specify -vc and -container, where container is a host name, cluster, folder, datacenter, etc:"
	write-host -foregroundcolor yellow `n`t`t"Join-Domain -vc vcenterserver -container cluster1 -domain my.domain" `n
    write-host -foregroundcolor green `t"You can use either -VMHosts or -vc and -container, not a combination of them."
    write-host -foregroundcolor red `n`t"remember, -domain is required!" `n
	}
 
function JoinDomain{
    #We need AD creds to join
    $AD_creds = $host.ui.PromptForCredential("AD Credentials Required", "Please enter Domain credentials to join computers: user@$domain", "", "")
 
    if ($esx -eq 1)
        #do this only if connecting directly to ESX hosts
        {
        $VMHosts_creds = $host.ui.PromptForCredential("ESX/ESXi Credentials Required", "Please enter credentials to log into the ESX/ESXi host.", "", "")
        }
 
    if ($vcenter -eq 1)
        #do this if connecting to vCenter to populate VMHosts
        {
        connect-viserver $vc > $NULL 2>&1
        write-host -fore green "Pulling ESXi 5 hosts from $container in $vc"
        $VMHosts = get-vmhost -location $container | ? {$_.Version -like "5.*"} | sort name
        }
 
        foreach ($VMHost in $VMHosts){
        if ($esx -eq 1)
            #do this only if connecting directly to ESX hosts
            {
            connect-viserver $VMHost -credential $VMHosts_creds > $NULL 2>&1
            }
		Write-Host -foregroundcolor green "Server: " $VMHost
        $getvmhost = get-vmhost $vmhost
		if (($getVMhost.Version -like "5.*") -and ($getVMHost.ConnectionState -eq "Connected"))
        {
            #the next step is for 5.0 without update 1, there's a bug addressed in update 1
            $getvmhost | Get-VMHostFirewallDefaultPolicy | Set-VMHostFirewallDefaultPolicy -AllowIncoming $true -AllowOutgoing $true > $NULL 2>&1
            #what actually joins the machine to the domain
            $getvmhost | get-vmhostauthentication | Set-VMHostAuthentication -Domain $domain -Credential $AD_creds -JoinDomain -confirm:$false > $NULL 2>&1
            #lets turn this back on
            $getvmhost | Get-VMHostFirewallDefaultPolicy | Set-VMHostFirewallDefaultPolicy -AllowIncoming $false -AllowOutgoing $false > $NULL 2>&1
            write-host -fore green "done with $vmhost"
            if ($esx -eq 1)
            #disconnect from the current ESX host before going to the next one
            {
                disconnect-viserver -confirm:$false
            }
		}
        Else{Write-host -fore red `n`t "Skipping $VMHost, hosts cannot be in maintenance mode, retarded, I know, must be in a `'Connected`' state."`n}
	}
    if ($vcenter -eq 1)
        #disconnect from vcenter
        {
        disconnect-viserver -confirm:$false
        }
}
 
if ((($VMHosts -eq "VMHosts") -or ($domain -eq "domain")) -and (($vc -eq "vc") -or ($container -eq "container") -or ($domain -eq "domain")))
    #if VMHosts, vc, container, or domain is blank
	{
	usage
    break
	}
 
elseif (($VMHosts -ne "VMHosts") -and (($vc -ne "vc") -or ($container -ne "container")))
    #if VMHosts and vc or container is used
	{
	usage
    break
	}
 
elseif ((($VMHosts -ne "VMHosts") -and ($domain -eq "domain")) -and (($vc -eq "vc") -or ($container -eq "container") -or ($domain -eq "domain")))
    #if only VMHosts is used and domain was blank
	{
    usage
    break
    }
 
elseif (($VMHosts -eq "VMHosts") -and (($vc -ne "vc") -and ($container -ne "container") -and ($domain -eq "domain")))
    #if vc and container are used, but domain is blank
	{
    usage
    break
	}
 
elseif (($VMHosts -ne "VMHosts") -and (($vc -eq "vc") -or ($container -eq "container") -or ($domain -eq "domain")))
    #if only VMHosts is used, set our esx variable to 1
	{
    $esx = 1
    JoinDomain
    }
 
elseif (($VMHosts -eq "VMHosts") -and (($vc -ne "vc") -and ($container -ne "container")))
    #if vc and container are used, 
	{
    $vcenter = 1
	JoinDomain
	}

Here’s the actual .ps1 file: Join-Domain.ps1

It does have the VMware View client, which uses PCoIP, and it works well. Some of the Google framework must be stripped because Google+ cannot be installed, and I had to side-load a really old version to get it to install. I haven’t tested beyond that, like hangouts and such.

The voice & video calls work well on our network (not published externally), and I like that I can use my BT headset to talk on my desk phone. I’ll even receive emails on it (via EAS push) before they show up on Outlook.

What I did notice was how 3D rendering looks different in Quadrant versus my phone (MyTouch 4G), there are no textures in the graphics section. I’ve noticed some of the animated windows aren’t as fluid as my Gtablet either. The Gtablet is Tegra 2, but still, you’d think the 1.6GHz Atom coupled with whatever GPU it has would be better.

Also, over time, the clock seems to drift. On several occasions, it’s more than 2hrs off. I assumed it was because the tablet was off AND the battery died: however, after being plugged in 100% of the time over night, it was off. I unplugged it and left it until this morning and at 8:46am it thought it was 6:17am. That’s a large difference.

What I also noticed is that over time it will disconnect from the VOIP network. I tried disabling & re-enabling wifi, but when disabled, I still have the wifi icon on the top. The only way I’ve found to get it back is a reboot. I didn’t realize this was a windows tablet :P

The interface itself is kind of lacking, in that navigating an email you’re writing (moving the cursor around to change stuff) is cumbersome and causes me to want to break things at times. All the more reason I like my optical track pad, much like the track ball on my old Nexus 1 and MyTouch 3G, maybe I’m just spoiled. The email client is ‘eh’ too, but I’m sure you could install whatever email client floats your boat, given it’s available for the Cius.

I still use the tablet, but I think it could benefit from more aftermarket support. Dell’s coming out with a new Atom-based tablet with Win8, and I’d like to find a way to fit that on the Cius, but I just don’t have the time.

It’s snappy, runs the i7-2637M with 4GB of RAM, and a 256GB SSD.  It has the typical USB 3.0 & display ports, and that’s really it, other than headset & power barrel connectors.

The screen is almost edge to edge, has ambient light sensor, web cam, and stereo mics up top.  The keyboard really nice, easier to type on than my E6420, and the sound is crystal clear.  It was actually impressive how well the audio is, it surprised me.  I cranked it up in my cube and realized I was probably interfering with those on the phone.  I’m still streaming pandora as I type this amazed at the quality from this tiny thing.

Like a lot of the newer laptops, it has a rubber gasket around the glass to keep dust out when closed.

The back cover is a nice aluminum, which goes well with the aluminum trim around the base.  What got me was the carbon fiber on the bottom.

It’s running Windows 7 and scored a 5.4, due to graphics for Aero (typical in a laptop).  The SSD hit 7.9, CPU hit 6.8, and RAM hit 5.9.

Overall, I really like it, despite missing a true HDMI port, or SD card reader (things I use more often than not).

Pretty sweet, imo, too bad I have to give it back :-(

Please excuse the quality of my cell phone pics, the don’t do it justice.

Feel free to shoot me an email, luke at thephuck.com, or on twitter @thephuck.  I’d like to gather everyone’s ideas and responses to build another collaborative post.  I was going to build a survey, but I like discussions a lot better than a form to fill out.  This is geared more towards the IT/IS shop with a decent investment in virtualization, but not a hosting company.  My production environment alone is roughly 100 hosts spread across about 14 clusters in four different geophysical locations.  I don’t really expect the smaller shops with ~50 hosts in one or two DCs to expand how we did.

I personally feel the virtualization stack as it has been known is going to be less visible in the future, due to internal clouds.  It’s not really viewed as having an ESXi host to put VMs on, rather than a cluster where VMs live and move around freely.  We’ll be less concerned with building hosts as we did traditionally, and will do a lot more stateless builds where a rip & replace is done very easily.  That’s pretty much done today.

Some of my concerns are the underlying hardware, fewer larger boxes (16-32 cores & 512GB of RAM) versus more smaller boxes.  I currently deploy with 256GB of RAM and that gets me near 50:1 with RAM being my limitation in a 2 pCPU box.  We’re a VMware shop, so I don’t see a shift to Hyper-V for me, but maybe others?  Nothing wrong with it, just this is the path we chose.  That being said, I haven’t really had a chance to get into VCD, and I believe that’s a route we need to go down as well if you want a more fluid/automated cloud.

I find myself doing a lot of day to day maintenance, or focusing on short-term goals, and often lose sight of the road that’s way ahead.  I can see what’s down the road in front of me, but what about down the road, around the bend, and to the left?

TIA!

I tried to find the wireless profiles in the control panel with no success, so I decided to manually connect to a network, which told me one already exists with that name.

If you click “Use existing network”, nothing happens, in fact, I’m still waiting :D Since my laptop would no longer connect, and it was past my bed time, I felt the need to work harder at this to figure it out instead of just enabling SSID broadcast on my AP. That’s too easy and would admit failure, which I will never give in to “The Man” (aka Microsoft), plus, I’d have to peel myself off the couch to find another device to connect. The ‘netsh’ command popped into my head, and sure enough, what I wanted can be done that way. I prefer CLI, so I rejoiced for about 0.5s, then moved on. From a simple ‘netsh wlan’ command, I was able to find out I could do all sorts of nifty things, including add, export, and delete. Sure, I could simply delete the profile I wanted and then manually add it through the GUI, but that’s entirely too simple, so I exported the one I wanted to edit. To list your profiles, runnetsh wlan show profilesThen to export the one you want to edit, runnetsh wlan export profile ThepHuckNo, my SSID is not named that, created the profile for this post via netsh!! No war driving through my neighborhood! That command exports an xml file to the pwd, open it and you’ll see this:
I changed nonBroadcast to true, and tried to import it, but got an error that the xml file was corrupt. I’m assuming it had to do with the passphrase, so I changed protected to false and typed in the password like this:
Then, I rannetsh wlan add profile filename="ThepHuck.xml" and not more than 30s later, I started writing this post from my Win8 dev laptop that was now connected to my wifis!  Hope this helps someone out there.

• You’ll need an openssl.cnf file in that directory
• Folder structure for Root CA
• Serials for certs
• I think that’s it

First thing’s first, the openssl.cnf file: openssl.cnf. Most of these files you find on the web have the demoCA folder, so I left it and just changed the path to that. I also added the v3_ca extension at the bottom.

Next is the folder structure, you need to create the ‘demoCA’ directory under the bin folder, and a ‘newcerts’ folder under that:mkdir d:\openssl-win32\bin\demoCA\newcertsThat creates both for us.

Now we need to copy the serial file over, for certificate serial numbers:copy d:\openssl-win32\bin\pem\democa\serial d:\openssl-win32\bin\democa

Lastly, we need an empty index.txt file. You can do this however you wish, but an easy way is via notepad & cli:notepad d:\openssl-win32\bin\demoCA\index.txtIt will prompt you that it doesn’t exist and needs to create it. That’s what we want, save and close it once opened.

Now the fun part of actually creating your root CA, simply run this from wherever you want:openssl req -new -x509 -extensions v3_ca -keyout rootca.key -out rootca.crt -days 3653 -config openssl.cnf

Can you guess why I did 3653? I ran it from the d:\openssl-win32 directory, which is where my openssl.cnf file is located. Now, this command created our rootca.key and rootca.crt files. If you do a dir rootca*, you should see them.
Some things to note:
Enter PEM pass phrase: <--- this should be a $tr0n6 P@s$w0rd that you can keep track of, you'll have to use it when signing certs, same with these:Country Name (2 letter code) []:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) []:San Antonio
Organization Name (eg, company) []:ThepHuck
Organizational Unit Name (eg, section) []:Luke
Common Name (eg, your websiteÆs domain name) []:thephuck.com
Email Address []:EMAIL HIDDENWhen creating CSRs, some fields are required to match what the root CA has, some just need not be blank, and others are optional. This is governed by the opennssl.cnf file and needs to be set BEFORE creating the root CA. My supplied openssl.cnf file has the following:# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Moving on...we're going to overlap a little from yesterday's post regarding Certificate Signing Requests (CSRs), but I'm not going in to detail on that. Let's say we already have our csr file and need to sign it.

Now we need to sign that csr file. I ran this command from my p:\vclab folder, which requires us to supply the path to rootca.key, rootca.crt, and root CA's openssl.cnf file:openssl ca -cert d:\OpenSSL-Win32\rootca.crt -keyfile d:\OpenSSL-Win32\rootca.key -out rui.crt -config d:\OpenSSL-Win32\openssl.cnf -infiles rui.csrThis will have a few prompts, like the $tr0n6 P@s$w0rd pass phrase we entered earlier, then it checks the supplied attributes. If you look in my output below, that was for SRM (it contains Extended Key Usage). You have to type Y to sign the cert, then commit it, then you're done:

Any additional certificate-related steps for vCenter or SRM are covered in yesterday's post. If you use this cert we just signed, you'll still get a warning that it is untrusted. Can you guess why? Yup, dragons around every corner, I know. Your local machine doesn't trust the certificate authority. You have to import the rootca.crt file into your Trusted Root Certificate Authority. You can also blast that out via GPO.

This can be done from any machine, as long as openssl is installed. If you’re creating/requesting multiple certs, create folders for each request and work from within there so you don’t mix them up. I use d:\cert\vcenter and d:\cert\srm. I added “D:\OpenSSL-Win32\bin\” to may path variable so it’ll work in any folder I’m in.

Make sure you’ve installed OpenSSL, which can be downloaded here. Next, open a command prompt (not a PowerShell window). I have a tendency to do the latter, since I do everything in PowerShell, but PS sometimes does not like what we’re typing.

If you have an internal PKI root CA, like RSA or Microsoft CA, you can proceed like normal, otherwise, you’ll need to create a root CA via OpenSSL, which I’ cover in another post HERE.

First thing is to generate the Certificate Signing Request, aka csr. To do this, we’ll need to create our config file. It can be named anything, I chose openssl.cnf, and it should be in your working folder (SRM, vCenter, etc) to keep track of what config file was used to generate which key & csr. There are a few differences in the openssl.cnf, depending on if it’s for SRM or vCenter.

This one’s for vCenter:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
#Don't encrypt the key
encrypt_key = no
prompt = no
string_mask = nombstr
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = IS
emailAddress = email@address
commonName = fqdn.of.srm.server

This one’s for SRM:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
#Don't encrypt the key
encrypt_key = no
prompt = no
string_mask = nombstr
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = IS
emailAddress = email@address
commonName = SRM
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: fqdn.of.srm.server

The main differences in the SRM config file are extendedKeyUsage = serverAuth, clientAuth and commonName = SRMSince you will have two SRM servers, the commonName (or CN) will need to be “SRM”, then the subjectAltName (or SAN) will need to be the actual FQDN of each server. You will need two certs. I aliased my vCenter to vcprod, so my vCenter csr also has the SAN of vcprod, while CN is the actual fqdn of the vCenter server itself. Fwiw, if you use RSA, the SAN can be added when the cert is signed, thus not needed in the config file. Notice rui.key? It will generate the .key file needed for vCenter. This is not needed for SRM, but nice to have.

Now, let’s run the first command to create the .key & .csr files:openssl req -newkey rsa:2048 -nodes -out rui.csr -config openssl.cnfFrom here, you can do one of two things: 1) submit the CSR to your internal PKI; or 2) sign the cert yourself via OpenSSL.

The preferred method is to use an internal PKI, like RSA or Microsoft. When you submit your request, you can either upload the .csr file, or copy the contents of it and paste it in the web form, then make a PKCS#10 request. Once the request is approved, you’ll receive notification to the email in the config file. You’ll need to create rui.crt and copy everything in the approved/signed cert request (—–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and everything in between!). Save that to the current working directory.

Now we have two different commands, depending on use: SRM or vCenter. SRM requires a .p12 file, while vCenter requires a .pfx file. They’re essentially the same, you just use either rui.pfx or rui.p12 in the -out switch of the command:openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.p12This is where you either do rui.pfx or rui.p12. vCenter requires the pfx file. Yes, I’m redundant here, but I best most viewers of this post will only see the code blocks and do a c&p without actually reading the content. I’ve been guilty of that on occasion, I bet most probably are.

Next, rename rui.crt to rui.crt.old, then we need to convert it with openssl:openssl x509 -text -in rui.crt.old > rui.crt

With that, we should have three files for vCenter (rui.key, rui.crt, and rui.pfx), or our single rui.p12 for SRM.

And now the video: