Tag Archives: VMware

Deploying vCenter Server Appliance 5.1 with AD auth

In theory using the vCenter Server Appliance (hereafter vCSA) offers a number of big advantages over using vCenter. Firstly you don’t need to commit a Windows Server OS licence, secondly to manage your VMs you can use a Flash-enabled browser on any operating system (including on Surface RT!), and thirdly it should be a lot quicker to deploy.

On that last point, a number of configuration steps in the setup of the vCSA are counter-intuitive and can waste a substantial amount of time. This is because the vCSA defaults to a hostname of localhost.yourdomain.com. The various web services that the appliance runs (SSO, Lookup Service, Inventory Service, vSphere Web Client) interact with each other using SSL sessions and, although there’s a built-in method to make vCSA regenerate its self-signed certificates at boot time, at the time of writing this does not work once these web services have been configured.

If you do not edit the hostname, you will not be able to enable AD authentication, and will likely encounter “Failed to connect to VMware Lookup Service https://yourhostname:7444/lookupservice/sdk – SSL certificate verification failed” when attempting to use the vSphere Web Client. However if after completing the initial setup wizard you configure the hostname to something meaningful and try to regenerate the SSL certificates, the vCSA will hang at boot time, displaying:

Waiting for network to come up (attempt 1 of 10)... Appliance Name - VMware_vCenter_Server_Appliance Configuration for eth0 found The network for interface eth0 is managed internally, network properties ignored DNS : x.x.x.x Hostname or IP has changed. Regenerating the self-signed certificates. Starting VMware vPostgres: ok Waiting for the embedded database to start up: .[OK]

Furthermore, most of the potentially useful VMware KB articles assume a dedicated vCenter, rather than a vCSA. There seems to be no way out of this boot hang, and you will have to start deploying the vCSA all over again. The trick is to cancel out of the Setup wizard and change the hostname at the very start, before the various web services have been initialized at all.

I have outlined the successful setup process here as a reminder for future deployments:

When downloading the vCSA, download the .ova file. Ignore the other .vmdk and .ovf downloads, the .ova one will allow you to set up the IP address details at the time of deployment rather than having to change them later.
It is recommended to use Thick Provisioning for the disk, despite 120GB being overkill for typical small deployments.
Enter the chosen static IP address, network and DNS settings. Sadly they left out a hostname field here which would have saved a lot of grief.
Do not start the VM on completion of the wizard, then reduce the vCSA virtual machine RAM from 8GB down to 4GB – the supported minimum configuration for small deployments of less than 10 hosts.
As per the instructions displayed on the vCSA VM console, connect a web browser to port 5480 (the default credentials are root and vmware), and accept the EULA.
At this point quit the Setup wizard. Failure to do this will cause SSL certificate issues later.
In the Network tab change the hostname, in the Admin tab change the root password and enable SSL certificate regeneration, and finally in the System tab set the correct time zone then reboot.
Create a DNS A record for your vCSA.
After the reboot when you connect back to the admin console, the hostname in the certificate will remain as localhost.yourdomain.com – this is apparently normal.
Disable SSL certificate regeneration.
Start the Setup wizard again from the main vCenter Server tab Summary screen.
Select “Configure with default settings”.
Enable AD authentication (an Active Directory Computer account object will be created for your vCSA).
Despite having enabled Active Directory authentication, this will not work until the AD domain SSO Identity Source has been configured – you’ll see the error “A general system error occurred: Authorize Exception”. The VMware documentation mentions using the SSO Admin account to do this (admin@System-Domain) but this password is not defined by the user when deploying a vCSA. By default the root account is also an SSO admin, so log in to vSphere Web Client on port 9443 as root. Navigate to Administration > Sign-On and Discovery > Configuration > Add Identity Source:
Enter the server URLs in the format ldap://dc1.mydomain.com
The DNs will probably both be cn=Users,dc=yourdomain,dc=com since you are only likely to need the Domain Admin user or Domain Admins group.
You need to set the Domain Alias to the NETBIOS domain name or else the vSphere Web Client plugin’s “use windows credentials” option will not work.
Set Authentication Type to Password and use a basic AD user account that you might use for photocopier scan-to-email directory lookups. Test the settings and save once working ok.
vCSA does not implicitly trust Domain Admins like a standard vCenter installation would, and the permissions are somewhat difficult to find in the vSphere Web Client. Navigate Home > vCenter > vCenter Servers > your vCSA > Manage tab > Permissions:
Add your required AD groups to the role Administrator.
I had a further issue after all this, where connecting using vSphere Client with the “use windows credentials” option would result in the error “A General System error occured: Cannot get user info”. This is due to an omission in the vCSA which has been fixed in the latest download version (currently 5.1.0.10100-1123965). You can get around this by editing a config file on the vCSA.
One final reboot of the appliance is necessary to avoid permissions errors from the Inventory Service when logging into the vSphere Web Client with Windows session authentication. Be aware that the port 9443 web service can take several minutes to start, even after the console of the appliance has apparently finished booting.
In environments where you can’t afford the 120GB of disk space for the vCSA, you could use VMware Converter to V2V the appliance, resizing to say 40GB in the process.

Shortcut to testing VMware Auto-Deploy

Upgrading to vSphere 5.0 with Dell EqualLogic

17 Replies

UPDATE – Ignore the Broadcom driver stuff. It seemed to be ok all afternoon, but I have rebooted the ESXi host and it’s gone completely unstable again, with pretty much continuous iSCSI disconnects. Clearly this TOE/iSCSI offload support is absolutely terrible. I’m going to have to use the software initiator. What is the point of Dell marketing this?

UPDATE 2 – Dell decided to get to the bottom of this and, following an extended troubleshooting session in which I reverted one of the hypervisors, they were able to replicate the fault in their lab. It’s now being escalated with VMware and Broadcom. More news as I get it…

I’m doing this upgrade at the moment from vSphere 4.1U1 so I wanted to make notes, particularly on the hypervisor rebuild part, so I don’t have to keep looking stuff up when I do each one. Since 4.1 I have used the hardware iSCSI offload features of the Broadcom bnx2 chips in the servers, using them as HBAs in their own right. As per the Dell MEM driver 1.1 release notes they still don’t support using jumbo frames with this configuration. However, I had big problems with getting this working at all with 5.0. According to Dell support I’m in a minority of customers that use TOE so their inclination was to suggest I fall back to software iSCSI. I purposely delayed adopting vSphere 5.0 until it had been out for a few months to hopefully avoid being among the first to hit major issues, but I still ran into this. The problem manifests itself as regular errors (every few seconds) in the array logs like this:

iSCSI login to target ‘192.168.100.12:3260, iqn.2001-05.com.equallogic:0-8a0906-c541d5105-94c0000000a4adc3-vsphere’ from initiator ‘192.168.100.25:2076, iqn.1998-01.com.vmware:server.domain.com:1454019294:34’ failed for the following reason: Initiator disconnected from target during login.

These errors are generated by all HBAs that are configured for storage. Furthermore only one path is established, and the volume will occasionally go offline altogether. The ESXi host’s /var/log/vmkernel.log shows bnx2 disconnection events like this:

2012-01-16T16:35:11.248Z cpu14:4802)bnx2i::0x410013204890: bnx2i_conn_stop::vmnic1 - sess 0x41000de04fc8 conn 0x41000de05350, icid 11, cmd stats={p=0,a=0,ts=0,tc=0}, ofld_conns 2
2012-01-16T16:35:11.248Z cpu14:4802)bnx2i::0x410013204890: bnx2i_ep_disconnect: vmnic1: disconnecting ep 0x410012a18f20 {11, 120c00}, conn 0x41000de05350, sess 0x41000de04fc8, hba-state 1, num active conns 2
2012-01-16T16:35:25.554Z cpu12:4802)bnx2i::0x410013204890: bnx2i_conn_stop::vmnic1 - sess 0x41000de04fc8 conn 0x41000de05350, icid 13, cmd stats={p=0,a=0,ts=0,tc=0}, ofld_conns 2
2012-01-16T16:35:25.554Z cpu12:4802)bnx2i::0x410013204890: bnx2i_ep_disconnect: vmnic1: disconnecting ep 0x410012a192f0 {13, 125400}, conn 0x41000de05350, sess 0x41000de04fc8, hba-state 1, num active conns 2

Dell support’s first suggestion is to edit the iSCSI login timeout value from 5 seconds to 60 seconds, and you need to use build 515841 to be able to edit this. However, this did not fix the issue using TOE. It turned out to be a Broadcom driver issue.

The vanilla install of ESXi 5.0.0 (build 469512), the Hypervisor Driver Rollup 1, and the update to build 515841 all include these same driver vib packages which seem to be broken. You can audit these by running esxcli --server=servername software vib list

net-bnx2     2.0.15g.v50.11-5vmw.500.0.0.469512   VMware VMwareCertified
net-bnx2x    1.61.15.v50.1-1vmw.500.0.0.469512    VMware VMwareCertified
net-cnic     1.10.2j.v50.7-2vmw.500.0.0.469512    VMware VMwareCertified
scsi-bnx2i   1.9.1d.v50.1-3vmw.500.0.0.469512     VMware VMwareCertified

The Broadcom NetXtreme II Network/iSCSI/FCoE Driver Set does contain newer versions:

net-bnx2     2.1.12b.v50.3-1OEM.500.0.0.472560    Broadcom VMwareCertified
net-bnx2x    1.70.34.v50.1-1OEM.500.0.0.472560    Broadcom VMwareCertified
net-cnic     1.11.18.v50.1-1OEM.500.0.0.472560    Broadcom VMwareCertified
scsi-bnx2fc  1.0.1v.v50.1-1OEM.500.0.0.406165     Broadcom VMwareCertified
scsi-bnx2i   2.70.1k.v50.2-1OEM.500.0.0.472560    Broadcom VMwareCertified

However, there is a further complication. These drivers have to be loaded on after the VMware updates. When the Broadcom drivers are installed the VMware-supplied drivers for these devices are removed. Confusingly, the VMware updater to build 515841 will see that they are missing, will ignore the OEM Broadcom replacements, and will re-install the older versions! If the host reboots at that point it will crash to a magenta screen of death as the kernel inits, possibly because two different driver versions are trying to access the same hardware. Take note, the Broadcom installer removes the following bootbank packages from the host:

VMware_bootbank_misc-cnic-register_1.1-1vmw.500.0.0.469512
VMware_bootbank_net-bnx2_2.0.15g.v50.11-5vmw.500.0.0.469512
VMware_bootbank_net-bnx2x_1.61.15.v50.1-1vmw.500.0.0.469512
VMware_bootbank_net-cnic_1.10.2j.v50.7-2vmw.500.0.0.469512
VMware_bootbank_scsi-bnx2i_1.9.1d.v50.1-3vmw.500.0.0.469512

So my recommendation would be to cross check this list whenever you install any further roll-ups to your ESXi hosts. If these or future non-OEM versions are reinstated, remove them before you restart the host, or it may not boot at all.

vCenter Server migration

Migrate vCenter server – for 4.1 -> 5.0 the wizard does it all automatically (big improvement!)
After upgrade you’ll get HA failing to find a master agent, and probaby some vCenter cert warnings about the hosts
Enable SSL certificate checking (disabled by default for some reason if migrating from 4.1): http://kb.vmware.com/kb/2006729

EqualLogic SAN update

This apparently provides better vStorage integration with vSphere 5

Keep a physical PC with the v4 infrastructure client on
Install the v5 infrastructure client on a physical PC
Shutdown all guests, put both hosts into maintenance mode and shutdown
Use WebUI to update the EqualLogic firmware to 5.1.2
Restart the SAN
Use iDRAC to power on ESXi hosts
If vCenter is a VM you need to use the v4 infrastructure client to connect directly its ESXi host
Power up a DC first, then vCenter
Quit the v4 client
Load the v5 infrastructure client and connect to vCenter
Start other DCs, Exchange, and SQL servers
Start web, app, and file servers

ESXi host update

From your iSCSI vSwitch make a note of the current iSCSI kernel port IP addresses
vMotion guests off ESXi host, maintenance mode, shutdown
Remove host from vCenter
For Dell servers use iDRAC, boot into System Services mode and try connecting to the net for updates
vmnic0 was in the management vSwitch and it was port channelled on the network switch
Telnet to switch, use the descriptions to find the correct port channel. If you don’t have descriptions in your switch config you could as a fallback find the MAC addresses in the server BIOS and look up the switch MAC address table, or use CDP show neighbors while VMware is running
Disable each of the ports in turn, checking in iDRAC to see if that fixes the access to the Dell firmware repo
Apply all firmware updates
Use iDRAC’s Virtual Media feature to present the VMVisor ISO image to the server
Reboot selecting the boot menu, then boot from the virtual CD
Select new install for ESXi host and install to SD card
This way there is no legacy partition table, and the upgrade would still require you to install the Dell MEM driver in any case
Use iDRAC to set management IP
Start v5 infrastructure client and connect to vCenter
Add ESXi host back into vCenter
Add vmnic4 back to the management vSwitch
Remove VM Network port group
Configure NIC teaming as Route based on IP hash (for each vmkernel and port group!)
Enable vMotion on the Management vmkernel port
Commit changes and re-enable the disabled switchport on your switch
Configure NTP service and hostname
Configure ESXi licence key
Compare the MAC addresses with of the vmbha initiators in Storage Adapters with the NICs listed in Network Adapters. You may notice that the numbering is different from the vmbha initiators that your ESXi 4.1 host was using
Download the Dell MEM 1.1 Early Production Access, since there are bug fixes over v 1.0.1 and it is certified for vSphere 5.0
Download VMware ESXi 5.0 Patch Release ESXi500-201112001 (build 515841 – the advised minimum for using the Dell MEM)
Download the Broadcom NetXtreme II Network/iSCSI/FCoE Driver Set
Some of these archives need extracting to expose the actual vib zipfile, some don’t
Install VMware vSphere CLI
Use the infrastructure client’s Datastore browser to upload the MEM, the 515841 patch release, and the Broadcom vib files to a local volume on the ESXi host (mine all have a single SATA hard disk for scratch)
Put the host in Maintenance Mode
Use RCLI to install the patch release:

esxcli --server=servername software vib install --depot /vmfs/volumes/SATA-LOCAL-C/ESXi500-201112001.zip

Reboot the host
Install the Broadcom drivers:

esxcli --server=servername software vib install --depot /vmfs/volumes/SATA-LOCAL-C/BCM-NetXtremeII-1.0-offline_bundle-553511.zip

Reboot the host
Install the MEM driver:

esxcli --server=servername software vib install --depot /vmfs/volumes/SATA-LOCAL-C/dell-eql-mem-1.0.9.205559.zip

Reboot the host
For each HBA, check the iqn name and amend to use the hostname instead of localhost, and check the numbering. On my servers the vmbha designations shifted during one of the reboots, leaving the iqns with misleading names which caused additional confusion while setting up the array volume access. e.g. vmbha34 showed up as iqn.1998-01.com.vmware:localhost.domain.com:2062235227:36
Run the MEM configuration script, selecting vmnic1 and vmnic3, and using the IP addresses you noted from the old ESXi instance. Dell support also advised creating the heartbeat vmkernel port, though it’s described as optional

setup.pl --configure --server=servername

Update these new iqns on the SAN’s ACLs for the vSphere storage volume(s)
After that has finished take the CHAP passwords for each vmbha from the EqualLogic Web UI and add those to the Storage Adapter configs in the infrastructure client. Remember to use the username as you see it in the EqualLogic UI not the initiator iqn
For each of your active HBAs use the advanced settings to edit the iSCSI login timeout from 5 to 15 seconds (to match what ESXi 4.1 had)
Configure a scratch disk path and enable scratch – use the real drive UID in the path, rather than the volume name in case you change it later. To retrieve that, use

vmkfstools.pl --server=servername -P /vmfs/volumes/yourvolumenamehere

Upgrading to vCenter 4.1 with bundled SQL Express Edition – database migration fails

5 Replies

My infrastructure uses a bundled SQL Express Edition database because it isn’t hugely complex, and I didn’t want too much dependency on other servers (themselves VMs). I encountered problems upgrading the vCenter database while moving from Windows Server 2003 R2 SP2 x86 to Windows 2008 R2. I was migrating from vSphere 4.0U1 to 4.1. Perhaps this precise combination of versions was the problem, or perhaps it was that my database started life as VirtualCenter 3.5.

The process seems simple enough – unzip and run the Data Migration Tool from the installation media on the source vCenter server, move this folder (now with \data added) to the destination server and launch the install.bat script. However, there seem to be two major snags. The first is that the backup process will fail:

DB logs: HResult 0x2, Level 16, State 1 Named Pipes Provider: Could not open a connection to SQL Server

VMware has a knowledgbase article about this. They claim it’s caused by a misconfiguration of the SQL 2005 Express Edition instance which is pretty rich considering it was set up by their own installer. Make the named pipe change they suggest and it will work. Now unplug this machine from the LAN or disconnect its network adapter in vSphere if it’s a VM – remember you can connect the VI Client directly to the hypervisor which is hosting it.

The destination server needs to be configured with the same hostname as the source. I had then assumed that the restore tool would need to be run after a new install of vCenter 4.1 was placed on the destination server, so I installed vCenter. Then I discovered that the install.bat script in the datamigration folder refuses to run if it detects the product is already present. So naturally I uninstalled it and tried again. Perhaps this is what messed things up, or perhaps it’s because I’m using Windows 2008 R2.

Anyway, the datamigration\install.bat script kicks off the main product installer, supposedly importing all your backed up settings.

According to the vCenter 4.1 Upgrade Guide page 40 item 10 you are supposed to:

Select Install SQL Server 2005 Express instance (for small-scale deployments) and click Next.

Item 16 on the same page states that:

When the vCenter Server installation finishes, click Finish. The data migration tool restores the backed up configuration data.

If you do this you may, like me, discover that it actually doesn’t work and you end up with a completely blank database instance. Consulting datamigration\logs\restore.log I found no reference at all to any database restore.

My workaround

Go to your original vCenter server. Open the Data Sources MMC snap-in. In System DSN you should see an entry like so:

Note down the details, then create the same entry on your destination server (this will create a 64bit DSN). Notice how on page 38 of the Upgrade Guide it specifically states that:

If you use the data migration tool to migrate a SQL Server Express database located on the vCenter Server system to a new system, you do not need to create the 64-bit DSN. The data migration tool creates the DSN as part of the installation process

Apparently sometimes you do need to create the DSN.

On the destination server, copy the file \datamigration\data\vc\vc_upgraded_db and paste it in C:\temp. Rename it to vc_upgraded_db.bak.

Still on the destination server download, install and run the 64bit SQL Management Studio Express. Even if you’ve uninstalled vCenter, the SQL Express Edition instance will be left behind. If there’s not already one from a failed install, create a local database called VIM_VCDB. Restore the backup in C:\temp\vc_upgraded_db.bak over the top, paying attention to select Options -> Overwrite Existing Database and browsing to the target file locations of both the mdf and ldf files – the old database was found in C:\Program Files\Microsoft SQL Server\MSSQL.1\Data but on the 64bit system it’s C:\Program Files (x86)\…

Right-click your database, and select Properties. In Options, make sure your database recovery model is set to Simple. If you don’t do this your transaction log will fill up in a couple of days and the vCenter services will stop. In my case it seemed to have defaulted to Bulk-Logged.

Once that’s done you’ll need to update your newly created DSN to set the default database to VIM_VCDB. Now run datamigration\install.bat once again but this time opt to use an existing database as shown below:

Strangely, you will find that the you cannot use the SYSTEM account for the vCenter services however this can easily be changed in the Services MMC snap-in later.

And that’s it. You should end up with a working install with your data intact. One final tweak is to delay launch of the vCenter services so they don’t fail to start up at boot time.

UPDATE – after wasting a number of hours today with this, I’ve done some more searching and found this VMware KB article which basically just admits that the Data Migration Tool sometimes doesn’t work, and won’t even report errors in the log! When I download something as important as this, I sort of take it for granted that I won’t have to Google “vcenter data management tool does not migrate database” the moment I try using it (can’t believe I didn’t try that).

PC LOAD LETTER

and other brilliant error messages