Lockdown Mode in vSphere 6.0 and 6.5

Understanding Lockdown Mode in vSphere 6.0 and 6.5

Lockdown mode is a security feature for ESXi hosts that are connected to vCenter Server.

  • ESXi 5.x and earlier versions:

When lockdown mode is enabled, only the vpxuser account (the vCenter Server user) retains authentication permissions. Other users cannot perform any operations directly on the ESXi host; lockdown mode forces all operations to go through vCenter Server.

When the ESXi host is in lockdown mode, you cannot use vCLI commands, scripts, or the vSphere Management Assistant directly against the host, bypassing vCenter Server. External software or tools such as backup agents also might not be able to retrieve or modify information from the ESXi host directly.

  • ESXi 6.x:

With vSphere 6, VMware introduced a couple of new concepts to make lockdown mode more flexible than in previous versions:

  1. Normal Lockdown Mode
  2. Strict Lockdown Mode
  3. Exception Users

1. Normal Lockdown Mode

In normal lockdown mode all direct connections to the ESXi host are blocked.

You can manage the ESXi host through vCenter Server or through the Direct Console User Interface (DCUI); the DCUI service keeps running in normal lockdown mode.

If the connection to vCenter Server is lost, privileged user accounts can log in to the host's Direct Console User Interface (DCUI) and exit lockdown mode.

Only the following accounts can access the Direct Console User Interface:

  • User accounts in the Exception User list for lockdown mode who have administrative privileges on the host – vSphere 6.0 introduced the Exception User list. Exception users do not lose their privileges when the host enters lockdown mode. You can use the Exception User list for the accounts of third-party solutions and external applications, such as backup agents, that need direct access to the ESXi host while it is in lockdown mode.
  • Users defined in the DCUI.Access advanced option for the host – This option is for emergency access to the Direct Console User Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.

2. Strict Lockdown Mode

Strict lockdown mode is new in vSphere 6.0. In strict lockdown mode the DCUI service is stopped as well.

If the connection to vCenter Server is lost and cannot be restored, you will have to reinstall ESXi on the host.

If the connection to vCenter Server is lost, the ESXi host becomes unavailable unless the ESXi Shell and SSH services were enabled beforehand and the Exception Users list is populated.

The ESXi Shell and SSH services are independent of lockdown mode; however, these services are disabled by default.

When a host is in lockdown mode, users on the Exception Users list can access the ESXi host from the ESXi Shell or through SSH.

How to Enable Lockdown Mode:

  • While adding an ESXi host to vCenter Server through the Add Host wizard.
  • From the vSphere Web Client: you can enable Normal or Strict lockdown mode from the ESXi host's Manage tab -> Security Profile -> Edit (as highlighted in the screenshot), then select the mode you want on the screen that appears.
  • From the Direct Console User Interface (DCUI).

Please Note:

  1. Privileged users can disable lockdown mode from the vSphere Web Client.
  2. Privileged users can disable normal lockdown mode from the Direct Console User Interface (DCUI). However, these users cannot disable strict lockdown mode from the DCUI.
  3. The DCUI does not offer a choice between Normal and Strict lockdown mode; when you enable lockdown mode from the DCUI you get Normal mode. If you enable or disable lockdown mode using the DCUI, permissions for users and groups on the host are discarded. To preserve these permissions, enable and disable lockdown mode using the vSphere Web Client.
  4. If you upgrade a host that is in lockdown mode to ESXi 6.0 without exiting lockdown mode on your previous install, and you exit lockdown mode after performing the upgrade, all the permissions defined before the host entered lockdown mode are lost. The system assigns the administrator role to all users found in the DCUI.Access advanced option to guarantee that the host remains accessible. To avoid this issue, disable lockdown mode for the host from the vSphere Web Client before the upgrade.

***For more information, refer to VMware Knowledge Base article 1008077 (kb.vmware.com/kb/1008077)***
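The state described above (lockdown mode, DCUI.Access, exception users, ESXi Shell/SSH) can be audited and changed with PowerCLI instead of the Web Client. The script below is an added example, not from the original post or from VMware. It assumes the VMware.PowerCLI module is loaded and that Connect-VIServer has already been run against vCenter Server; it uses the vSphere 6.0 HostAccessManager API (LockdownMode, QueryLockdownExceptions, UpdateLockdownExceptions, ChangeLockdownMode), and the function names and the host and user names in the usage lines are my own.

```powershell
# Added example (not from the original post). Requires VMware.PowerCLI and an
# existing Connect-VIServer session to vCenter Server.

function Get-LockdownReport {
    # One object per host: lockdown mode, DCUI.Access users, exception users,
    # and whether the ESXi Shell (TSM) and SSH (TSM-SSH) services are running.
    [CmdletBinding()]
    param([string]$HostName = '*')

    foreach ($vmhost in Get-VMHost -Name $HostName) {
        # HostAccessManager is the vSphere 6.0+ API object behind lockdown mode.
        $accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
        $services  = Get-VMHostService -VMHost $vmhost
        [pscustomobject]@{
            Host           = $vmhost.Name
            LockdownMode   = $accessMgr.LockdownMode   # lockdownDisabled, lockdownNormal or lockdownStrict
            DcuiAccess     = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
            ExceptionUsers = (@($accessMgr.QueryLockdownExceptions()) -join ', ')
            EsxiShellOn    = ($services | Where-Object Key -eq 'TSM').Running
            SshOn          = ($services | Where-Object Key -eq 'TSM-SSH').Running
        }
    }
}

function Set-HostLockdown {
    # Changes lockdown mode, optionally adding exception users first. Strict
    # mode is refused unless the recovery path the post describes exists:
    # exception users present and the ESXi Shell or SSH service running.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)]
        [ValidateSet('lockdownDisabled', 'lockdownNormal', 'lockdownStrict')]
        [string]$Mode,
        [string[]]$ExceptionUsers = @()
    )
    $vmhost    = Get-VMHost -Name $HostName -ErrorAction Stop
    $accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

    if ($Mode -eq 'lockdownStrict') {
        $allExceptions = @($accessMgr.QueryLockdownExceptions()) + $ExceptionUsers
        $shellOrSsh    = Get-VMHostService -VMHost $vmhost |
                         Where-Object { ($_.Key -in @('TSM', 'TSM-SSH')) -and $_.Running }
        if ($allExceptions.Count -eq 0 -or -not $shellOrSsh) {
            throw "Refusing strict lockdown on ${HostName}: without exception users and a running ESXi Shell/SSH service, losing vCenter would mean reinstalling the host."
        }
    }

    if ($PSCmdlet.ShouldProcess($HostName, "set lockdown mode to $Mode")) {
        if ($ExceptionUsers.Count -gt 0) {
            $accessMgr.UpdateLockdownExceptions($ExceptionUsers)
        }
        $accessMgr.ChangeLockdownMode($Mode)
        Get-LockdownReport -HostName $HostName
    }
}

# Usage (host and account names are placeholders):
# Get-LockdownReport | Format-Table -AutoSize
# Set-HostLockdown -HostName 'esxi01.lab.local' -Mode lockdownNormal -ExceptionUsers 'backupsvc' -WhatIf
```

Because the functions go through vCenter Server, the permissions on the host are preserved, which is the point the post makes about preferring the Web Client over the DCUI for enabling and disabling lockdown mode.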

Use DSET to Clear the ESM (Hardware) Logs

Download and open the DSET 2.2 utility for Windows or Linux.

Link: https://downloads.dell.com/diags/Dell_DSET_2.2.0.118_A01.msi

Please refer to the screenshots below.

  1. Run the DSET utility.
  2. Accept and click Next.
  3. Click Next again.
  4. Select "Gather and clear Dell Hardware logs only".

**You can also clear the logs from OMSA or through the BIOS. Use this method if the others are not working for you.**

How to fix a RAID array that has a puncture

Solution:

You can follow these steps to resolve the issue.

Warning: Following these steps will result in the loss of all data on the array. Make sure you are prepared to restore from backup or other means before following these steps. Use caution so that following these steps does not impact any other arrays.

  1. Discard the preserved cache (if it exists).
  2. Clear foreign configurations (if any).
  3. Delete the array.
  4. Shift the position of the drives by one (move Disk 0 to slot 1, Disk 1 to slot 2, and Disk 2 to slot 0).
  5. Recreate the array as desired.
  6. Perform a Full Initialization of the array (not a Fast Initialization).
  7. Perform a Check Consistency on the array.

If the Check Consistency completes without errors, you can safely assume that the array is now healthy and the puncture is removed.

How to inject USB 3.0 drivers in Windows Server 2008 R2

How to inject USB 3.0 drivers into Windows Server 2008 R2 SP1 for use on Dell R230, R330, T130, T330

Download the USB 3.0 drivers from here

In this method the USB 3.0 drivers are injected manually. To do that, the drivers are injected into “Boot.wim”, which has 2 indexes (1 & 2); the Intel USB 3.0 drivers need to be injected into both.

  • Index 1 = Microsoft Windows PE
  • Index 2 = Microsoft Windows Setup

“Install.wim” has 8 indexes. Depending on the edition of media being used, the Intel USB 3.0 drivers need to be injected into the matching index. The list below is from the Dell OEM media and the MSDN media and may differ on customer media.

  • Index 1 = Windows Server 2008 R2 Server Standard
  • Index 2 = Windows Server 2008 R2 Server Standard Core
  • Index 3 = Windows Server 2008 R2 Server Enterprise
  • Index 4 = Windows Server 2008 R2 Server Enterprise Core
  • Index 5 = Windows Server 2008 R2 Server Datacenter
  • Index 6 = Windows Server 2008 R2 Server Datacenter Core
  • Index 7 = Windows Server 2008 R2 Server Web
  • Index 8 = Windows Server 2008 R2 Server Web Core

Before the Intel USB 3.0 drivers are injected into the operating system image, a servicing environment needs to be created. If Windows Server 2008 R2 with SP1 is being serviced from a Windows 7 OS, the Windows Automated Installation Kit (WAIK) needs to be installed on the client OS; if Windows 8 / Windows Server 2012 or a newer operating system is used, the Windows ADK needs to be installed.

  1. Create the following folders:
    1. C:\temp\WindowsISO (Unpack the windows 2008R2 ISO to this folder)
    2. C:\temp\drivers (Add all driver folders in this folder… steps 2-6 below)
    3. C:\temp\wim (Is a temp folder for the WIM file)
  2. Extract USB3 driver files to C:\temp\drivers

Download and install the Deployment Tools from the ADK 8.1 installer (required for the oscdimg.exe tool in either process outlined below).

Use a Command Prompt with administrator privileges, or the Deployment and Imaging Tools Environment command prompt (any Windows OS with ADK 8.1), to integrate the drivers with the following commands:

Administrator Command Prompt commands. List the indexes in boot.wim:

CD \temp
Dism /Get-WimInfo /WimFile:C:\temp\WindowsISO\sources\boot.wim

List the indexes in Install.wim:

Dism /Get-WimInfo /WimFile:C:\temp\WindowsISO\sources\Install.wim

Mount index 1 of boot.wim:

Dism /Mount-Wim /WimFile:C:\temp\WindowsISO\sources\boot.wim /Index:1 /MountDir:C:\temp\Wim

Inject drivers into the mounted WIM:

Dism /Image:C:\temp\wim /Add-Driver /Driver:C:\temp\drivers /Recurse

Unmount the WIM and commit the changes:

Dism /Unmount-Wim /MountDir:C:\temp\wim /Commit

Note: Repeat the above steps for both indexes of boot.wim and for any install.wim indexes required for the desired installation media.

Mount index 2 of boot.wim:

Dism /Mount-Wim /WimFile:C:\temp\WindowsISO\sources\boot.wim /Index:2 /MountDir:C:\temp\Wim

Inject drivers into the mounted WIM:

Dism /Image:C:\temp\wim /Add-Driver /Driver:C:\temp\drivers /Recurse

Unmount the WIM and commit the changes:

Dism /Unmount-Wim /MountDir:C:\temp\wim /Commit

Mount the Install.wim index that matches the OS edition you wish to install. In this example Index 3 (Windows Server 2008 R2 Enterprise in the list above) is used:

Dism /Mount-Wim /WimFile:C:\temp\WindowsISO\sources\Install.wim /Index:3 /MountDir:C:\temp\Wim

Inject drivers into the mounted WIM:

Dism /Image:C:\temp\wim /Add-Driver /Driver:C:\temp\drivers /Recurse

Unmount the WIM and commit the changes:

Dism /Unmount-Wim /MountDir:C:\temp\wim /Commit

Change to the oscdimg folder:

CD "C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg"

Create the new ISO image with the modified files:

oscdimg -n -m -bc:\temp\WindowsISO\boot\etfsboot.com C:\temp\WindowsISO C:\temp\WindowsISO\Mynew_Windows_Server2008_Ent_USB3.0.iso

We have now created a new Windows ISO image with the USB 3.0 drivers injected, which can be used to install Windows Server 2008 R2 with USB 3.0 enabled in the BIOS.

If you don’t want to spend time creating the ISO, you can download it from here
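The mount / add-driver / unmount sequence above is repeated by hand for each index, and a failed step leaves an image mounted. The script below is an added example, not from the original article: it runs the same Dism.exe and oscdimg.exe commands for both boot.wim indexes and one install.wim index, checks each exit code, and discards a mount on failure. The folder names are the article's; the oscdimg path is the ADK 8.1 default, and the output ISO name and the Invoke-Dism / Add-DriversToWimIndex function names are my own.

```powershell
# Added example, not from the original article: the same Dism.exe and
# oscdimg.exe steps, run for every required index in one pass. Run from an
# elevated PowerShell prompt on the servicing machine.

$IsoRoot      = 'C:\temp\WindowsISO'
$DriverDir    = 'C:\temp\drivers'
$MountDir     = 'C:\temp\wim'
$OscdimgExe   = 'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg\oscdimg.exe'
$InstallIndex = 3                              # Index 3 = Windows Server 2008 R2 Enterprise in the article's list
$OutputIso    = 'C:\temp\WS2008R2_USB3.iso'    # kept outside $IsoRoot so the ISO is not imaged into itself

function Invoke-Dism {
    # Dism.exe reports failure only through its exit code; turn that into an exception.
    param([string[]]$DismArgs)
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) { throw "dism.exe $($DismArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

function Add-DriversToWimIndex {
    # Mount one index, add every driver under $DriverDir, commit. On any
    # failure the mount is discarded so the WIM is never left half-modified.
    param([Parameter(Mandatory)][string]$WimFile, [Parameter(Mandatory)][int]$Index)
    Write-Host "Servicing $WimFile index $Index"
    Invoke-Dism @('/Mount-Wim', "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir")
    try {
        Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$DriverDir", '/Recurse')
        Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
    } catch {
        & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard | Out-Null
        throw
    }
}

# Preflight: the driver folder must actually contain INF packages.
New-Item -ItemType Directory -Force -Path $MountDir | Out-Null
if (-not (Get-ChildItem -Path $DriverDir -Recurse -Filter '*.inf')) {
    throw "No .inf files under $DriverDir; extract the Intel USB 3.0 driver package there first."
}

# boot.wim: both indexes (1 = Windows PE, 2 = Windows Setup).
foreach ($i in 1, 2) { Add-DriversToWimIndex -WimFile "$IsoRoot\sources\boot.wim" -Index $i }
# install.wim: only the edition you intend to install.
Add-DriversToWimIndex -WimFile "$IsoRoot\sources\install.wim" -Index $InstallIndex

# Rebuild the bootable ISO (-b takes the boot sector path with no space after it).
& $OscdimgExe -n -m "-b$IsoRoot\boot\etfsboot.com" $IsoRoot $OutputIso
if ($LASTEXITCODE -ne 0) { throw "oscdimg.exe failed with exit code $LASTEXITCODE" }
Write-Host "Created $OutputIso"
```

To service every edition instead of one, replace `$InstallIndex` with the list of indexes from `Dism /Get-WimInfo` for install.wim; each index is mounted and committed separately, exactly as the manual steps do.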

Windows Server: How to Repair the Boot Files in Windows Server 2008 or 2008 R2

Description:

There are a number of possible causes for the failure of a server to boot into Windows. This article deals with a problem in the boot files and demonstrates how to repair them.

When booting to the Windows Recovery Environment (WinRE), drive letters are assigned on a first-come, first-served basis. For example, the C: drive in Windows will often have a different letter in WinRE.

The DiskPart utility can be used to keep track of the drives and what is stored on them.

Note: If there is no System Reserved partition, it is okay to select the drive containing the Windows folder.

Illustration of drive lettering in Windows and WinRE (the example layout used in this article):

  • First partition: 100 MB System Reserved (no drive letter)
  • Second partition: 60 GB (C:) OS
  • Third partition: 1.5 TB (D:) Data
  • DVD drive: E:

Restoring Boot Files

1. Boot to the Windows Server DVD.

2. Open the command prompt.

  a. Server 2008 R2:
    i. If no driver is needed, press Shift+F10 to open the command prompt.
    ii. Continue with step 3.
  b. Server 2008 (or 2008 R2 if a driver is required):
    i. Click Next at the first screen.
    ii. Click Repair your computer.
    iii. If no driver is needed, click Next and proceed to step vii below.
    iv. If a driver is needed, click Load Drivers.
    v. Insert the media containing the needed driver. (Note: the media can be a CD, DVD, or USB storage device.)
    vi. Navigate to the folder containing the driver, select it, and click Open.
    vii. Click Command Prompt.

3. The command prompt appears.

4. Type DiskPart at the command prompt.

5. Type List vol at the DiskPart prompt.

6. Write down the drive letter of the DVD drive. In this example, it is F.

7. Write down the drive letter of the system reserved drive. In this example, it is C.

8. Type Select vol 1 (assuming volume 1 is the System Reserved volume, as it is here).

9. Type active. This sets the selected volume as active.

10. Type exit to return to the command line.

11. Type Copy f:\BootMgr c:\ at the command prompt. One of two things will happen:

  • If the file Bootmgr already exists on C:, type N to avoid overwriting it.
  • If the file Bootmgr doesn’t already exist on C:, it will automatically be copied.

12. Type Bootrec /Fixmbr at the command prompt.

13. Type Bootrec /Fixboot at the command prompt.

14. Type Bootrec /rebuildBCD at the command prompt.

  • If no OS is found, the result shown in the "Result when no OS is found" screenshot appears. This means that one of the following is true:
    1. The boot configuration database (BCD) already exists.
    2. The OS is not there.
    3. The OS is damaged beyond the ability of BootRec to recognize it.
  • If BootRec /RebuildBCD succeeds, it will list any installations of Windows that it found. Press Y to accept and add them to the BCD.

15. The server is now configured to boot from the proper partition. Close the command prompt and reboot the system into normal mode.

Installing an OEM branded Windows OS in VMware

If you try to install an OEM branded Windows operating system, you will likely have issues activating or installing because it cannot check the BIOS/hardware make. This is pretty common with Dell, HP, or IBM branded media. To resolve this issue you will need to add smbios.reflecthost = "TRUE" to your .vmx config file. I’ve heard a number of people saying adding it to the .vmx file did not work. Often it’s because it was added incorrectly, so here is a way to do it via the vSphere client.

1) Edit your VM and go to the Options tab

2) Click General under Advanced, and then click Configuration Parameters

3) Add a row, and paste smbios.reflecthost as the name, and true as the value.

4) Reboot your VM and install your operating system

Certainly volume licensing is easier, but sometimes you can get OEM media pretty cheap. If you’re hosting VMs for a company and being provided the media, or are being forced to spend as little as possible and ended up with an OEM installation disk, this will allow you to virtualize it. Keep in mind, however, that if it's Dell branded it must reside on a Dell server; the same goes for HP, IBM, etc. If that isn’t possible, you either have to get a server of that type or new media.
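The same parameter can be set with PowerCLI, which avoids the hand-editing mistakes mentioned above. The function below is an added example, not from the original post: it refuses to touch a running VM (the .vmx is only re-read at power-on) and warns when the ESXi host's manufacturer does not match the media vendor, since the post notes that Dell branded media must sit on a Dell server. It assumes an existing Connect-VIServer session; the VM name and vendor string are placeholders.

```powershell
# Added example (not from the original post): sets smbios.reflecthost on a VM
# with PowerCLI. Assumes Connect-VIServer has already been run.

function Enable-SmbiosReflectHost {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$MediaVendor = 'Dell'     # vendor of the OEM media, e.g. Dell, HP, IBM
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # The .vmx is only re-read at power-on, so require the VM to be off.
    if ($vm.PowerState -ne 'PoweredOff') {
        throw "$VMName must be powered off before its configuration is changed."
    }

    # Reflecting the host SMBIOS only helps when the ESXi host is from the
    # same vendor as the OEM media.
    $esxHost = Get-VMHost -VM $vm
    if ($esxHost.Manufacturer -notlike "*$MediaVendor*") {
        Write-Warning "$VMName runs on '$($esxHost.Manufacturer)' hardware; $MediaVendor branded media will not activate there."
    }

    # Update the parameter if it already exists, otherwise create it.
    $setting = Get-AdvancedSetting -Entity $vm -Name 'smbios.reflecthost'
    if ($setting) {
        Set-AdvancedSetting -AdvancedSetting $setting -Value 'TRUE' -Confirm:$false
    } else {
        New-AdvancedSetting -Entity $vm -Name 'smbios.reflecthost' -Value 'TRUE' -Confirm:$false
    }
}

# Enable-SmbiosReflectHost -VMName 'oem-win2012' -MediaVendor 'Dell'
```

Get-AdvancedSetting on the VM afterwards shows the row exactly as it appears under Configuration Parameters in the vSphere client, which is the quickest way to confirm the value was stored as `TRUE`.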

How to Configure NIC Teaming in Windows Server 2016

NIC Teaming, a built-in feature of Windows Server 2016

NIC Teaming is now a built-in feature for configuring NIC teams in Windows Server. It provides network availability and network performance by bonding network adapters into one logical network adapter, with load balancing across the individual links and failover for network connections.

NIC Teaming Features and Modes

Currently Windows Server supports two NIC Teaming configuration modes: switch dependent mode and switch independent mode.

Switch dependent mode connects all network adapters to the same switch. It requires configuration on the physical switch: Generic teaming mode, or LACP for Dynamic mode. These two, Generic (802.3ad) and Dynamic (802.1ax), are the options of switch dependent mode.

Switch independent mode connects the network adapters to different switches, and no configuration is required on the physical switches.

Configure NIC Teaming in Windows Server

This walkthrough configures NIC Teaming in Windows Server 2016 in a Hyper-V lab. All network adapters are virtual and were created just to test the functionality of NIC Teaming in Windows Server 2016.

To configure NIC Teaming you need at least two network adapters. Before configuring NIC Teaming, create some virtual network adapters for your Hyper-V virtual servers.

1. On the Windows server, open Server Manager and select Local Server. It shows all network adapters with their IP configuration. The screenshot shows the network adapters configured with static IP addresses.

2. Click Disabled next to NIC Teaming to open the NIC Teaming configuration window.

3. In the TEAMS section click TASKS and select New Team to create a new NIC team from the existing network adapters.

4. Select the adapters you want to team with each other and type a name. Then select the appropriate settings under Additional properties and click OK to create the first NIC team.

5. Finally, you see the created NIC team in the TEAMS section of the NIC Teaming window. If you want to change the settings of a NIC team, select and right-click the team, then select Properties.

You have now successfully created and configured NIC Teaming in Windows Server. To see that NIC Teaming is enabled, refresh Server Manager and check.

6. Now check Network Connections to see the team connection created by the NIC Teaming configuration.
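The Server Manager steps above map onto the NetLbfo cmdlets that ship with Windows Server 2016, which is the usual way to do this repeatably or on Server Core. The script below is an added example, not from the original article: it creates a team after checking that every member is present and up, optionally marks one NIC as a standby, and reports the team state the article checks by eye in Server Manager and Network Connections. Adapter and team names are assumptions; list yours with Get-NetAdapter first.

```powershell
# Added example (not from the original article): create and verify a NIC team
# with the NetLbfo cmdlets. Adapter and team names are placeholders.

function New-LabNicTeam {
    [CmdletBinding()]
    param(
        [string]$TeamName = 'Team1',
        [string[]]$Members = @('Ethernet', 'Ethernet 2'),
        # SwitchIndependent needs no switch config; Static (generic 802.3ad) and
        # Lacp (dynamic 802.1ax) are the two switch dependent options.
        [ValidateSet('SwitchIndependent', 'Static', 'Lacp')]
        [string]$TeamingMode = 'SwitchIndependent',
        [ValidateSet('Dynamic', 'TransportPorts', 'IPAddresses', 'MacAddresses', 'HyperVPort')]
        [string]$LoadBalancing = 'Dynamic',
        [string]$StandbyMember                 # optional hot-standby NIC (switch independent only)
    )
    if ($Members.Count -lt 2) { throw 'NIC Teaming needs at least two network adapters.' }

    # Every member must exist and be up before teaming, or the team starts degraded.
    $adapters = Get-NetAdapter -Name $Members -ErrorAction Stop
    $down = @($adapters | Where-Object Status -ne 'Up')
    if ($down.Count -gt 0) { throw "Adapters not up: $($down.Name -join ', ')" }
    if ($StandbyMember -and $TeamingMode -ne 'SwitchIndependent') {
        throw 'A standby adapter is only supported in switch independent mode.'
    }

    $team = New-NetLbfoTeam -Name $TeamName -TeamMembers $Members -TeamingMode $TeamingMode `
                -LoadBalancingAlgorithm $LoadBalancing -Confirm:$false
    if ($StandbyMember) {
        Set-NetLbfoTeamMember -Name $StandbyMember -AdministrativeMode Standby -Confirm:$false
    }
    $team
}

function Get-NicTeamHealth {
    # The check the article does by eye in Server Manager / Network Connections.
    param([string]$TeamName = 'Team1')
    $team    = Get-NetLbfoTeam -Name $TeamName -ErrorAction Stop
    $members = Get-NetLbfoTeamMember -Team $TeamName
    [pscustomobject]@{
        Team        = $team.Name
        Status      = $team.Status                 # Up, Degraded or Down
        TeamingMode = $team.TeamingMode
        Algorithm   = $team.LoadBalancingAlgorithm
        Active      = (@($members | Where-Object OperationalStatus -eq 'Active').Name -join ', ')
        Standby     = (@($members | Where-Object AdministrativeMode -eq 'Standby').Name -join ', ')
        Failed      = (@($members | Where-Object OperationalStatus -eq 'Failed').Name -join ', ')
    }
}

# New-LabNicTeam -TeamName 'Team1' -Members 'Ethernet', 'Ethernet 2' -StandbyMember 'Ethernet 2'
# Get-NicTeamHealth -TeamName 'Team1'
```

Disconnecting one member's virtual switch in the Hyper-V lab and running Get-NicTeamHealth again is a quick way to see failover happen: the team stays Up while the disconnected adapter moves out of the Active list.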

How to gather TTY logs using the PercCLI tool

Steps to extract the TTY logs using the PercCLI tool:

  1. Download the PERC CLI utility from HERE.
  2. Run the downloaded file and extract it.
  3. Extracted files (see screenshot).
  4. Open a Command Prompt as an administrator.
  5. To view the installed PERC cards, type “perccli show all”.
  6. Make a note of the index number of your controller. In this example, it is 0.
  7. Type “perccli /cX show termlog”, where X is the controller index number.
  8. To extract the logs to a text file, use “perccli /c0 show termlog > termlog.txt”.
  9. The logs are saved to the working directory, in this example C:\Users\Administrator.
  10. Browse to that folder to open the logs.
  11. Extracted logs (see screenshot).
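When the same log has to be pulled from several controllers, or repeatedly during a support case, the redirect in step 8 overwrites the previous termlog.txt. The function below is an added example, not part of the original post: it runs the post's "perccli /cX show termlog" command for each controller index you list and writes one timestamped file per controller. The perccli.exe path is an assumption; point it at your extracted copy.

```powershell
# Added example (not part of the original post): collect the PERC TTY log per
# controller into timestamped files. The perccli.exe path is a placeholder.

function Export-PercTermLog {
    [CmdletBinding()]
    param(
        [string]$PercCli   = 'C:\Temp\PercCLI\perccli.exe',
        [int[]]$Controller = @(0),          # index numbers from "perccli show all"
        [string]$OutDir    = (Join-Path $env:USERPROFILE 'perc-ttylogs')
    )
    if (-not (Test-Path $PercCli)) { throw "perccli.exe not found at $PercCli" }
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    foreach ($c in $Controller) {
        $file = Join-Path $OutDir ('termlog-c{0}-{1}.txt' -f $c, $stamp)
        # perccli prints the log to stdout; capture it instead of relying on shell redirection.
        $lines = & $PercCli "/c$c" show termlog
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "perccli returned exit code $LASTEXITCODE for controller $c; skipping"
            continue
        }
        $lines | Set-Content -Path $file -Encoding ASCII
        [pscustomobject]@{ Controller = $c; File = $file; Lines = @($lines).Count }
    }
}

# Export-PercTermLog -Controller 0                      # matches the post's "/c0" example
# Export-PercTermLog -Controller 0, 1 -OutDir 'C:\Temp\ttylogs'
```

Keeping the files timestamped makes it possible to diff two collections taken before and after a rebuild or firmware update, which is usually what support asks for next.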

 

How to gather a Dell DSET report on an ESXi Host Server

Step-by-step process:
1. Install the Dell OpenManage agent on the ESXi host.
2. Install the DSET collector on a remote system that can ping the ESXi host.
3. Run the DSET collector from the remote system.

Install the Dell OpenManage agent on the ESXi host:

ESXi 5.0
This method shows you how to install the agent using the vSphere CLI, which you need to have installed on your PC/server.
You can download it here.
You can also install it using PowerCLI, via the vMA, or using vCenter (Virtual Center).
• You will need to migrate/shut down all VMs and put the host in maintenance mode.
• Using the datastore browser, copy the latest Dell OpenManage offline bundle file to the datastore (currently OM-SrvAdmin-Dell-Web-6.5.0-542907.VIB-ESX50i_A02.zip).
PS: You can find the latest version by going to the Dell Support site and entering the service tag of your Dell server.

Then, via either PuTTY (you will need remote tech support mode enabled) or the console, copy this file to /var/log/vmware

Shut down all VMs and put the host in maintenance mode.
Then open the vSphere CLI and run the command:
esxcli --server <ESXi hostname or IP> software vib install -d /var/log/vmware/<Dell OpenManage file>

You will need to reboot the server.

ESXi 4.1
In the example below we are installing Dell OpenManage 6.3 onto ESXi 4.1.
OpenManage 6.4 has been released. I would recommend logging onto Dell.com and downloading the latest version.
Step 1 – Downloads
You will need to download and install the vSphere CLI:
http://www.vmware.com/support/developer/vcli/
You will also need to download the Dell OpenManage package for ESXi.
I would recommend checking each time you install this, as Dell regularly updates it.
Go to the Dell website, enter your service tag, and get the downloads for ESXi.
Note – there are different packages for ESXi 4.0 and ESXi 4.1.

You should also check that the OEM CIM provider setting is enabled (i.e. set to 1). You can do this in the VI Client by going to the setting shown in the screenshot. If you have changed this value, you need to either reboot the host or restart the management agents for the change to apply.
You can restart the management agents from the ESXi console.

Step 2 – Install
Note – you will need to have the ESXi server in maintenance mode.
This means all VMs must be shut down or migrated to another host.

Launch the vSphere CLI and enter the following command:
vihostupdate.pl --server <your ESXi server's IP> -i -b <directory and filename of download>
(note the double -- before server)

Step 3 – Download OpenManage Server Administrator (optional)
Again from the Dell website, download the latest version of OpenManage Server Administrator. You will want to install this on the (Windows) PC or server you want to administer the ESXi server from.
Once installed (e.g. on your PC), open Server Administrator and log on to the ESXi server as shown in the screenshot.

At the bottom there should be a “Manage Remote Node” option. Select this to connect to the ESXi host.

Install DSET collector

Source:
http://support.dell.com/support/edocs/SOFTWARE/dset/3.2/EN/ug/pdf/ug.pdf

Permanently Installing DSET and Generating Report on Windows Operating System

Before installing DSET, make sure that the installation prerequisites are met.
For more information, see “Installation Prerequisite For Windows Operating System”.

Using GUI For Windows Operating System
To permanently install DSET on Windows operating system:
1. Run the Dell_DSET_(Version Number).exe file.
The Welcome to the Dell System E-Support Tool (3.2) Installation Wizard window is displayed.
2. Click Next.
The License Agreement is displayed.
3. Select I accept the license agreement and click Next.
The Readme Information is displayed.
4. Click Next.
The Installation Type window is displayed.
5. Select Install DSET Components and click Next.
The Select Installation Type window is displayed.
6. Select one of the following options and click Next:
• DSET Collector and DSET CIM Provider (default)
• DSET Collector
• DSET CIM Provider

The Destination Folder window is displayed.
7. Click Browse and select the folder to install DSET or use the default location and click Next.
The User Information window is displayed.
NOTE: The default location for Windows (x86) systems is C:\Program Files\Dell and for Windows (x86_64) systems is C:\Program Files (x86)\Dell.
8. Enter the following:
• Full Name — Enter your full name.
• Organization — Enter your organization information.
9. Click Next.
The Ready to Install the Application window is displayed.
10. Click Next.
The Updating System window is displayed indicating the installation status. After installation, the Dell System E-Support Tool (3.2) has been successfully installed window is displayed.
11. To generate the report and/or upload (optional step):
• Run and Collect DSET Report — Select this option to generate the report.
• At request upload the report to Dell Technical Support — Select this option to upload the report to the Dell Technical Support when requested.
12. Click Finish to close the installer.
DSET is now installed in the local system and if you have performed step 11, the report is also generated and/or uploaded.

Permanently Installing DSET and Generating Report on Linux OS

To permanently install DSET Collector:
NOTE: You must be logged in as root to install DSET Collector.
1. At the Linux shell prompt, run the ./dell-dset-lx(bit)-(Version Number).bin file.
The License Agreement is displayed along with the following message:
Do you agree to the above license terms? (‘y’ for yes | ‘Enter’ to exit).
2. Enter y.
The installation types are displayed.
3. Enter 4 to select Install DSET Collector option.
4. Wait for the installation to complete. The DSET Collector installation completed successfully message is displayed.
DSET Collector is installed in /opt/dell/ by default.

Run DSET Collector from the remote System

On the remote system
To run the report on a remote system, provide the Fully Qualified Domain Name (FQDN) or IP address of the remote system and administrator credentials.
To collect hardware and software information and save it in the specified folder, run the following command:

For Windows
C:\Program Files\Dell\AdvDiags\DSET\bin>
DellSystemInfo.exe -s <IP_ADDRESS> -u <USERNAME> -p <PASSWORD> -d hw,sw -r C:\temp\dset.zip
For Linux
dellsysteminfo -s <IP_ADDRESS> -u <USERNAME> -p <PASSWORD> -d hw,sw -r /opt/dell/myreports/dset.zip
NOTE: The data collected from the ESX/ESXi namespace is less than the data collected from Windows or Linux systems on which the DSET Provider is installed.
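Running DellSystemInfo.exe as shown above puts the password on the command line, where it lands in shell history and is visible to anyone listing processes. The function below is an added example, not from the DSET user guide: it runs the same collector with the same -s/-u/-p/-d/-r switches against a list of ESXi hosts, prompts once for credentials, checks the guide's ping requirement first, and writes one zip per host. The collector path is the guide's default Windows location; the host names and report folder are placeholders.

```powershell
# Added example (not from the DSET user guide): collect DSET reports from
# several ESXi hosts. Host names and the report folder are placeholders.

function Invoke-DsetRemoteCollection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$EsxiHost,
        [string]$Collector = 'C:\Program Files\Dell\AdvDiags\DSET\bin\DellSystemInfo.exe',
        [string]$ReportDir = 'C:\temp\dset-reports',
        [pscredential]$Credential = (Get-Credential -Message 'Account with administrator rights on the ESXi hosts')
    )
    if (-not (Test-Path $Collector)) { throw "DSET collector not found: $Collector" }
    New-Item -ItemType Directory -Force -Path $ReportDir | Out-Null

    # DellSystemInfo.exe only accepts a plaintext -p, so the password is held in
    # memory for the run instead of being typed into the shell history.
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password

    foreach ($h in $EsxiHost) {
        # The guide requires the collector system to be able to ping the ESXi host.
        if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
            Write-Warning "$h does not answer ping; skipping"
            continue
        }
        $zip = Join-Path $ReportDir ('dset-{0}-{1}.zip' -f $h, (Get-Date -Format 'yyyyMMdd-HHmm'))
        & $Collector -s $h -u $user -p $pass -d 'hw,sw' -r $zip
        [pscustomobject]@{
            Host     = $h
            ExitCode = $LASTEXITCODE
            Report   = $zip
            Created  = (Test-Path $zip)
        }
    }
}

# Invoke-DsetRemoteCollection -EsxiHost 'esxi01.lab.local', 'esxi02.lab.local'
```

A non-zero ExitCode with Created set to False usually means the OpenManage agent from the first part of this guide is not installed or the CIM provider is not enabled on that host, which is worth checking before retrying.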

How-To: Install & Assign RDS CALs on Windows 2012 R1/R2


1. Launch Remote Desktop Licensing Manager

2. Right-click the RDS server, click Activate Server

3. From “Welcome to the Activate Server Wizard”, click Next

4. Select the connection method, click Next

5. Enter company information, click Next

6. Enter company information cont., click Next

7. From “Completing the Activate Server Wizard”, check “Start Install Licenses Wizard now”, click Next

8. From “Welcome to the Install Licenses Wizard”, click Next

*Select the license program; there are instructions for both Open Licenses and Retail License Packs.
a. *For Open Licenses (a.k.a. Volume Licenses), the customer will receive an email from Microsoft that includes the Authorization and License numbers.
b. *For Retail License Packs, the customer will receive a card that has a 5×5 product key.

1a. Select “Open License”, click Next

2a. Enter Authorization and License numbers

3a. Select Product version, license type, and populate quantity, click Next

1b. Select “License Pack (Retail Purchase)”, click Next

2b. Enter the 5×5 license code, click Add, click Next

9. From “Completing the Install Licenses Wizard”, click Finish

10. RDS CALs should now be installed

11. Launch Server Manager, click “Remote Desktop Services”

12. Click the “Add” button for RD Licensing

13. Add the RDS server, click Next

14. Click Add

15. Click Close

16. From “Deployment Overview”, select Tasks, click “Edit Deployment Properties”

17. Select “RD Licensing”, select “Per User” or “Per Device”, click OK
*Per User if the customer purchased User CALs
*Per Device if the customer purchased Device CALs

18. Launch RD Licensing Diagnoser
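Steps 11 to 17 (adding the licensing server to the deployment and choosing Per User or Per Device) can also be done with the RemoteDesktop PowerShell module, which is handy when the same setting has to be applied to several deployments. The function below is an added example, not from the original how-to; server names are placeholders, and it is meant to run on the connection broker or on a machine with the RSAT RDS tools.

```powershell
# Added example (not from the original how-to): deployment-side RD Licensing
# configuration with the RemoteDesktop module. Server names are placeholders.

Import-Module RemoteDesktop

function Set-RdsLicensing {
    [CmdletBinding()]
    param(
        [string]$ConnectionBroker = 'rdcb01.example.local',
        [string]$LicenseServer    = 'rdlic01.example.local',
        [ValidateSet('PerUser', 'PerDevice')]
        [string]$Mode = 'PerUser'        # PerUser for User CALs, PerDevice for Device CALs
    )
    # Steps 12 to 15: add the RD Licensing role server if the deployment lacks it.
    $licensing = @(Get-RDServer -ConnectionBroker $ConnectionBroker -Role RDS-LICENSING)
    if ($licensing.Server -notcontains $LicenseServer) {
        Add-RDServer -Server $LicenseServer -Role RDS-LICENSING -ConnectionBroker $ConnectionBroker
    }

    # Steps 16 to 17: Deployment Properties, RD Licensing tab.
    Set-RDLicenseConfiguration -LicenseServer $LicenseServer -Mode $Mode `
        -ConnectionBroker $ConnectionBroker -Force

    # The first thing the RD Licensing Diagnoser reports: configured mode and server.
    Get-RDLicenseConfiguration -ConnectionBroker $ConnectionBroker
}

# Set-RdsLicensing -LicenseServer 'rdlic01.example.local' -Mode PerDevice
```

The mode passed here must match the CAL type that was installed in the wizard earlier (steps 3a and 2b); a mismatch is the most common cause of the Diagnoser reporting that no licenses are available.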