vdcrepadmin to find the replication status and design the Platform Services Controller 6.0

After attending the VMworld PSC session, I wanted to try the vdcrepadmin tool, which shows the replication status between PSCs and lets you redesign the PSC replication topology.

Currently we have three PSCs connected in an in-line fashion, each PSC installed against the previous one, rather than in a hub-and-spoke topology, where every PSC terminates on a central PSC, or a mesh topology, where every PSC replicates with every other PSC.

vdcrepadmin -f showservers displays all of the PSCs in a vSphere domain.

Log in to the appliance shell and change to the directory that holds the tool:

cd /usr/lib/vmware-vmdir/bin

Run this command to list all PSCs in the vSphere domain:

vdcrepadmin -f showservers -h PSC_FQDN -u administrator -w Administrator_Password

The output lists each PSC's name, site and domain. Note that a password passed with -w ends up in the shell history and is visible in the process list while the command runs, so clear the shell history afterwards.

vdcrepadmin -f showpartners displays the replication partners of a PSC.

vdcrepadmin -f showpartners -h PSC_FQDN -u administrator -w Administrator_Password

From the output we can see the partnerships between the PSCs, which were installed in an in-line fashion, each against the previous one:

  • PSC35.* has a replication partnership with PSC36.*
  • PSC36.* has a replication partnership with both PSC35.* and PSC37.*
  • PSC37.* has a replication partnership with PSC36.*

vdcrepadmin -f showpartnerstatus displays the current replication partners of a PSC and the replication status between the two nodes.

Note that showpartnerstatus only reports the partners of the PSC named with -h, so run it against each PSC in turn to get the complete partner list and status.

The output also shows whether the PSC is in sync with each replication partner, together with the current update sequence number (USN). If any partner shows a failure, check /var/log/vmware/vmdird/vmdird-syslog.log on the PSCs involved.

vdcrepadmin -f createagreement creates a replication agreement between PSCs in the same vSphere domain; it cannot link PSCs in different vSphere domains.

In our example we create an agreement between PSC37 and PSC35, so that if PSC36 fails the other two still replicate with each other.

Before creating the agreement, check the current partners:

vdcrepadmin -f showpartners -h PSC_FQDN -u administrator -w Administrator_Password


Use the following command to create a new replication agreement between two PSCs (the -2 option makes the agreement two-way, so each PSC lists the other as a partner):

vdcrepadmin -f createagreement -2 -h Source_PSC_FQDN -H New_PSC_FQDN_to_Replicate -u administrator -w Administrator_Password

With a larger number of PSCs, plan for a mesh topology and build it with createagreement, one agreement per PSC pair. Because of replication timing, it may take from a few seconds to a few minutes for the complete mesh to be configured.
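As an added example, not part of the original post or of VMware's tooling, the following bash script turns the showpartners output collected from each PSC into the list of missing two-way agreements and prints the createagreement commands that would complete a full mesh. The PSC hostnames and the sample partner list are constructed to mirror the three-node chain above; the printed commands reference a PSC_PASS environment variable so the password is never written into the script or its output, although vdcrepadmin still receives it on its command line.

```shell
#!/bin/bash
# Added example: derive the missing PSC replication agreements from showpartners output.
#
# Constructed sample input: one line per PSC, "<psc>: <partner> <partner> ...",
# built from `vdcrepadmin -f showpartners -h <psc> ...` run against every PSC.
# Hostnames are hypothetical; the layout mirrors the in-line chain in the post
# (35 <-> 36 <-> 37, no agreement between 35 and 37).
SAMPLE_PARTNERS='psc35.example.local: psc36.example.local
psc36.example.local: psc35.example.local psc37.example.local
psc37.example.local: psc36.example.local'

# has_partner DATA HOST PARTNER: succeeds if HOST lists PARTNER as a replication partner.
has_partner() {
    printf '%s\n' "$1" | awk -F':' -v h="$2" -v p="$3" '
        $1 == h { n = split($2, arr, " "); for (i = 1; i <= n; i++) if (arr[i] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_agreements DATA: prints "a b" for every unordered PSC pair that is not
# partnered in both directions (a one-way agreement counts as missing).
missing_agreements() {
    local data=$1 hosts a b
    hosts=$(printf '%s\n' "$data" | awk -F':' '{ print $1 }' | sort -u)
    for a in $hosts; do
        for b in $hosts; do
            expr "$a" \< "$b" >/dev/null || continue      # visit each pair once
            if ! has_partner "$data" "$a" "$b" || ! has_partner "$data" "$b" "$a"; then
                printf '%s %s\n' "$a" "$b"
            fi
        done
    done
}

# mesh_commands DATA: prints the createagreement invocations that would close the gaps.
# The password is left as a reference to $PSC_PASS so it never appears in this output;
# vdcrepadmin still receives it on its command line, so clear the history afterwards.
mesh_commands() {
    missing_agreements "$1" | while read -r a b; do
        printf 'vdcrepadmin -f createagreement -2 -h %s -H %s -u administrator -w "$PSC_PASS"\n' "$a" "$b"
    done
}

mesh_commands "$SAMPLE_PARTNERS"
```

Feed it the real partner lists by pasting one "psc: partners" line per PSC, then export PSC_PASS in the session where the printed commands are run.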

vdcrepadmin -f removeagreement removes an agreement with a replication partner.

First check the current partnerships of the specified PSC:

vdcrepadmin -f showpartners -h PSC_FQDN -u administrator -w Administrator_Password 

Use the following command to remove an existing replication agreement between PSCs:

vdcrepadmin -f removeagreement -2 -h Source_PSC_FQDN -H PSC_FQDN_to_Remove_from_Replication -u administrator -w Administrator_Password


References:

VMware KB 2127057

VMworld session INF8225

 

Posted in Install and Configure VMware vCSA 6.0, Platform Services Controller (PSC), VC6.0 Appliance Installation Issue, Vcenter Appliance, vCSA 6.0, VMware

MLAG issue on Cisco UCS servers with an Arista switch

We were trying to configure MLAG on the Arista switch for each uplink group of the Cisco UCS (UCSC-C240-M3s) servers. ESXi 6.0 was installed first, and as soon as we enabled LACP on the dvSwitch the host disconnected and stopped responding to ping; once we disabled the LACP option it came back online. VMware support was involved and asked us to install all the latest firmware, but the issue remained.

As a troubleshooting step we installed Windows on the server, and as soon as we enabled LACP in Windows NIC Teaming the same thing happened: the server disconnected and stopped responding to ping.

Another set of ESXi servers in an HP blade enclosure, with the same MLAG configuration on the Arista switch, was working fine.

We involved Cisco for the server and Arista for the switch. From Cisco we did not get a proper response; the case was eventually escalated to Tier 1 support at Arista, who found that when the Cisco server is configured for trunk mode it sends its LACP frames tagged with a VLAN ID of 0. The version of EOS then running on this switch platform dropped those frames, because it did not accept tagged LACPDUs. When the server is configured as an access port it sends the LACP frames tagged with the specified access VLAN, and even with no default VLAN specified it still sends them tagged with VLAN 0. There seemed to be no way to make the Cisco server send untagged LACP frames the way the HP blade chassis and the Tintri systems already on MLAG do.

We asked the Cisco engineer why the server tags the LACP frames but got no answer, so on Arista's recommendation we upgraded the switch to the latest code, EOS 4.16.7M, which fixed the issue.
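Since the root cause was LACP frames carrying an 802.1Q tag with VLAN ID 0 (a priority tag), here is an added example, not from the original post, that classifies a captured Ethernet frame from its hex dump (the form tcpdump -xx prints) and reports whether an LACPDU is untagged, priority-tagged with VID 0, or tagged with a real VLAN. The frames and the source MAC address are constructed for illustration; a switch that accepts only untagged LACPDUs would drop the last two kinds.

```shell
#!/bin/bash
# Added example: classify a captured Ethernet frame so the "LACP tagged with VLAN 0"
# symptom from the post can be confirmed from a hex dump (tcpdump -xx or pktcap-uw).
# Output: "not-lacp", "untagged-lacp", "priority-tagged-lacp" (802.1Q tag, VID 0)
# or "tagged-lacp vid=N".

# Constructed frames: Slow Protocols multicast DA, hypothetical source MAC, then
# EtherType (or 802.1Q TPID + TCI + EtherType) and the LACP subtype byte 0x01.
FRAME_UNTAGGED='0180c2000002 0025b5aabb01 8809 0101'
FRAME_PRIO_TAGGED='0180c2000002 0025b5aabb01 8100 0000 8809 0101'   # TCI 0x0000: PCP 0, VID 0
FRAME_VLAN100='0180c2000002 0025b5aabb01 8100 0064 8809 0101'       # TCI 0x0064: VID 100
FRAME_IPV4='0180c2000002 0025b5aabb01 0800 4500'                    # not a slow-protocol frame

# hexfield HEX START LEN: LEN hex characters starting at 1-based character offset START
hexfield() { printf '%s' "$1" | cut -c"$2"-"$(( $2 + $3 - 1 ))"; }

classify_lacp_frame() {
    local hex etype payload tci vid
    hex=$(printf '%s' "$1" | tr -d ' \n\t' | tr 'A-F' 'a-f')   # accept spaced/upper-case dumps
    etype=$(hexfield "$hex" 25 4)          # bytes 12-13: EtherType, or 802.1Q TPID 0x8100
    if [ "$etype" = "8100" ]; then
        tci=$(hexfield "$hex" 29 4)        # Tag Control Information: PCP(3) DEI(1) VID(12)
        vid=$(( 0x$tci & 0x0FFF ))
        etype=$(hexfield "$hex" 33 4)      # the real EtherType follows the tag
        payload=$(hexfield "$hex" 37 2)
    else
        vid=''
        payload=$(hexfield "$hex" 29 2)
    fi
    # EtherType 0x8809 is Slow Protocols; subtype 0x01 is LACP (0x02 would be Marker)
    if [ "$etype" != "8809" ] || [ "$payload" != "01" ]; then
        echo not-lacp
        return 0
    fi
    if [ -z "$vid" ]; then
        echo untagged-lacp
    elif [ "$vid" -eq 0 ]; then
        echo priority-tagged-lacp
    else
        echo "tagged-lacp vid=$vid"
    fi
}

for f in "$FRAME_UNTAGGED" "$FRAME_PRIO_TAGGED" "$FRAME_VLAN100" "$FRAME_IPV4"; do
    classify_lacp_frame "$f"
done
```

To check a live capture, paste the hex of one frame destined to 01:80:c2:00:00:02 into classify_lacp_frame; a "priority-tagged-lacp" result on the server's uplink is exactly the condition Arista described.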

Reference :

https://eos.arista.com/vmware-esx-5-arista-lacp-guide/

Posted in Arista MLAG, CISCO UCS Servers, ESXi issue, Windows

Powershell Script to check the DNS Server IPs for the windows 2012 servers in AD.

I was asked to collect the DNS settings for a list of Windows Server 2012 R2 servers in AD in one of our older environments and, if the third octet of the primary DNS server address does not match the production (PRD) range, to send an email to the operations team.

So I wrote a small script with three parts:

1. Get the Windows 2012 servers from AD and export them to a CSV.
2. For each server in the CSV, read the DNS settings from its NIC.
3. Find any primary DNS server whose third octet is not '14' and send an email.

Download the script from the link below.

Dropbox

 

 

Posted in Powershell, Uncategorized, Windows

Active Directory user denied ESXi SSH login – ESXi 6.0 (3620759)

After configuring AD authentication on ESXi 6.0 as per KB 2075361, we were not able to log in to the ESXi shell over SSH with an AD account.

In /var/log/auth.log we noticed the following errors:

pam_access(sshd:auth): access denied for user 

sshd[123225]: [module:pam_lsass]pam_sm_authenticate: failed [error code:40286

KB 2145400 lists this as a known issue and gives a workaround, but that did not help, so we contacted VMware support, who fixed it with the changes below.

1. Copy ldap.conf to /tmp:

cp /etc/likewise/openldap/ldap.conf /tmp

2. Make the copy writable:

chmod +w /tmp/ldap.conf

3. Edit /tmp/ldap.conf and raise the SASL maximum buffer size: replace the line 'SASL_SECPROPS maxbufsize=40960' with 'SASL_SECPROPS maxbufsize=5242880' (5 MB).

4. Save the file.

5. Copy /tmp/ldap.conf back to /etc/likewise/openldap/ldap.conf.

6. Verify that the contents of /etc/likewise/openldap/ldap.conf now show the new value.

7. Restart the Likewise daemon lwsmd:

/etc/init.d/lwsmd restart
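The seven steps above as one shell function, added here as an example rather than taken from VMware support: it backs up ldap.conf, edits it through a temporary copy, verifies the new value before returning, and restarts lwsmd only when the init script is present. It assumes the file carries a single SASL_SECPROPS maxbufsize line, as on this host, and refuses to append a directive if that line is missing.

```shell
#!/bin/bash
# Added example: the ldap.conf change from the steps above as one idempotent function.
# Assumptions: the file contains one "SASL_SECPROPS maxbufsize=<n>" line, as on the
# ESXi 6.0 host in the post; 5242880 (5 MB) is the value VMware support used.
LDAP_CONF=/etc/likewise/openldap/ldap.conf
NEW_MAXBUFSIZE=5242880

# current_maxbufsize CONF: print the maxbufsize currently set (empty if no such line)
current_maxbufsize() {
    sed -n 's/^SASL_SECPROPS[[:space:]]*maxbufsize=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# raise_sasl_maxbufsize CONF NEWSIZE: returns 0 when the file now carries NEWSIZE,
# 2 if the line is absent (edit nothing rather than append a directive blindly)
raise_sasl_maxbufsize() {
    local conf=$1 newsize=$2 cur
    cur=$(current_maxbufsize "$conf")
    if [ -z "$cur" ]; then
        printf 'no SASL_SECPROPS maxbufsize line in %s\n' "$conf" >&2
        return 2
    fi
    if [ "$cur" = "$newsize" ]; then
        return 0                                    # already applied; nothing to do
    fi
    cp "$conf" "$conf.bak"                          # keep the original for rollback
    # write to a temporary copy first, as the post does via /tmp, then move it into place
    sed "s/^\(SASL_SECPROPS[[:space:]]*maxbufsize=\)[0-9]*/\1$newsize/" "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
    [ "$(current_maxbufsize "$conf")" = "$newsize" ]  # step 6: verify the edit took
}

# apply_on_host: the live sequence for the ESXi host; runs only with --apply
apply_on_host() {
    raise_sasl_maxbufsize "$LDAP_CONF" "$NEW_MAXBUFSIZE" || return $?
    if [ -x /etc/init.d/lwsmd ]; then
        /etc/init.d/lwsmd restart                    # step 7: reload Likewise
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_on_host
fi
```

Run it as `sh script.sh --apply` on the host; without the flag it only defines the functions, so it can be sourced and tried against a copy of the file first.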

 

 

Posted in ESXi issue, VMware

Trend Micro Deep Security Manager 9.6 ( service pack 1 upgrade ) – Part 5

See my previous post on the DSM database schema changes that have to be made before upgrading Trend DSM 9.6 to SP1, and the earlier posts on DSM 9.5 and 9.6 installation and functionality.

Download Trend DSM 9.6 SP1 and run the downloaded SP1 installer.

Accept the agreement.

The installer searches for the previous version; select the option to upgrade the existing installation.

Click Next to keep the installation path.

The installer extracts the files in the background and proceeds with the installation.

Click Finish.

Verify by logging in to the DSM console, where the version now shows SP1.

If there is another DSM node, repeat the same steps to upgrade it to SP1.

Posted in Trend Micro Deep Security

Manually updating the Deep Security Manager (DSM) database before upgrading to 9.6 SP1 – Part 4

See my other posts on Trend DSM 9.5 and 9.6. In this post we look at how to manually perform the DSM database schema changes required before upgrading Trend DSM 9.6 to SP1 or the latest patch. These changes are required only for Microsoft SQL Server databases.

Trend provides a tool to make this DB change, but when I tried it in my lab it failed, and in our production environment getting approval to install any tool on the DB server takes a lot of process, so we completed the DSM DB schema changes using the manual method.

Note that it is very important to take a DB backup before this activity.

Download the script package from the Trend link (see the reference below).

Database integrity check

Before proceeding with the steps in the sections below, check the integrity of the Deep Security Manager database:

Log in to SQL Server and select the Deep Security database.

Open the DeepSecurityDatabaseBigintMigrationScriptTableRecoveryCommand.sql script in Notepad and copy its contents into the New Query window.

Change the database name at the top of the script to your DSM database.

Click Parse, then click Execute.

Running the migration script

Take a DB backup and stop the Trend DSM service on all nodes.

Check the table usage and free disk space on the SQL server. Use the DeepSecurityDatabaseBigintMigrationScriptTableSpaceUsageSummary.sql script to get a summary of table space usage.

Go to the unzipped folder and locate the DeepSecurityDatabaseBigintMigrationScript.sql script.

Open the script and change the database name for each tenant. For example, if your database is named DSM95, change the use statement at the top of the script to:

use [DSM95]

In a multi-tenant environment, run the same script against each tenant database.

Once the migration script has completed, the next post covers the DSM SP1 installer upgrade.

Reference:

https://esupport.trendmicro.com/solution/en-us/1112218.aspx

 

Posted in Trend Micro Deep Security

Various options to enable the Telnet client and other methods to check a port

In recent versions of Windows the Telnet client is not enabled by default. This post shows several ways to install it and several ways to check port connectivity without it.

Option 1:

Install it from Add Roles and Features in Server Manager.

Option 2:

Apart from the traditional way, we can install it with PowerShell:

Import-Module ServerManager
Add-WindowsFeature -Name Telnet-Client

Option 3:

dism /online /Enable-Feature /FeatureName:TelnetClient


Option 4:

Download the PowerShell script below and run it on the server.

Dropbox

Option 5:

Install the Telnet client with the package manager (Windows Vista and later only):

C:\> pkgmgr /iu:"TelnetClient"

Next, some options to test a port from the source system to a destination without using telnet.

Option 1:

On Windows, an alternative to installing the Telnet client is to open a socket directly with the System.Net.Sockets.TcpClient class from the .NET Framework:

New-Object System.Net.Sockets.TcpClient("IP", PORT)

An exception means the connection failed; if it succeeds, call .Close() on the returned object so the connection is not left open.

Option 2:

Use the PowerShell script below, which does the same thing.

Dropbox

Option 3:

To make this easier, import the function as a module and use it as a PowerShell cmdlet to test a port:

Import-Module Test-port.psm1

Type Get-Help Test-Port for the syntax:
Test-Port [[-computername] <Object>] [[-port] <Object>]

Test-Port -computername 1.1.1.1 -port 80

Download it from Dropbox; the readme has more information.

Option 4:

On the VMware vCenter Server Appliance, where no telnet client is available, use curl to test port connectivity (KB 2097039 has more details):

curl -v telnet://127.0.0.1:22

A "Connected to" line in the verbose output confirms the TCP connection; "Connection refused" means the port is closed.

Option 5:

Telnet is available only on classic ESX hosts. On ESXi 3.5, 4.x and 5.x you will need to use netcat (nc); KB 2020669 has more details:

nc -z <destination-ip> <destination-port>
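As an added example that is not from the original post, the following shell function wraps the three non-telnet checks into one tcp_port_open HOST PORT [TIMEOUT] helper: it uses nc -z where nc exists (ESXi and most Linux hosts), otherwise curl's telnet:// scheme with a check for the "Connected to" line (the vCenter appliance), and otherwise bash's /dev/tcp redirection. Return codes are 0 for open, 1 for refused or timed out, 2 for bad arguments or no usable client; the hosts and ports at the bottom are placeholders.

```shell
#!/bin/bash
# Added example: one port check that uses whatever the local platform offers.
# Returns 0 if a TCP connection succeeded, 1 if it was refused or timed out,
# 2 on bad arguments or when no usable client exists.
tcp_port_open() {
    local host=$1 port=$2 timeout=${3:-3} rc
    case $port in
        ''|*[!0-9]*) printf 'usage: tcp_port_open HOST PORT [TIMEOUT_SECONDS]\n' >&2; return 2 ;;
    esac
    if command -v nc >/dev/null 2>&1; then
        # -z: connect only, send nothing (KB 2020669); -w: bound the wait in seconds
        nc -z -w "$timeout" "$host" "$port" >/dev/null 2>&1 && rc=0 || rc=1
    elif command -v curl >/dev/null 2>&1; then
        # KB 2097039: the "Connected to" line in curl's verbose output proves the TCP
        # handshake completed; curl's exit status alone is not reliable for telnet://
        if curl -s -v -m "$timeout" "telnet://$host:$port" </dev/null 2>&1 | grep -q 'Connected to'; then
            rc=0
        else
            rc=1
        fi
    elif [ -n "$BASH_VERSION" ]; then
        # bash's /dev/tcp redirection needs no external tool; busybox ash on ESXi lacks it
        if command -v timeout >/dev/null 2>&1; then
            timeout "$timeout" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1 && rc=0 || rc=1
        else
            bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1 && rc=0 || rc=1
        fi
    else
        printf 'no nc, curl or bash available to test %s:%s\n' "$host" "$port" >&2
        return 2
    fi
    return $rc
}

# report_ports HOST PORT...: one "host:port open|closed" line per port
report_ports() {
    local host=$1 port
    shift
    for port in "$@"; do
        if tcp_port_open "$host" "$port"; then
            printf '%s:%s open\n' "$host" "$port"
        else
            printf '%s:%s closed\n' "$host" "$port"
        fi
    done
}

# placeholder target: check SSH and HTTPS on the local host
report_ports 127.0.0.1 22 443
```

Because the function only reports success when the TCP handshake completes, a "closed" result for a port that is known to be listening points at a firewall or routing problem between the two systems rather than at the service.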

References:

http://powershell.com/cs/blogs/tips/archive/2016/01/26/enabling-telnet-client-and-watching-star-wars.aspx?utm_content=buffer46e94&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2097039

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2020669

http://www.travisgan.com/2014/03/use-powershell-to-test-port.html

 

Posted in ESX command, ESXi Tools, Powershell, VMware, Windows