VM Zombies

May 20, 2012 14:20 michael

Installing the vSphere Command-Line Interface tool

The vSphere Command-Line Interface (vCLI) is used in parts of this article. Ensure that it is installed before you proceed.

For ESXi 3.5 hosts, see Remote CLI Installation and Execution in the Remote Command-Line Interface Installation and Reference Guide.
For ESXi 4.0 hosts, see vSphere CLI Installation, Execution, and Command Overviews in the vSphere Command-Line Interface Installation and Reference Guide.
For ESXi 4.1 hosts, see the vSphere Command-Line Interface Installation and Scripting Guide.
For ESXi 5.0 hosts, see http://www.vmware.com/support/developer/vcli/.
Note: The Remote Command-Line Interface can be accessed from the vSphere Management Assistant (vMA) for ESXi 4.x and ESXi 5.0. If it is your preference to use this tool, see Installing vMA and Running Commands from vMA in the vSphere Command-Line Interface Installation and Reference Guide.

Determining the virtual machine’s location

Determine the host on which the virtual machine is running. This information is available in the virtual machine’s Summary tab in VI Client. Subsequent commands will be performed on, or remotely reference, the ESXi host where the virtual machine is running.

Using the ESXi 5.0 esxcli command to power off a virtual machine

The esxcli command can be used locally or remotely to power off a virtual machine running on ESXi 5.0. For more information, see the esxcli vm Commands section of the vSphere Command-Line Interface Reference.

Open a console session where the esxcli tool is available, either in the ESXi Shell, the vSphere Management Assistant (vMA), or the location where the vSphere Command-Line Interface (vCLI) is installed.

Get a list of running virtual machines, identified by World ID, UUID, Display Name and path to the .vmx configuration file, using this command:

esxcli vm process list

Power off one of the virtual machines from the list using this command:

esxcli vm process kill --type=[soft,hard,force] --world-id=WorldNumber

Note: Three power-off methods are available. Soft is the most graceful, hard performs an immediate shutdown, and force should be used as a last resort.

Repeat step 2 and validate that the virtual machine is no longer running.

Using the ESXi command-line utility vim-cmd to power off the virtual machine

On the ESXi console, enter Tech Support mode and log in as root. For more information, see Tech Support mode for Emergency Support (1003677).
Get a list of all registered virtual machines, identified by their VMID, Display Name, and path to the .vmx configuration file, using this command:

vim-cmd vmsvc/getallvms

To get the current state of a virtual machine, run:

vim-cmd vmsvc/power.getstate VMID

Power off the virtual machine using the VMID found in Step 2 and run:

vim-cmd vmsvc/power.off VMID

Note: If the virtual machine fails to power off, use the following command:

vim-cmd vmsvc/power.shutdown VMID

Sending signals on ESXi to power off the virtual machine

A virtual machine can be halted from the command line by sending signals to the process.

Warning: This procedure is potentially hazardous to the ESXi host. If you do not identify the appropriate process id (PID), and kill the wrong process, it may have unanticipated results. If you are not comfortable with the following procedure, contact VMware Technical Support and open a Service Request. Please refer to this article when you create the SR.

In ESXi 3.5-5.0, you can use the kill command to send a signal to, and terminate, a running virtual machine process.

On the ESXi console, enter Tech Support mode and log in as root. For more information, see Tech Support mode for Emergency Support (1003677).
To determine if the virtual machine process is running on the ESXi host, run this command:

ps | grep vmx

The output appears similar to:

7662 7662 vmx /bin/vmx
7667 7662 vmx /bin/vmx
7668 7662 mks:VirtualMachineName /bin/vmx
7669 7662 vcpu-0:VirtualMachineName /bin/vmx

Several rows are returned, one for each process belonging to a vmx. Identify the parent vmx process for the target virtual machine: the first column contains the PID of each process and the second column contains the PID of its parent (7662 in the example above, where the parent is the row whose PID and parent PID are the same). Ensure you terminate only the parent process. Take note of this number for use in the following steps.

Caution: Ensure that you identify the line specific only to the virtual machine you are attempting to repair. If you continue this process for a virtual machine other than the one in question, you can cause downtime for the other virtual machine.

If the vmx process is listed, terminate the process using this command:

kill ProcessID

Wait 30 seconds and repeat step 1 to check for the process again.
If it is not terminated, run this command:

kill -9 ProcessID

Wait 30 seconds and check for the process again.
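The parent-PID check and the kill / wait / kill -9 escalation above, as an added shell example that is not part of the original article. It assumes the four-column ps layout shown above and the busybox awk available in the ESXi Shell; the VM names and world IDs in SAMPLE_PS are constructed, and list_vmx, send_signal and pause are assumed helper names wrapping the real commands.

```shell
#!/bin/sh
# Added example, not part of the original article. Picks out the parent vmx
# world for ONE named VM from "ps | grep vmx" output on ESXi (the four-column
# layout shown above is assumed), refuses to guess when the match is
# ambiguous, then applies the kill / wait / kill -9 escalation the article
# describes. "web01", "web01-old" and the world IDs are constructed samples.

SAMPLE_PS='7662 7662 vmx /bin/vmx
7667 7662 vmx /bin/vmx
7668 7662 mks:web01 /bin/vmx
7669 7662 vcpu-0:web01 /bin/vmx
8101 8101 vmx /bin/vmx
8105 8101 mks:web01-old /bin/vmx'

# On a host these run the real commands; they are functions so the listing
# and the signal delivery can be swapped out for a dry run.
list_vmx() { ps | grep vmx; }
send_signal() { kill "$@"; }    # send_signal [-9] PID
pause() { sleep 30; }

# find_parent_vmx_pid NAME PS_OUTPUT -> prints the parent world ID of NAME
# exit 1: no row for NAME, 2: NAME maps to several parents, 3: parent row absent
find_parent_vmx_pid() {
    name=$1; ps_out=$2
    # Column 3 is "role:VMname"; compare the whole name after the colon so
    # "web01" does not also select "web01-old".
    parents=$(printf '%s\n' "$ps_out" |
        awk -v n="$name" '{ split($3, f, ":"); if (f[2] == n) print $2 }' | sort -u)
    [ -n "$parents" ] || return 1
    [ "$(printf '%s\n' "$parents" | awk 'END { print NR }')" -eq 1 ] || return 2
    # The parent is the row whose own ID equals the parent ID ("7662 7662 vmx").
    printf '%s\n' "$ps_out" |
        awk -v p="$parents" '$1 == p && $2 == p { ok = 1 } END { exit !ok }' || return 3
    printf '%s\n' "$parents"
}

# parent_running PID -> succeeds while the parent world is still listed
parent_running() {
    list_vmx | awk -v p="$1" '$1 == p && $2 == p { ok = 1 } END { exit !ok }'
}

# stop_vm NAME: plain kill first, kill -9 only if the world survives the wait.
# exit 0 stopped, 4 still running after kill -9, 1-3 as for find_parent_vmx_pid
stop_vm() {
    pid=$(find_parent_vmx_pid "$1" "$(list_vmx)") || return $?
    send_signal "$pid"
    pause
    parent_running "$pid" || return 0
    send_signal -9 "$pid"
    pause
    parent_running "$pid" && return 4
    return 0
}

# Dry run against the constructed sample; on a host you would call stop_vm NAME.
find_parent_vmx_pid web01 "$SAMPLE_PS"    # prints 7662
```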

In ESXi 4.1-ESXi 5.0, you can use the k command in esxtop to send a signal to, and kill, a running virtual machine process.

On the ESXi console, enter Tech Support mode and log in as root. For more information, see Tech Support mode for Emergency Support (1003677).
Run the esxtop utility using this command:

esxtop

Press c to switch to the CPU resource utilization screen.
Press f to display the list of fields.
Press c to add the column for the Leader World ID.
Identify the target virtual machine by its Name and Leader World ID (LWID).
Press k.
At the World to kill prompt, type in the Leader World ID from step 6 and press Enter.
Wait 30 seconds and validate that the process is no longer listed.

Windows 2008 Core

April 21, 2012 13:26 michael

Implementing Windows Server Core 2008 R2 Domain Controllers

Implementing a Windows Server 2008 R2 Core Domain Controller into an existing Active Directory Forest is not a daunting task in itself but requires changes in the way many Administrators approach the installation and configuration of the base Windows installation.

Here we will go through common configuration steps for integrating Windows Server 2008 R2 Core into an existing corporate Active Directory.

Domain Controllers are prime candidates for Server Core. They provide a smaller OS surface area, which in theory at least should mean fewer vulnerabilities are exposed to possible malicious attacks. This means fewer critical hotfixes released by Microsoft need to be installed on Server Core, which can reduce the frequency of maintenance cycles and the accompanying reboots. Microsoft estimate that, had there been a Server Core edition of Windows Server 2003, it would have required 40% fewer patches than the Gui edition.

As this is a large post it has been split into sections:

Section 1 – Prepare Existing Windows 2000/2003 AD
Section 2 – Configure Windows Server 2008 R2 Core
Section 3 – DCPromo and post DCPromo tasks

Pre-Requisites

Many organisations today still run Windows XP as the standard desktop OS. This is an issue for administrators who support existing AD environments using the Adminpak supplied with Windows 2003: the tools in the Windows Server 2003 Adminpak do not work seamlessly with Windows Server 2008, and the RSAT (Remote Server Administration Tools, the Adminpak replacement for Windows Server 2008) will not run on XP. The RSAT delivered with Windows Server 2008 R1 runs only on Windows Vista desktops, whilst the RSAT delivered with R2 runs only on Windows 7. The RSAT can be installed on a Gui based Windows 2008 server by installing the RSAT feature.

ADPrep needs to be run for both the forest and the individual domain where the Windows Server 2008 R2 Domain Controller will be installed.

Section 1 – Prepare Existing Windows 2000/2003 AD

The ADPrep in Windows Server 2008 adds the RODC (Read Only Domain Controller) ADPrep to the traditional forest and domain ADPreps. In short, a RODC contains read-only partitions of the Active Directory database. Common deployments of RODCs are in branch offices where physical security cannot be guaranteed; benefits offered include improved security, user credential caching (meaning faster logon times) and more efficient access to resources on the network. More information on RODCs can be found here. The RODC ADPrep is run once at the forest level.

ADPrep is located on the Windows Server 2008 R2 DVD in the Support\adprep directory; adprep.exe is the 64 bit version and adprep32.exe is the 32 bit version of the tool. Ensure the command prompt has been started using "Run As Administrator" if running on Windows Vista, Windows 7 or Windows Server 2008.

Forest ADPrep

The forest ADPrep requires that the logged in user is a member of the Enterprise Admins and Schema Admins groups as well as being a Domain Admin for the domain containing the forest's Schema Master. The forest ADPrep must be run on the Domain Controller holding the AD forest's Schema Master FSMO role. To identify the FSMO roles, at a command prompt (on any Domain Controller in the forest) enter:

netdom query fsmo

To run the forest ADPrep enter the following from the /support/adprep DVD directory:

adprep /forestprep

Once completed, allow time for the changes to replicate across the entire AD forest before ADPrep'ing any domains in the forest.

Domain ADPrep

The domain ADPrep requires that the logged in user is a member of the domain's Domain Admins group. The domain ADPrep must be run on the Domain Controller holding the domain's Infrastructure Master FSMO role (see Forest ADPrep on how to identify FSMO roles). To run the domain ADPrep enter:

adprep /domainprep /gpprep

Once completed, allow time for the changes to replicate across the entire AD forest before installing any new Domain Controllers in the domain.

RODC ADPrep

The RODC ADPrep can be run on any computer in the Active Directory forest and must be able to access all AD infrastructure to run successfully. In firewalled/isolated environments it is important to choose a suitable computer on which to run the RODC ADPrep. The user performing the RODC ADPrep must be a member of the Enterprise Admins group. From the /support/adprep directory on the Windows Server 2008 R2 DVD enter:

adprep /rodcprep

Once completed, allow time for the changes to replicate across the entire AD before installing a RODC.

Section 2 – Configure Windows Server 2008 R2 Core

We will now go through the steps to introduce a first Windows Server 2008 R2 Core Domain Controller into an existing Active Directory forest (for reference, a forest and domain at the Windows 2003 R2 functional level). Ordinarily most of the steps detailed for configuring Windows Server 2008 R2 Core are included in the server provisioning process. Interactively, the sconfig utility is available in R2: a text based menu system that can be run from the console command prompt and allows a number of system settings, such as TCP/IP network configuration, to be made.

Detailed below are the command lines that can be included in an automated provisioning environment, a post installation script or typed directly from the console command prompt.

To identify the features that are enabled (and disabled) on Windows Server Core, enter:

dism /online /get-features

Install Powershell 2.0

I advocate using PowerShell as the tool of choice for managing Windows (and VMware) environments. To enable PowerShell the dotNet Framework version 2 and version 3/3.5 must first be enabled. (note: dotNet 3.0 and 3.5 are contained within a single feature). In addition on a Windows Server 2008 R2 DC the Active Directory PowerShell cmdlets module can be enabled allowing a more straightforward approach to AD Powershell similar to the Quest PowerShell Commands for Active Directory used by many Administrators.

dism /online /enable-feature /featurename=NetFx2-ServerCore
dism /online /enable-feature /featurename=NetFx3-ServerCore
dism /online /enable-feature /featurename=MicrosoftWindowsPowerShell
dism /online /enable-feature /featurename=ActiveDirectory-PowerShell

Powershell 2.0 WOW64 Support (Optional)

If WOW64 (32bit) support is required additional features need to be enabled.

dism /online /enable-feature /featurename=NetFx2-ServerCore-Wow64
dism /online /enable-feature /featurename=MicrosoftWindowsPowershell-Wow64

Install DNS Server

If the Domain Controller will also be configured as a DNS Server, as they often are, the DNS-Server-Core-Role can be added using the following command (DNS Server can also be installed as part of the DCPromo):

dism /online /enable-feature /featurename=DNS-Server-Core-Role

Network Configuration

Assuming the Windows Server Core instance has a single interface using the logical name "Local Area Connection", first disable any other network cards by running the following command for each disconnected network connection:

netsh interface set interface "Local Area Connection 2" DISABLE

Configure the IP address, subnet mask and default gateway:

netsh interface ipv4 set address name="Local Area Connection" static 172.24.32.10 255.255.255.0 172.24.32.1

Configure the DNS servers for the network connection. In this instance three DNS servers are specified; ensure that the server is configured to point at existing DNS servers that hold the AD SRV records.

netsh interface ipv4 set dns name="Local Area Connection" static 172.24.32.4
netsh interface ipv4 add dns name="Local Area Connection" 172.24.32.5 index=2
netsh interface ipv4 add dns name="Local Area Connection" 172.24.22.8 index=3

To disable NetBIOS over TCP/IP, first identify the adapter's index number using:

wmic nicconfig get caption,index,TcpipNetbiosOptions

then set the required NetBIOS over TCP/IP value on each NIC using one of the following values:

0 – Use NetBIOS setting from DHCP
1 – Enable NetBIOS over TCP/IP
2 – Disable NetBIOS over TCP/IP

wmic nicconfig where index=1 call SetTcpipNetbios 2

In the above example, index=1 is the index number returned for "Local Area Connection" by the earlier command.

Configure the primary DNS suffix, whether the suffix should change if domain membership changes, and the DNS suffix search list:

reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d "ad.mydomain.com"
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v "NV Domain" /t REG_SZ /d "ad.mydomain.com"
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v "SyncDomainWithMembership" /t REG_DWORD /d 1
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v "SearchList" /t REG_SZ /d "ad.mydomain.com,mydomain.com,os.mydomain.com"

Optionally a NIC configuration can be backed up and restored using netsh. The following commands perform a backup and then a restore; this is useful if you wish to import a configuration instead of running many individual netsh commands.

netsh -c interface dump > c:\backup.txt
netsh -f c:\backup.txt

Configure Time Zone

To list the time zone names used by the time zone configuration utility run:

tzutil /l

then configure the time zone using one of the zone names. "_dstoff" can be appended to a zone name to have Daylight Saving Time disabled; the default enables Daylight Saving Time. To configure for GMT with DST switched off:

tzutil /s "GMT Standard Time_dstoff"

Rename Computer

If the server was given a temporary name during provisioning, it can be renamed using:

netdom renamecomputer /newname:

Diskpart to Create the NTDS/SYSVOL and Log Partitions

To create on Disk 0 a D: drive 50GB in size, an E: drive of 16GB and an F: drive using the remaining free space:

diskpart
select disk 0
list partition
create partition primary size=50000
list partition
select partition 3
assign letter=D
format FS=NTFS LABEL="DDrive" QUICK
create partition extended
list partition
select partition 0
create partition logical size=16000
assign letter=E
format FS=NTFS LABEL="EDrive" QUICK
create partition logical
assign letter=F
format FS=NTFS LABEL="FDrive" QUICK
list part
exit

The above can be saved as a text file and run using:

diskpart /s

Once created, view the partitions using:

diskpart
list part
exit

Something similar to the following should be displayed:

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           8144 KB  16 KB
  Partition 2    Primary           124 GB   8160 KB
  Partition 3    Primary           48 GB    125 GB
  Partition 0    Extended          105 GB   173 GB
  Partition 4    Logical           15 GB    173 GB
* Partition 5    Logical           89 GB    189 GB
Be sure to have rebooted to make all the above settings stick before proceeding further.

Section 3 – DCPromo and Post Promotion Configuration

Promoting a Windows Server Core instance to a Domain Controller must be done using an unattend answer file, because Windows Server Core does not support the DCPromo Gui wizard. If a problem is encountered running DCPromo, be aware that DCPromo removes all passwords from the unattend answer file, including where "prompt for password" has been set by giving the password value "*". Before re-running DCPromo the unattend file must be edited to restore the values in the password fields. In the following templates the affected fields are:

DNSDelegationPassword=*
Password=*
SafeModeAdminPassword=Password1
AdministratorPassword=Password1

All DC configuration scenarios available when running DCPromo in Gui mode are supported using an unattend answer file (creating a new forest, creating a new domain, removing the last Domain Controller in a domain, etc.). As this posting is targeted at introducing a Server Core DC into an already running Active Directory forest, only adding a new DC to an existing domain and removing a DC from a domain (in the event a fallback is required!) are covered.

DC Promote Unattend Template

This template contains the parameters for adding a DC to an existing domain. Details of parameters used in DCPromo unattend files can be found in MS KB947034. A DCPromo unattend file can be created by running and completing the DCPromo wizard on an existing Gui Windows server. In the final step of the wizard an export button is displayed, use this to export the unattend file and simply cancel the wizard so the DCPromo is not run. The saved unattend file can be edited in a text editor and used for running DCPromo in unattend mode.

; S Coney 01/2010 DC Promote
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=ad.mydomain.com
SiteName=ADSite1
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=Yes
DNSDelegationUserName=admydomainstuartconey
DNSDelegationPassword=*
UserDomain=ad.mydomain.com
UserName=admydomainstuartconey
Password=*
ReplicationSourceDC=dc2.ad.mydomain.com
DatabasePath="D:\NTDS"
LogPath="E:\NTDS"
SYSVOLPath="D:\SYSVOL"
SafeModeAdminPassword=Password1
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
; RebootOnCompletion=Yes

* substitute Password1 with your standard Safe Mode Password

In the above example, the InstallDNS=Yes line will install the DNS Server service. The default for installing DNS depends on the environment detected when DCPromo is run. MS KB947034 describes in detail all DCPromo unattend parameters.

DC Demote Unattend Template

This template demotes a running DC back to member server.

; S Coney 01/2010 DC Demote
[DCInstall]
UserName=admydomainstuartconey
password=*
administratorpassword=Password1
removeapplicationpartitions=yes
removeDNSDelegation=yes
DNSDelegationUserName=admydomainstuartconey
DNSDelegationPassword=*

* substitute Password1 with your standard local Administrator Password

For Domain Controllers Located Behind Firewalls

In environments where domain controllers are separated from other domain controllers or member servers by firewalls it is possible to configure FRS and RPC traffic to use specific ports. Microsoft has the following document and KBs covering this issue.

MS Active Directory in Networks Segmented By Firewalls (Word Document)
MS KB224196, Restricting Active Directory replication traffic to a specific port
MS KB319553, How to restrict FRS traffic to a specific static port
MS KB154596, How to configure RPC dynamic port allocation to work with firewalls

In summary, the following registry settings are used to set the ports used by the Active Directory, FRS and RPC services.

Port used for Active Directory replication:

Key: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)

Port used for client RPC traffic:

Key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: (available port)

Port used by FRS:

Key: HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
Registry value: RPC TCP/IP Port Assignment
Value type: REG_DWORD
Value data: (available port)

RPC dynamic port range:

Key: HKLM\SOFTWARE\Microsoft\Rpc\Internet
Ports: REG_MULTI_SZ: 5000-5100
PortsInternetAvailable: REG_SZ: Y
UseInternetPorts: REG_SZ: Y

The above registry settings can be applied on Server Core using regedit /s filename. Here is an example regedit file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000422a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DCTcpipPort"=dword:0000422b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters]
"RPC TCP/IP Port Assignment"=dword:0000411c

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):35,00,32,00,30,00,30,00,2d,00,35,00,33,00,30,00,30,00,00,00,00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
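An added example, not from the original post, that generates the regedit file above from plain port numbers so the hex(7) value does not have to be hand-built. It assumes a POSIX shell with printf and cut (run it wherever the file is prepared, then copy it to the Server Core host); reg_multi_sz and rpc_ports_reg are assumed helper names, and the encoding it produces for 5200-5300 matches the bytes in the example above.

```shell
#!/bin/sh
# Added example, not from the original post. regedit stores REG_MULTI_SZ as
# hex(7): each string as UTF-16LE bytes (XX,00 per ASCII character), 00,00
# after each string and a final 00,00 closing the list. The port numbers
# used at the bottom are the same sample values as the article's .reg file.

# reg_multi_sz STRING... -> the hex(7):... value for those strings (ASCII only)
reg_multi_sz() {
    out=""
    for s; do
        i=1
        while [ "$i" -le "${#s}" ]; do
            c=$(printf '%s' "$s" | cut -c"$i")
            out="$out$(printf '%02x' "'$c"),00,"    # one UTF-16LE code unit
            i=$((i + 1))
        done
        out="${out}00,00,"                            # string terminator
    done
    printf 'hex(7):%s00,00\n' "$out"                  # list terminator
}

# rpc_ports_reg NTDS_PORT NETLOGON_PORT NTFRS_PORT RANGE -> regedit file text
# Ports are decimal; dword values are written as 8 hex digits as regedit expects.
rpc_ports_reg() {
    printf 'Windows Registry Editor Version 5.00\n\n'
    printf '[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters]\n'
    printf '"TCP/IP Port"=dword:%08x\n\n' "$1"
    printf '[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters]\n'
    printf '"DCTcpipPort"=dword:%08x\n\n' "$2"
    printf '[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTFRS\\Parameters]\n'
    printf '"RPC TCP/IP Port Assignment"=dword:%08x\n\n' "$3"
    printf '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Internet]\n'
    printf '"Ports"=%s\n"PortsInternetAvailable"="Y"\n"UseInternetPorts"="Y"\n' \
        "$(reg_multi_sz "$4")"
}

# 16938 = 0x422a, 16939 = 0x422b, 16668 = 0x411c: the values in the example above
rpc_ports_reg 16938 16939 16668 5200-5300
```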

DNS Server Final Configuration

If the Windows Server Core Domain Controller is running DNS Server all AD integrated zones that are configured to “replicate to all DNS servers in the Domain” or “replicate to all DNS servers in the forest” will be synchronized to the DC. The DNS Server can be configured further, (for example configuring forwarding rules) using DNS Server Management MMC snap-in on either a Windows Server 2008 or Windows 7 (RSAT). One time saving new feature in Windows Server 2008 DNS Server is to set the Conditional Forwarding rules for a DNS server and request that they are replicated to all DNS servers in the Domain.

The dnscmd command line utility also offers comprehensive management of the DNS Server on Windows Server Core.

…and finally, if the new Windows Server Core DC is a replacement for an existing DC that will be decommissioned, remember to update GPOs containing DNS Server IP address assignments to Member Workstations and Servers in the forest.

VMWare 1714 Error

April 21, 2012 13:24 michael

1) Search the registry for vmware tools.msi and delete the subkey that appears in the search with the vmware tools.msi info inside, similar to:
[HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\8E24D35BB278E034284D0860A513CF1E]
Replace the last key with the one you have in your environment; the folder name may be different.
2) Try running setup.exe from the D: drive which holds the VMware Tools installation setup files.
3) Finish the installation and restart the virtual machine.
4) If the above doesn't work, try installing the tools with the following command:
msiexec.exe /i "VMware Tools.msi" /qf REINSTALLMODE=vamus REINSTALL=ALL REBOOT="ReallySuppress"

SAMBA AD

March 22, 2012 13:39 michael

http://itscblog.tamu.edu/joining-samba-to-a-windows-2008-r2-domain/

http://www.theangel.net/notes/docs/samba.pdf

Windows 2008 R2 PDC Time Role

March 19, 2012 09:46 michael

W32tm /config /syncfromflags:manual /manualpeerlist:"
W32tm /config /reliable:yes
W32tm /config /update
W32tm /resync
Net stop w32time
Net start w32time