vami_config_net To Change VCSA Hostname

After reading the title of this article I’m sure you’re saying, ‘You can’t change VCSA hostname.  You have to redeploy.’  That is what I was told and all the documentation I have read says you have to redeploy.  Well it is not true.  With that said here is your warning about mucking with the VCSA configuration.  Don’t do it!  Unless you are working in your test environment and you came across a ‘workaround’ that you wanted to try.  I still wouldn’t recommend using this ‘workaround’ in your production environment without extensive testing and upon recommendation from VMware Support.

Why did I need to change the hostname in my test lab?  I applied 6.5 U1 to the VCSA in my test lab.  I then checked the VCSA and saw that the hostname was changed to ‘localhost’ and AD authentication was broken.  It also broke ssl certificates.  I was getting ready to redeploy the VCSA when I came across this ‘workaround’ and I gave it a try.  It worked great.

Change VCSA 6.5 U1 Hostname with vami_config_net

The ‘workaround’ is  really a built in utility called vami_config_net. The full name of this utility is configure-network command-line utility. Here is what the utility looks like in use with relevant configuration names blacked out.  

Shows vami_config_net command
vami_config_net
shows Main Menu for vami_config_net
vami_config_net Main Menu
show Current Configuration in vami_config_net
vami_config_net Current Configuration
shows Hostname vami_config_net
vami_config_net Hostname

Option # 3 will prompt with ‘New hostname’ and show the current hostname.  I made this change in my test lab and it did not require a reboot to start working.  However, I made this change after the VCSA had lost domain trust.  I had to take the VCSA completely out of the domain, delete the computer object, and join it to the domain again.  The VCSA is working wonderfully once more.

If I had tried to change the ip address it would have failed without changing the dns to reflect this before making the change.  In this very limited use case vami_config_net worked because I changed the hostname back to the original name. I would not have faith in using this utility to just to change from one hostname to a completely different hostname until I have tested further.

More info on vami_config_net

Allocate a static IP address to the VMware vCenter Server Appliance (VCSA)

How to “fix” VCSA IP settings from command line.

Automating VCSA Network Configurations For Greenfield Deployments

Let me know if this article helps you.  Please share your experiences with vami_config_net.  I look forward to hearing from you!

shows silhouette with working gears for a brain

 

Changing vCenter Default Domain

One of the less annoying things I encounter on a daily basis is the wrong default domain on my vCenter appliance. Changing the vCenter default domain is necessary in my environment because the empty-root domain is default. Our main domain where all of our user accounts reside is a sub-domain of the empty-root domain. That means that you can’t just login with your normal credentials without using the domain\username or username@domain.com formats. This isn’t a large problem but anything that speeds up my day is always appreciated.

It turns out that this is a known problem for users in a child domain where the vCenter has been upgraded from version 5.5.0 to 5.5.0b or later.  In my case the users can login still if they put the domain prefix as part of their login.  I just don’t want to have to worry about that especially for those in our enterprise that can’t figure out how to login by using a domain prefix.

Resolution

To change the behavior of the identity source, the default domain can be changed on the Single Sign-On (SSO) server from the domain that was created during the upgrade.

Windows-based Single Sign-On (SSO)

Connect to the machine that is running the SSO instance.
Create the defaultdomain.ldif file containing this information using a plain text editor:

dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
changetype: modify
replace: vmwSTSDefaultIdentityProvider
vmwSTSDefaultIdentityProvider: example.com

Note: Replace example.com with the desired default domain from your environment. Contents of .ldif file should be terminated with “-” .

As an Administrator, click Start > Run, type cmd and then click OK.
Run C:\>ldifde command to confirm that the ldifde tool is available. This list returns a list of available commands.
If the tool is not present, install it by running this command:

C:\>ServerManagerCmd -i RSAT-ADDS-Tools

For Windows 2012 run this powershell command:

Install-WindowsFeature RSAT-ADDS

Run this command to update the default domain:

C:\>ldifde -i -f filepath\defaultdomain.ldif -s localhost -t 11711 -a “cn=Administrator,cn=Users,dc=vsphere,dc=local” *

 

When prompted, enter the Administrator@vsphere.local Single Sign-On (SSO) password.
The command should complete successfully.

VMware vCenter Server Appliance with local Single Sign-On (SSO)

Connect to the machine that is running the SSO instance.
Create the defaultdomain.ldif file containing this information using a plain text editor:

dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
changetype: modify
replace: vmwSTSDefaultIdentityProvider
vmwSTSDefaultIdentityProvider: example.com

Note: Replace example.com with the desired default domain from your environment. Contents of .ldif file should be terminated with “-” .

Open a console to the vCenter Server Appliance.
Run this command to update the default domain:

/opt/likewise/bin/ldapmodify -f filepath/defaultdomain.ldif -h localhost -p 11711 -D “cn=Administrator,cn=Users,dc=vsphere,dc=local” -W

 

Enter the Administrator@vsphere.local SSO password.
The command should complete successfully.

 

Here is the link to kb2070433  if you would like to read the full article for yourself. It is a trivial change to fix a trivial problem but I am glad to say it works like a charm.

Killing SSLv3 Tip

This week brought another unusual problem. We have a multi-domain environment that includes 2 different active directory forests with a trust. Like most of the world we have disabled SSLv3 on desktops as well as servers to prevent SSLv3 connections but this was only done completely in our main active directory domain. Everything has been working fine until this week.   Over the weekend a new change was introduced to the environment in the form of a new sha2 certificate for domain controllers in the other active directory domain. Once this change was implemented user accounts from the other domain would no longer authenticate for our Horizon View vCenter.

Settings were checked and the LDAPs identity source was identical on both our vCenters in our main domain but one did not work. Certificate stores were checked and they both had the relevant certificates.  After digging further there was one difference between the 2 vcenter servers concerning SSL.

Look under vCenter Server Settings.

SSLv3-SS1

There is a setting located under Advanced Settings called SSL.Version.

SSLv3-SS2

Choose TLSv1 to completely stop vCenter from trying to communicate over SSLv3.

SSLv3-SS3