Milestone 4.1 - AD LDAPS SSO Provider

This milestone details the configuration of LDAPS as an SSO provider for vCenter, provided by AD on our Domain Controller.

Install AD Certificate Authority

On the Domain Controller, the following PowerShell commands install the AD Certificate Services role and configure it as an Enterprise Root CA:

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA

Once the installation is complete, restart the Domain Controller so that the DC is issued its certificate and LDAPS becomes available (the certificate can then also be retrieved with the openssl client).

The installation can be verified by ensuring TCP port 636 (LDAPS) is listening:

PS C:\Users\reed-adm> netstat -ano | findstr 636
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       648
  TCP    [::]:636               [::]:0                 LISTENING       648

Add vCenter to Domain

Once LDAPS is running on the DC, open vCenter and navigate to the top-left hamburger menu > Administration. In the menu that appears, select Single Sign On > Configuration.

Within the resultant Identity Provider tab, select Active Directory Domain, then “JOIN AD”. Specify the domain (e.g. REED.LOCAL), and a domain administrator username and password.

Once complete, restart the vCenter node. This can be done as follows:

  • Access the vCenter Server Management Interface at https://<IP>:5480.
    • Log in as the vCenter root user.
    • Port 5480 is the management interface port.
  • Select the Summary tab.
  • Select Actions > Reboot.

Active Directory Preparation

Create AD Service OU

A service account can then be created in AD for vCenter to bind with. First, an OU structure is created for this account and any subsequent accounts:

New-ADOrganizationalUnit -Name "480"
New-ADOrganizationalUnit -Name "Accounts" -Path "OU=480,DC=REED,DC=LOCAL"
New-ADOrganizationalUnit -Name "ServiceAccounts" -Path "OU=Accounts,OU=480,DC=REED,DC=LOCAL"

Create vCenter Service Account

A new user is then created within this OU:

New-ADUser -Name "vcenterldap" -AccountPassword (Read-Host -AsSecureString "Password") -Path "OU=ServiceAccounts,OU=Accounts,OU=480,DC=REED,DC=LOCAL" -Enabled $true

Move Named Administrator

The previously created named administrator account is moved into the new Accounts OU:

Get-ADUser -Identity "reed-adm" | Move-ADObject -TargetPath "OU=Accounts,OU=480,DC=REED,DC=LOCAL"

Create vCenter Admins Security Group

A Security Group can then be created for vCenter administrators, and the named administrator account can be added as a member of this group:

New-ADGroup -Name "vcenter-admins" -GroupCategory Security -GroupScope Global -Path "OU=Accounts,OU=480,DC=REED,DC=LOCAL"
Add-ADGroupMember -Identity vcenter-admins -Members reed-adm

vCenter LDAPS Provider Addition

Access Domain Controller Certificate

The SSL certificate used for LDAPS must be obtained prior to the addition of LDAPS authentication to vCenter, as it is required during that process.

The DC’s SSL certificate can be easily viewed from Xubuntu using the openssl client:

openssl s_client -connect dc1:636 -showcerts

If no certificates are displayed, reboot the Domain Controller and run openssl again.

Copy the certificate displayed in this command output to a file, e.g. ca-crt.pem, on the local mgmt VM. Alternatively, the following one-liner saves the first certificate in the chain (the DC's own certificate) to a file:

openssl s_client -connect dc1:636 -showcerts </dev/null 2>/dev/null | openssl x509 > cert.pem
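The same certificate can also be retrieved and inspected from pwsh (on xubuntu-wan or on the DC) without openssl. This is an added example rather than code from the original notes; the function name is hypothetical, and dc1.reed.local and cert.pem are the values used elsewhere in these notes. It reports the fields that matter for the vCenter identity source: whether the certificate's DNS name matches the server URL and how long it remains valid.

```powershell
# Added example: fetch the DC's LDAPS certificate via a .NET TLS handshake and save it as PEM.
# Runs in pwsh on Linux or Windows. Function name is hypothetical (not from the notes).
function Get-LdapsCertificate {
    param(
        [string]$Server  = "dc1.reed.local",   # must match the Primary server URL given to vCenter
        [int]$Port       = 636,
        [string]$OutFile = "cert.pem"
    )
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Accept any certificate during the handshake: we are retrieving it, not trusting it yet
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    }
    finally {
        $client.Dispose()
    }

    # Write the leaf (DC) certificate in PEM form, the format vCenter's dialog accepts
    $b64 = [Convert]::ToBase64String($cert.RawData, [Base64FormattingOptions]::InsertLineBreaks)
    Set-Content -Path $OutFile -Value ("-----BEGIN CERTIFICATE-----`n{0}`n-----END CERTIFICATE-----" -f $b64)

    # First DNS name from the SAN (or the CN if there is no SAN); vCenter compares this to the URL host
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer          # should be the Enterprise Root CA installed above
        DnsName       = $dnsName
        NameMatches   = ($dnsName -ieq $Server)
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int](($cert.NotAfter - (Get-Date)).TotalDays)
        Thumbprint    = $cert.Thumbprint
        SavedTo       = (Resolve-Path $OutFile).Path
    }
}

Get-LdapsCertificate | Format-List
```

A NameMatches value of False means the ldaps:// URL host and the certificate name disagree, which vCenter will reject when the identity source is added.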

vCenter LDAPS Addition

As vCenter has already been added to AD, navigate back to the hamburger menu > Administration > Single Sign On > Configuration. Here, select Identity Sources > ADD. Select Active Directory over LDAP, and use the following options:

  • Identity Source Type: Active Directory over LDAP
  • Identity source name: reed-ad
  • Base distinguished name for users and groups: OU=Accounts,OU=480,DC=reed,DC=local
  • Domain name: reed.local
  • Username: vcenterldap@reed
  • Password: password set for service account vcenterldap
  • Connect to: Specific domain controllers
  • Primary server URL: ldaps://dc1.reed.local
  • Certificates (for LDAPS): Browse certificate downloaded previously
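Before clicking through the vCenter dialog, the same settings can be exercised directly: bind over LDAPS as the service account and look up the vcenter-admins group under the base DN, which also confirms the AD preparation above (OU structure, service account, group membership). This is an added example, not part of the original notes; it uses System.DirectoryServices.Protocols from Windows PowerShell on the DC, the function name is hypothetical, and the server, base DN, account and group names are those from the notes.

```powershell
# Added example: simple bind over LDAPS as vcenterldap and read the vcenter-admins group,
# mirroring what vCenter does with the identity source. Run from Windows PowerShell on the DC.
function Test-LdapsIdentitySource {
    param(
        [string]$Server   = "dc1.reed.local",
        [string]$BindUser = "vcenterldap@reed.local",
        [securestring]$Password = (Read-Host -AsSecureString "Password for $BindUser"),
        [string]$BaseDn   = "OU=Accounts,OU=480,DC=reed,DC=local",
        [string]$Group    = "vcenter-admins"
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636)
    $cred = [System.Net.NetworkCredential]::new($BindUser, $Password)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
        $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    # LDAPS on 636; the DC certificate is validated normally, so a failure here would fail in vCenter too
    $conn.SessionOptions.SecureSocketLayer = $true
    try {
        $conn.Bind()   # simple bind inside TLS, as vCenter does with the service account

        # Search the base DN for the admin group and read its membership
        $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, "(&(objectClass=group)(cn=$Group))",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('member'))
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -ne 1) {
            throw "Expected one group named $Group under $BaseDn, found $($resp.Entries.Count)"
        }
        $attr    = $resp.Entries[0].Attributes['member']
        $members = if ($attr) { @($attr.GetValues([string])) } else { @() }
        [pscustomobject]@{
            BoundAs       = $BindUser
            GroupDn       = $resp.Entries[0].DistinguishedName
            Members       = $members
            # reed-adm must be a member for the vCenter Administrators mapping to grant it access
            HasNamedAdmin = [bool]($members -match '^CN=reed-adm,')
        }
    }
    finally {
        $conn.Dispose()
    }
}

Test-LdapsIdentitySource | Format-List
```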

Security Group Permissions

Once the LDAPS provider has been added to vCenter, navigate to Administration > Single Sign On > Users and Groups, and select the Groups tab. Select the Administrators group, then “ADD MEMBERS”. Select the AD domain in the resultant dialog's dropdown, then search for and add vcenter-admins.

At this point, log out of vCenter; logging in should now be possible with the AD named admin account, e.g. reed-adm@reed.local.

Setting Default Provider

If logging in as an account on the AD domain works without issue, the reed-ad Identity Source can be “SET AS DEFAULT” in Administration > Single Sign On > Configuration. After this, the @reed.local suffix is no longer required when authenticating as an AD user.

Milestone 4.2 - PowerShell, PowerCLI, Clones

This milestone details the installation of PowerShell and PowerCLI on xubuntu-wan, in addition to the creation of our first clone in vCenter.

Xubuntu Dependency Installation

On xubuntu-wan, a number of dependencies must be installed for PowerShell, PowerCLI, and Ansible, as follows.

Ansible

sudo apt install sshpass python3-paramiko git
sudo apt-add-repository ppa:ansible/ansible
sudo apt update
sudo apt install ansible

Host key checking should also be disabled by adding the following to ~/.ansible.cfg (Ansible will then accept any SSH host key, which is convenient for freshly cloned VMs whose host keys change, but means a changed key is no longer flagged):

[defaults]
host_key_checking = false

PowerShell Core

PowerShell Core can be installed via a snap package:

sudo snap install powershell --classic

PowerCLI

Within PowerShell Core (accessible via pwsh), install PowerCLI and apply its initial configuration (the second command makes PowerCLI accept vCenter's self-signed certificate without validation; the third opts out of the CEIP):

Install-Module VMware.PowerCLI -Scope CurrentUser
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $false

Testing

Once all of the above is complete, connectivity to a vCenter server can be tested with e.g.:

Get-Module VMware.PowerCLI -ListAvailable # Verify module installation
Connect-VIServer -Server <IP>
Get-VM
exit # exit pwsh to disconnect from vCenter server

PowerCLI Usage

Start pwsh, wherein we will connect to the vCenter server and perform configuration tasks. Variables for common values will be created in PowerShell as well for ease of use.

Connecting to Server

Connect to the server as follows:

$vcenter = "vcenter.reed.local"
Connect-VIServer -Server $vcenter

Enter the username reed-adm and associated password when prompted.

Creating VM From Snapshot

Through the use of variables to reference vSphere objects, we can create a new linked clone of a VM from one of its snapshots:

$vm = Get-VM -Name dc1
$snapshot = Get-Snapshot -VM $vm -Name "Base"
$vmhost = Get-VMHost -Name "192.168.7.44"
$ds = Get-Datastore -Name "datastore1-super31"
$linkedClone = "{0}.linked" -f $vm.name
$linkedvm = New-VM -LinkedClone -Name $linkedClone -VM $vm -ReferenceSnapshot $snapshot -VMHost $vmhost -Datastore $ds

Once this linked clone has been created from a given snapshot, a full VM can be created from the clone:

$newvm = New-VM -Name "server.2019.gui.base" -VM $linkedvm -VMHost $vmhost -Datastore $ds

The name should be replaced with the desired name for the new VM.

Creating Snapshot

A snapshot of a VM can be created as follows, with the name set to the desired snapshot name:

$newvm | New-Snapshot -Name "Base"

Remove VM

Now that the full cloned VM has been created, the original linked clone used to create it can be removed as follows:

$linkedvm | Remove-VM
# OR
Remove-VM -VM $linkedvm -Confirm:$false

VM Clone Script

The following script was created to automate the process of creating a clone from a snapshot, as described above.

# Given a VM name, clone a snapshot of the VM, with optional configuration.
# Reed Simon, Jan 31, 2023
 
# Required parameters: source VM name, destination clone name.
# Optional parameters (defaults set): datastore name, snapshot name (Base), VM host, network.
#   If network is set, the cloned VM's network adapter will be set to the specified network.
param (
    [Parameter(Mandatory = $true,
        ValueFromPipeline = $true,
        ParameterSetName = "CloneVM")]
    [string]$VMName,
 
    [Parameter(Mandatory = $true,
        ParameterSetName = "CloneVM")]
    [string]$CloneName,
    
    [Parameter(Mandatory = $true,
        ParameterSetName = "ListVM")]
    [switch]$List,
 
    [Parameter(ParameterSetName = "CloneVM")]
    [string]$DatastoreName,
 
    [Parameter(ParameterSetName = "CloneVM")]
    [string]$SnapshotName = "Base",
    
    [Parameter(ParameterSetName = "CloneVM")]
    [string]$VMHost,
 
    [Parameter(ParameterSetName = "CloneVM")]
    [string]$Network
)
 
# Exit on any non-terminating errors for safety
$ErrorActionPreference = "Stop"
 
# Check if vCenter connection is established
if ($global:DefaultVIServers.count -gt 0) {
    Write-Host "Connected to server $($global:DefaultVIServers[0].name)"
}
else {
    Write-Host "No existing vCenter server connection, attempting to establish..."
    $vserver = (Read-Host -Prompt "Enter server IP/FQDN: ")
    Connect-VIServer -Server $vserver
}
 
if ($List) {
    Write-Host "`nListing connected VMs"
    Get-VM | Select-Object Name | Format-Table -AutoSize
    exit
}
 
if (-Not $VMHost) {
    Write-Host "No VM host specified, using first available"
    $VMHost = (Get-VMHost)[0].name
}
 
if (-Not $DatastoreName) {
    Write-Host "No Datastore specified, using first available"
    $DatastoreName = (Get-Datastore)[0].name
}
 
$StartLine = "Cloning snapshot $SnapshotName of $VMName to $CloneName on $VMHost`n"
Write-Host ($StartLine + ("-" * ($StartLine.Length - 1)))
 
# Get the objects corresponding to given names
$vm = Get-VM -Name $VMName
$snapshot = Get-Snapshot -VM $vm -Name $SnapshotName
$vchost = Get-VMHost -Name $VMHost
$ds = Get-Datastore -Name $DatastoreName
 
# Create linked clone
Write-Host "Creating linked clone $('{0}.linked' -f $vm.name)"
$lc = New-VM -LinkedClone -Name ("{0}.linked" -f $vm.name) -VM $vm -ReferenceSnapshot $snapshot -VMHost $vchost -Datastore $ds
 
# Create full VM from linked clone
Write-Host "Creating full clone $CloneName from linked clone $($lc.name)"
$newvm = New-VM -Name $CloneName -VM $lc -VMHost $vchost -Datastore $ds
 
# Snapshot new VM
Write-Host "Creating snapshot $SnapshotName for new VM $($newvm.name)"
New-Snapshot -VM $newvm -Name $SnapshotName
 
# Remove linked clone
Write-Host "Removing linked clone $($lc.name)"
Remove-VM -VM $lc -Confirm:$false -DeletePermanently
 
# Check if network change was specified
if ($Network) {
    $NetworkAdapter = Get-NetworkAdapter -VM $newvm
    # Check that only one network adapter is present
    if ($NetworkAdapter.count -ne 1) {
        Write-Host "VM $CloneName has $($NetworkAdapter.count) network adapters, skipping adapter change."
    }
    else {
        # Set the VM's network adapter to the specified network
        Write-Host "Setting $CloneName network adapter to $Network"
        Set-NetworkAdapter -NetworkAdapter $NetworkAdapter -NetworkName $Network -Confirm:$false
    }
}
else {
    Write-Host "No new network specified, skipping network adapter change."
}

Milestone 4.3 - Ubuntu Server

This milestone details some housekeeping and the creation of an Ubuntu Server VM.

VM Organization

Within vCenter, folders can be created by right-clicking the Datacenter > New Folder > New VM and Template Folder…

Two folders can be created, BASEVM and PROD. The existing VMs created up to this point can be moved into PROD (e.g. 480-fw, dc1), and any VMs cloned from Base snapshots can be moved into BASEVM.

Ubuntu Server Creation

VM Creation

A new VM can be created with the following settings:

  • Name: ubuntu.22.04.base
  • Guest OS: Linux / Ubuntu Linux (64-bit)
  • CPU: 2
  • RAM: 2 GB
  • Hard Disk: 20 GB
    • Thin provisioned
  • Network: VM Network
  • CD/DVD Drive: Ubuntu 22.04 Server ISO
    • Connect At Power On

Ubuntu Server Installation

Boot the VM and proceed through the installation steps in the ISO. Other than the defaults, make sure the following is done:

  • Update to new installer
  • Username: reed / named sudo user
  • Hostname: ubuntu
  • Install OpenSSH server

Ubuntu Server Configuration

After installation, log in and perform the following post-configuration tasks.

Disable IPv6

The following sysctl settings disable IPv6 immediately, but they are not persistent across a reboot:

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1

Run Provisioning Script

Download this script to the VM and run it as root (e.g. with sudo), as it installs packages and edits system files:

#!/bin/sh
# Script to prepare an Ubuntu Server VM for cloning. Run as root.
apt-get update
apt-get upgrade -y
apt-get install -y open-vm-tools openssh-server
# Clear login records and temporary files
cat /dev/null > /var/log/wtmp
cat /dev/null > /var/log/lastlog
rm -rf /tmp/*
rm -rf /var/tmp/*
# Remove the SSH host keys so that every clone generates its own on first boot
rm -f /etc/ssh/ssh_host*
rm -f /etc/udev/rules.d/70-persistent-net.rules
# Regenerate missing host keys at boot. Current OpenSSH no longer creates a DSA key,
# so test for the ed25519 key; otherwise dpkg-reconfigure would run on every boot.
cat <<EOL > /etc/rc.local
#!/bin/sh -e
test -f /etc/ssh/ssh_host_ed25519_key || dpkg-reconfigure openssh-server
exit 0
EOL
chmod +x /etc/rc.local
apt-get clean
# Stop the unattended apt timers so they do not fire when a clone first boots
systemctl stop apt-daily-upgrade.timer
systemctl disable apt-daily-upgrade.timer
systemctl stop apt-daily.timer
systemctl disable apt-daily.timer
apt-get autoremove -y
# Clear saved shell history (history -c/-w are bash builtins and do nothing in a /bin/sh script)
rm -f /root/.bash_history /home/*/.bash_history
# Truncate the machine id so each clone gets a new one (and a distinct DHCP lease)
truncate -s 0 /etc/machine-id

After the script has completed, power off the machine (e.g. with shutdown -h now).

ESXi Post Configuration

After the VM has been powered off, edit the settings and remove the Ubuntu Server ISO by switching the CD/DVD Drive back to Host Device. Take a snapshot called Base.

Ubuntu VM Cloning

After the Base snapshot has been created for the ubuntu.22.04.base VM, use the script or manual steps detailed above to create a linked clone of the VM named awx. Set the clone’s Network Adapter to 480-WAN. Setting the network adapter via PowerCLI can be done as follows:

$vm | Get-NetworkAdapter | Set-NetworkAdapter -NetworkName "<network name>"

Reflection

vCenter Default Authentication Provider

The Milestone 4.2 video takes place in an environment where the AD LDAPS provider is set as the default SSO provider in vCenter. This was not mentioned in the previous Milestone 4.1 video from what I remember, so I did some research to locate and enable this setting when my PowerCLI login w/o domain failed (though it was successful in the demonstration video).