WilliamLam.com

Using PowerCLI to automate the retrieval of VCSA Password Policies

by // Leave a Comment

I hope that every vSphere administrator or operator by now is familiar with the extremely powerful vSphere Guest Operations API functionality (details here and here), which can easily be consumed using PowerCLI's Invoke-VMScript cmdlet. If not, highly recommend you check out the links referenced. I know the GuestOps API is certainly my top favorite with sending VM keystrokes capability a very close second!

Not only does the GuestOps API unlock functionality that simply may not be possible (e.g. there's no API or automation interface) but it also enables automation within a VM without requiring any type of remote management services enabled (e.g. SSH or WinRM) or even networking to the VM for that matter!

The reason I am bringing all this up is that although there is not an API for managing and retrieving vCenter Single Sign-On (SSO) configurations which includes password policies, there is a way in which customers can still automate and retrieve this and other information by leveraging the GuestOps API. In fact, back in 2015 I demonstrated on how you can retrieve VCSA SSO password policy and configurations and we can simply apply the GuestOps API to help us automate this task. In addition, most customers do not enable SSH by default and we can still apply the GuestOps API technique and perform automation tasks to VSCSA without requiring SSH as described in this blog post back in 2016.

[Read more...]

Deploying a vCenter Server Appliance (VCSA) in VMC-A?

by // 2 Comments

During the VMware Cloud on AWS (VMC-A) Customer Summit last week, I received an interesting question from one of our field folks on whether it was possible to deploy a vCenter Server Appliance (VCSA) to VMC-A for testing purposes? This was not a use case I had heard of before but it would enable the team to quickly prototype a solution to demonstrate to their customer.

I figured this should work and you should be able to just point the VCSA Installer to an existing VMC-A environment for deployment. It was mentioned that they had attempted to run the installer but ran into a permission issue where it required a full administrator role, which in VMC-A, customers do not have.

In taking a look for myself in one of my VMC-A environment using the VCSA UI Installer, I did indeed run into the same permission issue as shown in the screenshot below.

User has no administrative privileges


This surprised me as the VCSA Installer does not actually require administrative privileges to deploy a VCSA, just the privileges for deploying a regular VM. I captured the logs and screenshots and have shared this with the VCSA PM for further investigation.

UPDATE (01/01/2023) - The workaround shared here is also officially documented in this VMware KB 90922 and deploying VCSA within VMC-A vCenter Server to manage external ESXi hosts such as those residing in an external datacenter or edge location is fully supported by VMware. At the end of the day, VCSA is just another workload running in VMC-A

[Read more...]

Is a DNS server still required when using a Static IP for VCSA?

by // 7 Comments

When deploying a vCenter Server Appliance (VCSA), customers have two options for setting up a static network address: using either a hostname (Fully Qualified Domain Name) or just a static IP Address (e.g. no DNS). In the first option when using an FQDN, it should be no surprise that you need to also specify a valid DNS Server which the VCSA UI/CLI Installer will automatically validate both the forward and reverse address. This is the most common deployment model for customers in both production as well as for development environments such as a vSphere home lab.

In the second scenario, where a static IP Address is used, a DNS server is not required because we are NOT using an FQDN for the hostname but rather an IP Address. Having said that, if you have ever used the VCSA UI or CLI, you will find that the DNS Server entry is actually a required field and you can not proceed without providing an address.

VCSA UI Installer:

VCSA CLI Installer:

"network": {
    "ip_family": "ipv4",
    "mode": "static",
    "ip": "192.168.30.151",
    "dns_servers": [
        "192.168.30.1"
    ],
    "prefix": "24",
    "gateway": "192.168.30.1",
    "system_name": "192.168.30.151"
}

As mentioned earlier, we know that it should not be required but currently the VCSA Installer is a bit overly cautious in its pre-checks and does require a value today. This is something that has already been shared internally and the team will be relaxing this requirement in the future.

With that said, this leads us back to the original question posed in the blog title, do we need a valid DNS server when using a static IP for the VCSA?

[Read more...]