Friday, August 17, 2012

How to get the Firmware Version of your hardware

If you want to check whether the firmware on your ESXi 5.0 host is up to date, you first need to find out what it is right now, so try these commands for the basic items.

  1. In ESXi 5.0, run this command:

    # esxcli network nic list
  2. Or this, which still works:

    # esxcfg-nics -l
  3. You will get something like this:
Name    PCI         Driver Link Speed    Duplex MAC Address
vmnic0  00:02:04.00 ACME   Up   1000Mbps Full   01:23:45:67:89:AB
vmnic1  00:02:05.00 ACME   Up   1000Mbps Full   01:23:45:67:78:AC

Now use the ethtool command to get the info:

# ethtool -i vmnic0

driver: ACME
version: 1.2.3a-1vmw
firmware-version: 7.8.9
bus-info: 0000:02:04.00

For HBAs: Check this link out Get Firmware Version

  • To obtain the driver version of a Host Bus Adapter on an ESX/ESXi host:
    1. Obtain the driver type that the Host Bus Adapter is currently using:

      # esxcfg-scsidevs -a

      This will produce an output similar to:

      vmhba0  ata_piix          link-n/a  ide.vmhba0                              (0:7.1) Intel Corporation Virtual Machine Chipset
      vmhba1  mptspi            link-n/a  pscsi.vmhba1                            (0:16.0) LSI Logic / Symbios Logic LSI Logic Parallel SCSI Controller
      vmhba32 ata_piix          link-n/a  ide.vmhba32                             (0:7.1) Intel Corporation Virtual Machine Chipset

      Note: The second column shows the driver that is configured for the HBA.
    2. Use the following command to see what driver version is being used:

      # vmkload_mod -s HBADriver |grep Version
      Taking the mptspi driver as an example:

      # vmkload_mod -s mptspi |grep Version
      Version: Version, Build: 721907, Interface: 9.0, Built on: May 18 2012

      From the above output you can see the driver version is
    3. To check to see what driver is recommended for that card we need to get the VID (Vendor Id), DID (Device Id), SVID (Sub-Vendor Id) and SDID (Sub-Device Id)

      # vmkchdev -l |grep vmhba1
      000:16.0 1000:0030 15ad:1976 vmkernel vmhba1

      In the above cases the VID=1000, DID=0030, SVID=15ad, SDID=1976
    4. You can now search the VMware Compatibility Guide for VID (Vendor Id), DID (Device Id), SVID (Sub-Vendor Id) and SDID (Sub-Device Id) or in some cases you may need to do a text search here to narrow down the particular card.
    5. You can check the version of the ESX/ESXi with the following command:

      # vmware -v
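
The NIC and HBA steps above can be collected into one pass over the host. This is an added example, not part of the original post; the function names are made up for illustration, and it assumes the ESXi shell provides awk.

```shell
#!/bin/sh
# Added example, not from the original post. Each parser reads command
# output on stdin, so it can be checked offline against saved output.

# `ethtool -i vmnicN` -> "driver=ACME version=1.2.3a-1vmw firmware=7.8.9"
parse_ethtool() {
    awk -F': ' '
        $1 == "driver"           { d = $2 }
        $1 == "version"          { v = $2 }
        $1 == "firmware-version" { f = $2 }
        END { printf "driver=%s version=%s firmware=%s\n", d, v, (f == "" ? "unknown" : f) }'
}

# `esxcfg-scsidevs -a` -> one "adapter driver" pair per line
parse_scsidevs() {
    awk '$1 ~ /^vmhba[0-9]+$/ { print $1, $2 }'
}

# `vmkchdev -l` plus an adapter name -> "VID=.. DID=.. SVID=.. SDID=.."
# Matches the last field exactly, so vmhba1 does not also select vmhba10
# the way a plain `grep vmhba1` would. Returns non-zero if not found.
parse_vmkchdev() {
    awk -v dev="$1" '
        $NF == dev {
            split($2, pri, ":"); split($3, sec, ":")
            printf "VID=%s DID=%s SVID=%s SDID=%s\n", pri[1], pri[2], sec[1], sec[2]
            found = 1
        }
        END { exit !found }'
}

# Walk every NIC and HBA on the host using the commands from the post.
inventory() {
    vmware -v
    esxcfg-nics -l | awk 'NR > 1 { print $1 }' | while read -r nic; do
        echo "$nic $(ethtool -i "$nic" | parse_ethtool)"
    done
    esxcfg-scsidevs -a | parse_scsidevs | while read -r hba drv; do
        echo "$hba driver=$drv $(vmkchdev -l | parse_vmkchdev "$hba")"
        vmkload_mod -s "$drv" | grep Version
    done
}

# Only run the live inventory where the ESXi tools exist (assumption:
# the ESXi shell provides awk, as its BusyBox build normally does).
if command -v vmkchdev >/dev/null 2>&1; then
    inventory
fi
```

Keeping the output per host gives you a baseline to compare against the Compatibility Guide and to spot hosts that have drifted after a patch cycle.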

    Thursday, August 9, 2012

    Prevent Admins from Doing Stupid Things in vCenter

    Role Based Access Controls, or RBAC, is very useful in vCenter. I know many of you simply have your own vCenter server, it's only you and you aren't good at sharing. We all have kindergarten issues.
    But in the real world you try and fork off as much of your own work on other people in your organization as you can. In this vein, you now have to realize that not everyone is as smart or careful as you.
    RBAC provides a granular role for each set of users. Think of the roles you may have:
    - Close Support (Help Desk)
    - System Admins
    - Application Admins
    - SuperUsers
    - Root Admins
    Close support is your "on the ground" people that have great procedures that you have written up so that they can fix 75% of the basic problems without escalating to 2nd level tech support. (You did make procedure guides for all your basic processes, right?) You may want close support to:
     - View server status
     - View server performance
     - Reboot a server
     - Power on/off a server
    But you probably don't want them changing the number of vCPUs, changing memory, mounting other vmdk files to the server, deleting the server, or creating a WoW server on your network.
    System Admins may be assigned to all VMs at a hardware level. But for data security reasons, you may not want them adding existing disks to a server. They can create new VMs, but maybe only from a template. Creating from a template keeps them from allocating too much space, or connecting a VM to the wrong network (Port group/VLAN). Using Templates and Customization Specifications, you can require them to provision new VMs only from templates and ask only for a few items when deploying the template. The rest would be hard coded into the template and the specification.

    To do this you need a couple of roles created. We'll call them:
    • CustomizationAccess
    • DeployTemplate
    For DeployTemplate we need several permissions.
    • Datastore
      • Browse Datastore
      • Allocate Space (for vSphere 4.0)
    • Virtual Machine
      • Configuration
        • Add new disk
      • Interaction
        • Select ALL options
      • Inventory
        • Create
      • Provisioning
        • Customize
        • Deploy Template
    • Resource
      • Assign Virtual Machine to Resource Pool
    For CustomizationAccess you will need
    • Virtual machine
      • Provisioning
        • Modify customization specification
        • Read customization specification
    That is IT. Now you will assign the CustomizationAccess role at the vCenter level. That's top of the top. So go to Hosts and Clusters and right-click on your vCenter server name; it will have the icon below next to it.

    Choose Add Permission and select the CustomizationAccess role. Choose the group or groups that you want to have access and add the permission.
    Now we have to give that group access to their resources. We will assume the group is called Tech. Assign the role DeployTemplate at the following locations.
    • Hosts and Clusters
      • Datacenter
        • Resource Pool - Tech
    • VMs and Templates
      • Datacenter
        • Folder - Tech
    • Datastores
      • Datacenter
        • Folder - Tech
    This will give them access to the resources that they need to deploy the VMs.

    Pro Tip:

    If you have DRS enabled on the cluster, but you have it set to MANUAL, then the VM will NOT be able to be powered up by the Tech Group. It will NOT show an error, it will just silently fail and stay off.

    Thursday, June 7, 2012

    Adding a program to All Users Start Menu in Vista or Server 2008

    OK, this is annoying. In 2008, they have moved the All Users Start menu deep into the directory structure.

    Look in:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\

    There you will find the various folders that are common to all users. You can create new folders and organize them however you'd like. For things like Putty or TCPView, simply hold shift and control down to drag a shortcut into the folder of choice. Please, clean up your descriptions before you leave the folder. Leaving the ".exe - shortcut" after the file name is so Level 1 tech support.

    Remember "Only YOU can prevent PEBKAC Errors"

    Friday, April 20, 2012

    NetApp Commands Quick Reference

    So I'm going to compile some commands for the NetApp ONTAP 8 controllers. These will be commonly used commands that can help you get online fast, do common tasks, or get some useful information.

    disk show
    1. this has some options that are handy
      1. -a show only the assigned disks
      2. -v show all the disks (yea doesn't make sense, a != all)
      3. you can use wild cards to get only the disks you want like 4d.10.*
      4. ex. disk show -v 4d.10*
    disk assign
    1. This assigns disks to the controller. The good and bad part is that you basically just use -n <number> and it assigns a number of disks to the controller, you don't choose it chooses for you. I'm old school, I like control. But you have to learn to let go.
    2. Now the options for this are not too bad, but there are some to be careful of.
      1. assign -n <number> -- This will assign a number of disks to the controller.
      2. assign <diskID> -s unowned -- This will UNASSIGN the disk from the controller.
        1. Checking for wild card capabilities for this.

    more to come. - Updating over the next few weeks.

    NetApp Gotchas

    OK, so I think I screwed up this morning. Turns out that when you want to reassign drives on a NetApp FAS3270 running ONTAP 8.0.2, you do NOT use the "drive remove" command. You use
    drive assign 4d.10* -s unowned
    Using drive remove puts the drive in a failed status. I can't figure out how to get it OUT of failed status. There is no unfail in ONTAP 8.

    Looking for answers, posting here when I find them.

    Friday, April 6, 2012

    Simply put:

    Items further down the tree (closer to the computers and users) will get overwritten by items at the domain level (top of tree).
    OULevel-GPO wins out over subOULevel-GPO.
    Ex. If subOULevel-GPO sets the password length to 6 characters and OULevel-GPO sets it to 8 characters, the result will be 8 characters.

    Unless!! You set ENFORCE on subOULevel-GPO. (In 2003 it is no-override, same diff.) However, this only applies to items that are SPECIFICALLY SET at the subOULevel-GPO level. So if you set 6 characters at the subOULevel-GPO and you set 8 characters and a 45 day limit on passwords at the OULevel-GPO level, then you get....wait for it....6 characters and a 45 day limit. TA DA!!!

    I'm sure there are more combinations and permutations of this, so ask a question and I'll make a milkshake while you figure it out. :-) Nah, Nah, Nah, I'll figure it out for you.

    XenDesktop Services needed for VDA

    OK, so I'm creating a desktop and the thing gets stuck at Pending. If you look in vCenter, it has reconfigured the deployed machines three times. But now it is sitting at Pending.

    One of the things to look for is services required for Virtual Desktop Agent to run.
    - HTTP SSL   - Startup Mode should be at least Manual.
    - RPC Locator Service   - Startup Automatic(?) Manual should work.

    If these are disabled, it may cause this problem.

    Look in your group policy, it may be blocked by group policy. If it is, it will be in:
    Computer Configuration
    Windows Settings
    Security Settings
    System Services

    GPO settings can be fun; check my other post for GPO enforce, block-inheritance, and no-override.