Friday, October 30, 2020

Reset GRUB/root Password for vCenter/PSC Appliance

On Red Hat, Fedora and CentOS, GRUB legacy can be password protected by running grub-md5-crypt and pasting the resulting hash into grub.conf (menu.lst). The vCenter Server Appliance (VCSA) 6.0 password-protects GRUB by default. If you change the root password in the VAMI, the GRUB password is changed to match; if you have never changed the root password, the GRUB password is "vmware".

To reset the GRUB password, boot the appliance from a CentOS or Red Hat installer ISO and use its rescue mode. The CentOS ISO can be obtained here: https://www.centos.org/download/. It's best to upload the ISO to a datastore that the appliance's host has access to.

Stop the appliance and attach the ISO:



Be sure to select the "Connect at Power On" option. Boot the VM into the ISO and select the "Troubleshooting" option. 



Next, choose "Rescue a Red Hat (or CentOS, depending on your ISO) Enterprise Linux System".


Select "Continue" to mount the VCSA 6.0 root filesystem in read/write mode under /mnt/sysimage. The RHEL 7.2 rescue environment detects the VCSA's root volume and mounts it on its own.






The VCSA root filesystem is mounted under /mnt/sysimage and you can now access (and modify) it using the shell. Navigate to /mnt/sysimage/boot and list the contents. You'll see we now have access to the grub directory:




cd into the grub directory and list the contents. Look for a file called "menu.lst"; this is the GRUB legacy configuration and it holds the boot loader password line. Open it with vi by typing "vi menu.lst", move to the line beginning with "password" using the arrow keys, and type "dd" to delete that line.




Save the file by typing ":wq" (without quotes). You can now cat the file and confirm the password line is gone. Note that this leaves the boot loader unprotected: anyone with console access to the VM can now pass kernel arguments, which is exactly what the next steps rely on, so plan to put a password line back once the root password has been reset.





Exit the shell (this reboots the server). Detach the ISO and boot the appliance. When the GRUB menu appears, press the Escape key to stop the countdown; with the GRUB password gone you can now edit the boot entry and reset the OS root password.



Press "e" to edit the boot commands for the kernel. 


Append "init=/bin/bash" to the kernel line shown in this step and press Enter. This tells the kernel to run bash as its first process instead of init, so the system comes up without services, logins, or any password check.



Press "b" to boot the system. 


You will now boot into a root bash shell where you can set the root password with "passwd". If passwd complains that the filesystem is read-only, remount it first with "mount -o remount,rw /" and run passwd again.


Once this is done, run "sync" so the change to /etc/shadow is written to disk, then type "exit" to leave the shell (because bash is running as init, the kernel will typically panic at this point, which is harmless here) and reset the VM. You can now boot the appliance and log in with your new root password. Remember to restore GRUB protection afterwards, either by changing the root password in the VAMI (which sets a matching GRUB password) or by putting a "password --md5" line back into menu.lst.
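The menu.lst edit above is a single "dd" in vi, but a practitioner usually wants to do it repeatably, keep a backup, and be able to put a password back. The following is an added example in Python, not code from the post or from VMware: it strips the GRUB legacy password line (what the post does) or replaces it with a new "password --md5" line. It assumes Python 3 is available wherever the mounted menu.lst can be reached (the rescue shell, or another host after copying the file out), uses the /mnt/sysimage path from the post as its default, and expects the new hash in MD5-crypt form ("$1$salt$digest"), which is what grub-md5-crypt and "openssl passwd -1" produce. The sample menu.lst in the usage is constructed for illustration.

```python
import re
import shutil
from pathlib import Path

# Where the rescue environment in the post mounts the appliance's GRUB legacy config.
MENU_LST = Path("/mnt/sysimage/boot/grub/menu.lst")

# The global directive GRUB legacy honours before any entry is chosen:
# "password --md5 <hash>" (what grub-md5-crypt produces) or "password <cleartext>".
PASSWORD_RE = re.compile(r"^\s*password(?:\s+--md5)?\s+(\S+)")

# MD5-crypt as written by grub-md5-crypt or "openssl passwd -1": $1$<salt, up to 8>$<22 chars>.
MD5CRYPT_RE = re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")


def grub_password_hash(menu_lst):
    """Return the value on the password line, or None when the boot loader is unprotected."""
    for line in menu_lst.splitlines():
        m = PASSWORD_RE.match(line)
        if m:
            return m.group(1)
    return None


def remove_grub_password(menu_lst):
    """The "dd" step from the post: drop every password line and leave the rest untouched."""
    return "".join(l for l in menu_lst.splitlines(keepends=True) if not PASSWORD_RE.match(l))


def set_grub_password(menu_lst, md5_hash):
    """Replace any password line with "password --md5 <hash>", placed before the first
    "title" so GRUB treats it as the global password rather than a per-entry one."""
    if not MD5CRYPT_RE.fullmatch(md5_hash):
        raise ValueError("expected an MD5-crypt hash of the form $1$salt$digest")
    lines = remove_grub_password(menu_lst).splitlines(keepends=True)
    new_line = f"password --md5 {md5_hash}\n"
    for i, line in enumerate(lines):
        if line.lstrip().startswith("title"):
            lines.insert(i, new_line)
            break
    else:  # no boot entries at all: append, making sure the previous line is terminated
        if lines and not lines[-1].endswith("\n"):
            lines[-1] += "\n"
        lines.append(new_line)
    return "".join(lines)


def reset_grub_password(path=MENU_LST, new_hash=None):
    """Back up menu.lst, then strip the password (new_hash=None, exactly what the post does)
    or install a fresh hash. Returns the value now present in the file."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    text = path.read_text()
    text = remove_grub_password(text) if new_hash is None else set_grub_password(text, new_hash)
    path.write_text(text)
    return grub_password_hash(text)


# Constructed sample of a VCSA-style menu.lst, used only to illustrate the functions.
SAMPLE_MENU = (
    "default 0\n"
    "timeout 5\n"
    "password --md5 $1$abc$oldhash\n"
    "\n"
    "title VMware vCenter Server Appliance\n"
    "    root (hd0,0)\n"
    "    kernel /vmlinuz root=/dev/sda3 ro\n"
)

if __name__ == "__main__":
    import sys
    # Usage: python3 grub_pw.py [menu.lst] [$1$...hash]   (no hash = remove protection)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else MENU_LST
    print("GRUB password now:", reset_grub_password(target, sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it with no second argument to reproduce the post's edit (a .bak copy of menu.lst is written first), or pass a hash generated with "openssl passwd -1" to lock the boot loader again once root access is restored.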


Deploy a New ADDS Forest on Server 2019 Core

 

Prerequisites:

1) Change server name and IP address

2) Configure time settings and NTP

 

In this post we will be reviewing the basic installation of the Active Directory Domain Services role and setup of a new forest on Windows Server Core 2019.

To get started, log in to the server with administrator privileges. At the cmd prompt, type "powershell" to start PowerShell. Then run the following command to install the Active Directory Domain Services role:



After installing the role, we’ll continue by creating a new ADDS Forest and promoting this server to the primary domain controller.

First, we need to collect a password. This password is not for a domain user account: the local Administrator on this server becomes the domain Administrator account. The password collected in the next step is for Directory Services Restore Mode (DSRM), a recovery mode used to repair a domain controller that will not boot normally. Technically we only need a password for this, not a username. Type in the following:

$cred = Get-Credential

In the username field of the credentials prompt below, type anything you want; the value is not used. The prompt stores the username and password in a credential object. We can then access the password within that object by typing

$cred.password

We can see that the password is stored as a SecureString, which is the type the -SafeModeAdministratorPassword parameter expects. Let's continue on with the Directory Services installation.



Once we have our credential variable, we can install a new forest and domain controller using the command below. Let us break down what this command is doing:

 



Install-ADDSForest: The PowerShell cmdlet that creates a new forest and promotes the local server to its first domain controller.

-DomainName: The fully qualified DNS name of the forest root domain.

-DomainNetBiosName: The domain "short name" to be used for the forest. This is the value used when you type a username in the domain\username format, for example "myDomain\bgates".

-SafeModeAdministratorPassword: The SecureString we captured in the credential prompt above. It is the password for Directory Services Restore Mode, which can be entered by pressing F8 while the server boots and is commonly used to recover a failed domain controller. Record it in your password vault; you will need it for offline recovery and it is not tied to any domain account.

-DatabasePath: The path for the Active Directory database. It's a best practice to put this database on its own disk.

-LogPath: The directory for the ADDS log files.

-DomainMode: The domain functional level. The functional level determines which attributes and capabilities are available to objects within the domain; the higher the level, the more features are available. Every domain controller in the domain must run a Windows Server version at least as new as the chosen level, and the level can be raised later, so pick the highest one all of your planned DCs support. Windows Server 2019 did not introduce a new level, so the highest value available here is WinThreshold (the Windows Server 2016 level).

-ForestMode: The forest functional level. Similar to the domain functional level but applies to the entire forest.

-InstallDNS: Install the DNS Server role alongside the ADDS role.

-WhatIf: A common PowerShell parameter supported by most cmdlets that make changes. It reports what the cmdlet would do without actually changing anything in your environment. Once you're happy with the output, remove -WhatIf and run the command again to install ADDS and promote this server to a domain controller; the server reboots automatically when promotion completes.

Wednesday, October 28, 2020

Could not connect to VMware Directory Service via LDAP when Deploying New vCenter Appliance

 

Problem:

Deploying a brand new vCSA 6.7 appliance results in the following error during the second stage of the deployment.


 

 

Solution:

This problem is almost always caused by DNS resolution. Once you create the appropriate A and PTR records for the appliance on a LOCAL DNS server, you should be able to complete the deployment. Local DNS resolution is required: you cannot use a public DNS server while installing vCenter, because it will never hold the forward and reverse records for your appliance. For example, 8.8.8.8 will not work.

Since Stage 1 of the deployment is already complete, you can log in to the appliance via SSH and update the DNS settings there. This only works if you chose to enable SSH during Stage 2 of the deployment.

SSH to the appliance as root and run "/opt/vmware/share/vami/vami_config_net" (without quotes). Choose option 4 to update the DNS settings and option 3 to update the hostname (if necessary). The deployment wizard presents the hostname as optional, but in practice it is required: I have never had a successful deployment without specifying the hostname.

 

You can then verify that the DNS settings have been updated in /etc/resolv.conf:
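Rather than discovering the DNS problem halfway through Stage 2, the conditions the post describes can be checked up front: the appliance's FQDN must resolve to its IP, the IP must reverse-resolve to the same FQDN, and resolv.conf must not point at a public resolver. The following is an added example in Python, not part of the post or of VMware's tooling. It runs on any host with Python 3 (including the appliance itself after Stage 1); the hostname vcsa.lab.local, the address 10.0.0.50, the sample resolv.conf and the list of well-known public resolvers are my own constructions, and the forward/reverse lookup functions are injectable so the logic can be exercised offline.

```python
import socket
import sys

# Well-known public resolvers (constructed list); none of them will ever carry the appliance's records.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112",
                    "208.67.222.222", "208.67.220.220"}


def forward_lookup(name):
    """A record via the system resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def reverse_lookup(ip):
    """PTR record via the system resolver; None when there is no reverse entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def dns_roundtrip(fqdn, ip, forward=forward_lookup, reverse=reverse_lookup):
    """(ok, detail): ok only when fqdn -> ip and ip -> fqdn both hold, the state Stage 2 needs.
    forward/reverse are injectable so the check can be run against canned answers."""
    a = forward(fqdn)
    if a is None:
        return False, f"no A record for {fqdn}"
    if a != ip:
        return False, f"A record for {fqdn} is {a}, expected {ip}"
    ptr = reverse(ip)
    if ptr is None:
        return False, f"no PTR record for {ip}"
    if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return False, f"PTR for {ip} is {ptr}, expected {fqdn}"
    return True, f"{fqdn} <-> {ip}"


def nameservers(resolv_conf):
    """nameserver entries from resolv.conf text, in the order the resolver tries them."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def public_resolvers(resolv_conf):
    """The configured nameservers that are public resolvers and therefore unusable here."""
    return [ns for ns in nameservers(resolv_conf) if ns in PUBLIC_RESOLVERS]


def preflight(fqdn, ip, resolv_conf, forward=forward_lookup, reverse=reverse_lookup):
    """Every DNS reason Stage 2 would fail; an empty list means it is safe to proceed."""
    problems = []
    if not nameservers(resolv_conf):
        problems.append("no nameserver configured in resolv.conf")
    bad = public_resolvers(resolv_conf)
    if bad:
        problems.append(f"public resolver(s) in resolv.conf: {', '.join(bad)}; use a local DNS server")
    ok, detail = dns_roundtrip(fqdn, ip, forward, reverse)
    if not ok:
        problems.append(detail)
    return problems


# Constructed sample resolv.conf showing the mistake the post warns about.
SAMPLE_RESOLV_CONF = "search lab.local\nnameserver 8.8.8.8\nnameserver 10.0.0.2\n"

if __name__ == "__main__":
    # Usage on the appliance after Stage 1:  python3 vcsa_dns_check.py vcsa.lab.local 10.0.0.50
    fqdn, ip = sys.argv[1], sys.argv[2]
    with open("/etc/resolv.conf") as fh:
        issues = preflight(fqdn, ip, fh.read())
    for issue in issues:
        print("FAIL:", issue)
    print("OK: DNS is ready for Stage 2" if not issues else "fix the above before retrying Stage 2")
    sys.exit(1 if issues else 0)
```

The PTR comparison ignores case and a trailing dot, since resolvers commonly return either form; anything else is reported as a mismatch, because vCenter will treat it as one.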

 






Wednesday, October 7, 2020

Cisco AnyConnect - VPN Establishment Capability from a Remote Desktop is Disabled

I ran into this issue this morning when attempting to set up a VPN on a Hyper-V virtual machine. After an hour of searching the Google machine and troubleshooting, I came upon this solution.




Upon installation, and again whenever it connects, AnyConnect pulls down a client profile from the ASA containing several settings. The profile is XML and lives (on a Windows machine) under %programdata%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\. The file edited here, AnyConnectProfile.xsd in that folder, is the schema that ships with the client; it carries the default value ("LocalUsersOnly") applied when no pushed profile sets WindowsVPNEstablishment. If the ASA did push a profile that sets the element explicitly, it is a .xml file in the same folder and that value wins, so you would have to change it there (and the ASA will push its own copy again on the next connection unless the profile is changed on the ASA side as well).

To resolve this issue and connect to your VPN, open the file with Notepad (or any text editor, run as administrator, since the folder is under ProgramData), search for "WindowsVPNEstablishment", and modify the value. The default value is "LocalUsersOnly"; change it to "AllowRemoteUsers". Save and close the file, then restart the machine. Be aware of what the setting is for: "LocalUsersOnly" stops a user who is logged in over RDP from bringing up the VPN, which would otherwise let a remote session pivot into the VPN network (and a full-tunnel VPN brought up from an RDP session can cut off that very session). Only relax it on machines where that is acceptable.

 


BEFORE:


AFTER:
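Editing the file by hand in Notepad works, but the same change is easy to get subtly wrong (typo in the value, editing the schema while a pushed profile overrides it, no backup). The following is an added example in Python and is not from the post or from Cisco: it changes WindowsVPNEstablishment in any pushed profile (*.xml) by parsing the XML properly, keeping the profile's default namespace intact, and changes the schema default in AnyConnectProfile.xsd the way the post does, backing each file up first. The profile directory is the one named in the post; the sample profile and the cut-down schema excerpt embedded below are constructed for illustration.

```python
import os
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

ALLOWED = ("LocalUsersOnly", "AllowRemoteUsers")
PROFILE_DIR = (Path(os.environ.get("ProgramData", r"C:\ProgramData"))
               / "Cisco" / "Cisco AnyConnect Secure Mobility Client" / "Profile")
SCHEMA_NAME = "AnyConnectProfile.xsd"
ELEMENT = "WindowsVPNEstablishment"


def _check(value):
    if value not in ALLOWED:
        raise ValueError(f"{ELEMENT} must be one of {ALLOWED}, not {value!r}")


def _namespace(root):
    # ElementTree spells a namespaced tag "{uri}name"; pushed profiles use a default namespace.
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def _tag(ns, name):
    return f"{{{ns}}}{name}" if ns else name


def _parse(xml_text):
    # Accept str or bytes; feed bytes so an encoding declaration in the prolog is honoured.
    return ET.fromstring(xml_text if isinstance(xml_text, bytes) else xml_text.encode("utf-8"))


def find_profiles(profile_dir=PROFILE_DIR):
    """The pushed profiles are the *.xml files in the folder; the .xsd beside them is the schema."""
    return sorted(Path(profile_dir).glob("*.xml"))


def vpn_establishment(profile_xml):
    """Current value in a profile, or None when the profile leaves it to the schema default."""
    root = _parse(profile_xml)
    el = root.find(f".//{_tag(_namespace(root), ELEMENT)}")
    return None if el is None else (el.text or "").strip()


def set_vpn_establishment(profile_xml, value):
    """Return the profile with WindowsVPNEstablishment set to value, creating the element
    under ClientInitialization if the profile did not have one."""
    _check(value)
    root = _parse(profile_xml)
    ns = _namespace(root)
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace unprefixed on output
    el = root.find(f".//{_tag(ns, ELEMENT)}")
    if el is None:
        init = root.find(_tag(ns, "ClientInitialization"))
        if init is None:
            init = ET.SubElement(root, _tag(ns, "ClientInitialization"))
        el = ET.SubElement(init, _tag(ns, ELEMENT))
    el.text = value
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def set_schema_default(xsd_text, value):
    """The edit the post makes: change the default the client applies when no profile sets the
    element. A targeted substitution leaves the rest of the schema byte-for-byte intact."""
    _check(value)
    pattern = re.compile(rf'(<xs:element\s+name="{ELEMENT}"[^>]*?\sdefault=")[^"]*(")')
    new_text, n = pattern.subn(lambda m: m.group(1) + value + m.group(2), xsd_text)
    if n != 1:
        raise ValueError(f"expected exactly one {ELEMENT} default in the schema, found {n}")
    return new_text


def update_folder(profile_dir=PROFILE_DIR, value="AllowRemoteUsers"):
    """Back up (.bak) and rewrite every pushed profile plus the schema default; returns the paths changed."""
    changed = []
    for path in find_profiles(profile_dir):
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(set_vpn_establishment(path.read_bytes(), value), encoding="utf-8")
        changed.append(path)
    schema = Path(profile_dir) / SCHEMA_NAME
    if schema.exists():
        shutil.copy2(schema, schema.with_name(schema.name + ".bak"))
        schema.write_text(set_schema_default(schema.read_text(encoding="utf-8"), value), encoding="utf-8")
        changed.append(schema)
    return changed


# Constructed sample of a pushed profile (default namespace, as the ASA writes it).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed, cut-down excerpt in the shape of the schema's WindowsVPNEstablishment declaration.
SAMPLE_SCHEMA = """<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://schemas.xmlsoap.org/encoding/" elementFormDefault="qualified">
  <xs:element name="WindowsVPNEstablishment" default="LocalUsersOnly">
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:enumeration value="LocalUsersOnly"/>
        <xs:enumeration value="AllowRemoteUsers"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>
</xs:schema>
"""

if __name__ == "__main__":
    for changed in update_folder():
        print("updated", changed)
```

Run it from an elevated prompt, then restart the machine as the post says; the .bak copies let you revert to "LocalUsersOnly" once the remote-session work is done.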