Let’s Encrypt!

I was accepted into the Let’s Encrypt beta. If you are not familiar, Let’s Encrypt is a new free certificate authority recognized by all major browsers. They have a client to automate the process of requesting certs and configuring web servers to use them. As of today, drakefire.com has been configured for SSL using a Let’s Encrypt certificate. It was a really simple process and is well worth a look. Cool stuff!


Automating AD cleanup with PowerShell – Updated

So, a while back I put together a script to automate the cleanup of inactive computer accounts. Since then, I’ve had a need to take that automation to the next level and target multiple OUs, as well add some additional criteria. I’m a big fan of the Quest/Dell AD cmdlets and continue to use them here.



Deploying the SCCM Client with a VMware Customization Spec

Since SCCM is our configuration management tool of choice, the SCCM client needs to get installed on all of our newly provisioned VMs. For this exercise I created a service account that only has read permission to the \\sccmserver\sms_sitecode\client share on the SCCM server. The client is installed from this location to ensure that we are always using the latest version and get rid of any need to manually copy files or put it in the template. I am using this in conjunction with vCAC, but it will also work just fine standalone.

1. Make sure that you have your customization spec configured to log in once as administrator:


2. Add the following lines to your customization spec. They map a drive to your SCCM share using the service account, install the client, and then reboot the virtual machine. I put a 60 second timeout (sleep) in there to give the install time to finish what it needs to do, and it has been working well at this point.

cmd.exe /c net use s: \\sccmserver\SMS_sitecode\Client /user:username password
cmd.exe /c s:\ccmsetup.exe <options>
timeout 60
cmd.exe /c shutdown -r -t 00
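The same sequence as a PowerShell script, added here as an example and not part of the original post. Instead of a fixed 60 second sleep it waits for ccmsetup.exe to exit and checks that the SMS Agent Host service (CcmExec) was registered before rebooting, so a slow or failed install does not get rebooted over. The share and placeholder credentials come from the post; the service account name, the ccmsetup options, the wait limit and the log path are assumptions. A customization spec would call it with something like powershell.exe -ExecutionPolicy Bypass -File C:\scripts\Install-CcmClient.ps1 (path assumed).

```powershell
# Added example (not from the original post): install the SCCM client from the
# read-only share and wait for the installer to finish before rebooting.
# The values below are placeholders or assumptions; adjust them for your site.
$Share    = '\\sccmserver\SMS_sitecode\Client'
$User     = 'DOMAIN\svc_sccm_read'                 # read-only service account (assumed name)
$Password = 'password'                             # placeholder, as in the post
$Options  = '/mp:sccmserver SMSSITECODE=sitecode'  # assumed ccmsetup options
$Timeout  = New-TimeSpan -Minutes 20               # upper bound on the wait (assumption)
$Log      = 'C:\Windows\Temp\ccmclient-deploy.log' # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append
}

# Map the share with the service account; net use returns non-zero on failure
net use S: $Share /user:$User $Password | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Log "net use failed with exit code $LASTEXITCODE"
    exit 1
}

# ccmsetup.exe copies itself locally, hands off to a service and returns
# quickly, so -Wait alone is not enough. Give the service a moment to start,
# then poll until no ccmsetup process remains (or the timeout expires).
Start-Process -FilePath 'S:\ccmsetup.exe' -ArgumentList $Options -Wait
Start-Sleep -Seconds 30
$deadline = (Get-Date) + $Timeout
while ((Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 15
}

# Only reboot once the client service actually exists
$svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
net use S: /delete | Out-Null
if ($null -eq $svc) {
    Write-Log 'CcmExec service not found after install; not rebooting'
    exit 1
}
Write-Log "CcmExec present (status $($svc.Status)); rebooting"
Restart-Computer -Force
```

The log file gives you something to look at on a VM that never checked in, which the plain cmd.exe lines do not leave behind.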

As always, if you know of another way to do this feel free to leave a comment, I’d love to hear about it.


Update the ISO Path on multiple VMs using PowerCLI

I have several special use case VMs that boot from an ISO file stored on a datastore. During a recent storage refresh, I found that we had the need to update the ISO path on all of these VMs from the old datastore to the new. PowerCLI came to the rescue once again and tackled it with just a few lines of code:

$vms = Get-VM -Location "cluster name"
$oldPath = "[Old_ISO_Datastore] boot.iso"
$newPath = "[New_ISO_Datastore] boot.iso"

foreach ($vm in $vms) {
	$cd = Get-CDDrive -VM $vm
	# Only touch drives that point at the ISO on the old datastore
	if ($cd.IsoPath -eq $oldPath) {
		Set-CDDrive -CD $cd -IsoPath $newPath -Confirm:$false
	}
}
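The snippet above handles one known ISO on one drive per VM. The following is an added example, not code from the original post, that generalizes it: every CD drive on every VM in the cluster is checked, and any ISO path on the old datastore is rewritten to the new one whatever the folder or file name, with a dry-run switch so you can review the changes first. The cluster and datastore names are placeholders.

```powershell
# Added example (not from the original post): repoint every ISO that lives on a
# datastore being retired to its replacement, keeping folder and file names.
# Cluster and datastore names below are placeholders.
$Cluster      = 'cluster name'
$OldDatastore = 'Old_ISO_Datastore'
$NewDatastore = 'New_ISO_Datastore'
$DryRun       = $true   # set to $false to apply the changes

# Fail early if the target datastore is not visible to this vCenter
if (-not (Get-Datastore -Name $NewDatastore -ErrorAction SilentlyContinue)) {
    throw "Datastore '$NewDatastore' not found"
}

$oldPrefix = "[$OldDatastore]"
$newPrefix = "[$NewDatastore]"

foreach ($vm in Get-VM -Location (Get-Cluster -Name $Cluster)) {
    # A VM may have more than one CD drive, so look at each of them
    foreach ($cd in Get-CDDrive -VM $vm) {
        if ([string]::IsNullOrEmpty($cd.IsoPath)) { continue }   # client device / no ISO
        # .StartsWith is used rather than -like because '[' starts a wildcard class
        if (-not $cd.IsoPath.StartsWith($oldPrefix)) { continue }

        # "[Old] folder/file.iso" -> "[New] folder/file.iso"
        $newPath = $newPrefix + $cd.IsoPath.Substring($oldPrefix.Length)
        "{0} ({1}): {2} -> {3}" -f $vm.Name, $cd.Name, $cd.IsoPath, $newPath
        if (-not $DryRun) {
            Set-CDDrive -CD $cd -IsoPath $newPath -Confirm:$false | Out-Null
        }
    }
}
```

Run it once with $DryRun left at $true and read the output; the list of "old -> new" lines is exactly what the second run will change.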

My VCAP5-DCD Exam Experience

Well, for anyone who has been following my past few posts, you will know that it has been a VMware certification exam packed month for me. It started with the VCAP5-DCA, then I took the new VCA-DCV exam in my hotel room one night during VMworld, and two days later, I took the VCAP5-DCD since the VMworld price of $100, in my opinion, was worth an unstudied and unprepared try. I purchased the VMware Press VCAP5-DCD Official Cert Guide and took all of the beginning of chapter “do I know this” quizzes. I did surprisingly well (compared to my expectations) and then loaded up the practice exam from the included DVD. I went through the practice exam 4 or 5 times and passed every time so this gave me a little more confidence. It was about 10pm so I went ahead and scheduled the exam for 10am the next morning.

I’ll be honest: while I did pass the DCD, it was not a slam dunk; I passed it by 26 points. The exam was a grueling 3.75 hours. It is 100 questions and I think 6 of them were Visio style. As the time went on my confidence quickly diminished. I feel like my technical and design skills are quite good, but having a firm grip on good design methodology, the related terms, and how to apply them is equally, if not more important. If I had more time to prepare, I have no doubt that the content of the cert guide would have pushed my score much higher and I will definitely be reading it cover to cover as preparation for my VCDX attempt.

This exam is much different than any I have taken previously and really forces you to think. Experience will be the best preparation you can have since the scope is so broad. As always, the blueprint lays out what you need to know. This is certainly one of the more rewarding certifications for me; I feel like VMware has done a great job with the VCAP program and the exams do a good job of knowledge measurement.

Now it’s time to take this experience and use it to start preparing for the VCDX!

If you have any feedback or are planning to take the test soon, I’d love to hear about it. Leave a comment below.


My VCA-DCV Exam Experience

After a long day of VMworld activity I didn’t have the energy for any more downtown SF, so I decided to come back to my hotel room for the night and check out the details of the new VMware VCA certifications. After taking a quick look at the blueprint for the VCA-DCV, I signed up for the free 2.5 hour course: VMware Data Center Virtualization Fundamentals. The course goes over basic virtualization concepts and how the vSphere product line fits in. For anyone who has been working with VMware for a while, there will not be much new territory covered in the course.

After completing the course, I headed back to the VMware site to request authorization for the exam; it took about 30 minutes and I got an email stating I could register. The exam is administered by PearsonVUE and the registration process is the same as any other VMware exam. There is a 50% off discount code (VCA501) available right now taking the fee down to $60. The major difference between this exam and the higher level exams is that this one is administered via your browser and does not require a trip to the testing center. The exam is 50 multiple choice questions and has a time limit of 75 minutes. The format is just like that of the VCP, very intuitive.

I finished the exam in about 30 minutes or so and scored a 460/500. As someone who works with VMware products every day, I think I could have done just as well without the course, but it was a nice way to end the day.


Generating SSL Certificates for ESXi Hosts using PowerShell

If you have ever had to generate SSL certificates for all of your hosts, you know that this is no trivial task, especially if you have a large environment. I wrote a script that generates the CSR, converts the key to RSA, and requests the certificate from the CA. It puts everything neatly into c:\certs\hosts\hostname so you can keep it with the certs from the rest of VMware’s recommended SSL path. I am making the assumption that if you are reading this you are somewhat familiar with the process for the other components and these concepts are not foreign.

The first step is to create the OpenSSL cfg files, one for each host. These are in the same format that is used for all of the other components. I have not yet created a script to generate these, but if I do I’ll add it here. I created a folder at c:\certs\hosts\opensslcfg to store the cfg files with the naming convention of hostname.cfg.

My script makes the following assumptions:

  1. You have created an openssl cfg file for each host
  2. You have the proper version of openssl installed to c:\openssl (if not, just change the path in the script)
  3. You are using a Microsoft CA
  4. You know what certificate template you want to use (same as used for other components)
  5. You have access to request the certificates

There are plenty of ways you could feed hostnames into the script, I just used a CSV exported from an Excel spreadsheet that I use to keep track of my environment. The CSV looks something like this:

Hostname,Management IP,vMotion IP,Cluster

Once you have all of the prerequisites in place, all that is left is to run the script. Here is the code:

#Set Variables
$vmhosts  = Import-Csv c:\certs\hosts\hostnames.csv
$ca       = "yourCA.domain.com\CAname"
$template = "CertificateTemplate:VMware-SSL"
$openssl  = "c:\openssl\bin\openssl.exe"
$certreq  = "C:\windows\system32\certreq.exe"

foreach ($vmhost in $vmhosts) {
	$name    = $vmhost.Hostname
	$dirpath = "c:\certs\hosts\" + $name
	New-Item -ItemType Directory -Path $dirpath | Out-Null
	$path    = $dirpath + "\"
	$cfg     = "c:\certs\hosts\opensslcfg\" + $name + ".cfg"

	#The call operator (&) passes each value as its own argument, so the CSV
	#contents are never evaluated as PowerShell code the way Invoke-Expression would.
	#Generate the private key and CSR from the host's OpenSSL cfg
	& $openssl req -new -nodes -out ($path + "rui.csr") -keyout ($path + "rui-orig.key") -config $cfg | Out-Null
	#Convert the key to the RSA format ESXi expects
	& $openssl rsa -in ($path + "rui-orig.key") -out ($path + "rui.key") | Out-Null
	#Submit the CSR to the Microsoft CA and save the issued certificate as rui.crt
	& $certreq -config $ca -attrib $template ($path + "rui.csr") ($path + "rui.crt") | Out-Null
}

After the certificates have been generated, all that is left is to install them. This requires putting the host in maintenance mode, copying the appropriate rui.crt and rui.key to /etc/vmware/ssl on each host, and then restarting the management agents. Here is the official VMware KB article on the subject.
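The cfg files from the first step can be produced from the same hostnames.csv. The script below is an added example, not code from the original post, that writes one c:\certs\hosts\opensslcfg\hostname.cfg per row in the per-component layout VMware documents for its other SSL components, with the Management IP and both the short and fully qualified names in the subjectAltName. The DNS suffix, organization and location values are placeholders; the [ req ] and [ v3_req ] settings are the ones assumed to match the rest of your environment.

```powershell
# Added example (not from the original post): generate the per-host OpenSSL
# config files that the CSR script expects, from the same CSV.
# $domain and the distinguished-name values are placeholders.
$vmhosts = Import-Csv c:\certs\hosts\hostnames.csv
$cfgDir  = 'c:\certs\hosts\opensslcfg'
$domain  = 'domain.com'   # placeholder DNS suffix used when Hostname is not an FQDN
New-Item -ItemType Directory -Path $cfgDir -Force | Out-Null

foreach ($vmhost in $vmhosts) {
    $ip = $vmhost.'Management IP'
    # Accept either a short name or an FQDN in the Hostname column
    if ($vmhost.Hostname -match '\.') {
        $fqdn  = $vmhost.Hostname
        $short = $fqdn.Split('.')[0]
    } else {
        $short = $vmhost.Hostname
        $fqdn  = "$short.$domain"
    }
    if ([string]::IsNullOrWhiteSpace($ip)) {
        Write-Warning "$short has no Management IP in the CSV; skipping"
        continue
    }

    $cfg = @"
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$short, IP:$ip, DNS:$fqdn

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMware
organizationalUnitName = ESXi
commonName = $fqdn
"@
    # File name matches what the CSR script builds: opensslcfg\<Hostname>.cfg
    Set-Content -Path (Join-Path $cfgDir "$($vmhost.Hostname).cfg") -Value $cfg -Encoding ASCII
}
```

The file is named after the Hostname column exactly as it appears in the CSV so that the CSR script finds it without any renaming.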



Cleaning up inactive computer accounts in AD with PowerShell

Have you ever had a need to clean a large number of unused computer accounts out of AD? This can be done quickly and easily with PowerShell. For AD work I personally prefer to use the Dell/Quest ActiveRoles Management Shell for Active Directory cmdlets; they are available free here. Since removing a massive number of computer accounts can be career limiting if done wrong, this is the method I prefer:

  1. Identify computer accounts that have been inactive for 90 days.
  2. Move the accounts to a temporary OU
  3. Disable the computer accounts
  4. Delete the computer accounts once it has been determined they are no longer needed

Moving the accounts to an “inactive computer” OU and disabling them gives you a safety net should the computers just be laying around powered off somewhere and keeps tools like SCCM from discovering the unused computers accounts. From that point, I like to keep the disabled accounts around for a while since it is much easier to just re-enable an account than to re-join the domain, especially if the machine is in a remote location. Once I feel confident that the accounts are no longer needed, the accounts can be deleted.

Below is an example script that performs these actions:

#Add Snap-ins
Add-PSSnapin "Quest.ActiveRoles.ADManagement"

#Set OUs in Variables - You can use the root of the domain for the searchRoot if desired.
$searchRoot = "yourdomain.com/OU"
$inactiveOU = "yourdomain.com/inactiveOU"

#Get computer accounts that have been inactive for 90 days (-SizeLimit 0 removes the default result cap)
$InactiveComp = Get-QADComputer -InactiveFor 90 -SizeLimit 0 -SearchRoot $searchRoot

#Move inactive computer accounts to your inactive OU
$InactiveComp | Move-QADObject -NewParentContainer $inactiveOU

#Disable computer accounts in inactive OU
Get-QADComputer -SizeLimit 0 -SearchRoot $inactiveOU | Disable-QADComputer
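The script above covers steps 1 through 3 for a single OU. The following is an added example, not code from the original post, that implements the whole four-step procedure with Microsoft's ActiveDirectory module instead of the Quest cmdlets: it walks several search OUs, stamps the move date into each account's Description, and then performs step 4 only for accounts that have sat disabled in the inactive OU for the full retention period. Everything runs in -WhatIf mode until you flip the switch. The OU distinguished names, the 90 day values and the Description prefix are placeholders.

```powershell
# Added example (not from the original post): inactive computer cleanup with the
# Microsoft ActiveDirectory module, multiple OUs, and a dated safety net before
# deletion. OU paths, day counts and the stamp prefix are placeholders.
Import-Module ActiveDirectory

$SearchRoots   = @('OU=Workstations,DC=yourdomain,DC=com',
                   'OU=Servers,DC=yourdomain,DC=com')
$InactiveOU    = 'OU=InactiveComputers,DC=yourdomain,DC=com'
$InactiveDays  = 90               # no logon for this long -> move and disable
$RetentionDays = 90               # disabled this long in the inactive OU -> delete
$Stamp         = 'Inactive-moved:' # prefix written to Description with the move date
$WhatIf        = $true            # set to $false once the -WhatIf output looks right

# Steps 1-3: find inactive, still-enabled computers, stamp, disable, then move.
# Stamp and disable happen before the move because the DN changes afterwards.
foreach ($root in $SearchRoots) {
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) `
                     -ComputersOnly -SearchBase $root |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $dn = $_.DistinguishedName
            Set-ADComputer   -Identity $dn -Description "$Stamp $(Get-Date -Format yyyy-MM-dd)" -WhatIf:$WhatIf
            Disable-ADAccount -Identity $dn -WhatIf:$WhatIf
            Move-ADObject    -Identity $dn -TargetPath $InactiveOU -WhatIf:$WhatIf
        }
}

# Step 4: delete only accounts this process parked at least $RetentionDays ago.
# Anything in the OU without our stamp is left alone for a human to look at.
$cutoff = (Get-Date).AddDays(-$RetentionDays)
Get-ADComputer -Filter 'Enabled -eq $false' -SearchBase $InactiveOU -Properties Description |
    ForEach-Object {
        if ($_.Description -notmatch "^$([regex]::Escape($Stamp)) (\d{4}-\d{2}-\d{2})") { return }
        $moved = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd', $null)
        if ($moved -le $cutoff) {
            Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$false -WhatIf:$WhatIf
        }
    }
```

Two things to watch when you turn -WhatIf off: Remove-ADComputer refuses objects that have child objects beneath them (Remove-ADObject -Recursive is the usual answer there), and any account somebody moved into the inactive OU by hand has no stamp, so it is deliberately never deleted by this script.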

My VCAP5-DCA Exam Experience

Well, I took the VCAP5-DCA exam on Monday 8/19, and it was everything the blueprint said it would be.

This was by far the most challenging certification exam I have taken to date. Like many others before me have said, I think the content was fair and a good representation of the product.  The testing center setup does leave a little to be desired because you are working from a jump box on a single monitor, so navigating is a little cumbersome. Others have complained of slowness, but my testing center had a pretty good performing rig and I didn’t feel like it was dragging too much. I started at question 1 and made it all the way to 26. There was one question and a few tasks in multi-part questions that I did not complete because I could not remember the exact method at the moment while under pressure and there were other questions that had plenty of low hanging fruit. I ran the clock out trying to finish those few things, but some did not get done. I used every bit of the 3.5 hours with no breaks. Fortunately, partial credit is possible.

For study material I used the following:

  • Trainsignal VMware vSphere Optimize and Scale class presented by Jason Nash
    • I can’t say enough good things about this training. You can get a Trainsignal subscription to ALL of their content for $49/mo. This class is well worth a one month subscription and they have many other courses of interest that are on my to-do list.
  • The vBrownBag sessions presented by ProfessionalVMware.com
    • I was not aware of vBrownBag until I started to prepare for this exam, but it is something I will follow going forward. There is a whole series available for free covering the VCAP5-DCA topics and they are packed with great information. Do yourself a favor and check them out.
  • Chris Wahl’s VCAP5-DCA study checklist
    • This well put together checklist covers the whole blueprint and is what kept me organized when going through all of the topics.
  • My own lab
    • This is probably the most important study tool. Go through the whole blueprint and make sure you do everything in the lab. I work with VMware every day at work, but there are plenty of things that I have simply never had a need to do or don’t do often, and these are what can get you in the exam.

Overall, I think I did pretty well on the exam, but I don’t feel nearly as confident as I’d like. It will be a long 15 days waiting for the results, fortunately, I’ll have VMworld and a vacation with my family to keep me occupied. I’ll update here when I get the results.

Time to start studying for the VCAP5-DCD!

On the 29th I got an email from VMware showing that I passed the exam. Woohoo!
