Milestone 2 AD, vCenter, and SSO Integration - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki
This page journals content related to SYS-350 milestone 2.
Getting ISOs
First I enabled SSH in the "Actions" menu on my ESXi host:
Then I SSH'd into my ESXi box from my main PC, navigated to vmfs/volumes/datastore2-super10 and used wget to get the Windows Server ISO:
And the vCenter server ISO:
All of the ISOs loaded:
I would THEN DISABLE SSH.
Windows Server 2019 setup
I made the following VM for Windows Server:
I would then power the VM on and access its console; in the boot manager I selected "boot normally", then pressed a key when prompted to enter Windows setup:
I would press "Next" > selected the Desktop Experience of the Standard Evaluation:
Then I accepted the license agreement and chose the "Install Windows only" option:
Pressed next on the unallocated space:
This would start the windows installation:
After a while the VM restarted and I was asked for a password:
On this screen I would press the keyboard combo of CTRL+SHIFT+F3 to bypass the screen which would load me as the administrator:
I would exit out of the System Preparation Tool > open PowerShell and enter Server Configuration with the sconfig command in an administrative PowerShell session:
(NOTE: When I say "option" below I am referring to the options on the above screen (1-15))
Then in option 9 I set the timezone to Eastern Standard:
Then in option 6 I installed the updates > A for all of the updates:
Then A again for all updates:
This process would install the updates, after which I would have to restart the box. After restarting I would check for updates again, and there would be more I needed to install (NOTE: I needed to press the Enter key in the cmd session while updates were downloading, as it occasionally did not prompt to restart itself).
This cycle of restart > opening PowerShell, then sconfig > 6 for updates and A for all updates (and A again if need be) continued until I got this screen:
Then in option 5 I set updates to manual:
(NOTE: Image was taken on ad350 after setup, but it was set originally before sysprepping)
Then I would use PowerShell to wget the instructor's script and edit it accordingly (NOTE: I closed the open System Preparation Tool first):
wget https://raw.githubusercontent.com/gmcyber/480share/master/ssh-prep.ps1 -Outfile prep.ps1
Edited script slightly as seen below:
Then back in ESXi I mounted VMware Tools:
And inside the VM, in its PowerShell session, I ran the following command to start the installer:
D:\setup64.exe
Then I followed through the installation with default settings:
(NOTE: SET TO RESTART LATER)
Then I ran my prep.ps1 script (WHERE I MADE A DEPLOYER USER WHICH PASSWORD I SAVED). After running the script the first time I did have to restart the box once, and below shows the second run after reboot:
Once the VM shut off, I changed the Network Adapter and CD/DVD settings:
And I took a snapshot named "Base":
ad350-oliver setup
Then I rebooted the box > set a new admin password > set up the following IP settings:
And this hostname:
Then once it rebooted and I logged in, I made sure to make the computer discoverable.
(NOTE: I did make the PC discoverable, and I also had to go into the GW-01 online management portal > "System" > "DNS Server Settings" and uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN or remote OpenVPN server":)
Checking everything is working:
Then I SSH'd into the ad350 box from my xubuntu-lan as the deployer user and ran the following PowerShell commands:
First I installed AD:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "oliver.local"
After a reboot I created an admin user for myself named "olivermustoe.adm":
$ps = Read-Host "Please enter a password for the olivermustoe.adm user" -AsSecureString
New-ADUser -Name olivermustoe.adm -AccountPassword $ps -Passwordneverexpires $true -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members olivermustoe.adm
Add-ADGroupMember -Identity "Enterprise Admins" -Members olivermustoe.adm
Then I setup DNS:
Install-WindowsFeature DNS -IncludeManagementTools
Add-DnsServerPrimaryZone -NetworkID 10.0.17.0/24 -ReplicationScope "Domain"
Get-DnsServerZone
Add-DnsServerResourceRecordA -CreatePtr -Name "vcenter" -ZoneName "oliver.local" -AllowUpdateAny -IPv4Address "10.0.17.3"
Add-DnsServerResourceRecordA -CreatePtr -Name "pf" -ZoneName "oliver.local" -AllowUpdateAny -IPv4Address "10.0.17.2"
Add-DnsServerResourceRecordA -CreatePtr -Name "mgmt1" -ZoneName "oliver.local" -AllowUpdateAny -IPv4Address "10.0.17.100"
Add-DnsServerResourceRecordPtr -Name "4" -ZoneName "17.0.10.in-addr.arpa" -AllowUpdateAny -AgeRecord -PtrDomainName "ad350-oliver"
# After setting up mgmt1's new networking I would add a DNS record for super10
Add-DnsServerResourceRecordA -Name "super10" -ZoneName "oliver.local" -AllowUpdateAny -IPv4Address "192.168.7.20"
And I updated my network settings on mgmt1 after running the above commands:
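As an added check that is not part of the original journal, the following PowerShell (run on ad350 against its own DNS service) resolves each name forward and then resolves the returned address back through the reverse zone, so a record whose PTR was never created, or whose PTR names only a short host name, is reported as not OK. The names and addresses come from the commands above; ad350's own address (10.0.17.4) is inferred from the PTR record "4" created above, and the FQDN form of the names and the -Server value are assumptions. super10 sits in 192.168.7.0/24, for which no reverse zone was created here, so the check will flag it.

```powershell
# Added example, not from the journal: verify that every A record created above also
# round-trips through the reverse zone. Run from ad350 in an elevated PowerShell session.
$DnsServer = "127.0.0.1"   # assumption: query the DC's own DNS service

# Name -> expected IPv4, taken from the Add-DnsServerResourceRecordA calls above.
# ad350's own address is inferred from the PTR record "4" in 17.0.10.in-addr.arpa.
$Expected = [ordered]@{
    "vcenter.oliver.local"      = "10.0.17.3"
    "pf.oliver.local"           = "10.0.17.2"
    "mgmt1.oliver.local"        = "10.0.17.100"
    "ad350-oliver.oliver.local" = "10.0.17.4"
    "super10.oliver.local"      = "192.168.7.20"
}

function Test-ForwardReverse {
    param([string]$Name, [string]$Ip, [string]$Server)
    $r = [ordered]@{ Name = $Name; Expected = $Ip; Forward = ""; Reverse = ""; Ok = $false }
    try {
        $a = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq "A" }
        $r.Forward = @($a.IPAddress) -join ","
    } catch { $r.Forward = "error: $($_.Exception.Message)" }
    try {
        # Resolve-DnsName accepts a bare IPv4 address and builds the in-addr.arpa name itself
        $ptr = Resolve-DnsName -Name $Ip -Type PTR -Server $Server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq "PTR" }
        $r.Reverse = @($ptr.NameHost) -join ","
    } catch { $r.Reverse = "error: $($_.Exception.Message)" }
    # OK only when the A record holds the expected address AND some PTR names the FQDN.
    $forwardOk = (@($r.Forward -split ",") -contains $Ip)
    $reverseOk = ((@($r.Reverse -split ",") | ForEach-Object { $_.TrimEnd(".") }) -contains $Name)
    $r.Ok = ($forwardOk -and $reverseOk)
    [pscustomobject]$r
}

$Expected.GetEnumerator() |
    ForEach-Object { Test-ForwardReverse -Name $_.Key -Ip $_.Value -Server $DnsServer } |
    Format-Table -AutoSize
```

A row that resolves forward but not in reverse is harmless for most clients, but vCenter's AD join and Kerberos both prefer a consistent forward/reverse view of the DC, so it is worth fixing the PTR before moving on.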
Windows 2019 reflection
This process was overall quite familiar and not too difficult. I have previously done this process in 480, which meant I could generously use my previous documentation to help with the install. The biggest problem I had was with my pfSense gateway for some reason not properly handling DNS. Until I switched off "Allow DNS server list to be overridden by DHCP/PPP on WAN or remote OpenVPN server", my ad350 was unable to reach the internet via DNS. This was a weird issue but I am glad I solved it.
vCenter installation
I edited mgmt1's settings to have the vCenter installer in the CD/DVD Drive:
This would mount it inside of my VM:
I would then start the install with:
/media/genuser/VMware\ VCSA/vcsa-ui-installer/lin64/installer
I would then press "Install" > "Next" to deploy vCenter > accepted license agreement > entered the following deployment target and I trusted the certificate when prompted by pressing "Next":
I named the vcenter and set the root password:
I then selected a "Tiny" deployment:
Selected to store it on datastore2 THIN PROVISIONED:
Set up vCenter's network settings:
Overall:
After finishing the wizard (using the button where "Next" had been), the installer would run:
Stage 1 Installation finished:
I then continued the installation with "CONTINUE" > reviewed the overview and pressed "Next" > set up the NTP settings with "pool.ntp.org":
Then I set up my SSO settings:
Didn't join the program:
Ready to install:
I would then press "Finish" and let stage 2 of the installer run:
After a while the vCenter Server Setup would complete and I could access my vCenter:
Then I logged in:
vCenter updates
(NOTE: Believe you can skip to the management interface section as I tried to update in vCenter but needed to go to the management interface.)
In vCenter I selected my "vcenter.oliver.local" > went to the "Updates" tab:
In step 1 I chose to select a version with "SELECT VERSION" and chose the newest target version:
Passed pre-checks, after I pressed "NEXT":
I then agreed that I have backed up the vCenter (I haven't, but since nothing is on it yet a reinstall would be fairly painless) and pressed "NEXT":
vCenter then told me for this target version I needed to use the "vCenter Server Management Interface" for this update so I logged into my vcenter management interface at "https://vcenter.oliver.local:5480":
And on the sidebar I went to "Update" > waited for the Available updates to show up > selected my wanted version:
Then I pressed "STAGE AND INSTALL":
In the first step I would agree to the terms of the license agreement > in the second step I would not join the CEIP > and in the third step I would agree that I have done a backup (even though I had not):
And I pressed "FINISH" and started the update:
Partway through the upgrade I was logged out of the management interface and was met with the following when trying to log back in:
I was told by this guide this was normal expected behavior during the update.
Then after a while I logged back in and the update was finished:
vCenter setup
After logging back into normal vCenter ("https://vcenter.oliver.local"), I right clicked my vCenter instance > "New Datacenter...":
Created a datacenter called "SYS350":
Then I right clicked my new datacenter > "Add Host...":
First I added the host IP:
(NOTE: I did re-add my ESXi host later using the DNS name "super10" instead of the IP, using the exact same process laid out below, and at that point I assigned it the vSphere license since I had it.)
Then I gave its login on step 2 > accepted the certificate > got the host summary:
Left the Host lifecycle and image with default settings and clicked next > assigned the temporary license (here is where I assigned the vSphere license when re-adding the host with DNS):
Left lockdown mode, VM location screen on default settings and continued:
When it was finished I could access all of my VMs in vcenter:
Organized the VMs:
Then I used the popout sidebar (3 horizontal lines on the right) and went to "Administration" > then I looked for the section called "Licenses" on the left:
Then I clicked on the "ADD" and entered my License keys in step 1 > in step 2 named them appropriately > added the licenses:
Then for vCenter I assigned its license using the "ASSIGN LICENSE" button while in the "Assets" tab:
And I would do the same with ESXi:
(NOTE: Again, I re-added my ESXi host later using the DNS name "super10" with the exact same process I mentioned before EXCEPT that I assigned it the vSphere license:)
Licenses assigned to vCenter and ESXi:
vCenter and AD SSO setup
Back on ad350, I set up my time to sync with pool.ntp.org:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
(NOTE: Did take a second to sync)
Then I installed Certification Authority features and configured the Active Directory Certificate Services with an Enterprise Root CA (added a root CA) using the following commands:
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CACommonName "ad350-CA" -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -Credential (Get-Credential) -HashAlgorithmName SHA512
(NOTE: Credential I had to use was my named domain admin user)
After that I would reboot ad350 to finish the CA setup!!!
I would then test from mgmt1 to see if the CA was up (the DC presents a CA-issued certificate on LDAPS port 636 once the CA is working):
openssl s_client -connect ad350-oliver:636 -showcerts
And I would save its certificate inside a file on mgmt1 named "ldap.cert":
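The journal captures the LDAPS certificate with openssl from mgmt1 and saves it as ldap.cert. As an added example (not the journal's own steps), the following PowerShell does the same from any domain-joined Windows machine, but also checks that the certificate on port 636 is the one issued by the new "ad350-CA" enterprise root, is within its validity period, carries the Server Authentication EKU and names the DC in its SAN, and that the local machine already trusts the issuing CA; it then writes the PEM file that vCenter's identity source will be given. The host name and CA name match the journal; the FQDN form, the output path and the port are assumptions.

```powershell
# Added example, not from the journal: fetch, validate and export the DC's LDAPS certificate.
$LdapHost         = "ad350-oliver.oliver.local"   # assumption: FQDN of ad350
$ExpectedIssuerCN = "ad350-CA"                    # CA common name from Install-AdcsCertificationAuthority above
$OutFile          = "ldap.cert"

function Get-LdapsCertificate {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept the presented certificate here so we can inspect it explicitly below,
        # instead of letting the TLS layer decide silently.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-LdapsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName,
        [string]$IssuerCN
    )
    $now      = Get-Date
    $issuerOk = $Cert.Issuer -match ("CN=" + [regex]::Escape($IssuerCN) + "(,|$)")
    $timeOk   = ($now -gt $Cert.NotBefore) -and ($now -lt $Cert.NotAfter)
    # Server Authentication (1.3.6.1.5.5.7.3.1) is the EKU an LDAPS client expects.
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" }))
    # The name vCenter connects with must appear in the Subject Alternative Name (OID 2.5.29.17).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanOk = [bool]($san -and ($san.Format($false) -match [regex]::Escape($HostName)))
    # An enterprise root CA is published to domain members through AD, so the chain should build.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        Thumbprint    = $Cert.Thumbprint
        IssuerOk      = [bool]$issuerOk
        TimeOk        = $timeOk
        ServerAuthEku = $ekuOk
        HostInSan     = $sanOk
        ChainTrusted  = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ",")
    }
}

function Export-PemCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path)
    # PEM is the DER bytes, base64-encoded and wrapped at 64 columns between the BEGIN/END markers.
    $der  = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64  = [Convert]::ToBase64String($der)
    $body = [regex]::Replace($b64, ".{64}", "`$0`n").TrimEnd("`n")
    "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----" | Set-Content -Path $Path -Encoding ascii
}

$cert = Get-LdapsCertificate -HostName $LdapHost
Test-LdapsCertificate -Cert $cert -HostName $LdapHost -IssuerCN $ExpectedIssuerCN | Format-List
Export-PemCertificate -Cert $cert -Path $OutFile
```

If IssuerOk is false, the DC is still presenting a self-signed or older certificate and vCenter's identity source will fail TLS validation against ldap.cert; check the certificate's Thumbprint against what openssl s_client reports to be sure both tools saw the same certificate.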
Then from my vcenter instance at "vcenter.oliver.local", I used the dropdown on the left (3 horizontal bars) > "Administration" > "Single Sign on" area > "Configuration":
Then I went to "Active Directory Domain" section and pressed "JOIN AD":
Filled out the required fields (domain name and a domain admin to join vCenter to AD):
I would then press "JOIN":
Then I navigated to the "Deployment" section > "System Configuration" > selected my vCenter and pressed "REBOOT NODE" while accepting the reboot popup:
Gave "SSOS" as the reason for the restart (a reason is needed):
Once vCenter had rebooted, from my ad350 SSH session I ran the following to create an OU structure and an LDAP bind user:
New-ADOrganizationalUnit -Name "350" -Path "DC=oliver,DC=local"
New-ADOrganizationalUnit -Name "Accounts" -Path "OU=350,DC=oliver,DC=local"
New-ADOrganizationalUnit -Name "ServiceAccounts" -Path "OU=Accounts,OU=350,DC=oliver,DC=local"
$password = Read-Host "Please enter a password for the vcenterldap user" -AsSecureString
New-ADUser -Name vcenterldap -GivenName vcenterldap -AccountPassword $password -description "ldap binding for vcenter active directory sso" -DisplayName vcenterldap -Passwordneverexpires $true -Enabled $true -path "OU=ServiceAccounts,OU=Accounts,OU=350,DC=oliver,DC=local"
And then I moved my admin user into the Accounts OU, created a security group named "vcenter-admins", and added my admin user to the security group:
Get-ADUser -Identity olivermustoe.adm | Move-ADObject -TargetPath "OU=Accounts,OU=350,DC=oliver,DC=local"
New-ADGroup -Name "vcenter-admins" -SamAccountName vcenter-admins -GroupCategory Security -GroupScope Global -DisplayName "vcenter-admins" -Path "OU=Accounts,OU=350,DC=oliver,DC=local" -Description "Members of this group are vcenter admins"
Add-ADGroupMember -Identity "vcenter-admins" -Members olivermustoe.adm
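The vcenterldap account above is only meant to bind to LDAPS and read group membership for vCenter. As an added example (not the journal's own commands), the following PowerShell, run on ad350, exercises that account the way vCenter will, a simple bind over LDAPS followed by a search for the members of vcenter-admins, and then audits the account's own group memberships so a bind-only account that has quietly ended up in a privileged group is caught before the identity source goes live. DNs, group and account names match the journal; the DC FQDN, the NetBIOS domain name "OLIVER" and the password prompt are assumptions.

```powershell
# Added example, not from the journal: test the LDAPS bind account and audit its privileges.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost = "ad350-oliver.oliver.local"                              # assumption: FQDN of ad350
$BaseDn   = "DC=oliver,DC=local"
$BindUser = "OLIVER\vcenterldap"                                     # assumption: NetBIOS domain is OLIVER
$GroupDn  = "CN=vcenter-admins,OU=Accounts,OU=350,DC=oliver,DC=local"

function Get-VcenterAdminsViaLdaps {
    param([string]$HostName, [pscredential]$Credential, [string]$BaseDn, [string]$GroupDn)
    # Port 636, fully qualified host name, connection-oriented (TCP).
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, 636, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential.GetNetworkCredential(), "Basic")
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS, as vCenter's "AD over LDAP" source uses
    $conn.SessionOptions.ProtocolVersion   = 3
    try {
        $conn.Bind()   # throws on a bad password, a failed TLS handshake or a disabled account
        # Resolve membership from the user side, which is the lookup vCenter performs at login.
        $filter = "(&(objectClass=user)(memberOf=$GroupDn))"
        $req    = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, "Subtree",
                      @("sAMAccountName", "userPrincipalName"))
        $resp   = $conn.SendRequest($req)
        foreach ($e in $resp.Entries) {
            [pscustomobject]@{
                sAMAccountName    = [string]$e.Attributes["sAMAccountName"][0]
                userPrincipalName = [string]$e.Attributes["userPrincipalName"][0]
            }
        }
    } finally { $conn.Dispose() }
}

function Test-ServiceAccountLeastPrivilege {
    param([string]$SamAccountName)
    $groups     = Get-ADPrincipalGroupMembership -Identity $SamAccountName | Select-Object -ExpandProperty Name
    $privileged = @("Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins", "Account Operators")
    [pscustomobject]@{
        Account         = $SamAccountName
        Groups          = ($groups -join ", ")
        # A bind-only account should belong to nothing beyond Domain Users.
        OnlyDomainUsers = (@($groups | Where-Object { $_ -ne "Domain Users" }).Count -eq 0)
        PrivilegedHits  = (@($groups | Where-Object { $privileged -contains $_ }) -join ", ")
    }
}

$cred = Get-Credential -UserName $BindUser -Message "Password for the vcenterldap bind account"
Get-VcenterAdminsViaLdaps -HostName $LdapHost -Credential $cred -BaseDn $BaseDn -GroupDn $GroupDn | Format-Table -AutoSize
Test-ServiceAccountLeastPrivilege -SamAccountName "vcenterldap" | Format-List
```

The first call should list olivermustoe.adm and nothing else; the second should report OnlyDomainUsers as True with an empty PrivilegedHits. A failed Bind() here reproduces exactly the error vCenter would show when the identity source is added, which makes it the cheaper place to debug the password, the certificate in ldap.cert, or the account's enabled state.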
Overall result of commands:
Back on vCenter, I navigated back to the "Administration" area > "Single Sign On" section > "Configuration" > "Identity Sources" where I chose to "ADD" an identity source (following shows the pop-up form filled out) then pressed "ADD":
(NOTE: "ldap.cert" is the file previously made with openssl s_client -connect ad350-oliver:636 -showcerts)
Identity source being set:
Then I navigated to "Users and Groups" in "Single Sign On" > "Groups tab" (left of Users tab, under heading):
And selected "Administrators" > "ADD MEMBER" > filled in the following (enter "vcenter-admins" in the search and click it, then it will be added to the other groups) and pressed "SAVE":
I would also go back into the dropdown > "Administration" > "Single Sign On" > "Configuration" > "Identity Sources" and set my AD as the default one with "SET AS DEFAULT" (screenshot taken after setting as default):
Then I restarted the vCenter node like I did before and once this was completed I could login as my AD admin user:
vCenter reflection
All of the vCenter steps were similar to the Windows setup in that I had documentation already in place for how to go about installing vCenter. The only things I had to do differently this time were that I updated my vCenter and learned about the maintenance console (something I had not used before). It wasn't hard to use, but it was something different I needed to use. I also re-added my ESXi host, switching from its IP to its DNS name, which required me to put it into maintenance mode and then remove it from vCenter. Ultimately that was painless. Overall, the documentation I already had in place served me well during this, and this new documentation provides even more detail for future vCenter shenanigans.
Sources
https://www.ntppool.org/en/use.html
https://virtualg.uk/how-to-upgrade-to-vmware-vcenter-server-vcsa-7-0-update-2/
https://4it.com.au/kb/article/configure-windows-server-for-the-ntp-pool-org-external-time-service/