Milestone 4: vCenter AD, PowerCLI, and Linked Clones - squatchulator/Tech-Journal GitHub Wiki

Milestone 4: vCenter AD, PowerCLI, and Linked Clones

4.1: Active Directory LDAPs SSO Provider

Install AD Certificate Authority + Tools

First, open up dc1 and open a new administrator powershell window. Enter the following commands (they can all be entered on one line):

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -Credential (Get-Credential)
  -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"
  -KeyLength 2048 -HashAlgorithmName SHA512
  -ValidityPeriod Years -ValidityPeriodUnits 5
  -CACommonName "miles-local-CA"

Assuming this all works, you should be able to see a new tab on the left in Server Manager for ADCS.

SSO in vCenter

Open up xUbuntu-wan and navigate to your vCenter homepage. Hit the burger menu and go to administration, and head to Single Sign On -> Configuration. Hit Join AD, and enter your domain name (firstname.local) and -adm creds. To reboot, go to Deployment -> System Configuration -> Select the node and click Reboot Node.

OU Creation

While vCenter reboots, open dc1 up again and go to ADDS (Users and Computers), select firstname.local, and right-click New -> Organizational Unit - name it 480. Within 480, create another OU called Accounts. Under this OU, create ANOTHER OU called ServiceAccounts. Finally, create a new user in here named vcenterldap. Create a good password and set it to never expire. Should look something like the following:

Open up a terminal in xubuntu-wan and run the following command, rebooting dc1 when it finishes running:

openssl s_client -connect dc1-miles:636 -showcerts

Once the reboot completes, enter the following command to see the cert:

openssl s_client -connect dc1-miles.miles.local:636 -showcerts

Copy the cert file to a new file called ca.crt and save it on xubuntu-wan somewhere.
Now that dc1 has rebooted, open ADUC again and move your named OU admin (-adm account) into the Accounts OU. Create a new group under Accounts as well named vcenter-firstname, and make your -adm account a member of it.

Secondary SSO Provider

Head back into vCenter. Go to Administration -> Single Sign On -> Configuration again, and add a new identity provider in Identity Sources. Set it to AD over LDAP, and fill it out similarly to the following (SET AS DEFAULT WHEN YOU'RE DONE!):
Make sure to grab your .crt file at the bottom! Save and go to Users and Groups under Single Sign On, go to Groups -> Administrators and add the vcenter-admins group:

Reboot the node again, and you should now be able to sign in as [email protected]!

4.2: Powershell, PowerCLI, and Our First Clone

Installing Ansible and PowerCLI Dependancies

Run the following on xUbuntu-Wan:

sudo apt install sshpass python3-paramiko git
sudo apt-add-repository ppa:ansible/ansible
sudo apt update
sudo apt install ansible
ansible --version
cat >> ~/.ansible.cfg << EOF                                                               
[defaults]
host_key_checking = false
EOF
sudo snap install powershell --classic
pwsh
Write-Host $PSVersionTable
Install-Module VMware.PowerCLI -Scope CurrentUser
Get-Module VMware.PowerCLI -ListAvailable
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $false

Using PowerCLI to make Linked Clones

First, assign your vcenter's hostname to a variable using $vcenter="vcenter.miles.local". Connect with Connect-VIServer -Server $vcenter. It will prompt for credentials, so enter your domain -adm account.
To see your current VMs, use the command Get-VM. Look at the list, and set a new variable with $vm = Get-VM -Name dc1. We also want a variable that will grab the snapshot of that VM, and we can use $snapshot = Get-Snapshot -VM $vm -Name "Base" (Snapshot name may be different but instructions named it Base so that's what I went with.) Also assign the variable for the VM Host with $vmhost = Get-VMHost -Name "192.168.7.15".
Now we need to grab the datastore. Your datastore1 will likely be larger so that's the one you should use. Run $ds = Get-DataStore -Name "datastore1-super5"
We need a name for our linked clone. Use $linkedClone = "{0}.linked" -f $vm.name. This essentially places the data in front of the .linked, and when you call the variable it should populate with dc1. Now run the big command:

$linkedvm = New-VM -LinkedClone -Name $linkedClone -VM $vm -ReferenceSnapshot $snapshot -VMHost $vmhost -Datastore $ds

Using Linked Clone to make Base VM

Run the following:

$newvm = New-VM -Name "server.2019.gui.base" -VM $linkedvm -VMHost $vmhost -Datastore $ds

It might take a minute, but when it's done call the variable to verify the new VM was created. Now, we can grab a snapshot of it.

$newvm | New-Snapshot -Name "Base"

Now, we can delete our linked temporary VM:

$linkedvm | Remove-VM

4.3: Ubuntu Server Base VM and Linked Clone

Open up and log into vCenter, and under your folder where the VMs are all contained create two new VM and Template folders named PROD and BASEVM. Move everything besides the server 2019 base into PROD, and move that last one to BASEVM.

Base VM for Ubuntu Server

Download the latest ISO for Ubuntu Server LTS. Upload it to your datastore2.
Create a new ESXi 7.0 VM on your datastore2 called ubuntu.22.04.3.base with the following settings:

Once finished, boot it up and go through the installer. Create the following user:
Check "Install OpenSSH Server", and avoid Server Snaps. Let the install finish - it will have you reboot.
Once logged in, open a root terminal and enter the following:

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1

Then, pull the script down using this:

wget https://raw.githubusercontent.com/gmcyber/RangeControl/main/src/scripts/base-vms/ubuntu-server.sh
sudo sh ubuntu-server.sh

Turn off the server, edit settings and remove the ISO file, and take a snapshot named "Base" again.
Open up xubuntu-wan and enter powershell again. Run the following commands:

$vcenter="vcenter.miles.local"
Connect-VIServer -Server $vcenter
# Enter user and password (-adm user), and hit Y
$vm=Get-VM -Name ubuntu.22.04.3.base
$vmhost=Get-VMHost -Name "192.168.7.15"
$ds=Get-Datastore -Name "datastore1-super5"
$linkedclone="awx"
$snapshot=Get-Snapshot -VM $vm -Name "Base"
$linkedvm=New-VM -LinkedClone -Name $linkedclone -VM $vm -ReferenceSnapshot $snapshot -VMHost $vmhost -Datastore $ds
$linkedvm | Get-NetworkAdapter | Set-NetworkAdapter -NetworkName 480-WAN
# Y when prompted

In vCenter, move the awx vm to the PROD folder and turn it on.

Script:

Write-Host "Before running this script, make sure the VM you want to clone has a "
Write-Host "snapshot saved named 'Base'."
$vcenter=Read-Host "Enter FQDN for vCenter (ex. vcenter.name.local): "
$ip=Read-Host "Enter the IPv4 address of your ESXi host: "
$target=Read-Host "Enter the name of the VM you would like to clone: "
$newname=Read-Host "Enter the name of your new VM: "
$dsname=Read-Host "Enter the name of the datastore you'd like to use: "
$adapter=Read-Host "Should this VM be placed on the 480-WAN or VM Network?: "
Connect-VIServer -Server $vcenter
$vm=Get-VM -Name $target
$snapshot=Get-Snapshot -VM $vm -Name "Base"
$vmhost=Get-VMHost -Name $ip
$ds=Get-Datastore -Name $dsname
$linkedclone="{0}.linked" -f $vm.name
$linkedvm=New-VM -LinkedClone -Name $linkedclone -VM $vm -ReferenceSnapshot $snapshot -VMHost $vmhost -Datastore $ds
$newvm=New-VM -Name $newname -VM $linkedvm -VMHost $vmhost -Datastore $ds
$newvm | New-Snapshot -Name "Base"
$linkedvm | Remove-VM
$newvm | Get-NetworkAdapter | Set-NetworkAdapter -NetworkName $adapter
Write-Host "Done."