Milestone #4: VCenter AD Integration, PowerCLI and Linked Clones - zacharylongo/Tech-Journals GitHub Wiki

Certificate Authority and SSO

First, I would SSH into my domain controller as my administrator account from my Xubuntu-wan / management machine:

  • I would then attempt to install the CA using the following commands whilst using the GUI to configure.

(Do not use the GUI to configure, this was a critical error that cost me hours trying to correctly install / remediate)

Commands:


# Add the AD CS role plus the management tools (certsrv console, ADCS cmdlets)
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Configure it as an Enterprise Root CA (RSA-2048, SHA-512); Get-Credential prompts for an Enterprise Admin account
Install-AdcsCertificationAuthority -CACommonName "zach-dc1-CA" -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -Credential (Get-Credential) -HashAlgorithmName SHA512
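Added check, not part of the original journal: once the Enterprise CA is up, the DC auto-enrolls for a Domain Controller certificate, and LDAPS on 636 only answers once that certificate is in the machine store. This block finds that certificate and probes the port so the vCenter identity source is not configured against a DC that cannot serve LDAPS yet. It assumes it runs on the DC itself in an elevated PowerShell session; the function name is my own.

```powershell
# Added check (not from the original journal): confirm the DC has a certificate
# usable for LDAPS before pointing vCenter at ldaps://dc1. Runs on the DC, elevated.
$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-LdapsCandidateCert {
    # Schannel serves LDAPS with a machine-store cert that has a private key,
    # the Server Authentication EKU and the DC's FQDN in its subject or SAN.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication') -and
            (($_.DnsNameList.Unicode -contains $dcFqdn) -or ($_.Subject -like "*CN=$dcFqdn*"))
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-LdapsCandidateCert
if (-not $cert) {
    # The Enterprise CA issues the "Domain Controller" template through autoenrollment;
    # trigger a pass now instead of waiting for the next Group Policy refresh.
    certreq -pulse | Out-Null
    Start-Sleep -Seconds 10
    $cert = Get-LdapsCandidateCert
}
if (-not $cert) {
    throw "No LDAPS-capable certificate in LocalMachine\My for $dcFqdn; check that the CA is issuing the Domain Controller template."
}

"LDAPS cert: {0} issued by {1}, expires {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter

# Port check from the DC itself; repeat it from the Xubuntu box to rule out a firewall in between.
if (-not (Test-NetConnection -ComputerName $dcFqdn -Port 636 -InformationLevel Quiet)) {
    throw "TCP 636 is not listening on $dcFqdn"
}
```

If the first lookup is empty and the second one succeeds, the CA was fine and the DC had simply not enrolled yet; if both are empty, look at the CA's Certificate Templates to confirm the Domain Controller template is published.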

Under the Administration tab in vSphere, select SSO → Configuration. From there, Identity Sources --> Active Directory Domain and select "Join AD":

I would then reboot the node to apply changes (Can be found under Administration --> Deployment --> System Configuration --> Reboot Node)

After the node successfully rebooted, I used the following commands to create my OU and the required user:

# OU tree: 480 -> Accounts -> Services, scoped so vCenter only ever searches OU=480
New-ADOrganizationalUnit -Name "480" -Path "DC=zach,DC=local"
New-ADOrganizationalUnit -Name "Accounts" -Path "OU=480,DC=zach,DC=local"
New-ADOrganizationalUnit -Name "Services" -Path "OU=Accounts,OU=480,DC=zach,DC=local"
# Prompt for the bind password instead of putting it on the command line (and in the PS history)
$password = Read-Host "Enter a password for the user" -AsSecureString
# Plain, unprivileged user: it only needs read access to the directory for vCenter's LDAP bind
New-ADUser -Name vcenterldap -GivenName vcenterldap -AccountPassword $password -Description "ldap binding for vcenter active directory sso" -DisplayName vcenterldap -PasswordNeverExpires $true -Enabled $true -Path "OU=Services,OU=Accounts,OU=480,DC=zach,DC=local"

Initiated a reboot (like you should after all major changes... I won't say this again)

Used the following command from my Ubuntu box to retrieve the LDAPS certificate:

openssl s_client -connect dc1:636 -showcerts

  • I had a slew of issues revolving around copying the cert. When copying it, use Shift + Insert and drop it in a document with a .crt extension. To this point, make sure that once this file is on your Windows box, it is in "PEM Format" in File Explorer. Even though a checksum said that my .crt files were identical, one had the PEM description and worked while the other did not.
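Added example, not from the original journal: instead of copying the openssl output by hand, capture the certificate dc1 presents on 636 over a TLS handshake and write it out as clean PEM (64-character lines, LF endings, no BOM), then re-parse the file to prove it is importable. It uses .NET rather than openssl, so the same script runs under pwsh on the Xubuntu box or on Windows. The hostname, port and output path are assumptions for this lab.

```powershell
# Added example (not from the original journal): fetch the LDAPS certificate
# from the DC and save it as PEM that vCenter will accept.
# Hostname, port and output path are assumptions; adjust for your lab.
param(
    [string]$DcHost  = 'dc1.zach.local',
    [int]   $Port    = 636,
    [string]$OutFile = './dc1-ldaps.crt'
)

# Accept whatever the server sends: we are capturing the cert to inspect it,
# trust is decided after reading the subject/issuer printed at the end.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors) $true
}

$tcp = [System.Net.Sockets.TcpClient]::new($DcHost, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($DcHost)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
}
finally {
    $tcp.Dispose()
}

# Build the PEM by hand. A .crt that carries a UTF-16 BOM or CRLF endings
# (what Notepad tends to produce) is a common reason an import refuses the file.
$b64   = [Convert]::ToBase64String($cert.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
[System.IO.File]::WriteAllText($OutFile, $pem, [System.Text.UTF8Encoding]::new($false))

# Round-trip: parse the file we just wrote and compare thumbprints.
$reloaded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($OutFile)
if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw "PEM round-trip failed for $OutFile" }

# What vCenter will be pinning: the DC cert, issued by the enterprise CA built earlier.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    DnsName    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
}
```

Check that the Issuer line names the CA you just created (zach-dc1-CA) and that DnsName matches the host in the ldaps:// URL; if either is off, vCenter's LDAPS connection will fail validation even though the file imported cleanly.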

Certs on Xubuntu Box:

After moving the cert over, I moved zach-adm to the OU visible to vSphere and created a new group for my domain admin account. I chose to do this step using the GUI, however this could easily be done using the commands I utilized earlier.

Once this is complete, go to Administration --> Single Sign On --> Configuration --> Identity Sources --> Click "Add"

Forgot to take a screenshot, but your info should be similar to the following:

  • Identity Source Type: Active Directory over LDAP

  • Identity source name "zach-ad"

  • Base distinguished name for users: OU=Accounts,OU=480,DC=zach,DC=local

  • Base distinguished name for groups: OU=Accounts,OU=480,DC=zach,DC=local

  • Primary server URL ldaps://dc1.zach.local

  • MAKE SURE TO ADD CERTIFICATE AT THE BOTTOM (the one from before)

Should look like this when done:

After this, go to Users and Groups within the SSO menu ---> Groups

  • Under the administrators group, select "Add Members"

  • Use "vcenter-admins" (Create if you did not earlier <3)

After reboot, I was good to go:

Powershell, PowerCLI, cloning:

Used the provided code to install Ansible on our Xubuntu box


sudo apt update
sudo apt install sshpass python3-paramiko git -y
sudo apt-add-repository ppa:ansible/ansible
sudo apt update
sudo apt install ansible -y

Installed PowerShell using Gmcyber's method

sudo snap install powershell --classic

Additionally installed all the dependencies for PowerCLI (once again provided by Gmcyber)


Install-Module VMware.PowerCLI -Scope CurrentUser
Get-Module VMware.PowerCLI -ListAvailable
# Ignore skips certificate validation for every vCenter/ESXi connection; fine for a lab with
# self-signed certs, otherwise trust the vCenter CA and leave the default (Fail) in place
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $false

Up and running:

I'd then use the following commands to select a VM, its most recent snapshot, its host and datastore, and prep for a linked clone.


$vm = Get-VM -Name AD-Zach
# The snapshot the linked clone will reference (delta disks share this snapshot's base disks)
$snapshot = Get-Snapshot -VM $vm -Name "Base -> Milestone #4"
$vmhost = Get-VMHost -Name "192.168.7.37"
$ds = Get-Datastore -Name "datastore1-super27"
# Name for the temporary linked clone, e.g. AD-Zach.linked
$linkedClone = "{0}.linked" -f $vm.Name

I'd then use the following commands to create a new Linked Clone

$linkedvm = New-VM -LinkedClone -Name $linkedClone -VM $vm -ReferenceSnapshot $snapshot -VMHost $vmhost -Datastore $ds

I'd then make it a real VM:

$newvm = New-VM -Name "insert_name_here" -VM $linkedvm -VMHost $vmhost -Datastore $ds

I'd make a new snapshot named "Base"


$newvm | New-Snapshot -Name "Base"

I'd then send the linked clone to the dark depths of the ether:

I would then repeat these steps for my firewall, AD, and Xubuntu:

A note about cloning: Xubuntu Clone had duplicate IP to original xubuntu-wan box which caused chrome remote desktop to break. (Switched between the boxes on each connect and subsequently crashed)
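Added example, not from the original journal: the linked clone → full clone → "Base" snapshot → delete-the-linked-clone sequence above, wrapped in one function so it can be repeated for the firewall, AD and Xubuntu VMs without retyping it, with the checks a practitioner would want (the snapshot must exist, the target name must be free, the temporary linked clone is removed even if the full clone fails). It also disconnects the clone's NIC so it cannot come up with the source's IP, which is the collision described in the note above. The VM, host, datastore and snapshot names are the journal's; the function name, the -DisconnectNic switch and the firewall/Xubuntu VM names in the usage are my own placeholders.

```powershell
# Added example (not from the original journal): the journal's linked-clone
# procedure as one repeatable function. Function name and -DisconnectNic are my own.
function New-FullCloneFromSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceVm,
        [Parameter(Mandatory)][string]$SnapshotName,
        [Parameter(Mandatory)][string]$NewName,
        [Parameter(Mandatory)][string]$VmHostName,
        [Parameter(Mandatory)][string]$DatastoreName,
        [switch]$DisconnectNic   # leave the NIC unplugged so the clone cannot boot with the source's IP
    )

    $vm = Get-VM -Name $SourceVm -ErrorAction Stop
    # -ErrorAction Stop: a typo in the snapshot name fails here, not as an empty -ReferenceSnapshot later.
    $snapshot = Get-Snapshot -VM $vm -Name $SnapshotName -ErrorAction Stop
    $vmhost   = Get-VMHost -Name $VmHostName -ErrorAction Stop
    $ds       = Get-Datastore -Name $DatastoreName -ErrorAction Stop

    if (Get-VM -Name $NewName -ErrorAction SilentlyContinue) {
        throw "A VM named '$NewName' already exists; refusing to clone over it."
    }
    if (-not $PSCmdlet.ShouldProcess($NewName, "clone $SourceVm from snapshot '$SnapshotName'")) { return }

    $linkedName = '{0}.linked' -f $vm.Name
    $linkedVm   = $null
    try {
        # Step 1: linked clone, delta disks on top of the snapshot's base disks.
        $linkedVm = New-VM -LinkedClone -Name $linkedName -VM $vm -ReferenceSnapshot $snapshot -VMHost $vmhost -Datastore $ds
        # Step 2: full clone of the linked clone, so the new VM owns its disks outright.
        $newVm = New-VM -Name $NewName -VM $linkedVm -VMHost $vmhost -Datastore $ds
        # Step 3: clean "Base" snapshot on the new VM.
        $newVm | New-Snapshot -Name 'Base' | Out-Null
    }
    finally {
        # Step 4: the linked clone was only scaffolding; remove it whether or not step 2 succeeded.
        if ($linkedVm) { Remove-VM -VM $linkedVm -DeletePermanently -Confirm:$false }
    }

    if ($DisconnectNic) {
        # New-VM leaves the clone powered off, so StartConnected is enough to keep it off the wire.
        Get-NetworkAdapter -VM $newVm | Set-NetworkAdapter -StartConnected:$false -Confirm:$false | Out-Null
    }
    return $newVm
}

# Usage: one call per base VM. AD-Zach, the host, datastore and snapshot are from the
# journal; the firewall and Xubuntu VM names are placeholders.
@(
    @{ SourceVm = 'AD-Zach';     NewName = 'AD-Zach-clone' }
    @{ SourceVm = 'fw-zach';     NewName = 'fw-zach-clone' }
    @{ SourceVm = 'xubuntu-wan'; NewName = 'xubuntu-wan-clone' }
) | ForEach-Object {
    $p = $_
    New-FullCloneFromSnapshot @p -SnapshotName 'Base -> Milestone #4' -VmHostName '192.168.7.37' -DatastoreName 'datastore1-super27' -DisconnectNic
}
```

Run it once with -WhatIf to see the clone it would create without touching the datastore. After the clone has been given its own address, reconnect the adapter with Set-NetworkAdapter -StartConnected:$true and power it on.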

Licensing

  • About half-way through completing my Ubuntu Server base machine, my licenses went bad:
