VMware NSX Active Directory Groups Missing

Today I was doing some micro segmentation at a customer site, and I was having an issue with new active directory groups not showing up when I wanted to add them to a Security Group.

It turned out that there were a lot of groups missing. I checked the synchronization, but there were no errors, and there was no pattern in which groups were missing and which were present. If you do have synchronization errors, this article might be relevant for you: https://kb.vmware.com/s/article/2150678

I checked the release notes for recent updates, but it did not look like this was a known bug.

Solution:
I did find a workaround. I deleted the domain from NSX and set it up again. Now all groups were available. This is not a very good solution, since all your existing setup in regard to identity-based rules in the distributed firewall, and security groups with AD group members, needs to be redone. So be careful to document everything before you delete the domain.

Relevant NSX version: 6.3.2.5672532

Should you enable Network health check for your Distributed Virtual Switches

Network health check is a very useful feature that was introduced with vSphere 5.1 vDS.

What does it do?

The purpose is to test if the VLANs, MTU and load balancing settings you defined are actually working. The old way of doing this would be to disconnect all ports except one, by either doing a shutdown on the switch port or pulling out the cable, and then testing, with a VM, if every VLAN still works. This can be a very lengthy process if you have many adapters, but it is also a necessary step if you want a stable environment.

If you want to know more about how it checks the different settings, Joseph Griffiths wrote a good article on this, which you can read here: http://blog.jgriffiths.org/?p=877

So why would you ever disable this feature?

Well, the health check feature generates a lot of MAC table entries, as explained in VMware KB 2034795.

An example given is that you have 35 hosts with 2 network adapters each, and 60 VLANs. This will generate (35 * 2 * 60) 4200 MAC table entries in your physical switches. As you can see, this quickly increases. Some switches only have room for 32,000 records or fewer.

Enable SSL on Apache2 (Self-Signed)

Quick guide to getting a self-signed certificate configured for Apache on Ubuntu 16.04.

All credit goes to Justin Ellingwood. There is a link to his article at the bottom of this page. This is just a quick summary of what needs to be done to get SSL working, based on his article.

I do not recommend using self-signed certificates in production, as they do not provide any security whatsoever! Deploy a signed certificate from your internal 2-tier PKI infrastructure. If you do not have an internal PKI infrastructure, you need to get one!


Free IPAM solution – 1. Installing phpIPAM

Are you tired of using Excel for managing your IP addresses?

Why not use an IPAM DB to keep track of your VLANs, subnets and IP addresses?

An IPAM solution is a vital building block in an automated environment. Let's go through how you can set up a free IPAM DB for use with vRealize Orchestrator and vRealize Automation.
