Cannot export ISO from vLCM cluster image

When you try to export an ISO file in VMware vCenter from a cluster using single cluster image with vLCM. You will get the following error:

A general system error occurred: Error occurred while exporting ESXi image and/or image document.

The error is accompanied with an error in the vmware-vum-server-#.log file in /var/log/vmware/vmware-updatemgr/vum-server catalog like the following:

2023-06-14T12:21:23.882Z error vmware-vum-server[09453] [Originator@6876 sub=VumVapi::Lib::Utils] [ExportTask 92] Failed to export cluster image from depot. errorCode: 99

In my case I was able to export it as a zip bundle and the corresponding json configuration file exported successfully as well.

The problem lies with vendor signatures, and vmware does not currently have a solution for this unfortunately except that it normally helps to remove the vendor packages attached to the cluster.

https://kb.vmware.com/s/article/91237

More information is available here: https://communities.vmware.com/t5/vCenter-Server-Discussions/Cannot-export-vLCM-image-if-you-use-a-custom-SSL-cert-Non/td-p/2881200/page/2

List VMs with Secure Boot enabled on Windows Server 2022

Since Microsoft released: KB5022842 a lot of customers has experienced Windows Server 2022 not being able to boot. On vSphere 7 this might be a problem if you have installed the patch at enabled secure boot for the server.

More information is available here: VMware KB90947

If you need to find VM that are running Windows Server 2022 and have enabled Secure Boot it is not that easy.

The problem is that your cannot always be sure that the OS selected for the VM is the OS actually installed in the VM. If for instance you installed Windows Server 2022 before is was officially supported in vSphere you might have chosen Windows Server 2019. So you will need to use the OS name that VMware tools are reporting.

But what is VMware tools is not running. That’s a problem.

The following script will find VMs with Secure Boot enabled that are running Windows Server 2022, but also VM’s where we are not certain because VMware Tools is not running.

Continue reading List VMs with Secure Boot enabled on Windows Server 2022

How To Make vRO Execute Python Code Blocks

vRealize Orchestrator (vRO) is a powerful automation platform that enables you to automate and orchestrate various IT processes, including the execution of Python scripts. In this article, we will show you how to set up vRO to run Python scripts and provide some tips along the way.

Prerequisites

Before you can run Python scripts in vRO, you need to have the following:

  • A working installation of vRealize Orchestrator (8.10.2+).
  • A vCloud Suite Advanced or Enterprise license. You cannot run Python scripts with the standard vCenter license for vRO

Setting up vRO to run Python scripts

To set up vRO to run Python scripts, follow these steps:

  • Open the vRealize Orchestrator client and log in with your administrator credentials. (https://<servername>/orchestration-ui)
  • In the main menu, go to the “Assets” and select “Environments” from the submenu.
  • Click the “New Environment” button to create a python3.7 environment.
  • In the “General” tab, enter a name and a description for the environment.
Continue reading How To Make vRO Execute Python Code Blocks

NSX-T Troubleshooting IDFW rules

So you have migrated to NSX-T 3.2 and you are using IDFW rules to allow users to dynamically gain access when they log in to any physical device in the domain.

Only trouble is that now it is not really working, and VMware did not yet implement a way in the gui to see the effective members of Groups that contains Active Directory members.

Well there is a way you can see who is in the group at least, but there are a couple of steps.

How to find the effective group members

Step one is to identify the rule you are troubleshooting. Make a note of the rule id.

Next find the host the destination VM is running on. You can do this manually in vCenter or use powershell. That’s up to you.

Continue reading NSX-T Troubleshooting IDFW rules

NSX-T Traffic Analysis Traceflow fails

So you are trying to do a traceflow to see where the traffic is going, but as it turns out it is not working. If this is the case, and if you are running NSX-T 3.2, and the segment that your VMs belong to is VLAN backed. Then I might have a solutions for you.

ERROR

Traceflow request failed. The request might be cancelled because it took more time than normal. Please retry.Error Message: Error: Traceflow intent /infra/traceflows/<guid> realized on enforcement point /infra/sites/default/enforcement-points/default with error Traceflow on VLAN logical port LogicalPort/<guid> requires INT (In-band Network Telemetry) to be enabled (Error code: 500060)
Continue reading NSX-T Traffic Analysis Traceflow fails

Reconnect ESXi host after reinstall

After a VMware ESXi host reinstall reconnecting your host is not as easy as changing the state of the host by using the Set-VMHost -State command in VMware PowerCLI. The reason is that your host has gotten a new certificate. So to do this scripted you need to retrieve the SSL thumbprint and specify that during the reconnect.

Continue reading Reconnect ESXi host after reinstall

Enable IPv6 using PowerCLI

This is a PowerCLI script to enable IPv6 on VMware ESXi hosts in you vCenter.

This problem is that disabling IPv6 in newer versions of ESXi can sometimes result in PSOD, so even if you are not using IPv6 in your environment, you should keep it enabled. https://kb.vmware.com/s/article/2150794

Import-Module VMware.PowerCLI

Connect-VIServer <Insert vCenter name>

$VMHost = Get-VMHost <insert hostname>

$esxcli = Get-EsxCli -VMHost $VMhost -V2
$argument = $esxcli.system.module.parameters.set.CreateArgs()
$argument.module = "tcpip4"
$argument.parameterstring = "ipv6=1"
$esxcli.system.module.parameters.set.Invoke($argument)
Write-Host "IPv6 Enabled for host: $($VMHost)"
Write-Host "You need to put the host in maintenance mode and reboot for changes to take effect."

Hope this helps you. Keep in mind that use of this script is entirely your responsibility, and you should always understand what a script does before you run it.

To detect which host that has IPv6 disabled check this post: https://vm.knutsson.it/?p=1193

Check if IPv6 is disabled

This is a PowerCLI script to list VMware ESXi host that has IPv6 disabled in you vCenter.

This problem is that disabling IPv6 in newer versions of ESXi can sometimes result in PSOD, so even if you are not using IPv6 in your environment, you should keep it enabled. https://kb.vmware.com/s/article/2150794

Import-Module VMware.PowerCLI

Connect-VIServer <Insert vCenter server FQDN>
$VMHosts = Get-VMHost | Sort-Object

foreach ($VMHost in $VMHosts) {
    if ($VMHost.ConnectionState -ne "Connected" ) { 
        $status = "Unknown. Host Status: $($VMHost.Connectionstate)"
        Write-host("$($VMHost): $($status)")
    } else {
        $value = ($VMHost | Get-VMHostModule tcpip4).Options
        if ($value -match "ipv6=1") {
            $status = "Enabled"
            #Write-host("$($VMHost): $($status)")
        } elseif ($value -match "ipv6=0") {
            $status = 'Disabled'
            Write-host("$($VMHost): $($status)")
        } else {
            $status = "Unknown"
            Write-host("$($VMHost): $($status) - $($value)")
        }
    }
}

Hope this helps you. Keep in mind that use of this script is entirely your responsibility, and you should always understand what a script does before you run it.

To enable IPv6 on hosts using PowerCLI check this post: https://vm.knutsson.it/?p=1198

PowerCLI: TPM Encryption Recovery Key Backup

From vSphere 7.0 Update 2 and onwards VMware encurage you to make a backup of your host encryptions keys, when you are using TPM. https://kb.vmware.com/s/article/81661

Here is a script that will make it easy for you if you cannot be bothered with logging in to each host using SSH.

The script will list all hosts and their keys for safe keeping.

Import-Module VMware.PowerCLI
Connect-VIServer <vCenter>

$VMHosts = get-vmhost | Sort-Object

foreach ($VMHost in $VMHosts) {
    $esxcli = Get-EsxCli -VMHost $VMHost
    try {
        $key = $esxcli.system.settings.encryption.recovery.list()
        Write-Host "$VMHost;$($key.RecoveryID);$($key.Key)"
    }

    catch {
        
    }
}

PowerCLI: Migrate DRS VM Group Members

When ever you need to migrate to from one vCenter instance to another there are lots of things you need to migrate.

This PowerCLI script will help you migrate members from one DRS VM group to another. It can easily be modified to be part of a bigger context, or migrate all groups available.

Prerequisites

The prerequisites are that you have both the new and the old vCenter running, and that you have disconnected you hosts in the old vCenter and connected them to the new one. Do NOT remove them from you old vCenter. Leave them disconnected.

Continue reading PowerCLI: Migrate DRS VM Group Members