Find upper range of AD attributes

The other day I was working on a PowerShell script to copy specific Active Directory attributes to a SQL database. I wanted to see if the destination SQL fields (which were varchar 100) would be able to contain the attributes, but I didn’t know the maximum lengths of the text in Active Directory. I hacked together a quick LDAP query to get all of the ‘rangeUpper’ values for each attribute. Here is that code:


Import-Module ActiveDirectory   # provides Get-ADObject

$myReport = @()

# Search base: the schema naming context, read from RootDSE at run time
$Base = "<LDAP://$(([ADSI]'LDAP://RootDSE').schemaNamingContext)>"
# Only schema attributes that define an upper range
$Filter = "(&(objectCategory=attributeSchema)(rangeUpper=*))"
$Attributes = "distinguishedName"
$Scope = "subtree"
$Query = "$Base;$Filter;$Attributes;$Scope"
$Connection = New-Object -ComObject "ADODB.Connection"
$Command = New-Object -ComObject "ADODB.Command"
$Connection.Open("Provider=ADsDSOObject;")
$Command.ActiveConnection = $Connection
$Command.Properties.Item("Size Limit").Value = 90000
$Command.Properties.Item("Page Size").Value = 90000
$Command.CommandText = $Query
$Recordset = $Command.Execute()

# Test EOF before reading so an empty result set does not throw
while (-not $Recordset.EOF) {
	$dn = $Recordset.Fields.Item("distinguishedName").Value

	# lDAPDisplayName and rangeUpper are not returned by default, so request them
	$objSchema = Get-ADObject $dn -Properties lDAPDisplayName, rangeUpper

	$myReport += New-Object psobject -Property @{
		LDAPAttribute = [string]$objSchema.lDAPDisplayName
		MaxValue = [string]$objSchema.rangeUpper
	}

	$Recordset.MoveNext()
}
# Close is a method; without the parentheses it is never called
$Connection.Close()
$myReport | Sort-Object LDAPAttribute
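
An added example (not part of the original post) for the varchar(100) question above: rangeUpper is a character count only for string syntaxes, a byte count for binary attributes and a maximum value for numeric ones, and attributes with no rangeUpper never appear in the report at all. The rows are constructed sample data, and `Test-AttributeFitsColumn`, the `Syntax` column and the `exampleNotes` attribute are hypothetical names.

```powershell
# Constructed sample rows (lDAPDisplayName, attributeSyntax, rangeUpper).
# Read the real values from your own schema; 'exampleNotes' is hypothetical.
$SchemaRows = @(
    [pscustomobject]@{ LDAPAttribute = 'givenName';      Syntax = '2.5.5.12'; RangeUpper = 64 }
    [pscustomobject]@{ LDAPAttribute = 'description';    Syntax = '2.5.5.12'; RangeUpper = 1024 }
    [pscustomobject]@{ LDAPAttribute = 'countryCode';    Syntax = '2.5.5.9';  RangeUpper = 65535 }
    [pscustomobject]@{ LDAPAttribute = 'thumbnailPhoto'; Syntax = '2.5.5.10'; RangeUpper = 102400 }
    [pscustomobject]@{ LDAPAttribute = 'exampleNotes';   Syntax = '2.5.5.12'; RangeUpper = $null }
)

function Test-AttributeFitsColumn {
    param(
        [Parameter(Mandatory)] $Row,
        [int] $ColumnWidth = 100      # varchar(100), as in the post
    )
    $stringSyntaxes  = '2.5.5.4', '2.5.5.5', '2.5.5.12'   # teletex, IA5/printable, Unicode
    $numericSyntaxes = '2.5.5.9', '2.5.5.16'              # integer, large integer

    if ($Row.Syntax -in $numericSyntaxes) {
        $verdict = 'NotALength'       # rangeUpper is a maximum value, not a size
    } elseif ($Row.Syntax -eq '2.5.5.10') {
        $verdict = 'BinaryData'       # rangeUpper counts bytes; varchar is the wrong type
    } elseif ($Row.Syntax -notin $stringSyntaxes) {
        $verdict = 'Unknown'          # syntax not classified by this example
    } elseif ($null -eq $Row.RangeUpper) {
        $verdict = 'NoSchemaLimit'    # schema sets no bound; measure the stored data
    } elseif ($Row.RangeUpper -le $ColumnWidth) {
        $verdict = 'Fits'
    } else {
        $verdict = 'MayTruncate'      # schema allows more characters than the column holds
    }

    [pscustomobject]@{
        LDAPAttribute = $Row.LDAPAttribute
        RangeUpper    = $Row.RangeUpper
        Verdict       = $verdict
    }
}

$SchemaRows | ForEach-Object { Test-AttributeFitsColumn -Row $_ } | Format-Table -AutoSize
```

To feed it real data, add attributeSyntax to the properties requested from Get-ADObject and drop the `(rangeUpper=*)` clause from the filter so unbounded attributes are included.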

Hope this can help you too!


Cisco UCS and Default Authentication Domains

I’ve recently been working with Cisco UCS — and more specifically the UCS Powertool (the PowerShell management component). Initially, my scripts were using a local account in UCSM for authentication. However, after changing the “Default Authentication Realm” from Local to LDAP (see screenshot below), I could no longer authenticate using a local account in my script.

Using an account from the configured default realm worked — which makes plenty of sense as this is the provider UCS uses for authentication by default. However, I wanted to be able to specify the authentication realm in my scripts and override the default if necessary.

I had an idea on how to attempt this configuration while looking at the remotely authenticated user section. You’ll notice in the screenshot below that I have a remotely connected LDAP user with a prefix of ucs-ldap22\ (it’s at the bottom of the image).

Yes, that’s right. UCS hyphen NameOfAuthenticationDomain backslash UserName. I created an authentication domain named local, which maps to the local authentication provider, and then attempted to Connect-UCS specifying the username in the format ucs-local\myUserID — SUCCESS! Just thought I’d share this information in case anyone else has a similar need.


Finding VMs that will boot into the BIOS screen

A few months ago, after a round of Windows OS patching on development servers, a server admin notified me that their server did not come back online after the patch-initiated reboot. Looking at the VM console, he noted that the server was at the BIOS setup screen. After exiting the BIOS, Windows booted as expected.

The only explanation I could think of was someone checked the box ‘The next time the virtual machine boots, force entry into the BIOS setup screen.’ in the virtual machine properties. I looked into the issue and came up with a simple one-liner looking for any virtual machines with this option set. Here is that script:

Get-View -ViewType VirtualMachine -Property Name,Config.BootOptions | where {$_.Config.BootOptions.EnterBIOSSetup -eq $true} | select Name

I did locate a couple of production VMs that had this option selected. I was able to remove the ‘EnterBIOSSetup’ flag from these servers before patching. I was unable to determine how/why/who this setting ended up getting changed, but thought I’d share the one-liner in case anyone else encounters a similar issue.


VMware Certified Professional 5

I recently completed the requirements for the VMware Certified Professional 5 certification. Achieving certifications isn’t a priority for my current employer (a VMware customer) and as such it had been over 10 years since I last attempted an IT certification. I passed the exam on the first attempt but the questions were a lot harder than I had anticipated. I wanted to point out a couple of very solid resources I used to study for the exam.

First, I watched the 7 part brownbag series on the VCP 5 exam. You can find these episodes here: http://professionalvmware.com/brownbags/. Each one is between 1 and 2 hours long, so put them on your iPad and kick back when you have a chance. This was my first experience watching the brownbags — but it won’t be my last. These are very solid technical presentations and I highly recommend subscribing to them in iTunes.

Next, I read through the VCP blueprint from VMware MyLearn. It lists all of the content that could appear on the exam. It is a very short paper, but worth a look. I printed a copy and was going to use it as a check list to figure out what I needed to study…until I found something better.

Finally, I found and used the study guide created by Josh Coen and Jason Langer. It is a 130 page PDF document that is organized by objective just like the VCP blueprint. You can find it here: http://www.virtuallanger.com/vcp5/. This is better than the blueprint as it includes content about each objective and references the associated supporting document you should review.

Here is a bit of free advice. When you study for the exam, don’t discount anything you see in the blueprint. I remember thinking…Oh, nobody would ever use this feature so I don’t need to know it for the exam. That is simply not true. If the feature exists — and more specifically exists on the blueprint — you’ll want to know the material for the exam. Additionally, and this will sound fairly straightforward, be sure to study those things you do NOT know. If you only use vSphere Distributed Switches be sure and study the limitations and use cases of standard switches. If you only use NAS storage be sure to study block storage. Knowing these things will greatly help in passing the exam. Good luck!


Power On virtual machine – Unable to access file since it is locked

Several times in the past few weeks I have run into virtual machines that do not power on because of locked files. Steps to troubleshoot this issue are described in KB10051: Virtual machine does not power on because of locked files. While looking into this topic, I found the following article on vi-tips.com, “Could not power on VM – lock was not free”, which describes the same issue. My issue was encountered on several ESXi 5.0 Update 1 hosts, and according to this vi-tips.com article the issue also exists on ESXi 4.1.

The vi-tips.com post includes several screenshots of how to isolate/troubleshoot this issue. After a few steps, you can use vmkfstools -D /vmfs/volumes/sanvolname/filename-flat.vmdk to determine the MAC address of the VMKernel interface maintaining the lock. A little bit of PowerCLI goes a long way into finding which host uses this interface:


Function Get-VMHostNameByMac ([string]$macAddress) {
#The MAC address passed to this function does not need separators, we will remove them if provided
$macAddress = $macAddress.Replace(":","").Replace("-","")

#The MAC property returned by the Get-VMHostNetworkAdapter cmdlet will have a colon separator, so we will remove it for comparison purposes
Get-VMHost | Get-VMHostNetworkAdapter | where {$_.Mac.Replace(":","") -eq $macAddress} | select-Object VMHost, Name, MAC
}

Here is example usage of this command:

Get-VMHostNameByMac '001ec9123456'
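
An added example (not part of the original post) of pulling that MAC address out of the vmkfstools -D output: the last 12 hex digits of the lock's owner UUID are the MAC of the host holding the lock. The sample output is constructed and `Get-VmfsLockOwnerMac` is a hypothetical helper name.

```powershell
# Constructed sample of `vmkfstools -D` output; the UUID and counters are made up.
$SampleOutput = @'
Lock [type 10c00001 offset 54009856 v 11, hb offset 3198976
gen 9, mode 1, owner 4f8d2a10-1b2c3d4e-5f60-001ec9123456 mtime 114]
Addr <4, 116, 4>, gen 5, links 1, type reg, flags 0, uid 0, gid 0, mode 600
'@

function Get-VmfsLockOwnerMac {
    param([Parameter(Mandatory)][string]$VmkfstoolsOutput)

    # The owner field is a UUID in 8-8-4-12 hex form; capture the last group.
    $pattern = 'owner\s+[0-9a-fA-F]{8}-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-([0-9a-fA-F]{12})'
    if ($VmkfstoolsOutput -notmatch $pattern) {
        throw "No 'owner' field found in the vmkfstools output."
    }

    $mac = $Matches[1].ToLower()
    if ($mac -eq '000000000000') {
        # All-zero owner: no host MAC is recorded in this field, nothing to look up.
        return $null
    }
    return $mac
}

$mac = Get-VmfsLockOwnerMac -VmkfstoolsOutput $SampleOutput
if ($mac) {
    # Colon-separated form, for comparing against what the vSphere Client shows
    $pretty = ($mac -split '(..)' | Where-Object { $_ }) -join ':'
    "Lock owner MAC: $pretty"
    # With PowerCLI connected, pass it to the function from the post:
    # Get-VMHostNameByMac $mac
} else {
    "Owner field is all zeros; no owning host to look up."
}
```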

Once the locking VMKernel interface is located, we can continue troubleshooting. The vi-tips.com article suggests cold migration of the VM to the locking host and powering on the virtual machine on that host — but I was unable to get that option to work. However, I found that restarting the management agents on the locking host would resolve my issues. Once the management agents were restarted I could power on the VM using any host.
