Archives for December 2012

HP Releases vSphere 5.0 U2 Custom ISO

In case you missed my previous blog post, yesterday VMware released vSphere 5.0 Update 2, which fixes a plethora of bugs and plugs security holes. You can find my post here, with links to the release notes for all the gory details.

Right on the heels of VMware releasing 5.0 Update 2, HP was the first vendor I’m aware of to release an updated custom installation ISO for ESXi 5.0 Update 2. You can download the ISO here. When performing any new ESXi 5.0 installs on HP hardware, I would urge the use of the U2 CD, so you have the latest drivers and security fixes. Also remember to update your HP server firmware with the latest HP Service Pack for ProLiant you can find here.

VMware releases vSphere 5.0 Update 2

Yesterday VMware released vSphere 5.0 Update 2. You can find the full ESXi release notes here. vCenter 5.0 Update 2 release notes are here. Highlights of Update 2 include:

  • Full support for installing vCenter on Windows Server 2012
  • Full customization support for Windows 8 and Windows Server 2012
  • Support for Solaris 11, Solaris 11.1, Mac OSX Server Lion 10.7.5
  • Lots and lots of bug fixes

Personally I think Update 2 is a huge step forward, as Windows Server 2012 and Windows 8 are now first-class citizens. Yippee! Too bad 5.1 doesn’t support them yet. For those of you still burdened with the vTax (Essentials edition), Update 2 removes the hard enforcement of the 192GB limit. VMs will now power on if you exceed your licensed limit.

I would suggest you review the full release notes and bug fixes to see if any problems you have with 5.0 Update 1 have been addressed. Update 2 also includes security fixes, so even if a particular non-security bug doesn’t affect you, to keep your environment secure you should upgrade to update 2.

Update: VUM cannot be installed on Windows Server 2012, since VUM requires a 32-bit ODBC DSN. Windows Server 2012 has removed support for 16-bit and 32-bit DSNs. Unfortunately VUM in 5.1 also uses a 32-bit DSN, so VMware needs to get with the program and use 64-bit DSNs if they don’t want to be trapped in the stone age.

VMware releases vSphere 5.0 and 5.1 security patches

Yesterday VMware released security and bugfix patches for both ESXi 5.0 and ESXi 5.1. It has also updated the vCenter Server Appliance to address security issues as well. For the full security bulletin, check out this link. The new build numbers are shown below:

ESXi 5.0 Build 914586 (Update 2)
ESXi 5.1 Build 914609

As always, you can download the patches from their patch manager site here.

VMware releases vCenter Server 5.1.0b

VMware has released an updated version of vCenter Server, v5.1.0b. You can find the whole readme here. According to the readme, vCenter Server 5.1.0b is not a patch release. For more information you can find the release notes here. The release notes are particularly enlightening, as you can find all of the fixed bugs. If you have tried to install vCenter 5.1.0a and ran into problems, then give 5.1.0b a try and see how it goes.

Two important bug fixes are in 5.1.0b, which I’ve personally encountered:

vCenter Single Sign On installation fails with error 20020
vCenter Single Sign On installation fails with the following error when you select the destination folder to install the software:

Error 20020. Failed to update values in server.xml file

This issue occurs when you attempt to install vCenter Single Sign On on a folder with spaces, for which no short name exists. To verify this, run the dir /x command in the parent folder of the folder with spaces.
This issue is resolved in this release.

Installation of vCenter Single Sign On fails if the database name contains a hyphen

When the Microsoft SQL Server database name contains a hyphen, (for example SSO-DB), vCenter Single Sign On installation fails with the following error:

Error 29114.Cannot connect to DB

This issue is resolved in this release.

vSphere 5.1 Install Series

If you want a full guide to installing vSphere 5.1, check out my 15-part installation guide which walks you through the whole process.

Microsoft System Center 2012 SP1 now available

For those of you eagerly awaiting Microsoft System Center 2012 SP1 RTM, you can now download it from TechNet! Dated just last week you can now download:

Configuration Manager and Endpoint Protection
Data Protection Manager
Virtual Machine Manager
App Controller
Service Manager

The biggest news for SP1 is full support for Windows Server 2012, Hyper-V 3.0, Windows 8, Azure VM management, and SQL 2012. Lots of other goodies as well, which you can check out in this MS blog about the beta here.

VMware 3PAR Best Practices Guide for InForm OS 3.1.2

HP recently released a new VMware ESX Implementation Guide that addresses changes in 3PAR InForm OS 3.1.2, and VMware 3PAR best practices. One notable change is a new “host persona”, 11, which is now recommended for VMware ESX hosts. Persona 11 is VMware specific, and shows up as “VMware” in the CLI.

This change is very interesting, and I had to do a little digging to see why 3PAR made a whole new persona for VMware. Per the HP documentation, host persona 11 presents the LUNs as ALUA enabled, not “AA” or active/active. ALUA is how most mid-range storage arrays present LUNs, as they aren’t truly active/active concurrent like EMC VMAX, 3PAR, HDS USP, Compellent, and a few others. For an excellent write up on why true symmetric arrays like 3PAR could benefit from ALUA presentation, I found this article.

To summarize the outstanding article, ALUA on symmetrical arrays provides better ESX host compatibility if the host is accessing LUNs on different arrays with different LUN presentations (such as ALUA and AA). Some arrays get their own SATP policy in VMware, so there wouldn’t be any conflict anyway. But I guess HP felt the new mode did offer some value to customers, and now recommends it as the default.

The 3PAR will still tell ESX that all paths are active, so it’s not like a “real” ALUA array where half are standby and half are active. Don’t fret that Host Persona 11 will suddenly cripple your 3PAR array into a mid-range ALUA array. 🙂

This points out an excellent reason why you should always read the Implementation Guides for your operating systems when major versions of firmware for your storage array are released. What may be a best practice today may not be after you upgrade!

When you change the Host Persona mode you will also need to modify your SATP claim rules, if you reconfigured them for automatic round robin configuration. A little nugget that I also saw in the HP guide is that round robin is now configured for 100 IOs vs the previous default of 1000.

ESXi 4.x:

ESXi 5.x:

If you are wondering what the switch “tpgs_on” does, it’s fairly cool. Basically it’s a method by which the ESX host can ask the array what the characteristics of the path are (active/optimized, active/non-optimized, unavailable, in-transition, and standby). Target Port Grouping (TPG) allows the array to communicate the path status about, yes, a group of array target ports. So in this case, the 3PAR can tell ESX that all paths are active/optimized, to preserve the full and concurrent usage of all paths even in ALUA mode.

One final note about 3PAR and zoning. Recently HP has changed their recommendation on zoning from “one initiator to one target per zone” (resulting in LOTS of zones), to “one initiator to multiple targets per zone” (zoning by HBA). For example, if in Fabric A your host is zoned to two host ports on the 3PAR, you can now have the host HBA port and the two 3PAR ports in one zone, instead of needing two zones, one for each port.

Depending on how many paths you have configured, this could cut the zoning requirements in half. HP says you can include multiple HP array targets in the same zone, though. I would not, however, include different vendors in a single zone, so if your ESX server is presented storage from say a 3PAR and EMC, I would create separate zones for each vendor.

Highly Critical VMware View Security Bulletin for 4.x and 5.x

VMware has released a high priority View security bulletin that affects View 5.x users prior to 5.1.2 and View 4.x users prior to 4.6.2. This is a directory traversal security vulnerability that allows unauthenticated remote attackers to get access to any file on the affected View Servers. For externally facing View Security servers, this is particularly severe.

You can read the full VMware Security Bulletin here. If you are running a View environment, and in particular View Security Servers, I would urge you to immediately review the bulletin and take action to remediate the issue.

Snippet from the bulletin:

1. Summary

VMware View releases address a critical directory traversal vulnerability in the View Connection Server and View Security Server.

2. Relevant releases

VMware View 5.x prior to version 5.1.2
VMware View 4.x prior to version 4.6.2

3. Problem Description

a. VMware View Server directory traversal

VMware View contains a critical directory traversal vulnerability that allows an unauthenticated remote attacker to retrieve arbitrary files from affected View Servers. Exploitation of this issue may expose sensitive information stored on the server.


This vulnerability affects both the View Connection Server and the View Security Server; VMware recommends that customers immediately update both servers to a fixed version of View.
Customers who are unable to immediately update their View Servers should consider the following options:

  • Disable Security Server

Disabling the Security Server will prevent exploitation of this vulnerability over untrusted remote networks. To restore functionality for remote users, allow them to connect to the Connection Server via a VPN.

  • Block directory traversal attempts

It may be possible to prevent exploitation of this issue by blocking directory traversal attacks with an intrusion protection system or application layer firewall.
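
The kind of check an application-layer filter applies for the second option, shown as an added example that is not part of the original post or the VMware bulletin: it percent-decodes each request path a bounded number of times and flags any `..` path segment. The log lines, addresses and paths are constructed placeholders, and only the path (not the query string) is inspected.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (documentation IPs, placeholder paths); not real View traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [14/Dec/2012:10:01:02 +0000] "GET /example/index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [14/Dec/2012:10:01:05 +0000] "GET /example/../../placeholder.txt HTTP/1.1" 404 0',
    '203.0.113.9 - - [14/Dec/2012:10:01:06 +0000] "GET /example/%2e%2e%2fplaceholder.txt HTTP/1.1" 404 0',
    '203.0.113.9 - - [14/Dec/2012:10:01:07 +0000] "GET /example/%252e%252e%255cplaceholder.txt HTTP/1.1" 400 0',
    '198.51.100.4 - - [14/Dec/2012:10:02:00 +0000] "GET /example/release..notes.html?v=1 HTTP/1.1" 200 900',
]

# Captures the client address and the request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def normalize(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so nested encodings collapse, then unify slashes."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_traversal(target):
    """True when the decoded path contains a '..' segment; 'a..b' inside a name is ignored."""
    path = target.split("?", 1)[0]
    return ".." in normalize(path).split("/")

def scan(lines):
    """Return (client, raw_target) for every request whose path climbs out of its directory."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(f"ALERT traversal attempt from {client}: {target}")
```

Matching on whole path segments after decoding is what keeps a legitimate name such as `release..notes.html` from raising an alert while still catching the encoded and backslash forms.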

WMI GPO Filters for Windows Server 2012 and Windows 8

When deploying Group Policies in a Windows environment, often you may have different GPOs for different versions of the operating systems. With the recent release of Windows 8 and Windows Server 2012, it’s likely you will have new GPOs just for these operating systems. You could build out new OUs for each OS type, but that can get messy rather quickly.

My personal preference for most cases is to use WMI filtering to limit which operating systems a GPO applies to. This way you can dump all your member servers in one OU, and filter GPOs based on OS type.

To create a WMI filter, first you need to open the GPMC and locate the WMI Filters node. Start the new WMI filter creation wizard, and enter a name of your WMI filter. I always put the OS type, so it’s clear what OS the filter is for.

Now you need to add the actual WMI filter by clicking on the Add button. Next up is the tricky part! You need to type in or paste the WMI query for your operating system type. There are several ways to do this, but I like using the OS version number, since that is independent of the OS flavor (enterprise, datacenter, professional, etc.). See the bottom of my post for all the OS WMI queries you can choose from.

After you have created the WMI filter, you now need to configure one or more GPOs to use the filter. At the bottom of the Scope tab on any GPO you will see the WMI Filtering option. From the drop down select the appropriate WMI filter.

And that’s all there is to it! You can create more complex WMI queries, that could cover multiple operating systems, or filter on almost any other computer property such as memory, particular application, etc. If you can query it with WMI, then you can probably filter a GPO with it.

You can also export/import WMI Queries from the GPMC as well, if you want to easily transport them between environments. As always, test them out before applying a GPO that may hose up an OS if they get the wrong settings.

Windows XP
select * from Win32_OperatingSystem WHERE Version LIKE "5.1%"

Windows 7
select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" and ProductType = "1"

Windows 8
select * from Win32_OperatingSystem WHERE Version LIKE "6.2%" and ProductType = "1"

Windows Server 2003 R2
select * from Win32_OperatingSystem WHERE Version LIKE "5.2%"

Windows Server 2008
select * from Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ( ProductType = "2" or ProductType = "3" )

Windows Server 2008 R2
select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ( ProductType = "2" or ProductType = "3" )

Windows Server 2012
select * from Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ( ProductType = "2" or ProductType = "3" )
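
An offline pre-flight check for the filters listed above, as an added example that is not part of the original post: it parses each query and evaluates it against a constructed inventory, so you can see which filter (if any) every machine would fall under before linking a GPO. It models only the query shape used on this page (a Version prefix plus optional ProductType values); the host names are hypothetical.

```python
import re

Q = "select * from Win32_OperatingSystem WHERE "
# The WMI filter queries from this post, keyed by filter name.
FILTERS = {
    "Windows XP": Q + 'Version LIKE "5.1%"',
    "Windows 7": Q + 'Version LIKE "6.1%" and ProductType = "1"',
    "Windows 8": Q + 'Version LIKE "6.2%" and ProductType = "1"',
    "Windows Server 2003 R2": Q + 'Version LIKE "5.2%"',
    "Windows Server 2008": Q + 'Version LIKE "6.0%" AND ( ProductType = "2" or ProductType = "3" )',
    "Windows Server 2008 R2": Q + 'Version LIKE "6.1%" AND ( ProductType = "2" or ProductType = "3" )',
    "Windows Server 2012": Q + 'Version LIKE "6.2%" AND ( ProductType = "2" or ProductType = "3" )',
}

# Constructed inventory: (host, Win32_OperatingSystem.Version, ProductType).
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
INVENTORY = [
    ("ws8-01", "6.2.9200", 1),    # Windows 8 client
    ("dc-01", "6.2.9200", 2),     # Windows Server 2012 domain controller
    ("app-01", "6.1.7601", 3),    # Windows Server 2008 R2 member server
    ("xp64-01", "5.2.3790", 1),   # Windows XP x64 reports the same 5.2 version as Server 2003
    ("vista-01", "6.0.6002", 1),  # Windows Vista; the list above has no filter for it
]

def parse(query):
    """Extract the Version prefix and the set of allowed ProductType values from one query."""
    prefix = re.search(r'Version\s+LIKE\s+"([^"%]*)%"', query, re.I).group(1)
    types = {int(t) for t in re.findall(r'ProductType\s*=\s*"?(\d)"?', query, re.I)}
    return prefix, types  # an empty set means the query does not test ProductType

def matching_filters(version, product_type):
    """Names of all filters that would evaluate to true for this machine."""
    hits = []
    for name, query in FILTERS.items():
        prefix, types = parse(query)
        if version.startswith(prefix) and (not types or product_type in types):
            hits.append(name)
    return hits

def audit(inventory):
    """Map each host to the filters it matches; an empty list means no GPO would apply."""
    return {host: matching_filters(ver, ptype) for host, ver, ptype in inventory}

if __name__ == "__main__":
    for host, names in audit(INVENTORY).items():
        print(f"{host:10} -> {names or 'NO FILTER MATCHES'}")
```

In this run `xp64-01` lands under the Windows Server 2003 R2 filter because that query has no ProductType test, and `vista-01` matches nothing, which are the two outcomes worth checking for before a GPO goes live.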

HP releases Introduction to 3PAR for EVA Administrators

As you may or may not have heard, last week HP announced their new mid-range 3PAR arrays, the 7000 series which I covered here. HP is clearly targeting existing EVA users with the aggressively priced 7000s, with a simple and online method to migrate active LUNs to 3PAR. Since the 3PAR architecture is so different from the EVA, HP wrote an excellent whitepaper you can get here for EVA administrators to help them understand 3PAR hardware and software. Even if you aren’t an EVA user, it’s an excellent tutorial on 3PAR and goes into a lot of technical details about the entire 3PAR series, from the legacy F and T series, to the new 7000s and 10000s. I also spotted a few details, which seem to foreshadow some upcoming 10000 enhancements.

For starters, I found this very interesting table below, showing supported disk types. For current 3.1.1 10000 owners, you know that the only choices today for disks are 3.5″ large form factor sporting either Fibre Channel or SATA (NL) interfaces. No SAS disk support, no 2.5″ disk support. I’ve highlighted in red new 10000 options. After finding that table I reviewed the latest 10000 Quickspecs (future dated to December 17th), and sure enough you will see 2.5″ SAS disks as an option!

Further reading the T-Series QuickSpecs, I stumbled on the fact that SAS drives will also be supported, which I’m surprised to see. However, it still requires 3.1.2. I didn’t see new drive cages or SAS disk cards for either the T-Series or 10000s, so I’m thinking the SFF SAS drives will be packaged in the usual four disk LFF magazines with built-in FC bridges. It appears the new SAS-based 2.5″ and 3.5″ drive shelves for the 7000 are limited to the 7000 platform, and the 10000 will continue to use FC loops for disk shelf connectivity.

The handwriting is on the wall…the EVA line is winding down, and customers should start looking at migrating to a new platform. HP is making the migration to 3PAR pretty darn easy, and totally non-disruptive for VMware, Red Hat, SUSE Linux and Solaris servers. Minor downtime is required for Windows hosts to reboot, though.

Enjoy the 27 page whitepaper…very worthwhile to read. Calvin Zito from HP also wrote a good blog article with more technical details and links on how the EVA to 3PAR migration actually works. You can find his write up here.

December HP ProLiant VMware Firmware and Software Recipe

A few days ago HP released their December 2012 “recipe” for ProLiant driver and firmware versions which have been tested and blessed for usage with VMware ESXi. Keeping your firmware up to date is very important, as updates often address bugs that you may run into. However, you can’t just randomly update firmware piecemeal and hope that it is supported. You can use the HP Service Pack for ProLiant to help automate the update process, and install supported bundles. But sometimes HP releases interim firmware updates, so it’s good to check the support recipe to verify what HP has tested it with.

You can find the full December 2012 PDF with all the supported firmware here. The document covers the Service Pack for ProLiant (SPP) 2012.10.0. Hopefully you’re running ESXi 5.0 U1, U2, or ESXi 5.1, as those are the only supported versions with this firmware. Still in the stone ages with 4.x? Upgrade! 🙂