Using the UIMp Service Adoption Utility 3.1.1


Recently included with UIMp is the Service Adoption Utility.

The Service Adoption Utility was originally a standalone tool to assist customers who wanted to import environments into UIMp that had not been provisioned with UIMp.

The problem with older versions of UIMp was that there was no Service Adoption Utility and therefore all provisioning needed to be made through UIMp. This caused a whole host of issues…

If you for example added a datastore natively in Unisphere and masked it to all your ESXi hosts, it would not be visible in UIMp as part of the existing service offering. If that service offering was ever expanded, by adding a blade to the service offering, that datastore that you had manually masked to your ESXi hosts would not be automatically masked to the new ESXi host that you had just added to the service offering. This inflexibility was infuriating and was not just an issue with datastores, but across all UIMp managed components. Want to add a new VLAN to your service offering in UCS Manager? Bad idea for the same reason and until recently you could not add new VLANs to existing service offerings. This put organisations into a real catch 22 – Because UIMp was incapable of detecting or importing changes made outside of UIMp, you could no longer use the native management tools but UIMp until recently didn’t have any elasticity functionality.  I spent the whole Christmas week in 2011 rebuilding our entire service offering with VCE because we wanted to add some new storage grades to our existing service offering. There was no elasticity or Service Adoption Utility at that time so we spent 5 days re-provisioning the cluster and getting it back into a production state.

Now with the Service Adoption Utility all those troubles are a distant past. You can now run a mixed environment. You can make changes outside UIMp with the knowledge that these changes can be imported back into your existing service offerings, if required.

Not only that but if you ever have any issues provisioning new datastores or VLANs, you can finish the configuration manually in Unisphere or UCS Manager and run the SAU to import the changes. Not only will the SAU import the new config, but it will delete the partially provisioned objects from within UIMp. Frikkin awesome!

Before you run the service adoption utility you need to ensure the following:

  1. You’ve added your vBlock and all the credentials and the discovery must first be successful without any failures.
  2. You’ve run ‘Validate Setup’. Setup Validation must return a status of Warning or Ready. If status shows “Failed” then you will need to click this link and review the Compliance Rules that came back with a Compliance Status of “Error”.
  3. Ensure you have installed UIMp correctly, i.e. you’ve imported the certificate from UCS Manager, configured all your Identity Pools, Blade and Storage Grades, and added vCenter. (This is not a complete list!)

Once these are successful, you can then proceed with the Service Adoption Utility to import your existing hosts, LUNs, etc.

Note: This is best done with EMC (at least the first time), just to be on the safe side.

Connect to the UIMp SAU:

The UIMp SAU is accessed through the URL: https://uimserver/slm/sau

Select your vBlock and continue:

Begin Discovery:

The tool will do a discovery of your infrastructure to determine which components are not currently included in an existing service offering.

Select Services for Adoption:

UIMp will spit out a list of Blades, VLANs and datastores for you to import. You have to assign the grades for the blades (you can see the warning ‘grade not set’ below as this has not been done yet). Datastores will automatically be imported depending on the storage pool.

Adoption in Progress:

Once you hit OK the adoption will commence…

Adoption Finished:

And finally you should hopefully see a nice ‘Adoption Succeeded’ status as per the screenshot below. Job done!

Confirm imported Service Offerings in Administration:

Logging into UIMp you should now see the new service offering available under the Administration->Service Offering tab as per the screenshot below.


The service adoption utility has revolutionised UIMp. It single-handedly takes away its major weakness – its inflexibility to co-exist with existing environments, and environments that change outside of UIMp.

Good job IONIX UIMp team!


EMC IONIX UIMp 3.1.1.2 Review


EMC Ionix Unified Infrastructure Manager/Provisioning or better known as UIMp is the vBlock provisioning tool.

I must say I have been a big UIMp sceptic. When I got my hands on a vBlock in December 2011 UIMp was around version 2 and it was crap!

UIMp was only fit for purpose during the vBlock deployment in Cork. It could provision multiple service offerings (ESXi Clusters) automatically, performing a number of manual tasks across UCS, VNX, Nexus and vSphere services, allowing VCE to meet their 30 day bare-metal to customer install lead times, but once the service offerings were provisioned that was pretty much it.

The only practical feature available to customers was to add datastores to your service offering. Woaw! Slow down tiger! And VCE had the cheek to charge you a fortune for the licenses… It was a lot easier just to turn UIMp off and use the native management tools directly, which is what a lot of customers ended up doing.

Back in the day if you wanted to add a blade to an existing ESXi cluster… no problem, just decommission and recreate the service offering – that means blowing away the cluster, UCS profiles, storage LUNS, and ESXi hosts. No small feat and if you are a single company, you’re normally going to have one or two service offerings, say Production and Test&Dev. Not exactly usable.

Well things have improved dramatically since then. Flexible service offerings were introduced in v3.0, if I remember correctly, and they allowed customers to add blades to (expand) an existing service offering. It was a big improvement and a step in the right direction.

As more and more customers have bought vBlocks, the pressure on the IONIX team to deliver a robust, mature product has increased and they have risen to the challenge. UIMp keeps on getting better and better. Their stated aim is to negate the need to use the native management tools (i.e. UCS manager, MDS Fabric Manager, Unisphere) and automate the vBlock provisioning and management tasks…

No small feat and not easy to do without taking away some features found only in the native tools. So there has always been a big enough trade off to put me off UIMp…

But I must say having just installed UIMp 3.1.1.2, which is the latest version just released in the last few weeks with the newest vBlock Compatibility Matrix, I am slowly being converted.

One of the reasons I am slowly being converted is that while UIMp was out of action I tried to manually provision some blades and I could not get the zoning and masking configured correctly… I ended up putting it off until I had completed this install, which made me appreciate how simple UIMp makes even the most difficult provisioning tasks.

The GUI is very slick now, so much more responsive. It was painless to install and configure too. An hour’s WebEx was all it took and I had a new service offering configured. (That’s also due to VCE’s excellent support – reason enough to go ahead if you are thinking of getting a vBlock.)

As I deployed a fresh install, I ran the service adoption utility (more to come in another post), which is extremely slick and had our existing vBlock service offerings imported in a few minutes.

What’s missing? There are a couple of native features that are on the to-do list I believe. I would really like to be able to choose the LUN ID when deploying datastores. It is extremely useful if you are replicating datastores between two different arrays, with for example, EMC RecoverPoint, to have the same LUN ID in both datacentres.

Other than that, if you have a vBlock and are thinking of upgrading, I highly recommend it.

My grade:

Shame on you VMware! Shame on you!


VMware, I am not impressed.

Guess the release date of SQL Server 2008 R2 SP1 for me, will ya?

I’ll give you a hint… Since it has only just been approved for use with vSphere 5.1, you’d hazard a guess recently, right?

Wrong!

SQL 2008 R2 SP1 was released on 11th July 2011. Date approved by VMware: 10th September 2012 (vSphere 5.1 release date).

Come on VMware… seriously? 14 months to approve a SQL service pack? That’s a joke.

I recently found out our administrators had applied SP1 to our SQL 2008 R2 servers earlier this year, when I tried to raise a support call and it was pointed out we were actually outside the VMware matrix.

I had to uninstall SP1 (thank you Microsoft for including this feature in SQL 2008 R2!) to get us back in line with the VMware compatibility matrix. The uninstall went quite smoothly (thank you again Microsoft) but that’s not really the point is it…

I’m running vSphere 5 Update 1 but I cannot apply SQL 2008 R2 SP1 or even SP2 because VMware are being slack!

Someone needs to up their game or loosen the compatibility matrix.

VMware Product Compatibility Matrix


This is the best website since sliced bread and I felt an irresistible urge to share it with y’all.

I am talking of course about the VMware Product Interoperability Matrix.

A bit of a mouthful but with this little beauty you can work out exactly what dependencies there are between VMware products.

Q. Planning to upgrade your ESXi hypervisor and worried about the impact this will have on your other VMware products like vCenter, vShield, VUM, SRM?

A. No problem, just check the product interoperability matrix!

Q. Want to install vCenter but not sure which versions of SQL are supported?

A. No problem, just check the product interoperability matrix!

You get the idea…

If you have never had a look before, I recommend you perform a quick review of your environment. You may be surprised to see you are out of the matrix (like I was!)

UIMp Control Station Discovery fails after VNX File Upgrade


EMC’s IONIX UIMp uses the ECOM and SMI-S provider services on the Celerra when performing a discovery of a vBlock registered in UIMp.

During a Celerra Control Station upgrade the ECOM and SMI-S provider services will be disabled and they are not normally re-enabled by EMC afterwards.

If your vBlock is being upgraded, don’t forget to remind EMC to re-enable the services, or you can do it yourself by following these instructions:

  1. ssh to primary control station
  2. make a backup of the /nas/sys/nas_mcd.cfg file
  3. edit the nas_mcd.cfg file
  4. scroll down to the end of the file
  5. uncomment all the SMIS and CIM daemon services:
    1. daemon "cim server"
    2. daemon "cim conf"
    3. daemon "SMISPlugin Log Trimmer"
    4. daemon "SMIS securitylog.txt Log Trimmer"
    5. daemon "SMIS HTTP_trace.log Log Trimmer"
    6. daemon "SMIS cimomlog.txt Log Trimmer"
  6. save your changes
  7. reboot your primary control station
  8. wait for primary to come back up and verify it is listening on port 5989 — netstat -an|grep "5989"
  9. reboot your secondary control station and verify it is listening on port 5989 — netstat -an|grep "5989"
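As an added example (not part of the original post and not EMC's code), here is a POSIX shell script that does the file-editing and verification steps above, so the edit can be rehearsed on a copy of nas_mcd.cfg before touching the control station. It assumes, because the post does not show the file, that each daemon is a stanza starting with a line of the form daemon "name" followed by indented option lines, and that a disabled stanza has a '#' at the start of every one of its lines. Only the six daemons listed above are touched; any other commented stanza stays as it is. The reboots (steps 7 and 9) are left to the operator, and the CFG override variable and the --apply switch are conventions of this script, not of the control station.

```shell
#!/bin/sh
# Added example, not from the original post or from EMC: re-enable the
# SMI-S/CIM daemons in a nas_mcd.cfg-style file and check the CIM listener.
# ASSUMPTION (the post does not show the file): each daemon is a stanza that
# starts with a line   daemon "<name>"   followed by indented option lines,
# and a disabled stanza has a '#' at the start of every one of its lines.
# The reboots (steps 7 and 9) are left to the operator.

# Assumed override: point CFG at a copy to rehearse the edit before touching
# the real control station file.
CFG="${CFG:-/nas/sys/nas_mcd.cfg}"

# Exactly the six daemons the post lists; any other commented stanza in the
# file is left untouched.
SMIS_DAEMONS='cim server;cim conf;SMISPlugin Log Trimmer;SMIS securitylog.txt Log Trimmer;SMIS HTTP_trace.log Log Trimmer;SMIS cimomlog.txt Log Trimmer'

# Step 2: keep a timestamped copy so the edit can be rolled back.
backup_cfg() {
    cp -p "$1" "$1.$(date +%Y%m%d%H%M%S).bak"
}

# Step 5: strip the leading '#' from the named stanzas only (the daemon line
# and the indented continuation lines that follow it).
enable_smis_daemons() {
    awk -v names="$SMIS_DAEMONS" '
        BEGIN {
            n = split(names, want, ";")
            for (i = 1; i <= n; i++) w[want[i]] = 1
        }
        # Commented stanza header:  #daemon "name"
        /^#[ \t]*daemon[ \t]+"/ {
            line = $0
            sub(/^#[ \t]*/, "", line)
            name = line
            sub(/^daemon[ \t]+"/, "", name)
            q = index(name, "\"")
            if (q) name = substr(name, 1, q - 1)
            if (name in w) { inside = 1; print line; next }
            inside = 0; print; next
        }
        # Commented, indented continuation line of a selected stanza
        inside && /^#[ \t]+[^ \t]/ { sub(/^#/, ""); print; next }
        { inside = 0; print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Steps 8/9 check: true when something is listening on the CIM/SMI-S port
# (5989 unless another port is given). Tighter than grep "5989" on its own
# because it requires the LISTEN state, not just those digits anywhere.
cim_port_listening() {
    netstat -an 2>/dev/null | grep -E "[.:]${1:-5989}[[:space:]]" | grep -q LISTEN
}

# Stand-alone run: back up, edit, then report the listener state.
if [ "${1:-}" = "--apply" ]; then
    backup_cfg "$CFG"
    enable_smis_daemons "$CFG"
    if cim_port_listening; then
        echo "CIM/SMI-S listener is up on port 5989"
    else
        echo "nothing listening on 5989 yet: reboot the control station (steps 7-9) and re-check"
    fi
fi
```

Run it as "CFG=/tmp/nas_mcd.cfg.copy sh enable_smis.sh --apply" against a copy first and diff the result against the backup; only when the diff shows nothing but the six stanzas losing their leading '#' should it be run on the real file, followed by the reboots and the port check on each control station.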

Run a re-discovery of your vBlock and the control station discovery should pass now.

Trend Micro Deep Security 8 \ vShield Endpoint EPSEC and UNC\SMB Scanning


‘Another day another dollar’…. no no that’s not quite right…

‘Another day another Deep Security issue.’

Next up is Deep Security and UNC\SMB Scanning. This isn’t exactly Deep Security’s fault as this is another limitation of the vShield EPSEC driver.

Executables that are accessed via an SMB share will loop and need to be manually killed. This is a known limitation of the EPSEC driver as discussed in Trend Micro KB1059280.

In our case one of our applications was launching an executable from a UNC path which was crashing. We couldn’t figure out why but unmanaging the virtual machine fixed the problem.

It is relatively easy to fix this problem, but it does leave you exposed.

The EPSEC driver does not support exclusions of a particular server name, i.e. \\servername, nor can you exclude a directory on the server nor can you exclude a specific file even if you know the name. The only way to fix this problem is to exclude all UNC paths\SMB scanning, by updating your security policy and adding the exclusion ‘\\’ to your Directory exclusion list.

Even unticking ‘Scan Network Drives’ from within Trend has no effect. This has been raised as an incident and I am yet to hear back from Trend Micro.

I have been assured by VMware this will be resolved in vShield 5.1 released in Q4 2012.

vShield Endpoint Driver BSOD issue


The vShield Endpoint driver is back in the bad books this week.

Looks like it is now causing our virtual machines to blue screen. grrrrr

If it’s not an issue with Trend Micro Deep Security, it’s an issue with vShield Endpoint!

This affected our Citrix XenApp Provisioning Services servers quite severely. They were blue screening every day. This has only affected one of our standard virtual machines – a file server crashed during the day the other week.

This will affect anyone using the latest officially released vShield driver 5.0.0.1 build-652273 and older versions.

This issue is confirmed by VMware to be fixed in a new version of the vShield Endpoint driver 5.0.0.2 build-813867 — another reason to contact VMware  to get your hands on this driver as it has not been officially released yet.


Delegating read only access to Domain Controller Event Logs


Something AD administrators used to dread was the inevitable request for access to Domain Controller event logs for monitoring purposes.

The lazy admin (Rob Field) approach was to give the service account Domain Admins. More dedicated staff would fiddle around with the SDDL security descriptors until they got it right.

Well that’s not needed anymore… Delegating read-only permission to the event logs could not be easier with Windows Server 2008.

There is an Active Directory built-in group called ‘Event Log Readers’. All you need to do is drop the service account that needs this privilege into the Event Log Readers group and your monitoring software should be happy.

Note this gives access to all event logs. However if you do not want to give them access to all event logs you still have to resort to using SDDL. There is a good post here.

This also works with Member Servers. Just drop the service accounts into the Event Log Readers group on each member server.

New vShield Endpoint Driver available to improve Deep Security 8 performance


Thanks to http://www.joulupukki.nl/wordpress/?p=523 for alerting me to this issue.

VMware made a pre release of the new vShield Endpoint Driver (5.0.0.2 build-813867) available last week to customers who are experiencing issues with their current vShield Driver. This will be released in Q4 but if you are using an anti malware product in your virtual environment that relies on vShield Endpoint Driver I would contact VMware to get the patch.

This hotfix needs to be applied on top of vShield Endpoint Driver build 652273 which is available with the VMware tools included with ESXi 5 Express Patch 3 (build 702118).

In the words of VMware this fixes two main issues: performance issues with network files and sharing violation issues.

1. Sharing violations – It was discovered that, while you had the thin agent installed and real-time AV scanning running, if you opened a file on a network share a few times in quick succession, the 3rd or 4th attempt could result in the file being locked. This was due to the lack of caching for network files, which is the recommended AV practice, but caused this locking.

2. Performance issues – This was due to the general overhead when our thin agent called some MS filter methods.

I also found that this version fixes a BSOD issue with vsepflt.sys. More about that in my next post.

Forefront UAG 2010 SP2 released


I just noticed Forefront UAG 2010 SP2 has been released as of last week 06/08/2012.

Looks to contain lots of fixes as well as improved support for Apple iOS 5.x and Android 4.x devices.

See release notes from UAG product blog here or you can just download it here.

Warning — This update requires all your clients to install a new version of the ActiveX endpoint component plugin. If you don’t want your clients updating the ActiveX components or you push out the UAG components via MSI then do not deploy this update!

Updated 21st August 2012:

My experience with the upgrade was not completely painless.

I installed the patch on my secondary UAG server in about 3 minutes and rebooted. No worries there.

I then installed the patch on my primary UAG server – the patch took a good 20 minutes to install and after the reboot (which isn’t necessary but I don’t trust Windows), when logging in to test, my trunk web pages were not being displayed correctly. I was getting the usual ‘Server Error in SecureTrunk application’ message.

What else to do except stop the World Wide Web Publishing service, rename the \von\Conf\WebSites folder and reactivate my trunk configuration from within UAG Management Console to recreate the trunk web site folders to try to fix it.

Still didn’t work.

I suspected my old friend – the group policy security settings forcing FIPS compliance: ‘System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing.’ I disabled this via GPO and rebooted. This seemed to resolve the issue.

Why had this setting changed? Not sure – my web.config file looked unaltered – it was still set to use 3DES encryption which is FIPS compliant.

Not sure but I’m going to find out!