Skip navigation

If anyone can recall, I wrote a post about vMA 4.0 before. With new vSphere 4.1 released, vMA has released a new version 4.1 to work with new vSphere 4.1.

During the installation and configuring vMA 4.1, I have encounter multiple errors. I would like to thank William Lam’s help from the forum. If you want to read more about vMA 4.1 scripting, please follow William’s blog in the reference.

What’s New about vMA 4.1?

Apart from vMA is using new OS (CentOS) and it’s using vSphere CLI 4.1, SDK for Perl 4.1 and upgrade version of VMware Tools, the new version if vMA brought us a different way of authentication.  AD Authentication. Also there are some new commands to replace the old one. I’m going to elaborate as follow.

Download vMA 4.1

Downloading vMA 4.1 is pretty easy. Anyone can go to here to download OVF file and related documents. vMA 4.1 is able to load on both vCenter 4.0 and vCenter 4.1. You can get pretty good idea about how to install from vma_guide. However, there are some mistakes in the docs I would like to point out later.

Configuration vMA 4.1

When you first time run vMA, it will give  you a wizard to let you configure vMA. If you miss the chance, you can run

sudo system-config-network-tui

to reactive the wizard.

Join vMA, and ESX(i) into Active Directory

Concept

First of all, let’s talk about the concept behind this topic. Why do we need to join vMA and ESX(i) into AD?

The reason we join the ESX(i) into AD is to easy our management and try to use less username and passwords to control ESX(i). As you all know, vCenter is in the AD already. In default, Domain admin has rights to log on vCenter and manage it. However, ESX(i) use local user database and you have to use root every time in terms of logging and execute command.

I believe the second reason for ESX(i) to join the domain is to help domain users for vCLI access. Let’s image you can log on vMA(or use vSphere CLI and your script files) with your own domain accounts and execute commands against the vCenter and Hosts directly. No need to remember another set of username and passwords anymore. Everything will be integrated with same service account or domain user account.

Join ESXi to Active Domain

Connect to your vCenter which has ESXi 4.1 as host.

If you type your domain in the filed then click “Join domain” button, you must use “username” instead of “domain\username”.

I followed the smooth blog to configure it, I got following error. So you must not user domain\username format.

After you join the ESX(i) 4.1 to AD, you can connect ESX directly with vSphere Client and go to permission and add your domain account into local user database. For the rest, you can follow with smooth blog in reference.

Join vMA 4.1 into Active Directory

This is also pretty straight forward operation.

You log on vMA 4.1 with vi-admin account (vi-user hasn’t enabled yet, you have to do it manually). then, you type

sudo domainjoin-cli join your_domain your_domain_admin_user

then, you type password as what vma_guide indicated. But you may see following warning after you join the domain.

Those pam module are part of CentOS module and they are designed to not only join vMA to Windows AD, so does Linux AD. So it’s normal for you to see those warning.

You can use sudo domainjoin-cli query to verify as what I did.

Connect to vCenter and ESX(i) Hosts

There are two different ways you can authenticate your vMA to vCenter and Hosts.

Active Directory Authentication

Like what I have mentioned above, the concept for this one is to let your admin to log on with vMA with their own domain account and able to run commands against vCenter and Host without typing multiple times username and password. Comparing with fastpass authentication, vMA doesn’t store username and password into local vMA box. More secure in certain way. You don’t need to have extra passwords to memorize.

PreSteps:

Your vMA must joined the domain.

Your vCenter must joined the domain.

If you want to directly operate on Host without using “–vihost”, your ESX needs to join domain.

DNS host file must be preconfigured so vMA will know what your vCenter/host IPs are.

customize server list

Modify DNS host files

Well, the reason we setup DNS hosts file is we want to just type server name or host name to make it work. No one wants to type 10.163.x.x all day.

The solution is using hosts file just like what we did on lmhosts for windows.

Steps:

Open console (or connect vMA with ssh tool , like putty) of vMA.

Login as vi-admin

The host file is located at /etc

You must use “sudo chmod a+w hosts” to make hosts file writeable.

Use “sudo vi hosts” to add your vcenter and host IP

Save and quit vi

One thing I must point out is all server name must be FQDN and no exception!

customize server list

vMA needs to know how many servers you may connect to (although it can only operate on one server a time). vMA needs to know which servers you are going to use AD authentication and which servers you are going to use fastpass authentication. That’s why you need to build a server list.

You must log on with vi-admin to build server list.

To view current server list.

vifp listserver -l

You must use “-l” parameter in terms of to see authentication method.

If server you want is not in the list, make sure DNS host file has configured and you can use following command to add.

vifp addserver yourhost –authpolicy adauth (this is for AD authentication)

or

vifp addserver yourhost (this is for fastpass authentication)

If you try to add vCenter, you must use domain admin account because vi-admin doesn’t exist in vCenter unless you manually added in. For Host, you need to type root password and vMA will automatically add vi-admin users into Host.

Notice: There is a big trick here. If system prompt and ask you username and password, you can type “domain\username”. But if you want to use domain\username in the command line, you have to use “domain\\username”.

Now, you are ready to connect your server.

Steps:

1. Log in vMA with your domain admin account (normal domain account will work too!! But they don’t have rights to operate on vCenter).

2. target your server (vCenter or Host).

You must target one object to send command with. If you don’t do that, you will get error message like

“Error connecting to server at ‘https://localhost/sdk/webService’: Connection refused”

3. Send command to object

If you target to a vCenter and your command is a HOST base command, you must “–vihost your_host_name” to tell vCenter which Host you want. Also, the name must be FQDN!.

Notice: I was told from Vmware Support, if you use “–vihost” , then you will be asked to type username and password again!

If you target to a Host, you can just use command and it should work.

Here is the tricky thing. It should work and you shouldn’t type any credentials anymore. But some of users like me do get asked to type username and password again! Maybe it’s a bug of vMA 4.1. I’m investigating this matter with Vmware as I’m typing.

——————————————————————————————————————–

New Updates about this issue.
I just got call from Vmware Support and they admited this is a bug in the vMA 4.1. They will

fix this issue in the next release.

——————————————————————————————————————–

Fastpass authentication

This is old authentication method as previous version. Basically, the vMA stored your credentials in the local and you don’t need to type multiple times when you operate on Hosts and vCenter. The reason for that is vMA actually create vi-admin accounts into Hosts.

PreSteps:

DNS host file must be preconfigured so vMA will know what your vCenter/host IPs are.

customize server list

Please check above post to look for details about how to do it.

This is reference for fastpass authentication.

Steps:

1. Log in vMA with vi-admin.

2. target your server (vCenter or Host).

You must target one object to send command with. If you don’t do that, you will get error message like

“Error connecting to server at ‘https://localhost/sdk/webService’: Connection refused”

3. Send command to object

If you target to a vCenter and your command is a HOST base command, you must “–vihost your_host_name” to tell vCenter which Host you want. Also, the name must be FQDN!.

Reference:

http://communities.vmware.com/community/vmtn/vsphere/automationtools/vima

http://www.virtuallyghetto.com/2010/07/vma-41-active-directory-intergration.html

http://www.smoothblog.co.uk/2010/07/15/esxi-4-1-active-directory-integration/

http://www.virtuallyghetto.com/2010/07/vma-41-authentication-policy-fpauth-vs.html

Advertisements

8 Comments

  1. Great post! 😀

    Nations

  2. What do you mean that you must target one object to send command with. This is a great article, although I am trying to fix this exact problem (ie Error connecting to server at ‘https://localhost/sdk/webService’: Connection refused) so an example of a command to target an object would be great.

    • hi, Todd:
      Thank you leaving comments.
      Like what I mentioned in my post, vMA needs build a server list first (use vifp addserver YourserverFQDN) first so vMA can know what kind of authentication method it should use when you try to access to those server.
      Then, you need to nail a target (use vifptarget -s yourserverFQDN) so vMA will know which server you are working on.

      However, vMA ain’t smart enough to know what happen if you change server list (not server target). In this case, you need to target your new server again.
      My suggestion for your error is:
      Restart your vMA, log on with vi-admin
      Check your server list (vifp listserver -l)
      target your server (vifptarget -s yourserverFQDN)
      run your command (vmware-cmd -l)

  3. it would be a great useful for some people who want to start their own resource. it is my pleasure to be one of those people who commented on your article . . thank you for give a opportunities… more power and god bless ..

  4. Very helpful article. I’ve just finished bare-metal migrating 3 of 12 ESX 3.5 boxes to ESXi 4.1 and just starting the vMA road. We also have several standalone ESXi boxes which the connection to AD will definitely help from a management standpoint. I’ve read the offical docs on vMA, vcli and it is nice to get a concise, step-by-step description. Thanks.

  5. This looks like exactly what I was looking for, I hope to read it in detail soon!

  6. you’re truly a good webmaster. The site loading speed is amazing.
    It seems that you’re doing any distinctive trick.

    Furthermore, The contents are masterpiece. you have performed a great process in this topic!

  7. Have you ever thought about creating an e-book or guest authoring on other
    websites? I have a blog based on the same subjects you discuss and would really like to have you share some stories/information. I know my readers would appreciate your work.
    If you’re even remotely interested, feel free to shoot me an e
    mail.


7 Trackbacks/Pingbacks

  1. […] This is old version of vMA. If you want to know the new version vMA 4.1, please go to https://geeksilver.wordpress.com/2010/07/22/how-to-use-vma-4-1-installation-configuration/ […]

  2. […] GeekSilver's Blog geeksilverblog.com About « How to use vMA 4.1 installation, configuration […]

  3. […] Restrictions Don’t add resource pools for fun, they’re dangerous – NTPRO.NL – Eric Sloof How to use vMA 4.1 installation, configuration « GeekSilver’s Blog Two new HA Advanced Settings » Yellow Bricks DRS 4.1 Adaptive MaxMovesPerHost | frankdenneman.nl […]

  4. […] Using AD authentication with vMA (Geeksilver’s blog) […]

  5. […] Don’t add resource pools for fun, they’re dangerous – NTPRO.NL – Eric Sloof How to use vMA 4.1 installation, configuration « GeekSilver’s Blog Two new HA Advanced Settings » Yellow Bricks DRS 4.1 Adaptive MaxMovesPerHost | frankdenneman.nl […]

  6. […] The busiest day of the year was December 14th with 656 views. The most popular post that day was How to use vMA 4.1 installation, configuration. […]

  7. […] is a pretty good guide on installing and configuring the VMware vMA 4.1. If you are running the vMA 4.1 in VMware Workstation 7 you will have to make this change to the […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: