
Category Archives: Vmware Technology


Microsoft ATA (Advanced Threat Analytics) is an excellent product that Microsoft acquired from Aorato last year. The current version of ATA is 1.5. If you try to install it in a large company, you will run into plenty of issues. Some will be fixed in the next release; some will not.

Here are some tricks and things you need to be aware of.

Certificates

When you install the ATA Center, you can choose between a self-signed certificate and another certificate. When I chose a certificate issued by our Windows 2012 CA, I found that the service would not start.

The Microsoft Advanced Threat Analytics Center service fails with the following error in the error log.

2016-03-30 23:22:07.0450 3392 5   00000000-0000-0000-0000-000000000000 Error [Utils] System.Security.Cryptography.CryptographicException: Invalid provider type specified.

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()   at Microsoft.Tri.Infrastructure.Utils.SecurityProvider.DecryptPrivateAsymmetric(Byte[] encryptedData, X509Certificate2 certificate)

   at Microsoft.Tri.Infrastructure.Framework.SecretManager.OnStart(

  at Microsoft.Tri.Infrastructure.Framework.Module.Start()

   at Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnStart()

   at Microsoft.Tri.Infrastructure.Framework.Module.Start()

   at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)

After consulting Microsoft, it turned out there were two issues with my certificate.

ATA does not support the newer Key Storage Provider (KSP, introduced with Windows Server 2008) for the certificate's private key; because of a .NET dependency it only supports the legacy Cryptographic Service Provider (CSP, Windows Server 2003 style). That is exactly what the "Invalid provider type specified" exception above means: the .NET X509Certificate2.PrivateKey property cannot open a KSP key.

ATA (version 1.5) only supports certificates issued directly by a Root CA (yes, you read that right). So if you use an issuing (subordinate) CA to generate the certificate, your only choice is the self-signed certificate. This should be fixed in the next version.
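The two conditions above can be checked before you bind a certificate to the ATA Center. This is an added example, not code from the post or from Microsoft: it lists the machine certificates with a private key, reports whether the key is in a CSP or a KSP, and counts the CAs between the certificate and the root. It assumes PowerShell 5.x with .NET 4.6 or later on the ATA Center host; the optional $Thumbprint filter is mine.

```powershell
# Added example: report key storage type and chain depth for each machine
# certificate, so the two ATA 1.5 requirements can be verified up front.
# Assumes PowerShell 5.x / .NET 4.6+ (RSACertificateExtensions is needed).
param([string]$Thumbprint)   # optional filter, assumed parameter

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

foreach ($cert in $certs) {
    # GetRSAPrivateKey understands both key storage models. The legacy
    # X509Certificate2.PrivateKey property used by ATA 1.5 is what throws
    # "Invalid provider type specified" when the key lives in a CNG/KSP.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

    if ($null -eq $rsa) {
        $keyStore = 'non-RSA key or private key not readable by this account'
    } else {
        $keyStore = switch ($rsa.GetType().Name) {
            'RSACryptoServiceProvider' { 'CSP (legacy; what ATA 1.5 supports)' }
            'RSACng'                   { 'KSP/CNG (not supported by ATA 1.5)' }
            default                    { "unknown ($($rsa.GetType().Name))" }
        }
    }

    # Build the chain: element 0 is the leaf, the last element is the root, and
    # anything in between is an issuing (subordinate) CA, which ATA 1.5 rejects.
    # A self-signed certificate yields a single element, i.e. zero intermediates.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the structure matters here
    $null = $chain.Build($cert)
    $intermediates = [Math]::Max($chain.ChainElements.Count - 2, 0)
    $chain.Reset()

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Issuer        = $cert.Issuer
        KeyStorage    = $keyStore
        Intermediates = $intermediates
        AtaUsable     = ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) -and ($intermediates -eq 0)
    }
}
```

Run it elevated on the ATA Center host; a certificate is usable for ATA 1.5 only when KeyStorage is CSP and Intermediates is 0.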

Update 01:

ATA deploys very differently from traditional software.

The best installation sequence is:

Install the ATA Center first. Once installed, configure the domain connectivity settings (a read-only domain account is enough).

Once that is done, DO NOT configure anything else.

Go to the ATA Gateway server, open a browser, connect to the ATA Center and log in with a domain admin account, then go to the configuration page and download the gateway software.

The gateway software is downloaded as a zip file containing a JSON configuration file and an exe. The JSON is generated from the configuration you have set up in the ATA Center so far. There is a chance the JSON will be messed up by extra configuration, so the safest approach is to NOT configure the gateway in the Center first: just download it and use it.

Once you run the gateway installation, you will have the initial ATA configuration and the installer will open the ATA Center in a browser. You can configure it now.

The service on the Gateway server may take 5 minutes to finish starting and enter the running state.

Update 02:

After 2 months of long and thorough tests with ATA 1.6, we have decided not to use ATA in our production environment. ATA is a fantastic product with a 3-month development cycle, and Microsoft has invested a lot of resources in it. However, of our 50 pen tests, only 50% were caught by ATA. 25% of the uncaught ones are undetectable by design (for example PTH on a box and then launching more RDP sessions with the stolen ticket from the same box). The last 25% of pen tests will be monitored in a future version (I'm talking about v2.0 or something similar).

On top of that, the current version 1.6 still can't run in production because a Windows 2012 PKI is not supported.

So let's wait for a year or two until ATA is mature enough. I will run another round of tests and post here.


Today we are talking about some tricks for promoting a Windows Server 2016 Server Core installation to a domain controller.

Windows Server 2016 (currently TP4) installs in Server Core mode by default, which has no GUI, so the usual configuration steps do not work. This post walks through an example of setting up a second domain controller in a domain, the errors I encountered and how to fix them.

First, let me introduce my environment.

It is a simple environment with one domain and two domain controllers. The domain name is Marvel. The server names are MarvelDC01 and MarvelDC02.

Both are Windows Server 2016, but DC01 has the GUI while DC02 is Server Core. You need a Windows Server 2016 with GUI as a remote management server. Both servers run on Hyper-V on a Surface 2.0 with Windows 10.

Build first Domain and Domain Controller

After deploying DC01 with the GUI, I added Active Directory Domain Services and promoted it to the first domain controller without any issues.

I set the forest and domain functional levels (FFL and DFL) to the 2016 preview level.

The schema version is 85. (Will this be different after GA? ;))

Configure Server Core

Now, here comes Server Core.

As you know, we need to change the computer name and IP, set up DNS and, personally, enable ICMP for ping tests as well.

We can use PowerShell or the command line, but I prefer sconfig (sconfig.cmd), which is the fastest way to configure all of the above.

sconfig was introduced with Windows Server 2008 R2 as a VB script. Now it is a CMD file. The current version is 5.812; in Windows Server 2012 the version was 5.8, so not much has changed.

sconfig.cmd can easily configure the firewall and the basic tasks you would do on Server Core. But it is not foolproof, as I will mention later.

Tip:

How to reboot a Server Core server?

CMD:

shutdown -r -t 1

PowerShell:

Restart-Computer

Tip:

How to check whether the system is domain joined or not?

CMD:

systeminfo

Join to Domain

Once that is done, you need to join the Server Core server (MarvelDC02) to the Marvel.com domain. That can be done via sconfig as well.

Prepare for Promoting to Domain controller

If you think you are ready, you are wrong. To promote a member server to a domain controller, Domain Admins need full control of the member server. That is granted via GPO (Default Domain Policy). When a server has just joined the domain, its computer object sits in the Computers container, which doesn't accept any policies.

Hence, I created a Servers OU and moved the member server object into this new OU.

Then you need to run gpupdate /force and gpresult /r to check whether the Default Domain Policy GPO is applied on this member server.

To promote a member server to a domain controller on Server Core, we use dcpromo.exe, which was deprecated in the GUI version. You DO NOT need to install the Active Directory Domain Services components beforehand as in the GUI version; they are installed automatically during the process. However, we need an answer file instead of typing all the parameters every time.

A sample answer file looks like this:

[DCInstall]
createOrjoin = join
replicaDomainDNSName = domain.tld
ReplicaOrNewDomain = Replica
UserDomain = DOMAIN
Username = administrator
Password = "P@ssw0rd1"
InstallDNS = Yes
ConfirmGc = Yes
CreateDNSDelegation = No
SafeModeAdminPassword = "P@ssw0rd"

We can call it dcpromoanswer.txt. Note that the passwords (the two quoted values) are removed from the file once it has been used, so if you need to run dcpromo again you have to open the file and retype the passwords.
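The preparation above (Servers OU, moving the computer object out of the Computers container, and an answer file whose passwords may have been blanked) can be done from the GUI DC in one script. This is an added example, not from the post: it assumes the ActiveDirectory module is available on MarvelDC01 and that the answer file is reachable over the admin share; the parameter names and default paths are mine.

```powershell
# Added example: prepare a freshly joined Server Core member for dcpromo.
# Run on a box with the AD PowerShell module (the GUI DC in this post).
# Assumed parameters; change them for your environment.
param(
    [string]$ComputerName = 'MarvelDC02',
    [string]$OuName       = 'Servers',
    [string]$AnswerFile   = '\\MarvelDC02\c$\dcpromoanswer.txt'
)
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=$OuName,$domainDn"

# 1. Create the Servers OU once. Get-ADOrganizationalUnit throws a terminating
#    error (with -ErrorAction Stop) when the OU does not exist yet.
try   { $null = Get-ADOrganizationalUnit -Identity $ouDn -ErrorAction Stop }
catch { New-ADOrganizationalUnit -Name $OuName -Path $domainDn }

# 2. Move the computer object out of CN=Computers so Default Domain Policy
#    is applied; leaving it there produces the second dcpromo error in the post.
$computer = Get-ADComputer -Identity $ComputerName
if ($computer.DistinguishedName -like "*CN=Computers,$domainDn") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
    Write-Host "$ComputerName moved to $ouDn. Run 'gpupdate /force' and 'gpresult /r' on it before dcpromo."
} else {
    Write-Host "$ComputerName already sits at $($computer.DistinguishedName)"
}

# 3. Validate the answer file: required keys present and the two passwords not
#    blank. dcpromo clears Password and SafeModeAdminPassword after each run,
#    which is the first error the post shows.
$required = 'ReplicaDomainDNSName', 'UserDomain', 'Username', 'Password', 'SafeModeAdminPassword'
$settings = @{}   # hashtable keys are case-insensitive, matching the mixed case in the file
foreach ($line in Get-Content $AnswerFile) {
    # key = value, value optionally in double quotes; the [DCInstall] header does not match
    if ($line -match '^\s*([A-Za-z]+)\s*=\s*"?(.*?)"?\s*$') { $settings[$matches[1]] = $matches[2] }
}
$problems = foreach ($key in $required) {
    if (-not $settings.ContainsKey($key)) {
        "missing key: $key"
    } elseif ([string]::IsNullOrWhiteSpace($settings[$key])) {
        "blank value for $key (dcpromo wipes the passwords after each run; retype it)"
    }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Answer file OK. On $ComputerName run: dcpromo.exe /unattend $AnswerFile"
}
```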

Promote to Domain controller

After rebooting the member server, you need to log in as Marvel\administrator. You need to press the "ESC" key to get to the login screen.

The first screen remembers the last user who logged in; press "ESC".

Strangely, a second screen appears (not quite sure what the meaning behind it is), but you need to press the "ESC" key again.

This is the screen we want; you can select "Other user" to log in as a different user.

Tip:

Believe it or not, I struggled quite a bit with the "ESC" key. It just didn't work! It turns out that you MUST highlight the Windows window (not your virtual machine) before you hit the "ESC" key.

Now you can run dcpromo.exe /unattend c:\dcpromoanswer.txt

If you are lucky, you will see the success screen and it's all good.

If you are not lucky...

Well, not everyone is lucky every day. You may run into the following errors, just like I did.

The first error tells you that the password in the answer file has been wiped out. You need to retype the password.

The second error tells you that you didn't move your computer object (MarvelDC02) out of the Computers container.

Believe it or not, after multiple failed attempts your member server somehow got halfway through: it is not a domain controller yet, but it is registered in the NTDS database. Hence, we need to use ntdsutil to do a metadata cleanup.

Unfortunately, after cleaning up NTDS your server object no longer exists in AD, so you need to leave the domain and rejoin. However, sconfig fails when your object is not in AD, so it cannot leave the domain and join a workgroup.

What I did was run sysprep to regenerate the machine ID. That resolved the issue.

Group Policy not applied

This is another issue, with my MARVELDC01. Its clock jumps every couple of hours, and MARVELDC02 is not able to sync GPOs because of the time difference.

After investigation: you need to turn off the Time Synchronization integration service in Hyper-V for that domain controller.

That's all for now. As usual, please leave feedback.

Reference:

https://4sysops.com/archives/server-roles-in-server-core-part-2-domain-controllers/


hi, guys:

Thank you for reviewing this blog. Sorry for not updating this site for a very long time, as I have been going through a few changes.

Recently, I got a new job which allows me to dig deep into technology again, but this time I will mainly focus on Microsoft products and Windows Server 2016.

Thank you for reading this site again.

 

Silver


hi, folks:

I didn't realize that this would be the case for VMware. But when I checked and opened the file, I noticed it contains the user name and password (in plain text) for my RSA database on the SQL server!

Is this by design?

To be honest, I'm very disappointed that such a big security breach exists on vCenter Server.

I would recommend that everyone running vCenter 5.x check their server and see whether they can see it as well.


Updates:

It seems this only exists in vCenter 5.1.x. The file doesn't exist in vCenter 5.5.


After the poorly designed vRAM licensing of the past, VMware has made another mistake by restricting the free license of ESXi. The free version of ESXi only lets you run VMs on a host with no more than 32GB of memory.

This change (in my opinion another wrong decision) pushes customers from VMware towards Microsoft, and together with no free licensing for test and DR environments (which means you have to buy Essentials Kits to cover test and DR hosts), we have no option but to start using Hyper-V in all test environments.

One of the most important elements of moving to Hyper-V is converting existing VMware VMs to Hyper-V.

MVMC (Microsoft Virtual Machine Converter) is one of the tools you will use when converting from VMware vSphere to Microsoft Hyper-V.

You will face some common issues, and I hope this post will save you some time.

My test environment:

1 Hyper-v Windows 2012 server

1 Vmware ESXi 4.1 with Windows 2008 R2 VMs

The goal is to convert the VM from VMDK to VHD and get it up and running in Hyper-V.

MVMC components:

MVMC actually has two parts.

1. MVMC, which moves VMs with both a CLI and a GUI.

2. MVDC (Virtual Disk Converter), which only converts disks from VMDK to VHD.

Start MVMC

When you run the MVMC GUI, you get the following interface.

You are required to enter ESXi or vCenter information here to get access to the VM list. Behind the scenes, it uses the ESXi web API to list the VMs on that host.

Here is where you select the VM to be converted. The BLUE exclamation mark indicates that a VM can't be converted. There are quite a few reasons why a VM can't be converted; in this picture one VM is powered OFF and another VM has no VMware Tools.

Now, here is the interesting part. A logged-in user can be used here directly, and notice that it asks whether the final state of the VM is ON or OFF.

Again, it is the final state of the VM, not the state during conversion. The original VM will be shut down no matter what, and it is up to you whether it starts again at the end.

If you want to convert a VM on the fly without shutting it down, this is not the tool you should use.

Behind the scenes, MVMC asks ESXi to take a snapshot of the original VM while it is running; the snapshot includes the memory state, so estimate the free space on the VM's datastore accordingly.

Once the snapshot is done, it removes VMware Tools and shuts down the VM. Then it exports the VM as an OVF template, which essentially isolates the VM from the hypervisor hardware layer. If your VM is a Microsoft TMG, you probably don't want to do that, since TMG remembers the MAC address of its NIC and stores it in its own database. There is a way to "hack" TMG, but this post doesn't cover it.

I strongly suggest using a UNC share to store the VMs.

This is where the VM will be stored. According to Microsoft, it requires at least double the size of the VM. In fact, it requires triple the space rather than double.

Behind the scenes, as mentioned above, an OVF template is generated. OVF is a compressed format, so a 50GB VM can be compressed to around 13GB. This 13GB is downloaded to the \\testhyp02\vmdk folder, and MVMC then converts it to a 50GB VHD. After that, the 50GB VHD is copied (or uploaded) to the Hyper-V VM location, which is another 50GB (compressed if you use a dynamic disk). The final occupied size is 13+50+50=113GB.

When you see this page, you are happy that the VM has been converted, inserted into Hyper-V and is up and running.

Remember, this VM came from an OVF, so some clean-up must be done.

Install the new version of Integration Services.

If you don't install Integration Services, that hardware can't be identified.

It does warn you that the OLD IP exists, but after overwriting the IP it seems to work. If you want to show the hidden device for the old NIC, you won't be able to find it.

Now, What’s Wrong?

MVMC uses multiple Microsoft technologies for the conversion.

The most common error you will get is this.

You can find the log file here.

Now, for Windows 2008 R2, I recommend the following steps.

1. Enable WinRM

WinRM allows the Windows Server (2012 in this case) to remotely manage the VM in order to remove VMware Tools.

2. Enable Server Manager remote management, which will create the firewall rules

3. Make sure the firewall rule exceptions are ticked

4. Enable the WMI and File and Printer Sharing rules on the firewall, whether the firewall is on or OFF.

After you have enabled all of these, you can run some simple tests.

For WinRM, run "winrs /r:yourTestServer ipconfig" from your MVMC server. If it shows a result, WinRM is working.

For WMI, download the WMI Administrative Tools and remotely browse the root namespace of the VM. If you can see content, it is working.

Restart the MVMC wizard and try again.
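The prerequisites and the two manual tests above can be scripted. This is an added example, not from the post or from MVMC: the first function runs inside the Windows 2008 R2 source VM (elevated), the second runs from the MVMC server and returns one result object per check. The host name is the placeholder used in the winrs example; the function names are mine.

```powershell
# Added example: enable and verify what MVMC needs on a 2008 R2 source VM.
$SourceVm = 'yourTestServer'   # placeholder name from the winrs test above

# ---- Prepare: run locally on the source VM, in an elevated prompt ----
function Enable-MvmcPrereqs {
    # 1. WinRM listener plus its firewall rule (what "winrm quickconfig" does);
    #    Server Manager remote management is enabled in its console, as shown above.
    winrm quickconfig -q
    # 2./3. Firewall rule groups MVMC relies on, enabled even if the profile is off
    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
}

# ---- Verify: run from the MVMC (Windows 2012) server ----
function Test-MvmcPrereqs([string]$Computer) {
    $result = [ordered]@{ Computer = $Computer }

    # WinRM: same thing "winrs /r:$Computer ipconfig" succeeding proves
    try   { $null = Test-WSMan -ComputerName $Computer -ErrorAction Stop; $result.WinRM = $true }
    catch { $result.WinRM = $false }

    # WMI (DCOM/RPC through the firewall): what browsing root\cimv2 in the
    # WMI Administrative Tools proves
    try   { $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop; $result.WMI = $true }
    catch { $result.WMI = $false }

    # File and Printer Sharing: the admin$ share must be reachable
    $result.AdminShare = Test-Path "\\$Computer\admin$"

    # MVMC refuses VMs without VMware Tools (the blue exclamation mark); the
    # Tools service is registered as "VMTools". $null means WMI itself failed.
    try {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='VMTools'" -ErrorAction Stop
        $result.VMwareTools = [bool]$svc
    } catch { $result.VMwareTools = $null }

    [pscustomobject]$result
}

Test-MvmcPrereqs -Computer $SourceVm
```

Every property should read True before you restart the MVMC wizard; a False on WinRM or WMI points at the matching step in the list above.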

What about converting a VM on the fly without shutting it down?

I'm not sure any software can do that at this stage. But you CAN clone a VM to an isolated network, run the clone and import it into Hyper-V with MVMC.

For VMs with large disks, you may want to use MVDC to convert the disks, build a VM in Hyper-V and attach the disks.

Please let me know any thoughts.

 

Add-on:

The following is the answer from Microsoft about converting V2V on the fly.

Answer back from some of our Hyper-V guys…

 

==============================

It’s “possible” to perform a P2V conversion on a VMware virtual machine using Virtual Machine Manager, which leverages VSS to take the required snapshots while keeping the target machine online. However, it’s required to remove the VMware client tools first, which will probably require a reboot anyhow.

 

References:

 

VMM P2V
http://technet.microsoft.com/en-us/library/cc764232.aspx
Troubleshooting P2V

http://social.technet.microsoft.com/wiki/contents/articles/439.vmm-troubleshooting-p2v-conversion-issues.aspx

 

Reference:

http://technet.microsoft.com/en-us/library/hh967435.aspx

Download:

http://www.microsoft.com/en-us/download/details.aspx?id=34591


First of all, Happy New Year 2013! I am happy the whole world didn't blow up, and my guess is those Mayan dudes just ran out of space on that piece of stone, so they thought: why the hell should I care about the world thousands of years later? ;)

Now, back to VMware. With vSphere 5.1.0b released, I started to wonder whether it is time to consider using vDS (vSphere Distributed Switch) to replace vSS.

vDS has been around for years, but only Enterprise Plus licenses actually get to use it. The concept of vDS is great, but in the real world, from my point of view, it is not practical to completely replace vSS with vDS.

My suggestion is a hybrid environment with vSS and vDS. As a matter of fact, I'm afraid that is your only option. There will be a time when you need to fail VMs over from a broken vDS to something else, so between another vDS and a vSS, which one would you go for?

I did a bit of research on vDS and would like to share some tricks and "how to" with everyone. Feel free to ask questions and correct my mistakes as usual.

vSphere Client or vSphere Web Client?

With the vSphere Web Client getting more and more popular, should we use the Web Client and dump the old one? The answer is no. The new Web Client is incomplete and slow, but it does provide more functions than the C++ version. I will stick with the Web Client in this post as much as possible.

What’s is vDS?

You can always find the answer in my old post. Compared with vSS, vDS provides more virtual gateways (unlike vSS, vDS also virtualizes the uplinks), more control and monitoring of the traffic going through the virtual switch, and profile-based deployment from vCenter to hosts, so vDS is aware of all hosts' networking rather than working alone like vSS.

However, it brings a lot of other issues if you want to put vDS into production. One of them is renaming uplinks.

Why do we need to rename uplinks?

Uplinks exist on vDS only. An uplink is a virtual port group that you connect your physical NICs to. Assuming you have 10 hosts, it is hard to guarantee that every vmnic01 will connect to Uplink01, since vmnic01 may be connected to different networks in the real world. After a while, you may get confused about what each uplink is for.

Tricks:

Always rename your uplinks before you connect anything to the vDS.

You need to rename your uplinks ASAP after you create the vDS. Once anything is hooked up to the vDS, it simply won't let you touch the uplinks because they may be connected to something. Even if you remove the connection, the vDS still holds the same configuration until refresh time (for more details and the solution, please check my old post).

Steps to rename Uplink

Log in to the Web Client.

After you rename your uplinks, you can start to create the vMotion port group for the vDS.

Create vMotion for vDS

The funny thing about this step is that you have to create a vDS port group first before you can do anything else.

Now you can create a new uplink for vMotion.

I skip the rest of the steps.

Tricks:

I don't think you can vMotion between vSS and vDS. You can only vMotion between the same type of vSwitch, although you can migrate VMs from vSS to vDS with a few ping drops.

Assign specific vmnic to Uplink

One thing you may want to do is assign vmnic01 (for example) to a specific uplink. Follow these steps.

Add the physical adapters to the vDS via the Web Client.

Change Auto-assign to a specific uplink.

Delete an uplink (not the physical NIC connection)

The simple thing I want to do is remove one of the uplinks. It is the virtual uplink on the vSwitch, NOT the physical NIC that I connect to the uplink. But this very simple thing almost can't be done via either the vSphere Client or the Web Client.

To give you a better understanding: a new vDS comes with 4 uplinks connected to nothing. What happens if I add more uplinks now and want to remove some later?

The way you add more uplinks is the number of uplink ports in the switch settings.

Unfortunately, the only way to remove an uplink is either to rebuild a new vDS, or to migrate all your VMs to another switch, remove all physical host NIC connections to the uplinks, go back to that setting and set a LOWER number!

If you set this number to 3, 2 uplinks will disappear, but it won't let you choose which 2. Therefore, you had better move all VMs and all physical host NIC connections away from the uplinks before you remove any.

This is not just my conclusion: a VMware Support Engineer was on the phone with me for an hour and came up with this solution. Maybe there is another way to do it, but we were not able to find it. If you know how, please let me know or leave a comment.
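Both the uplink rename (earlier section) and the uplink count change (this section) are the same vSphere API operation: replacing the switch's uplink name policy. This is an added PowerCLI example, not from the post or from VMware's documentation; the switch name and new uplink names are placeholders, and it assumes PowerCLI 5.1 or later with the vSphere view objects available through ExtensionData.

```powershell
# Added example: rename (or re-count) the uplinks of a vDS through the API.
# The uplink names are replaced as one list, so its length is the uplink count:
# fewer names than before removes uplinks, which is the behaviour described above.
$VdsName  = 'vDS-Prod'                                         # placeholder
$NewNames = 'Uplink-Mgmt', 'Uplink-vMotion', 'Uplink-VM-A', 'Uplink-VM-B'

$vds  = Get-VDSwitch -Name $VdsName
$view = $vds.ExtensionData          # DistributedVirtualSwitch managed object
$cfg  = $view.Config

# Safety check from the post: once physical NICs are bound to uplinks, vCenter
# rejects the change and keeps the stale configuration until refresh time.
# Config.Host lists member hosts; each host's pNIC backing holds the bound vmnics.
$bound = @($cfg.Host | ForEach-Object { $_.Config.Backing.PnicSpec } | Where-Object { $_ })
if ($bound.Count -gt 0) {
    $names = ($bound | ForEach-Object { $_.PnicDevice } | Sort-Object -Unique) -join ', '
    throw "Uplinks on '$VdsName' are still bound to physical NICs ($names); migrate them off first."
}

Write-Host "Current uplinks: $($cfg.UplinkPortPolicy.UplinkPortName -join ', ')"

$policy = New-Object VMware.Vim.DVSNameArrayUplinkPortPolicy
$policy.UplinkPortName = $NewNames

$spec = New-Object VMware.Vim.DVSConfigSpec
$spec.ConfigVersion    = $cfg.ConfigVersion   # optimistic lock: must match the current config
$spec.UplinkPortPolicy = $policy

$view.ReconfigureDvs($spec)                   # synchronous wrapper of ReconfigureDvs_Task
$view.UpdateViewData('Config.UplinkPortPolicy')
Write-Host "New uplinks:     $($view.Config.UplinkPortPolicy.UplinkPortName -join ', ')"
```

Run it right after creating the switch; if the count is reduced, the uplinks dropped are chosen by position in the list, not by you.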

Conclusion:

There is still a lot of testing we can do with vDS, but at this stage I definitely wouldn't recommend ditching vSS and using vDS alone. A hybrid environment is what I would recommend.


It's a shame that it took me 2 hours to find out why my Syslog Collector was not working. But I would like to share my experience with everyone, including how to debug it.

The Syslog Collector has two parts.

Part running on vCenter

The Syslog Collector must be installed first.

It is very important to configure your firewall so your syslog traffic can get through.

The Syslog Collector can use 3 different protocols: TCP, UDP and SSL. You can enable all of them.

Make sure you have disk space for this log collector.

This will install the plug-in directly into your vCenter.

Feel free to use your DOMAIN\SERVICE_ACCOUNT instead of the local administrator. But you need to make sure that the service account has local admin rights first.

Using a different account also gives a better view in Task Manager of how much memory it consumes.

You can replace the SSL certificate with a certificate from your local CA if you really want.

Then you can finish the installation.

You will see it in your services.

You will see it in your Task Manager.

Parts you need to configure on the ESXi host

On the ESXi host, you need to configure a little bit more than the PDF tells you.

You need to configure the ESXi firewall to open the port (which I didn't. -_-b)

After that, the easiest way to configure it is to use the vSphere Client (not the Web Client).

You can use either tcp://servername:514 or tcp://serverIP:514, or the other protocols.

Once that is done, you should have a new folder under your Syslog Collector folder immediately, without any other action.

Debug Procedure:

Debug from vCenter

Check whether the Syslog Collector service is up.

Check whether the Syslog process appears in Task Manager.

Use telnet to check the TCP port to see whether the port is open / listening.

If you want to test the UDP port, you can use the Microsoft tool PortQryUI. You can find it at this link.

http://www.microsoft.com/en-us/download/details.aspx?id=24009
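The telnet and PortQryUI checks above only tell you the port is open; a scriptable alternative is to send one syslog line over each protocol and then look for the per-host folder the collector creates. This is an added example, not from the post or from VMware: the collector host, the ESXi host name, the repository path and the folder naming are assumptions for your environment, and it needs PowerShell 3 or later.

```powershell
# Added example: send a test syslog message over UDP and TCP to the collector
# and check whether the collector created a folder for the sending host.
param(
    [string]$Collector = 'syslog01.domain.local',                              # assumed
    [string]$EsxiHost  = 'esxi01',                                             # assumed
    [string]$LogRoot   = 'C:\ProgramData\VMware\VMware Syslog Collector\Data', # assumed repository
    [int]$Port = 514
)

function Send-TestSyslog([string]$Proto) {
    # RFC 3164 style line: <PRI>TIMESTAMP HOST TAG: MSG, PRI 14 = facility user, severity info
    $ts    = (Get-Date).ToString('MMM dd HH:mm:ss')
    $line  = "<14>$ts $EsxiHost syslogtest: collector check over $Proto"
    $bytes = [Text.Encoding]::ASCII.GetBytes($line + "`n")
    try {
        if ($Proto -eq 'UDP') {
            # UDP gives no feedback: a "successful" send only means the packet left this host
            $udp = New-Object Net.Sockets.UdpClient
            $null = $udp.Send($bytes, $bytes.Length, $Collector, $Port)
            $udp.Close()
        } else {
            # TCP connect fails outright if the listener is down or the firewall blocks it
            $tcp = New-Object Net.Sockets.TcpClient($Collector, $Port)
            $stream = $tcp.GetStream()
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Flush()
            $tcp.Close()
        }
        return $true
    } catch {
        Write-Warning "$Proto send to ${Collector}:$Port failed: $($_.Exception.Message)"
        return $false
    }
}

$results = [ordered]@{
    TcpSent = Send-TestSyslog 'TCP'
    UdpSent = Send-TestSyslog 'UDP'
}
Start-Sleep -Seconds 2

# The collector writes each source into its own folder (assumed here to be named
# after the host); no folder means nothing arrived: Windows or ESXi firewall,
# wrong protocol prefix in the ESXi setting, or the collector service not running.
$results.HostFolderExists = Test-Path (Join-Path $LogRoot $EsxiHost)
[pscustomobject]$results
```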

Debug from the ESXi host

Check the firewall and make sure the port is open.

Check the syslog settings in ESXi from the console.

Use this command to reload the ESXi syslog:

esxcli system syslog reload

Use this command to test the ESXi syslog:

esxcli system coredump network check

If it is successful, you should see something like this:

Verified the configured netdump server is running

You can also use the ESXi console to configure it rather than vCenter:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2003322

The IP is the syslog collector's IP address.

The vMA commands are a little different since you normally need to authenticate yourself, hence I won't list them here.

I think that's everything about syslog. Please let me know if you have questions.


Symptom:

Essentially, this issue exists in both vSphere 5.1 and vSphere 5.1a. No matter what I did to install either vSphere 5.1 or 5.1a, I was never able to use the Web Client to connect to vCenter.

All you get is this error.

Could not connect to one or more vCenter Server Systems:

https://domain.com.au:443/sdk

This was really driving me crazy. The vSphere Web Client should connect to vcenterServer.domain.com.au rather than just domain.com.au.

I tried many things via the vSphere Web Client and none of them fixed the issue.

Now, let's see the root of this issue:

Cause:

The root cause is that when you install vCenter Server, the wizard misleads you and you input the wrong value.

When you install vCenter Server, you are required to enter a service account to run the vCenter service. Here is where I went wrong.

If you look at the account name field, it only shows a simple user name. Clearly, I wanted to use a domain service account to run this service. From this screen, I thought the system was offering a local user on the vCenter server, which I didn't want.

So I modified that FQDN field to domain.com.au, thinking that I could then use a domain account rather than a local account.

But I was wrong: that FQDN is actually the vCenter Server's FQDN and has nothing to do with the account name and password.

Solution:

You should reinstall vCenter Server if you have this issue. You can't easily change the FQDN of vCenter in the Lookup Service (at least, I didn't see any public docs). Reinstalling vCenter should fix the issue, but if that doesn't work, you have to reinstall SSO, the Inventory Service and vCenter Server.

The interesting thing about that screen is that once you leave the account field, type the password and FQDN, click Next and then click Previous to go back and check the settings, the simple username becomes domain\username!

Other information:

Do not log in to the Web Client with admin@system-domain, because that is the SSO admin and it has no rights on vCenter Server to see the content.

Please let me know if you have more questions.


What is UCS VIC failover?

Put simply, each blade can have a VIC card. Each VIC card has two 10Gbit/s ports, like the one we are using, the Cisco UCS M81KR.

This VIC card handles all network/SAN traffic from the blade to both IOMs. When there is an outage on one upstream path, the VIC can automatically redirect traffic to the other working interface without an outage.

For more details, please refer to the reference document.

Why do we need to disable UCS VIC failover?

According to the UCS design document:

All Connectivity May Be Lost During Upgrades if vNIC Failover and NIC Teaming Are Both Enabled. All connectivity may be lost during firmware upgrades if you have configured both Enable Failover on one or more vNICs and you have also configured NIC teaming/bonding at the host operating system level. Please design for availability by using one or the other method, but never both.
To determine whether you have enabled failover for one or more vNICs in a Cisco UCS domain, verify the configuration of the vNICs within each service profile associated with a server. For more information, see the Cisco UCS Manager configuration guide for the release that you are running.

 

UCS VIC failover has MAC conflicts with host-level NIC teaming, including VMware vNIC teaming.

Comparing the two failover solutions, VMware NIC teaming also provides network load balancing and much more control than Cisco VIC failover. Hence, we need to disable VIC failover.

How to disable VIC failover

It really depends on how you set up your system. In my UCS, I have deployed a vNIC template, and therefore I need to modify the vNIC template first.

Notice the vNIC template type is Updating Template even though the service profile template is an Initial Template; this means the change I make (unticking Enable Failover) will be pushed to the blades immediately.

The good thing is that we have set our reboot policy to "User Ack", so UCS will not reboot the blades immediately; instead, it puts the request into the Pending Activities list for approval.

Change failover procedure

Now you will be able to schedule the reboot of your blade.

Reference:

http://www.cisco.com/en/US/prod/collateral/ps10265/ps10276/solution_overview_c22-555987_ps10280_Product_Solution_Overview.html


Cisco UCS B series firmware upgrade from 2.0(2q) to 2.0(4a)

Why do we upgrade UCS firmware

This post describes upgrading Cisco UCS B series firmware from 2.0(2q) to 2.0(4a). The reason for this upgrade is simple: a bug.

There is a Cisco bug in the system which prevents show tech from being generated. Without the show tech file, I am not able to diagnose any issues, so it has become more and more critical for us.

According to Cisco, 2.0(4a) has fixed this issue. I have attached the PDF in the references so you can download it and take a look. Basically, the real upgrade is pretty close to that document with minor twists.

Download firmware

There is no drama here. Just log in to Cisco.com with your Cisco account and follow the instructions in the document to download the bundle files.

In my case, I only have UCS B series, so I only downloaded two files.

Preparation

There isn't much to do for preparation. My personal suggestions are:

Make sure you have enough space on the bootflash.

Then you can upload those two files into the system easily from a local server.

Back up your current configuration.

You need to make sure you have a filename written in the field; otherwise it may not be able to back up the configuration.

Create Host Firmware Package

This package delivers quite a few firmware updates and is only deployed through a service profile. In other words, your server must be associated with a service profile in order to receive this firmware.

Depending on the environment, the firmware package can contain different components.

Adapter:

In our system, each UCS blade has one DCE adapter, the M81KR. Following the PDF doc, I didn't include the adapter firmware in the package, but Cisco tech support said I should include it.

BIOS:

BIOS is a must.

Storage Controller:

Because we use RAID-1 local disks for the OS, we need to upgrade that as well.

Board Controller:

Compared with the package version, there is no new version, so we don't need to upgrade this one.

Disable Call Home Service

 


 

Update Firmware for Adapters, CIMCs and IOMs

Updating firmware only loads the new version into the Backup Version slot. The new version becomes the Startup Version once you restart the components.

For just updating firmware, you can select ALL; it will not cause any harm.

Activating firmware on adapters and CIMCs

You need to do these steps in order. You can't select the adapters and the CIMCs together and hope that clicking OK applies both components at once; it will cause issues. If you somehow did select both, click Cancel.

DO NOT select ALL in the filter to activate everything at once!!

Activate the firmware for the adapters.

Notice that the Activate Status is Pending Next Boot.

Activate CIMCs

The CIMC is a separate component from the data path, so it will restart itself with no disruption to production data.

The CIMCs will become 2.0(4a).

Activating UCS Manager Software

This will cause the console and KVM to restart. No data disruption either.

Activating IOM

The IOM is an important module and activating it will cause data disruption, so this module reboots when you reboot the FI. If you have 2 FIs for redundancy, you can reboot one FI at a time. When you reboot FI-A, IOM-A reboots as well. Therefore, we will only load the new version as the Startup Version and wait for the reboot.

Activate Fabric Interconnect Firmware

With the Fabric Interconnects, we need to identify which one is the subordinate. We update the subordinate first, then switch the primary role to the newly updated FI and update the other FI. You need to make sure your redundancy is working; otherwise you will experience downtime on the blades.

In my personal experience, you can actually give the subordinate FI a reboot before you update the firmware, which cleans up a lot of stuck issues and processes.

If the FI comes up with that status, it means it is all good to update the other FI.

Check all connections, including network and VIFs.

Essentially, if you see connections on both FI-A and FI-B, then it is right. Just be aware that some command lines have changed once you upgrade your version of UCS Manager.

You will do the same steps for the other FI, but remember to switch the other FI to become the subordinate first.

Update blade BIOS, SLI logic controller and others

This is the last step. Before you do anything, you need to make sure your management policy is set up correctly like this.

Then you need to make sure your host firmware package is attached to the template or service profile.

Once you make the change, it should pop up asking whether to reboot or not.

Choose No to reboot in your own time.

Thank you for reading. Hope it helps.

Reference:

http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/upgrading/from2.0/to2.0MR/b_UpgradingCiscoUCSFrom2.0To2.0MR.pdf