Showing posts with label vCenter. Show all posts

Thursday, March 19, 2020

PowerCLI Script - Create a report of Virtual Machines and ESXi hosts in your infra

This needs PowerCLI installed:
https://code.vmware.com/web/tool/11.5.0/vmware-powercli


1) Download the script

https://github.com/msexpertzone/VMware-PowerCLI/tree/master/vSphereInfraReport

2) Copy it to a folder and create a "Report" folder in it.










3) Update your vCenter FQDNs in the vCenterList.txt file. If there is more than one vCenter, add the second one on a new line
4) Open PowerShell as administrator
5) Run the script and wait for the inventory to complete.

> AllVMReport.ps1 = Gets you a report of all VMs
> ESXIReport.ps1 = Fetches ESXi details

6) Each report is saved individually in the "Report" folder

Both scripts can run in parallel.


Note Permissions

The account that's used to run the script needs Read Only permissions in vCenter.
Apart from that, the user also needs the CIM permission to read the hardware details that are collected as part of the ESXIReport script.








Sunday, March 15, 2020

vSphere Infra - Disable TLSv1 and TLSv1.1


Below are the methods used in vSphere 6.5 and 6.7.

Disable TLSv1 and TLSv1.1 on vCenter Server Appliance

1) Scan to check current status


/usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc scan



The scan result above shows that TLSv1.0 and TLSv1.1 are enabled.

2) Now, to enable only TLSv1.2, use the command below

Note: This is not a live change. Proceeding with this step will restart vCenter services.


/usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2
Once complete you can see




Disable TLSv1 and TLSv1.1 on ESXi servers

1) On VCSA appliance CD to ESXTLSReconfigu



cd /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator
You have three options.

a) Run it against ESXi host / ESXi hosts
b) Run it against vCenter Cluster / vCenter Clusters

To run it against a vCenter cluster / vCenter clusters

./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_vCenter_User -p TLSv1.2
The command supports multiple cluster names in comma-separated format.

To run it against ESXi host / ESXi hosts

./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_vCenter_User -p TLSv1.2
The command supports multiple ESXi names / IP addresses in comma-separated format.


Also take a look at William's script here. There are two functions here, which makes it much easier and can also scan ESXi hosts, which is missing in reconfigureEsx natively.
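To confirm the change from outside the VMware tooling, the sketch below probes an endpoint with the openssl CLI, once per protocol version. It is an added example, not part of the original post or of reconfigureVc/reconfigureEsx; the function names and the host in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: check which TLS versions an endpoint still negotiates.
# Run it from an admin workstation that has the openssl CLI.

# tls_probe HOST:PORT FLAG
# FLAG is an s_client protocol switch without the dash: tls1, tls1_1, tls1_2.
# Prints one word:
#   accepted     handshake completed using exactly that protocol
#   refused      no handshake (protocol disabled, or endpoint unreachable)
#   unsupported  the local openssl cannot offer that protocol: no verdict
tls_probe() {
    command -v openssl >/dev/null 2>&1 || { echo unsupported; return 0; }
    # SECLEVEL=0 lets a modern client offer TLS 1.0/1.1 at all; without it
    # the probe can fail locally and look like a server-side refusal.
    out=$(openssl s_client -connect "$1" "-$2" \
            -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>&1) || true
    case $out in
        *"nknown option"*|*"no protocols available"*|*"error setting cipher list"*)
            echo unsupported ;;
        *"Cipher is (NONE)"*) echo refused ;;
        *"Cipher is "*)       echo accepted ;;
        *)                    echo refused ;;
    esac
}

# tls_legacy_report HOST:PORT
# Prints one line per protocol and returns 1 if TLS 1.0 or 1.1 is accepted.
tls_legacy_report() {
    legacy=0
    for flag in tls1 tls1_1 tls1_2; do
        result=$(tls_probe "$1" "$flag")
        echo "$1 $flag $result"
        if [ "$result" = accepted ] && [ "$flag" != tls1_2 ]; then
            legacy=1
        fi
    done
    return "$legacy"
}

# Usage (placeholder host name):
#   tls_legacy_report esxi01.example.com:443 || echo "legacy TLS still enabled"
```

An "unsupported" result means the check has to be repeated from a client whose openssl build still includes the old protocols.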




Tuesday, December 10, 2019

vCenter SSO User password Expired

We had a vCenter SSO user created for SRM and its password expired. Here is how you can check it and fix it.

User name is srm@vsphere.local

1) Log in to the VCSA with SSH and run the commands below

root@vcenterserver [ ~ ]# cd /usr/lib/vmware-vmafd/bin/

root@vcenterserver [ /usr/lib/vmware-vmafd/bin ]# ./dir-cli user find-by-name --account srm --level 2
Enter password for administrator@vsphere.local:
Account: srm
UPN: srm@VSPHERE.LOCAL
Account disabled: FALSE
Account locked: FALSE
Password never expires: FALSE
Password expired: TRUE

root@vcenterserver [ /usr/lib/vmware-vmafd/bin ]# ./dir-cli user modify --account srm --password-never-expires
Enter password for administrator@vsphere.local:
Password set to never expire for [srm].


root@vcenterserver [ /usr/lib/vmware-vmafd/bin ]# ./dir-cli password reset --account srm --password XXXXXXXX
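Accounts set to never expire drop out of password rotation, so it helps to keep a list of them alongside the ones that are expired or locked. The sketch below is an added example, not part of the original post: it parses the `dir-cli user find-by-name ... --level 2` output format shown above, and the second account in the sample (svc-backup) is constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise dir-cli account status lines.

# sso_account_flags: read `dir-cli user find-by-name ... --level 2` output on
# stdin (one or more accounts, concatenated) and print one line per account:
#   <account> <comma-separated flags, or "ok">
sso_account_flags() {
    awk -F': *' '
        function add(f) { flags = (flags == "" ? f : flags "," f) }
        function emit() { if (acct != "") print acct, (flags == "" ? "ok" : flags) }
        { sub(/[ \t\r]+$/, "") }   # tolerate trailing blanks and carriage returns
        $1 == "Account"                                { emit(); acct = $2; flags = "" }
        $1 == "Account disabled"       && $2 == "TRUE" { add("disabled") }
        $1 == "Account locked"         && $2 == "TRUE" { add("locked") }
        $1 == "Password never expires" && $2 == "TRUE" { add("never-expires") }
        $1 == "Password expired"       && $2 == "TRUE" { add("expired") }
        END { emit() }
    '
}

# Sample input: the srm record is the one from the post; svc-backup is a
# constructed record showing an account after --password-never-expires.
sample_dircli_output() {
    cat <<'EOF'
Enter password for administrator@vsphere.local:
Account: srm
UPN: srm@VSPHERE.LOCAL
Account disabled: FALSE
Account locked: FALSE
Password never expires: FALSE
Password expired: TRUE
Account: svc-backup
UPN: svc-backup@VSPHERE.LOCAL
Account disabled: FALSE
Account locked: FALSE
Password never expires: TRUE
Password expired: FALSE
EOF
}

# Usage: sample_dircli_output | sso_account_flags
```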





Tuesday, November 19, 2019

applmgmt service won't start on PSC Appliance post converge operation

Scenario

We had a vCenter with an External PSC. We converged them and the converge job was successful except for a cert warning.
After a week we tried to decommission the old PSC appliance and found that its status was shown in WebClient as "Unknown".

Upon checking, we found applmgmt in a stopped state. We tried to start it, but it failed with the error below

[ ~ ]# service-control --status
Running:
 lwsmd pschealth vmafdd vmcad vmdird vmdnsd vmonapi vmware-analytics vmware-certificatemanagement vmware-cis-license vmware-cm vmware-rhttpproxy vmware-sca vmware-sts-idmd vmware-stsd vmware-vapi-endpoint vmware-vmon
Stopped:
 applmgmt vmware-statsmonitor


[ ~ ]# service-control --start applmgmt
Operation not cancellable. Please wait for it to finish...
Performing start operation on service applmgmt...
Error executing start on service applmgmt. Details {
    "detail": [
        {
            "translatable": "An error occurred while starting service '%(0)s'",
            "id": "install.ciscommon.service.failstart",
            "args": [
                "applmgmt"
            ],
            "localized": "An error occurred while starting service 'applmgmt'"
        }
    ],
    "componentKey": null,
    "resolution": null,
    "problemId": null
}
Service-control failed. Error: {
    "detail": [
        {
            "translatable": "An error occurred while starting service '%(0)s'",
            "id": "install.ciscommon.service.failstart",
            "args": [
                "applmgmt"
            ],
            "localized": "An error occurred while starting service 'applmgmt'"
        }
    ],
    "componentKey": null,
    "resolution": null,
    "problemId": null
}



We had this issue on two infrastructures and we could fix it on one

FIX that worked on first PSC

# List all disabled services for removal.  
find /etc/systemd/system/ -lname '/dev/null' -exec ls {} \;   
 
# Automatically remove them (or rm each file) 
find /etc/systemd/system/ -lname '/dev/null' -exec rm {} \;  
 
# Reload systemctl daemon
systemctl daemon-reload  
 
# Start services or Reboot 
service-control --start --all  
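The `find ... -exec rm` above removes every mask under /etc/systemd/system, including units that were masked on purpose. The sketch below is an added example, not part of the original post: it lists the masks first and removes only the ones named, keeping a record. The unit names and the throwaway directory in `demo` are constructed stand-ins for the real /etc/systemd/system.

```shell
#!/bin/sh
# Added example: review masked units, then unmask only the ones selected.

# list_masked DIR: print every symlink under DIR that points to /dev/null,
# which is how `systemctl mask` disables a unit.
list_masked() {
    find "$1" -type l | while IFS= read -r link; do
        if [ "$(readlink "$link")" = /dev/null ]; then
            printf '%s\n' "$link"
        fi
    done | sort
}

# unmask_selected LOG LINK...: remove only the named mask symlinks and record
# each one in LOG so the mask can be restored with `systemctl mask` later.
unmask_selected() {
    log=$1
    shift
    for link in "$@"; do
        if [ -L "$link" ] && [ "$(readlink "$link")" = /dev/null ]; then
            printf '%s\n' "$link" >>"$log"
            rm -- "$link"
        else
            echo "skip: $link is not a mask symlink" >&2
        fi
    done
}

# demo: build a throwaway directory, unmask one unit, and print what is
# still masked afterwards plus what was logged.
demo() {
    dir=$(mktemp -d)
    ln -s /dev/null "$dir/applmgmt.service"      # the service we need back
    ln -s /dev/null "$dir/ctrl-alt-del.target"   # masked on purpose (hardening)
    : >"$dir/other.service"                      # ordinary unit file, untouched
    unmask_selected "$dir/removed.log" \
        "$dir/applmgmt.service" "$dir/other.service" 2>/dev/null
    list_masked "$dir" | sed "s|^$dir/||"
    echo "logged: $(sed "s|^$dir/||" "$dir/removed.log")"
    rm -rf "$dir"
}
```

On the appliance itself, follow the selective removal with `systemctl daemon-reload` as in the steps above.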


However, the second PSC was still not happy, so we had to remove the replication manually.

Manual Removal of the replication

1) Shut down both the PSC and the vCenters and take an offline snap
2) Power on only the vCenter. Do not start the PSC
3) SSH to the vCenter and run the commands below

a) List all PSCs connected
]# ./vdcrepadmin -f showservers -h localhost -u administrator -w XXXX
cn=oldpscappliance.mydomain.com,cn=Servers,cn=Sites,cn=Configuration,dc=vsphere,dc=local
cn=vcenter.mydomain.com,cn=Servers,cn=Sites,cn=Configuration,dc=vsphere,dc=local


Note -- XXXX is the SSO password for administrator@vsphere.local 

I can now see two: the old PSC appliance and also the vCenter with the PSC converged into it.
I ran the command below to make sure the vCenter is pointing to the converged PSC and not the old appliance

]# /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
https://vcenter.mydomain.com:443/lookupservice/sdk


The output confirmed that the PSC appliance is not in use, so I decided to manually remove the association.

# /bin/cmsso-util unregister --node-pnid oldpscappliance.mydomain.com --username administrator --passwd XXXX

Watch the output; it basically ends like this

2019-11-12T08:29:24.939Z  Running command: ['/usr/lib/vmware-vmafd/bin/dir-cli', 'service', 'list', '--login', 'administrator']
2019-11-12T08:29:25.059Z  Done running command
Stopping all the services ...
All services stopped.
Starting all the services ...
Started all the services.
Success

2019-11-12T08:33:13.071Z  Running command: ['/usr/bin/sed', '-i', '-e', 's/cmsso-util.*/cmsso-util/g', '/var/log/vmware/procstate']
2019-11-12T08:33:13.829Z  Done running command

Log in to the vCenter via WebClient and, under Administration -> System Configuration, make sure that the old PSC is not listed anymore.


You may keep the old PSC appliance for a few days and delete it once it's all good. 


Tuesday, August 7, 2018

Email alerts stopped after vCenter 6 to 6.5 upgrade

Upgraded our vCenter from the 6.0 Appliance to the 6.5 Appliance last week.
It was one of my smoothest experiences with vCenter in all this time. Having said that, after two days I realised that the email alerts had stopped working. We had the same issue when we upgraded from 5.5 Windows to the 6.0 Appliance. We had to go through a bunch of manual config changes to get it working; below is the KB, which is worth checking
https://kb.vmware.com/s/article/2073849
I was afraid that it's the same case again, but to my surprise it was not the case here.

If you are experiencing similar issues, follow the steps below

1) Open vSphere Web Client
2) Click on vCenter and Click on Configure at the right side
3) Under Settings -> General Click Edit
4) Click on Mail
5) Cut the Mail Server (save it in a notepad if required) and type something else there (maybe check@email.com) and click OK to save
6) Edit again and replace the Mail server with the actual SMTP FQDN that you cut earlier.

Boom!!

All the emails started flowing to my inbox again and there were a lot of them. Looks like they were queued.

Give it a try... All the best....