Category: VMware

VMware & Azure Site Recovery – Part 2: Infrastructure Configuration

Following on from my previous post about VMware and Microsoft ASR, I’m going to run through some more of the technical configuration which is required to get your VMware VMs protected in the Microsoft Cloud. This section will mainly deal with setting up the on-site configuration server and the connectivity to the Azure Site Recovery Subscription.

Preparing Infrastructure

To create the link between the cloud components and on-site, you need to create a Recovery Services Vault.

1. From your Azure portal, under Monitoring + Management, select Backup & Site Recovery (OMS).

2. Create a Recovery Services Vault similar to above. I heavily recommend pinning this to your Dashboard to make it easily accessible later!

3. Once created, head to Site Recovery and Prepare Infrastructure. Select your goals (in this case, replicate to Azure from VMware).

4. The on-site configuration server and prerequisites are required here (as mentioned in part 1). Download the installer and registration key to your server.

5. On your 2012 R2 server, run the installer.

6. Accept the EULA

7. Import the reg key as downloaded in step 4.

8. Select Proxy Server options.

9. Run the Prerequisite checks (I had a warning about a 500GB secondary disk, not an issue as this is purely testing).

10. Enter the details of your MySQL passwords (interesting that MySQL is used).

11. Agree to VMware virtual machine protection and validation of PowerCLI 6.0 takes place. It must be 6.0! I tried with the latest 6.5 and validation fails.

12. Select your ASR install directory

13. Select the NIC on your box you want for replication traffic.

14. Hit Install!

15. Hopefully all goes well and you have some nice green ticks!

16. You will be given a passphrase for your configuration server. This is needed when you connect agents on protected VMs to this server to be replicated. (It can be obtained later).

17. The Config Server admin opens for you automatically. A shortcut is also placed on the Desktop. Enter an account that has sufficient Administrator privilege over your vCenter account.

18. Back in the portal you can add in the new source configuration server and AD account, select OK.


Note:- Sometimes changes on the config server are not available on the portal straight away. To fix this, you can find your Server from the pinned shortcut and perform a manual refresh!

19. Select your subscription, deployment model, storage account and network as a Target.

20. Create a default replication policy. I left mine as the defaults and came back and tweaked policies later.

21. Complete the infrastructure preparation by running the capacity planner and confirming. I have not done this as I’m only testing a few VMs in the first instance.

This is a good place to stop. The next post will detail adding some machines to be replicated, but in order to do that you need to install the agent on them in one of three ways: install manually, push centrally or have the configuration server do it. Obviously the deployment method needs to be considered for your organisation (via GPO, DSC, Puppet, etc).

VMware & Azure Site Recovery – Part 1: Pre-Requisites

I’ve had the opportunity of investigating Disaster Recovery in my role recently. I have been looking at costs and methods of bringing our critical systems online in the event of a primary data center outage.

Without going into too much detail on my existing employer, there are many things to review and architecting DR into the existing infrastructure isn’t the easiest thing to do. Given our relationship with Microsoft, I was asked to investigate Azure Site Recovery to see if it was a viable option to provide us with a DR site in the cloud.

I’m going to be blogging in a small series on the technical implementation required to achieve VMware VMs failing over from an on-site VMware cluster to an Azure Site Recovery instance. Hopefully if all goes well I’ll add to the series as I go, but for now I’m going to keep it simple with basic deployment.


The entire process that I am following has been documented by Microsoft and gives some good detail on how to achieve VM replication into the cloud.

It is important to read through the checklist of required items before starting the setup. This can be done beforehand or during the actual implementation. I summarised it as the following:


1) An Azure account, free trial possible (I have MSDN sub)
2) Azure Storage, somewhere to put your data.
3) Azure Network, the VMs’ location after failover.


1) Build a new 2012 R2 Process/Management Server with necessary specification (Ready for installing ASR components)
2) External network connectivity to cloud services.
3) VMware vCenter + ESXi 5.5 or greater.
4) Guest machines that do not exceed certain limitations of the service (e.g. – No disks larger than 1TB)

Once the pre-steps are complete, it was on to configuring the magic….

1) Signed in to my MSDN subscription and set up the Azure Free trial ($150 a month)

2) Login to

3) Navigate to the market place, Networking, Virtual Network.

4) If this is all new, it’s best to stick with the Resource Manager deployment model as that is the latest and greatest. Click Create.

5) Create your virtual network by filling in your requirements. I went for the large default address space, naming it and then a small subnet within that for testing. In this instance I also created a new Resource Group for


NB:- A handy tip is to pin certain objects to the dashboard so you can see them on your main screen. I found this useful for the on-site Process/Management server.

6) Navigate to the market place, Storage, Storage account.

7) Create a storage account as instructed. I opted for standard performance and keeping the data geographically local as I’m only performing a PoC, maintaining the resource in the previously created group.

8) Navigate to the market place, Monitoring + management, Backup and Site Recovery. Create a recovery vault to group resources together.


The next thing worth doing is creating an account in your Directory Services that VMware and ASR can use.

1) Create AD Service account
2) Add to vCenter/Datacenter object where VMs will be replicated from.
3) Create a role for “Azure Site Recovery” and give it the following permissions:


Here is a good place to stop with this part of the guide. The hard part of this post was making sure all the pre-configuration bits are done and that you are ready to proceed.

In the next post I’ll run through configuring the actual Site Recovery and making the components communicate. The most notable comment I’d have for all of this is that Microsoft have gone quite a distance in making this process as easy as possible. That doesn’t mean, however, that it goes completely without technical caveats which I’ll cover later on in the series.
Until next time!

vCSA 6.5 Upgrade Fail – Migration Assistant & VUM

I, like many, have recently tried to update my vCSA 6.0 to 6.5. Part of this work involves running the migration assistant on the existing Windows Server running VMware Update Manager.

I had a failure recently and there was nothing noting how to fix it. The issue was trying to run the Migration assistant, entering in the administrator@vsphere.local password and getting a big fail message.

Error message:


Error: A problem occurred during authentication to the legacy vCenter Server using the provided credentials. Resolution make sure the vCenter Server is up and running. Verify you have entered the correct credentials.

Now, before I started my upgrade (blogs to follow) I checked I had all my passwords and that they were correct. I went as far as logging in to everything to test this, so I know the password was correct.

VUM was working through console and services were there, so what was the issue?

Then I remembered that a while ago I applied SSL Certificates to the vCSA for some automation testing!

The fix:

1) Login to the VUM server

2) Navigate to C:\Program Files (x86)\VMware\Infrastructure\Update Manager (or install path of your environment)

3) Load the VMwareUpdateManagerUtility.exe and login with SSO Admin (it worked!)

4) Navigate to “re-register vCenter Server” and enter in the details again.

5) Restart the VMware Update Server Service when prompted.

6) Retry the Migration Assistant

7) Success!

I couldn’t find any articles detailing the fix when I encountered this issue, so hopefully this will help someone in need of a quick fix! 🙂


Recent training and certification

It’s been a while since my last post but thought I would write about my most recent technology related experiences. I’ve been quite lucky in that I’ve been sent on multiple training courses with work recently which have really enabled me to learn some new skills and build on ones that I already had…


VMware vSphere 6: Design and Deploy

I had the pleasure of attending the most recent version of the advanced vSphere course in London a few weeks ago. The actual course information can be found here:

VMware vSphere: Design and Deploy Fast Track [V6]

I was very lucky to be staying in the QA Training building overlooking Tower Bridge which was an excellent place to study, if anyone is ever training in the UK I’d recommend it!

The course was led by Gareth Baguley (no relation to Joe) who has been a VMware trainer for quite some time. It was evident by his knowledge on all things vSphere, clearly a passion of his. When a guy remotes in to their home labs to demonstrate technology and concepts then you know you are in the right room!

The technical level was just right for VCAP study. The actual content is split around 50:50 between the VCAP-DCA/DCD material. Having passed the VCAP DCA in 5.5 I was very much more interested in VMware’s design methodologies and concepts. On a personal note I wish the design was a larger part of the course but it was still invaluable to progress to the DCD (soon!).

Overall I’d highly recommend this for anyone who is either looking to progress from VCP to VCAP or for those who might be very into VMware but want a course to attend. Once you have attended this course you are able to sit all certifications. This might be good for veterans who have expired VCPs but don’t want to sit through VCP level study. I’m definitely aiming to do the V6 DCD in the next year.

Red Hat Training


Also in the past month or so I’ve been lucky enough to attend 2 weeks of Red Hat Linux 7 training:


The first course was more of an introduction into basic RHEL administration. This is a great course as an absolute back to basics style where if you have no previous knowledge you will be in good hands. I found parts of it a little slow but also at the same time it filled in quite a few gaps in my knowledge; not being from a Linux background, having only dabbled in the past.

The second course was a bit more in depth and started to go a bit more advanced into things like storage, security, networking and other concepts which are vital to any system administrator. At the end of the week’s course I had a 2.5 hr exam which reminded me very much of the VCAP-DCA I did for VMware 5.5. Fully practical exam which followed the course material very well and was true to the blueprint that Red Hat publish.

I sat the exam and there were some tricky parts that I had not quite fully prepared for. I managed to take my time and work through the problems, ultimately coming out thinking I’d done well enough for a pass. The following day I received a notification stating that I obtained a score of 283/300 which I was very happy with!

I’m going to start study for the VCAP-DCD and possibly RHCE in the future so will post my experience in order to hopefully help anyone who stumbles across my ramblings!

Dude! Where’s my vCSA SSL Cert chain?

Well, it certainly has been a while since my last post. The justification for my absence in recent months is due to the birth of my son! He is our first and so work/career life has taken a bit of back burner so I can enjoy family time being a new Dad. It’s a great experience and I’m loving it!

Right, to the issue at hand. Recently, a few of my colleagues were working on applying SSL certificates to a vCSA which drives our test environment. We were applying a trusted third party SSL certificate (from Quo Vadis) to our appliance and used the following KB:

Replacing vSphere 6.0 SSL Certificate with a custom CA Signed Cert

However, we needed to modify the .CSR but were having difficulty so this KB cleared things up for us:

Certificate Manager Utility not utilizing certool.cfg for CSR generation

Finally, we had what we needed but kept seeing roll back. This was because we had to download the certificate chain and present it to vCenter using this KB:

Replacing certificates using VMware vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback

This appeared to work. Browsing to the web console of the vCSA showed a valid certificate from a variety of browsers on Windows machines, but something wasn’t quite right: our bespoke provisioning system stopped working.

Upon a little investigation when connecting via openssl to the vCSA address, we received the errors:

“Unable to get local issuer certificate”
“certificate not trusted”
“unable to verify the first certificate”

This was a problem for us as our bespoke provisioning system was not able to establish a connection to the vCSA.

The full error output is here (I appreciate it’s not code but it’s much easier to read on my blog):

My colleague resolved the issue by noting that the proxy configurations for service endpoints were not updated with the intermediate certificate. This can be fixed by doing the following:

1) Navigate to /etc/vmware-rhttpproxy/ssl on the vCSA.

2) Note the trustedCerts.pem file which upon initial investigation has no content! Copy and paste in the content of your Intermediate certificate (from your issuing CA) into trustedCerts.pem.


3) Open the config.xml file in an editor and find the line:


4) Uncomment the line to ensure it is read in the config:



5) Save the file and run a service restart:

Once complete, with another test to openssl the following should be observed – error free:

That is it really, nothing too special. We couldn’t find this fix in any of the VMware KB articles detailing SSL certificates. For most people, I doubt they would even notice, due to browsers understanding the chain already with their built-in trusts. When you are programmatically accessing the vCSA to make API calls, that is when the fun starts.

100% of the credit and hard work goes to my colleagues @claytonpeters and @dfgrain.