Husband, Dad, Geek & Senior Technical Marketing Architect for vSphere Security
Mike Foley
Author's posts
Aug 20
VMworld Security Sessions
Howdy!
Its that time of year again, VMworld is upon us and the pilgrimage to the Moscone Center is about to begin! I leave for Bostons Logan Airport in about 3 hours but before I go, I wanted to share with you some of the vSphere Security sessions.
First up is INF2336 – Separating Fact from Fiction – ESXi Hypervisor Security
In this session I and Yuecel Karabulut, the vSphere Security Product Manager, will address some of the security concerns we hear from customers and leave you with, hopefully, a better understanding of whats Fact and whats Fiction when it comes to vSphere Security. Twitter hashtag will be #INF2336
This session is on Wednesday, Aug 27, 9:30 AM – 10:30 AM Moscone West, Room 2020
Second is a Group Discussion INF3470-GD – vSphere Security with Mike Foley
Group discussions are a great way to get the creative juices flowing, share how things should and shouldnt be done and meet like-minded folks who are all interested in the same topic. Be prepared to participate! I cant put on a dance routine this year due to an injury so well have to actually >gasp!< TALK!
If you want to see a security feature in vSphere V.sometimeinthefuture, this would be a great place to get it out there and discuss it with us. We are DEFINITELY listening! Twitter hashtag will be #INF3470
I’ll also be in the VMware booth during the following times:
Sunday: 4-7pm
Monday: 2-6pm
Tuesday: 11-2pm
Wednesday: 1-5pm
In addition to those times, I will be at the VMunderground Opening Acts on Sunday at 1pm-3pm and various events and parties.
mike
Aug 04
Zero to Windows Domain Controller in 4 reboots!
Hey there,
Yes, it’s time to wow and amaze you with my coding skills! Prepare to be amazed! Or, more appropriately, roll your eyes with my lame ability to hack other peoples code into what I need to get done, quickly. Writing code for me is painful. Oh, like high school physics I can follow what’s going on pretty well, but sitting down and writing? Yea, that’s a challenge.
I needed a Windows Domain Controller for what I’m working on in my work lab. Figuring that I’ll probably need more Domain Controllers for future labs, I thought it would be a good time to automate it. I looked online for a simple PowerShell script that would do what I want and to my amazement, I couldn’t find anything other than pointers to a lot of commands. And, in many cases, those commands were either wrong or broken.
Lots of Steps
Because I work at VMware and this Domain Controller will be running as a VM, I’ll be using VMware VM Templates to create the virtual machines. I built a Windows 2012 template using some simple best practices steps documented here. I wanted to be able to right-click on a template and simply deploy a Domain Controller using GuestOS customization.
Simple, right? Actually, not that difficult. It’s mainly about getting all the steps done in the right order and meeting the requirements of each step.
- First, you have deploy the VM with the guest OS customization.
- Reboot
- Then add the AD bits to your Windows 2012 system so that you can enable the appropriate roles going forward.
- You’ll probably want to rename the system.
- Reboot
- Then install the AD Forest
- Reboot
- Then add the roles and configure networking/AD/DNS/etc..
- Reboot
How do you automate all that?
RunOnce to the Rescue
RunOnce is a Windows registry setting that automatically sets up Windows to run certain tasks when a system starts up or a user logs in. vSphere Guest OS Customization uses this so that when you deploy from a template, you can set the Windows system to run further setup scripts to modify the OS. In this example, you see how I’ve set up my DC-Builder.PS1 script to run via RunOnce.
The command I’m running is:
%SystemRoot%\system32\WindowsPowershell\v.10\Powershell.exe -executionpolicy bypass -file “C:\dc-builder.ps1”
Let’s run that down so everyone gets what’s happening. After deploying from Template and choosing this Guest OS Customization Specification, Windows 2012 will do a sysprep. After that is completed, Windows will reboot and run the RunOnce command above. That sets the ball in motion.
In the command, we’re running the DC-Builder.PS1 script using PowerShell.exe and specifying that it be run with the execution policy of bypass. That’s because the DC-Builder.PS1 script is not signed. Otherwise, it wouldn’t run.
You’ll notice that I’m running DC-Builder.PS1 from C:\. That’s because I built my template with the file copied to that location. Why? Because I didn’t want to have to deal with floppy images or network locations. Oh, sure, you can and then you can just change the location, but for me, I found this was easier. You want to do it differently? By all means, knock yourself out. :)
Now you’re probably asking “Ok, how do you automate all the other reboots?” Well, I iteratively use RunOnce! I just nest the hell out of it!
DC-Builder creates a couple of scripts and sets up the first one to run after it reboots the system the first time. Then that script calls the next one to run. DC-Builder creates the files using the PowerShell “@” operator.
Here’s an abbreviated example. Don’t just cut and paste this.
$InstallForestbat = @" REM -----------------------------InstallForest.BAT------------------------------ REM Creating a .BAT file to change to bypass, run the commands, then change REM back to remote Powershell.exe set-executionpolicy bypass -force SET FileToDelete="c:\InstallForest-transcript.txt" IF EXIST %FileToDelete% del /F %FileToDelete% powershell -noprofile -file c:\InstallForest.ps1 > c:\InstallForest-transcript.txt REM Powershell.exe set-executionpolicy RemoteSigned "@ $InstallForestBat |Out-File -FilePath c:\InstallForest.bat -Force -encoding ASCII $AdminKey = "HKLM:" $RunOnceKey = $AdminKey + "\Software\Microsoft\Windows\CurrentVersion\RunOnce" Set-ItemProperty -Path $RunOncekey -Name Foo -Value "C:\InstallForest.bat"
See how I’m using the “-encoding” qualifier? PS1 files don’t need it but .BAT files most definitely do.
DC-Builder creates four files to be run.
- InstallForest.BAT – This is set up to run via RunOnce after DC-Builder completes and the system reboots. It runs InstallForest.PS1.
- InstallForest.PS1 – This installs the AD Forest, sets up the running of Post-DCCleanup.Bat via RunOnce and reboots the system.
- Post-DCCleanup.BAT – It runs Post-DCCleanup.PS1.
- Post-DCCleanup.PS1 – This finishes off the rest of the steps that need to be run after installing the AD Forest and reboots the system.
DC-Builder.PS1, InstallForest.PS1 and Post-DCCleanupPS1 also create transaction files in C:\ so that you can check for errors.
Note: You’ll notice that DC-Builder.PS1 sets up the Administrator account to log in automatically. You need this, at least initially, to get all the scripts to run. They need to run under a user context. Because this is primarily for lab environments, I set up my VM’s to log in automatically just to save steps. Yea, the “security guy” said that. Whatever. :)
How do I get started?
- Edit DC-Builder.PS1 to set up your IP address, system name and any other custom setting you’d like.
- Create your Windows 2012 Template VM.
- Copy DC-Builder.PS1 to C:\
- Shutdown the Windows 2012 Template VM.
- Attach the Windows 2012 ISO image to the VM <This is key!
- Select “Convert to Template”
- Create a Windows Customization Specification as called out above (or Import the XML)
- Deploy a new VM from template using the Customization Specification
- The VM will reboot 4 times and you’ll be left with a Windows Domain Controller, ready to roll.
Download the script and guest OS customization XML
GuestOS XML: https://dl.dropboxusercontent.com/u/10618705/DC%20Windows%202012.xml
DC-Builder.ps1 https://dl.dropboxusercontent.com/u/10618705/DC-Builder.ps1
These files have now been moved to GitHub. You can get them here:
https://github.com/mikefoley/DC-Builder
Give it a try and let me know what you think and what it’s missing. It could use some more documenting but if you’ve played around with PowerShell before, it should be all pretty straightforward. I’ve also credited where appropriate where I got some of the inspiration for the script and where I’ve blatantly copied code. Many thanks to some helpful hints from Brian @vTagion Graf, especially when dealing with variables embedded when using the “@” operator.
mike
Oct 28
Why do I have work email on my personal Mac? iCloud Keychain
I have recently updated my personal MacBook Air and my work MacBook Pro to Apple’s new OSX Mavericks. All in all, the upgrade has been pretty good. In other words, easy upgrade, things continue to work and it’s mostly working fine. (Though, Mail seems a little wonky, but…)
One of the new features of OSX Mavericks is something called iCloud Keychain. With this, all your passwords and “Internet Accounts” (email, messaging, CalDav, etc) are duplicated on all the Mac’s you enable iCloud Keychain on. It works well. But maybe a little TOO well?
Why do I say this? Well, I try to keep a respectful distance between work and play. I’ll have my personal email account syncing on my work laptop but I don’t like to have work stuff on my personal laptop. I know, it’s kind of weird, but it’s just the way I am. (don’t hate) That said, I was a little annoyed that work email started showing up on my personal MacBook Air. I wanted to get rid of it. Did it mean turning off iCloud Keychain? Well, no. It was actually simpler than I thought. Just delete the account in Internet Accounts and you’ll be prompted with a dialog box similar to this.
Click on the image to see full-size
As you can see, you now have the option to delete the account from all synchronized Mac’s (and iDevices) or just from the system you are on. In my case, I removed my VMware email account from my MacBook Air. Now, if I choose to take my Air on a business trip because it’s more convenient, I need only re-enable the account and I’m good to go.
I hope this helps.
mike
You must be logged in to post a comment.