Now that we have IIS installed on our CA Server, it’s time to set up a certificate for HTTPS connections.
Log in, click the Start Menu and type certlm.msc. You can also right-click Start and select Run to do the same.
Expand Personal and then click on Certificates. Notice that only the Root CA’s certificate is here; we don’t want that as the certificate for our certsrv page.
Right-click either the Certificates folder or the white area on the right, hover over All Tasks, then select Request New Certificate.
Select Next
Select Next
Now I want the Web Server template, which is not shown here. That is because the account I’m using isn’t authorized to enroll for that template. We’re going to fix that, so go ahead and select Cancel.
Select Start, type cert, then click Certification Authority
Expand Root-CA01, then select Certificate Templates; you can see Web Server is listed here. Next is to change the permissions.
Right-click Certificate Templates and select Manage
Scroll down the middle section and right-click Web Server, then select Properties.
Go to the Security tab and notice the permissions. Since this is a lab, I’m just going to give Authenticated Users the Enroll permission.
Now that enroll has been granted, select OK
Go back to your certlm window, and right-click the open area, hover over All Tasks and select Request New Certificate
Select Next
Select Next
Now we have the Web Server template as an option; click the blue line to enter your information.
Change the Subject name drop-down from Full DN to Common name, and the Alternative name Type from Directory name to DNS.
For Common name, I prefer to enter the Fully Qualified Domain Name (FQDN), and for DNS I prefer to add both the FQDN and the short name. Once you enter them in the fields on the left, click the corresponding Add button to add them. Then change Type from DNS to IP Address (v4) (or v6 if needed) and enter the IP address.
Once it looks like this, go to the General tab.
I generally use the FQDN for the Friendly name as well. Select the Private Key tab.
As a note, under Key options you can mark the private key as exportable. If this cert is for another server, or perhaps for a VIP or multiple servers, you would select this so that the cert can be exported\imported to those other servers. Once complete, select OK.
Now that the blue line is gone, you can select the Web Server template and click Enroll
Once complete you should receive this window
Adding Certificate to IIS
Click start, type IIS and select IIS Manager
Expand Sites and click Default Web Site, then select Bindings on the right side
Select https and click Edit
Change the SSL certificate from Root-CA01 to ca01.lab.scottbell.me. There are more options that can be selected from a security standpoint, such as specifying the IP address and hostname and disabling legacy TLS. Select options as appropriate for your environment, then select OK.
Select Close
Select Restart on the right side pane
Go to a browser and enter the address of your website with /CertSrv at the end. You should not get an untrusted website alert (assuming the client accessing the site trusts the Root CA), and you should get a username\password prompt.
Once you enter account information that has access to the website, you should see the above and are now able to request certificates as you need. Congrats and have a good day.
Today we are going to be setting up a Certificate Server for the new domain in my home lab. This is part of the systematic rebuild of the lab so that I can write these articles to document the process to potentially help others and for a record of my own on the next rebuild.
The new lab so far has just two domain controllers. I need certificate services to continue with other functions such as the offline depot for VCF, the new jump box I will end up building, and VCF itself with its components.
This will be based on the assumption that you have already deployed a Windows Server, named it, given it an IP, and domain-joined it.
Installing Certificate Services
Select Add roles and features
Select Next
Select Next
Select Next
Select Active Directory Certificate Services
Select Add Features
Select Next
Please read this page before selecting Next, the note does matter
Select Certification Authority Web Enrollment, and Certificate Enrollment Web Service
Once you select Certificate Enrollment Web Service, this window will pop up, select Add Features
Once the selection matches the above, select Next
Read and select Next
Scroll down to the Security section and select Basic Authentication; this is to support VCF functions later. Select Next.
Review the selections and then select Install
Once the install is finished, select Configure Active Directory Certificate Services
Use your intended account if it is different from what’s pre-populated based on the logged-in account. Then select Next.
You can only set up the first two at the same time. We will have to come back for the Certificate Enrollment Web Service after the Certification Authority is set up. Select Next.
In my case, with it being a lab, I will do an Enterprise CA that stays online. If you’re building a proper CA in the real world, I would suggest a Standalone Root CA that stays offline when not in use and a domain-joined Subordinate CA. Select Next.
Again, since this is a lab environment, this will just be a Root CA. Select Next
Since this is a new server and not a transfer\upgrade\recovery, I will Create a new private key and select Next
I am going to stick with the defaults here. I am not using anything that needs administrator interaction for extra security, so I will leave it unchecked.
I have changed the Common name to what I want, but I am leaving the rest in the default format. Select Next.
Use whatever timeframe is suitable for you. As this is a lab, it won’t survive 5 years, so I will leave it at that.
Security needs may require these locations to be moved to a different location\drive. I’m not operating under those requirements, so I will leave them at the defaults. Select Next.
Review the summary and select Configure
Once complete, select Close
Select Yes
Same thing: change the account if needed, then select Next.
Select Certificate Enrollment Web Service and select Next.
Select Next
I will leave this at the default, Windows integrated authentication. Select Next.
I’m not going to bother with a service account in this case, so I select Use the built-in application pool identity.
I will indeed use Root-CA01, the default selection here. You will need to actually click on the certificate and then select Next.
Review the options and if everything is as expected, select Configure
This configuration is now complete. Select Close.
Select Close again
Click Start and type IIS, then select IIS Manager.
In IIS Manager, expand CA01, then Sites, then Default Web Site; click CertSrv and double-click Authentication.
Select Basic Authentication, then click Enable.
Please go to part 2 for setting up a certificate in IIS for the CA Server. Have a good day.
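Part 1 enables Basic Authentication on /CertSrv and part 2 (at the top of this page) binds the Web Server certificate to the HTTPS binding. The script below is an added example, not from the original post, that checks the finished state of both: Basic Authentication (which sends credentials Base64-encoded) is only accepted with SSL required, and the HTTPS binding presents the Web Server certificate with the SAN entries from the enrollment dialog rather than the Root CA certificate. It assumes the site name Default Web Site, the application CertSrv, and the names ca01.lab.scottbell.me and ca01; run it elevated on the CA server.

```powershell
# Added example (not the original post's code). Assumptions: site 'Default Web Site',
# application 'CertSrv', SAN names from the Part 2 enrollment dialog.
Import-Module WebAdministration

$SiteName      = 'Default Web Site'
$AppPath       = "IIS:\Sites\$SiteName\CertSrv"
$ExpectedNames = @('ca01.lab.scottbell.me', 'ca01')   # assumed: FQDN and short name entered as SANs
$findings      = New-Object System.Collections.Generic.List[string]

# Get-WebConfigurationProperty returns a ConfigurationAttribute (with .Value) for
# some properties and a plain value for others; normalise both cases.
function Get-AttrValue($attr) { if ($null -ne $attr.Value) { $attr.Value } else { $attr } }

# 1. Basic authentication on /CertSrv must be paired with "Require SSL", otherwise
#    the Base64-encoded username\password travels in the clear over port 80.
$basic = Get-AttrValue (Get-WebConfigurationProperty -PSPath $AppPath `
    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled)
$ssl   = "$(Get-AttrValue (Get-WebConfigurationProperty -PSPath $AppPath `
    -Filter 'system.webServer/security/access' -Name sslFlags))"
if ([bool]$basic -and ($ssl -notmatch 'Ssl')) {
    $findings.Add("Basic authentication is enabled on CertSrv but SSL is not required (sslFlags='$ssl').")
}

# 2. Every HTTPS binding should use a server certificate, not the CA certificate,
#    and that certificate should carry the names clients will use.
$bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($bindings.Count -eq 0) { $findings.Add("No HTTPS binding exists on '$SiteName'.") }
foreach ($b in $bindings) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $b.certificateHash }
    if (-not $cert) {
        $findings.Add("Binding $($b.bindingInformation) has no certificate in LocalMachine\My.")
        continue
    }
    # The Root CA certificate has Basic Constraints CA=true; a Web Server cert does not.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) {
        $findings.Add("Binding $($b.bindingInformation) still uses the CA certificate '$($cert.Subject)'.")
    }
    # DnsNameList is populated by the certificate provider from the SAN extension.
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() })
    foreach ($name in $ExpectedNames) {
        if ($sans -notcontains $name.ToLower()) {
            $findings.Add("Certificate $($cert.Thumbprint) is missing SAN '$name'.")
        }
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings.Add("Certificate $($cert.Thumbprint) expires on $($cert.NotAfter).")
    }
}

if ($findings.Count -eq 0) { 'CertSrv HTTPS and Basic authentication configuration looks correct.' }
else { $findings }
```

If the SSL check fails, set "Require SSL" under SSL Settings on the CertSrv application in IIS Manager so Basic Authentication is only offered on the HTTPS binding.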
Deploy Windows Server 2022 and Build Active Directory Part 2
Greetings. Today in part 2 we will be building the Active Directory domain using the new name for my lab, which will be lab.scottbell.me.
Let’s get to it.
Snapshot
First, log in and take a snapshot of the VM just in case.
Now that we have our short-term safety net, let’s continue. Please remember, though, that snapshots are not backups.
Log in to the system; for now I’m using the VMware web console to do so.
Add Role
Select Add roles and features
Select Next
Keep the default selection of Role-based or feature-based installation and select Next
Select Next
Select Active Directory Domain Services
Select Add Features
Select Next
Select Next
Select Next
Select Install
Select Close
Select the flag with the yellow triangle and select Promote this server to a domain controller.
Configure Active Directory
Select Add a new forest and enter the name you’re planning to use
Unless you have a reason not to, stick with the default Windows Server 2016 forest and domain functional levels. Enter a password for Directory Services Restore Mode and make sure it’s not lost, ideally by storing it in a password vault\manager.
I will leave the default NetBIOS name as is and select Next.
If you have security requirements mandating it, relocate the files to a suitable place. I will be leaving the defaults in this case and select Next.
Review your choices and go back to make changes if needed.
Once the pre-checks have passed, read the warnings as shown and then select Install.
Once complete, you will get the following warning that the system will reboot after a successful install of the Active Directory role.
Validate Install
After the reboot, log in.
Congrats. Active Directory has been installed. Now we will run through adding the second domain controller to the domain.
Add Second Domain Controller
Log in to the second Domain Controller.
Repoint DNS
Right-click the start menu and select Network Connections
Select Network and Sharing Center
Select Ethernet0 on the right side of the window
Select Properties
Click on Internet Protocol Version 4 (TCP/IPv4) and select Properties
Change DNS to point to the new Domain Controller and select OK
Add Role
Select Add roles and features
Select Next
Select Role-based or feature-based installation
We’re not doing a remote server, so leave the local server selected and select Next.
Select Active Directory Domain Services
Select Add Features
Select Next
Select Next
Select Next
Select Install
Now that the install is done, select Promote this server to a domain controller.
Join Existing Domain
Enter the information for the new domain, then click Select.
Provide an account from the domain.
Select your domain and click OK
Select Next
We have not created any sites and this is not a read-only domain controller, so I will leave the default settings, enter the Directory Services Restore Mode (DSRM) password, and select Next.
Select Next
There’s only one DC in this domain, so I will leave Any domain controller selected. Select Next.
Again, since this isn’t a hardened install and I have no requirement to move the directories, I will leave the default locations and select Next.
Review the details and go back to make changes if needed. Then select Next.
Once the pre-checks are done, review the warnings and select Install.
Once the install is completed, the system will reboot.
Validate Joining Active Directory
Log in.
Congrats. You now have a domain with two domain controllers. Now you can customize as needed for your environment. Have a good one.
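The "Validate Install" and "Validate Joining Active Directory" steps above only log in. The script below is an added example, not from the original post, that checks what the promotion should have produced: both DCs registered and acting as global catalogs, replication between them succeeding, and the _ldap and _kerberos SRV records that clients use to locate a DC listing both of them. It assumes the domain lab.scottbell.me and the ActiveDirectory module that AD DS installs.

```powershell
# Added example (not the original post's code). Assumption: the domain is lab.scottbell.me.
Import-Module ActiveDirectory

$Domain   = 'lab.scottbell.me'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Both domain controllers should be registered and be global catalogs.
$dcs = @(Get-ADDomainController -Filter * -Server $Domain)
if ($dcs.Count -lt 2) { $findings.Add("Expected two domain controllers, found $($dcs.Count).") }
foreach ($dc in $dcs) {
    if (-not $dc.IsGlobalCatalog) { $findings.Add("$($dc.HostName) is not a global catalog.") }
}

# 2. Replication: every inbound and outbound partner link should report a last
#    result of 0 (success). A non-zero result is the Win32 error of the failure.
foreach ($dc in $dcs) {
    $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both -ErrorAction SilentlyContinue
    if (-not $meta) {
        $findings.Add("$($dc.HostName): no replication partner metadata (is the server reachable?).")
        continue
    }
    foreach ($m in $meta) {
        if ($m.LastReplicationResult -ne 0) {
            $findings.Add("$($dc.HostName) <-> $($m.Partner) [$($m.Partition)]: last result $($m.LastReplicationResult), last success $($m.LastReplicationSuccess).")
        }
    }
}

# 3. DNS: the DC locator SRV records must resolve and name each DC. If the
#    second DC's DNS client was not repointed before promotion, it is often missing here.
$srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain"
foreach ($srv in $srvNames) {
    $targets = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'SRV' } |
                 ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
    if ($targets.Count -eq 0) { $findings.Add("$srv did not resolve."); continue }
    foreach ($dc in $dcs) {
        if ($targets -notcontains $dc.HostName.ToLower()) { $findings.Add("$srv does not list $($dc.HostName).") }
    }
}

if ($findings.Count -eq 0) { "Both domain controllers for $Domain are registered, replicating and advertised in DNS." }
else { $findings }
```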
This will be the start of a series of articles for the rebuild of my lab to properly document the build process.
This will start here with Active Directory on Windows Server 2022, building a new Certificate Server on 2022, then continue into VCF oriented steps such as the offline depot, deploying the VCF installer, linking the two, and then deployment of VCF and its components.
To start, I will be installing Windows Server 2022 with 2 vCPU cores, 4 GB RAM, and a 50 GB disk. All storage used is NVMe, so it will be more than fast enough for our needs.
Deployment
I’m going to start building the shell by right-clicking my ESX host and selecting New Virtual Machine.
Select Create a new virtual machine and then Next.
Enter the virtual machine name and its location, then select Next.
Select the compute resource for where the VM will run
Select the storage location then select Next
Select the appropriate compatibility level for your environment. For me, that will be ESXi 8.0U2 and later then select Next
Now we get to set the OS version we will be running in this VM. I’m using Windows Server 2022 so that’s what I choose, then select Next.
Note: This matters, as the wrong setting can lead to performance\stability issues if there’s enough of an instruction-set difference.
Now we get to see everything together and verify the choices.
In this case I will need to change the networking to the proper Port Group for my environment, change the disk from 90 GB to 50 GB, and also add the ISO to the CD/DVD drive.
Once finished, select Next.
Review the settings on Ready to complete and change if needed on the previous page. If no changes are needed, select Next.
Once it’s finished, make sure to edit the settings and enable the Connect At Power On option for the CD/DVD drive so that it actually uses the ISO when you power the VM on for the first time.
Select Power on and then select Launch Remote Console
Operating System Install
Change the default Language/Time/Keyboard options if desired
Select Install Now
Select the desired edition. I will be using Standard Evaluation (Desktop Experience) in this case as I still like my GUI. Select Next
Read, and if you agree to the terms, accept the license terms, and select Next
I selected Custom to make sure it shows the correct hard drive info. Select Next
It will now run through the installation
Either wait or select the Restart Now to restart the system
Windows will then reboot and start getting ready for use
Configure Operating System
After configuration, you will be asked to provide the initial Administrator password.
Once you have set the password, you will be brought to the login screen; log in.
Install VMware Tools
Once you have logged in, go back to your ESX host and select Install VMware Tools
Select Mount
Go back to your console for the VM and open File Explorer and Select the DVD Drive (D:)
Run setup
Select Next
Select Typical unless you have specific parts you want to install or deselect
Select Install
When complete, select restart
Login after reboot
Configure IP Information
Right-click the network icon (the wired globe in this case) and select Network & Internet settings.
I prefer the old Control Panel, so I will select Network and Sharing Center.
Select Ethernet0 on the right side of the window
Select Properties
Select Internet Protocol Version 4 (TCP/IPv4) and select Properties
Enter your IP and DNS information; for now, use an actual DNS server. This will change later when this server is promoted to a domain controller, but not yet.
Select OK
You will be asked if you want the PC to be discoverable by other devices, make the appropriate choice for your environment
Windows Updates
Select the start menu in the lower left and then settings
Scroll down and select Update & Security
It should have automatically started checking for and downloading updates; if not, select the Check for Updates option.
These downloads can take a while depending on your internet.
Once everything is at Status: Pending install, select Install now
Now you get to wait for Updates.
Go to System and select Rename this PC.
Enter the desired name.
Select Restart now.
Provide the reason for the restart, I went with Other (Planned)
Once complete, run through these steps again to build a second server that will become the secondary Domain Controller for redundancy.
Make sure to go back into ESX, edit the VM’s settings and set the CD/DVD drive back to Client Device so the ISO doesn’t cause problems later.
This is the end of Part 1 of deploying Active Directory: building the servers.
This page will evolve over time as I add more to it and organize it.
Brownfield Import of multiple vCenters\Clusters
To do a brownfield import of an existing set of vCenters, each vCenter needs to be co-located with the hosts it manages.
So having two vCenters running in the same cluster will work for the first vCenter but will fail for the second.
Reverse DNS Error during deployment validation
If you receive the following error when there is a child domain involved, please verify that conditional forwarders are working in both directions.
“Reverse DNS Lookup failed for IP ___. Unknown IP or record mismatch.
Remediation: Provide valid FQDN {1} for IP ___”
DNS/FQDN Mismatch
DNS records and hostnames should be in lowercase whenever possible. From what I’ve learned with Linux systems, they tend to care much more about the case of letters in names, paths and such.
VMware software runs on Linux and the same principle applies.
Windows admins (I’m guilty of this as well) will commonly use all caps for names and records.
Please try to use all lowercase for both names and DNS records to minimize issues.
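The two DNS notes above describe the forward and reverse lookups the installer validates and the case sensitivity that trips up Windows-created records. The script below is an added example, not from the original post, that runs the same checks from a Windows jump box before the deployment validation: each planned host must resolve to its IP, the IP's PTR must point back to the same FQDN, and any difference in letter case or any non-lowercase name is reported separately. The host names and addresses in the table are constructed placeholders for your own inventory.

```powershell
# Added example (not the original post's code). The hosts below are constructed
# placeholders; replace them with the planned ESX/VCF hostnames and IPs.
$Hosts = @{
    'esx01.lab.scottbell.me' = '192.168.10.11'
    'esx02.lab.scottbell.me' = '192.168.10.12'
}
$findings = New-Object System.Collections.Generic.List[string]

foreach ($fqdn in $Hosts.Keys) {
    $ip = $Hosts[$fqdn]

    # Forward lookup: an A record must exist and include the planned IP.
    $a = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' })
    if ($a.Count -eq 0) { $findings.Add("$fqdn : no A record"); continue }
    if ($a.IPAddress -notcontains $ip) {
        $findings.Add("$fqdn : A record(s) $($a.IPAddress -join ',') do not match planned IP $ip")
    }

    # Reverse lookup: the PTR must point back to the same FQDN. A missing PTR in a
    # child domain usually means the conditional forwarder is only set up one way.
    $ptr = @(Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'PTR' })
    if ($ptr.Count -eq 0) {
        $findings.Add("$ip : reverse DNS lookup failed (check conditional forwarders in both directions)")
        continue
    }
    $ptrName = $ptr[0].NameHost.TrimEnd('.')
    if ($ptrName -ine $fqdn) {
        # Different name entirely: the installer's "record mismatch".
        $findings.Add("$ip : PTR '$ptrName' does not match '$fqdn' (record mismatch)")
    } elseif ($ptrName -cne $fqdn) {
        # Same name, different case: matches on Windows, may not on the Linux-based installer.
        $findings.Add("$ip : PTR '$ptrName' differs from '$fqdn' only by case")
    }
    if ($fqdn -cne $fqdn.ToLower()) { $findings.Add("$fqdn : hostname is not all lowercase") }
}

if ($findings.Count -eq 0) { 'Forward and reverse DNS are consistent and lowercase for all hosts.' }
else { $findings }
```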
Fresh ESX 9 install must use a certificate that includes its name
When freshly installed, ESX will use a certificate with the name localhost. This fails the validation check in the VCF installer. Please use the following KB to generate a self-signed certificate that meets the requirements. While a proper certificate can be provided, the VCF installation will replace the certificate as it builds the environment.
During the deployment validation pre-checks, NTP configuration and drift from the installer will be checked. In the ESXi Host Client, configure at least one NTP server and set the service to start and stop with the host: go to Manage -> Services, select ntpd, and start the service.
Greetings, I was recently asked about what equipment is in my lab and its capabilities. In talking with Aaron about it, he was willing to host this on his website (thanks!), so here is a breakdown of the equipment in my newly acquired lab and its intended uses.
Overall, this environment will be used to gain experience with VMware Virtualization technologies. Specifically VMware Cloud Foundation (VCF) and the Modern Private Cloud (MPC).
Servers
My general logic was to have a setup similar to customer environments I might encounter: enterprise-level equipment, but not the latest and greatest. So for me that meant servers recently out of support, but not too far out of support, at a reasonable price. Enter the Dell R640.
Note: using an Intel 61xx series processor is deprecated in ESXi 8 and not supported in ESX 9. This can be overridden.
Having decided that, I then had to decide where to buy them, eBay and Amazon being the immediate likely candidates. eBay won, as it allows sellers to provide drop-downs for customizing the specifications, giving more flexibility in capability and pricing.
All four nodes are also using all-NVMe drives to allow for vSAN ESA; this also gives the option to test memory tiering in vSphere 8 or VCF 9 if I reserve a drive per host for that purpose.
Note: these drives are not on the Hardware Compatibility List (HCL), so you will need to override the deployment checks for these to work.
Initially I went with 3 servers so that I didn’t need to do nested virtualization, but then went to 4 servers since one of my goals is an apples-to-apples setup, which for VMware VCF 5.x means 4 hosts. This can of course be overridden to use fewer hosts, as can the 3-node NSX Manager requirement. I did not want the complications and additional variables of a nested lab.
Add-In Card
These servers as I bought them came with 2x 1GbE and 2x 10GbE NICs. I wanted 25GbE for my backbone, so I also bought one expansion card per server, the Dell Broadcom 57414 dual-port 25GbE SFP PCIe card, from eBay.
Networking
Here I wanted to meet the MPC requirement of 25GbE networking for the backbone. I wanted Cisco, but that gets pricey at this speed. Second choice was Arista, with its near-Cisco CLI. In my case that led to a two-switch setup: an Arista 1GbE switch with 10GbE uplinks, and a Dell 25GbE SFP switch for the backbone. Overkill for a home lab, but in line with intended architectures today for those running MPC. Both were purchased from eBay.
Arista switch for 1GbE network elements
Dell 25GbE switch for backbone data
Router\Firewall
You need to protect your environment, and this made a good excuse to go beyond the standard ISP router’s firewall.
In this case I did not want to go too far down the rabbit hole, so I went simple, possibly a bit too simple, and chose a Firewalla Gold Pro from Firewalla’s website.
This acts as both the lab’s router and firewall behind the ISP’s modem. It does limit anything transiting the firewall to 10GbE.
Overall intent with this environment is to provide flexibility of running workloads from a basic vSphere 7/8 environment, all the way up to a full VCF 9 with VCF Automation deployment and anything in between.
Persistent Node
Now since building out various configurations of the environment is destructive, I have a single persistent ESXi 8 node.
This is for servers\services that I want to survive tear down and rebuild of the lab environment, such as Active Directory\LDAP, Certificate Services, Jump Box, etc.
For this I am using a Minisforum MS-A2 node with 96 GB of RAM, a 2 TB NVMe SSD and a 4 TB NVMe SSD.
Cabling
To connect all of the 25GbE links, I opted for DAC cables from FS.com. They provide options to customize the connectors for better compatibility.
For 10GbE, I went to Amazon and got some generic DAC cables.
For the 1GbE connections I also opted for generic Cat 8 Ethernet cables from Amazon.
Power
Power matters, and with this being an expensive investment, I opted for one UPS per server, with (at least currently) one power supply plugged into the battery-backed outlets and one into the surge-protected outlets. These were bought from Amazon.
Console Cable
You will need a console cable to connect. Most systems don’t use the old-style connectors, so I went with a USB interface, which all laptops have; make sure you have a USB-A port or an adapter for it. This was bought from Amazon.
Rack
Lastly, I needed something to store the equipment in. Back to eBay I went.
Misc
Now, to interface with it I use a pre-existing laptop and a monitor\mouse\keyboard. Nothing fancy is needed. And remember to be mindful of what type of video cable is needed for your server. In the case of the R640, that is still VGA.
Result
Overall, not the prettiest setup, but here is what the “finished” product looks like.
Conclusion
Hope this helps anyone considering a home lab setup. Beyond just the ability to demo\test VCF, this can also run additional capabilities such as photo and movie servers or home automation like Home Assistant. The sky’s the limit.