Prechecks fail during upgrade to vCenter Server 7.0 with the following message “The source appliance FQDN must be the same as the source appliance primary network identifier”

When upgrading vCenter Server 6.5.x to version 7.0 Update 3.x we ran into the following problem:


Following this KB:

Upgrading to vCenter Server 7.0 fails when case differs between FQDN and PNID (84355) (vmware.com)

we identified the cause: the hostname differs from the PNID only in case, one being all uppercase and the other all lowercase.

From the following KB we learn that on vCenter 6.5 the hostname cannot be changed:

Cannot change the vCenter Server or Platform Service Controller 6.x hostname on versions prior to vCenter Server 6.7 Update 3 (2130599) (vmware.com)

To solve the problem we first update to vCenter 6.7 Update 3, which fixes the FQDN part:


Once on 6.7, we rerun the commands indicated by the KB and see that the PNID and the hostname now match.

Then we update to vCenter 7.0 Update 3.


Enabling Break-Glass URL Endpoint in Workspace ONE Access

During the integration of Workspace ONE Access with Azure AD to enable MFA, a customer locked themselves out of the admin interface.

Prior to version 21.08, a break-glass URL endpoint was enabled by default on each Workspace ONE Access VSA:

https://<TENANT URL>/SAAS/login/0

From 21.08 onwards it is disabled by default, because it was not security compliant for customer environments.

To enable it, access one of the Workspace ONE Access VSAs via SSH or the web GUI and run the following command:

hznAdminTool configureBreakGlassLogin enable -loginZero

then restart the horizon-workspace service with the following command:

service horizon-workspace restart


At this point the “emergency” URL is enabled again


and you can use it to fix the access policies.

To turn it off:

hznAdminTool configureBreakGlassLogin disable -loginZero

service horizon-workspace restart


Authenticator APP and Workspace One Access

It is very important to enable MFA (multi-factor authentication), using applications such as Google Authenticator, on corporate services exposed on the internet that require access with credentials.

For VMware Workspace ONE Access, a solution that publishes applications and business services on the internet, enabling MFA is mandatory.

Since Workspace ONE Access version 22.09, you can use authenticator applications such as Microsoft Authenticator or Google Authenticator.

Enabling MFA requires a few steps:

  • Enable the “Authenticator App” authentication method on Workspace ONE Access.
  • Ask the end user to install the app on their personal or company phone (possibly using a service that enrols it automatically).
  • At the first access, the user has to scan the QR code shown on the Workspace ONE Access login page (in my case we test the access to Workspace ONE Access via the web).

Enable the “Authenticator APP” authentication method on Workspace One Access

Open the Integrations menu, select Authentication Methods, enable Authenticator App and select Configure.


We enable it; here we can also change the usual account lockout parameters, etc.


Next, go to Integrations, select Identity Providers and select the IdP used for the integration with AD.


In the Authentication Methods section select Authenticator App.


At this point we only need to modify the policy used by our users, adding MFA as an authentication method.

Go to the Resources > Policies menu, select the policy and edit it.


Select the rule of interest (normally the one for access from public networks, on the reasoning that users coming from the company network have already passed other secure authentication methods).


In the authentication methods used by the rule, add the Authenticator App.


From now on, all users who log in to Workspace ONE Access and match the rule we modified get the following experience at their first login:

User experience at login

They go to the Workspace ONE Access public URL.

If prompted, they select the domain.


Then they enter username and password.


Finally, they are shown a QR code to configure their authenticator app (Microsoft or Google): in the chosen phone app they add an account by scanning the QR code.


On the smartphone we launch the authentication application we are going to use (in my case I launch Google Authenticator).


We add the new account.


We select the option to scan a QR code and scan it.

Then we enter the passcode generated after scanning the QR code in the field provided under the QR code on the web page.


We now have an account named WSA (Workspace One:WSA) linked to our authenticator app.


From the next login onwards, after entering username and password, the user is asked for the code generated by the authenticator app.
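The QR code shown at first login encodes the shared secret for a time-based one-time password (TOTP, RFC 6238), which is what Google Authenticator and Microsoft Authenticator compute. The following Python is added here as an illustration and is not code from Workspace ONE Access: it shows what such a provisioning QR code contains (an otpauth:// URI) and how a server verifies the six-digit code, including the check that the same code is not accepted twice. The “WSA” issuer label mirrors the account name seen above; the secret generation, the account names and the 30-second window are the example's own assumptions, and the test values are the published RFC 4226/6238 vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def secret_from_bytes(raw):
    # Authenticator apps expect the shared secret Base32-encoded, usually without padding.
    return base64.b32encode(raw).decode().rstrip("=")


def new_secret(nbytes=20):
    # 160-bit random seed per user (assumption: generated and stored server-side at enrolment).
    return secret_from_bytes(secrets.token_bytes(nbytes))


def provisioning_uri(secret_b32, account, issuer="WSA"):
    # This is what the enrolment QR code encodes (Key Uri Format). "WSA" is the issuer label
    # the post shows in the app; the account name is whatever the IdP uses for the user.
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    # RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6):
    # RFC 6238: the counter is the number of 30-second steps since the Unix epoch.
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits)


def verify(secret_b32, code, at=None, window=1, last_counter=-1, period=30):
    """Return the accepted time-step counter, or None if the code is rejected.

    `window` tolerates clock skew of +/- one step between phone and server.
    `last_counter` is the step of the last accepted code for this user: any step at or
    before it is refused, so a code captured from one login cannot be replayed within
    the skew window (the server must persist the returned counter)."""
    at = time.time() if at is None else at
    current = int(at // period)
    for delta in range(-window, window + 1):
        step = current + delta
        if step <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, step), code):
            return step
    return None


if __name__ == "__main__":
    s = new_secret()
    print(provisioning_uri(s, "user@example.com"))   # example account name (assumption)
    print("current code:", totp(s))
    print("accepted step:", verify(s, totp(s)))
```

The secret embedded in the QR code is a long-term credential: it must be stored server-side with at least the protection given to password hashes, and the QR code should be shown only once over an authenticated, already password-verified session, as the login flow above does.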


Remove an instant clone desktop pool in a deleting state

If, while removing a desktop pool from a Horizon infrastructure, the pool remains stuck in a deleting state:


We can force the removal as follows:

  • Remove any VDI VMs of the pool still present in the vSphere infrastructure.
  • Remove the template, replica and parent VMs.

In my example we have the following situation:


To remove them we use the iccleanup.cmd tool, found on the Connection Servers; we connect to vCenter by launching the following command:

iccleanup.cmd -vc <vCenter name> -uid <vCenter admin user>

We enter the account password.

With the list command we list the service VMs to be deleted.


In my case they are the VMs listed with index 2 and 3.

We start from 2: first we launch unprotect, indicating the index with -I (unprotect -I 2), and confirm by typing unprotect.


Then we delete with the command delete -I 2 and confirm by typing delete.


We go back by typing back.

We relaunch the list command and verify that the index has moved to the other chain of system VMs to be deleted.


It has now taken index 2.

We repeat the unprotect and delete operations for index 2.

At the end, the VMs still listed in vCenter are service VMs from other pools and must not be deleted.


At this point the desktop pool that was in a deleting state may already be gone.

If the pool is still present and in a deleting state, we open the ADSI Edit console and edit the ADAM database, deleting the references left by the pool in deleting state (in my case ICTPM).

  • Remove Desktop Pool from ADAM Database

To connect, follow this KB:

Connecting to the Horizon View Local ADAM Database (vmware.com)

then remove the pool from ADAM as follows.



VMware Horizon 8 2303

At the end of March 2023, new versions of the products that make up the Horizon suite were released (Connection Server, App Volumes, DEM and Unified Access Gateway).

There are several interesting features; below are the links to each set of release notes.

I bring to your attention the preview of App Volumes deployed in the Azure environment (this deployment option is intended for application packages, not for Writable Volumes).

Horizon

VMware Horizon 8 2303 Release Notes

App Volume on Azure

VMware App Volumes Manager Deployment Guide for Azure

App Volumes

VMware App Volumes 4, version 2303 Release Notes

DEM

VMware Dynamic Environment Manager 2303 Release Notes

Unified Access Gateway

Unified Access Gateway 2303 Release Notes (vmware.com)


Dynamic Environment Manager and printer management without Microsoft Print Server

Among the many features of DEM (Dynamic Environment Manager) for managing the roaming of user profiles (especially with Horizon Instant Clone pools), there is the ability to manage printer mappings.

Using this feature is tied to having a print server: at minimum you must specify the printer with a UNC path.


So if we need to map printers that are not managed by a print server, we can proceed as follows.

Mapping scripts

We create a mapping script and place it on a network share reachable by all the Instant Clone VDIs that must use it.

The script uses two Windows scripts located in the folder %windir%\System32\Printing_Admin_Scripts\en-US\

(the en-US folder name depends on the display language of the Windows 10 environment)

prnport.vbs creates a standard TCP/IP port for the printer and prnmngr.vbs adds the printer on that port with the given driver:

cscript %windir%\System32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r "<port name>" -h <IP address> -o raw -n 9100
cscript %windir%\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -a -p "<printer name>" -m "<driver name>" -r "<port name>"

The share must have the following permissions:

  • At the share level: Everyone, Full Control.
  • At the file system level: the group that needs to install the printer must have the NTFS permissions shown in the original screenshot (not reproduced here).

Now we open DEM and configure the Logon Tasks section.


In my case I also add a condition so that only the user fstorni can run this task.


We save everything.


At the next logon the user fstorni maps the printer, as we can verify from the DEM logs, while all other users are not able to map it.


vSphere DRS functionality was impacted due to an unhealthy state vSphere Cluster Service

If you see an error like the following on the Cluster object of a vSAN cluster (in my case it appeared on two vSAN clusters managed by the same vCenter), meaning the vSphere Cluster Service is in an unhealthy state:

vSphere DRS functionality was impacted due to an unhealthy state vSphere Cluster Service …


and errors such as the following in the vCenter EAM log (eam.log):

2023-01-26T13:16:39.996Z |  INFO | vim-monitor | VcListener.java | 131 | Retrying in 10 sec.
2023-01-26T13:16:41.432Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.
        at com.vmware.eam.vmomi.EAMInitRequestFilter.handleBody(EAMInitRequestFilter.java:57) ~[eam-server.jar:?]
        at com.vmware.vim.vmomi.server.impl.DispatcherImpl$SingleRequestDispatcher.handleBody(DispatcherImpl.java:373) [vlsi-server.jar:?]
        at com.vmware.vim.vmomi.server.impl.DispatcherImpl$SingleRequestDispatcher.dispatch(DispatcherImpl.java:290) [vlsi-server.jar:?]
        at com.vmware.vim.vmomi.server.impl.DispatcherImpl.dispatch(DispatcherImpl.java:246) [vlsi-server.jar:?]
        at com.vmware.vim.vmomi.server.http.impl.CorrelationDispatcherTask.run(CorrelationDispatcherTask.java:58) [vlsi-server.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_345]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_345]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_345]
2023-01-26T13:16:50.007Z |  INFO | vim-monitor | ExtensionSessionRenewer.java | 190 | [Retry:Login:com.vmware.vim.eam:b55a7f93b59f0f7e] Re-login to vCenter because method: currentTime of managed object: null::ServiceInstance:ServiceInstance failed due to expired client session: null
2023-01-26T13:16:50.007Z |  INFO | vim-monitor | OpId.java | 37 | [vim:loginExtensionByCertificate:913aec585658e328] created from [Retry:Login:com.vmware.vim.eam:b55a7f93b59f0f7e]
2023-01-26T13:16:51.440Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.


and the vCLS VMs are missing from the two vSAN clusters,
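To tell a transient “still loading” message right after a restart from EAM genuinely stuck loading from its database, the following Python, added here as an illustration and not a VMware tool, parses the timestamp | LEVEL | thread | file | line | message layout of the excerpt above, attaches the exception and stack-frame continuation lines to their entry, and flags the case where EamServiceNotInitialized keeps repeating for more than a minute. The sample log is constructed for the example: its first lines mirror the excerpt, the 13:18 entries are invented, and the 60-second threshold is the example's own assumption.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Layout of an eam.log line: "<ISO timestamp> | <LEVEL> | <thread> | <file> | <line> | <message>".
# Exception text and "at ..." stack frames carry no timestamp and belong to the entry above them.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) \| *(?P<level>[A-Z]+) \| "
    r"(?P<thread>[^|]+?) \| (?P<file>[^|]+?) \| (?P<line>\d+) \| (?P<msg>.*)$"
)
NOT_INITIALIZED = "com.vmware.vim.binding.eam.fault.EamServiceNotInitialized"


@dataclass
class Entry:
    ts: datetime
    level: str
    thread: str
    source: str                                  # "<file>:<line>"
    message: str
    detail: list = field(default_factory=list)   # continuation lines (exception, stack frames)


def parse_eam_log(text):
    """Split eam.log text into entries; continuation lines attach to the preceding entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
            entries.append(Entry(ts, m["level"], m["thread"].strip(),
                                 f"{m['file'].strip()}:{m['line']}", m["msg"]))
        elif entries:
            entries[-1].detail.append(raw.strip())
    return entries


def not_initialized_errors(entries):
    """ERROR entries whose exception is EamServiceNotInitialized (EAM still loading from its DB)."""
    return [e for e in entries
            if e.level == "ERROR" and any(d.startswith(NOT_INITIALIZED) for d in e.detail)]


def eam_stuck_loading(entries, min_errors=2, min_span_seconds=60):
    """True when the 'still loading' fault keeps repeating for at least min_span_seconds.
    One occurrence right after a restart is normal; a run lasting minutes is the symptom
    described in the post (missing vCLS VMs, DRS impacted)."""
    errs = not_initialized_errors(entries)
    if len(errs) < min_errors:
        return False
    return (errs[-1].ts - errs[0].ts).total_seconds() >= min_span_seconds


def summarize(entries):
    errs = not_initialized_errors(entries)
    return {
        "entries": len(entries),
        "errors": sum(1 for e in entries if e.level == "ERROR"),
        "not_initialized": len(errs),
        "first": errs[0].ts.isoformat() if errs else None,
        "last": errs[-1].ts.isoformat() if errs else None,
        "stuck": eam_stuck_loading(entries),
    }


# Constructed sample: the 13:16 lines mirror the excerpt in the post, the 13:18 lines are invented
# to show the fault repeating over more than a minute.
SAMPLE_LOG = """\
2023-01-26T13:16:39.996Z |  INFO | vim-monitor | VcListener.java | 131 | Retrying in 10 sec.
2023-01-26T13:16:41.432Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.
        at com.vmware.eam.vmomi.EAMInitRequestFilter.handleBody(EAMInitRequestFilter.java:57) ~[eam-server.jar:?]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_345]
2023-01-26T13:16:51.440Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.
2023-01-26T13:18:01.102Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.
2023-01-26T13:18:05.500Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
java.lang.IllegalStateException: unrelated error, constructed for the sample
"""

if __name__ == "__main__":
    print(summarize(parse_eam_log(SAMPLE_LOG)))
```

Run it against a copy of eam.log pulled from the appliance (pass the file contents to parse_eam_log); a “stuck” result is the cue to go through the certificate refresh and service restart steps that follow, rather than simply waiting for EAM to finish loading.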

to resolve the anomaly proceed as follows:

  • Take a snapshot and a backup of vCenter.
  • Log in to the vCenter Server Appliance using SSH.
  • Run this command to enable access to the Bash shell:

shell.set --enabled true

  • Type shell and press Enter.
  • Run this command to retrieve the vpxd-extension solution user certificate and key:

mkdir /certificate

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key

  • Run this command to update the extension’s certificate with vCenter Server.

python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s localhost -u "Administrator@domain.local"

Note: If this produces the error “Hostname mismatch, certificate is not valid for ‘localhost’”, change ‘localhost’ to the FQDN or IP of the vCenter. The process checks this value against the SAN entries of the certificate.

Note: The default user and domain is Administrator@vsphere.local. If this was changed during configuration, change the domain to match your environment. When prompted, type in the Administrator@domain.local password.

  • Restart EAM and start the rest of the services with these commands:

service-control --stop vmware-eam

service-control --start --all


VMware Horizon 8 2212

VMware has just released a new version of Horizon 2212. These are some of the features/support introduced:

  • Horizon 8 version 2212 in conjunction with App Volumes 4 version 2212 introduces Horizon Published Apps on Demand. With this new feature, administrators can use App Volumes applications directly in their instant-clone RDS farms. Now applications can be delivered dynamically to a generic Windows OS as users launch them. This greatly simplifies static image management and gives administrators the ability to reduce their application-specific farms. This also brings the Horizon and App Volumes administration consoles closer together, allowing Horizon administrators to add App Volumes Manager servers and entitle applications to users without the need for duplicate entitlements in App Volumes. This feature creates an opportunity to reduce the time-consuming management of application installations on RDS farms, and enables scenarios such as multiple users being able to use different versions of the same application while logged in to the same RDS server.
  • Microsoft MAK licenses are now supported with Instant Clones.
  • When you create an automated pool of full clone desktops, you can now specify an active directory OU in which computer accounts can be created. Previously, computer accounts would get created in the default OU and administrators would manually move them after pool creation. This feature, which already exists for Instant Clone desktop pools, addresses this pain point for administrators.
  • Cloud Pod Architecture is supported with IPv6 environments for more security and added address spaces.
  • Administrators can now generate a CSR configuration file, import a CA-signed certificate to Connection Server, and monitor health of the certificate from Horizon Console.

More details here:

VMware Horizon 8 2212 Release Notes


AppVolume Application in Pending Delete

In some situations, removing an App Volumes application does not complete correctly, and the application remains stuck in a deleting state in the UI.

In my case, I also had the advantage that the packages did not remain in a deleting state.

To perform the cleanup, you must work on the App Volumes database.

To proceed we must:

  • Locate the server that hosts the DB.
    • On an App Volumes Manager server, open the 64-bit ODBC Data Source Administrator: edit the SRVMANAGER entry to find the server name and the DB name.
  • Stop the App Volumes Manager service on each server with the App Volumes Manager role.
  • Connect with SQL Server Management Studio to the App Volumes DB.
  • Back up the DB.
    • Using the native SQL tool or third-party backup tools.
  • Remove the rows corresponding to the application from the dbo.app_products table.
    • In some situations the name alone is not enough to identify them, so in the removal query we also filter on the status, which is deleting.


If there are also packages in a deleting state, remove the corresponding rows as well; they are found in the dbo.app_packages table.
