I think most people have had issues with replacing/updating certificates on the various virtual appliances that will be floating around their infrastructure. Thankfully (and finally someone has done it!), there’s a fling created to help with this! Much kudos to the creators!
Replacing SSL certificates across VMware products is a manual and time-consuming process. The SDDC Certificate Tool automates this workflow and makes it easy to keep certificates across your SDDC up to date. It will replace all certificates in the supported products and reestablish trust between the components.
- VMware Platform Services Controller (PSC)
- VMware vCenter Server (VC)
- VMware NSX for vSphere (NSX)
- vRealize Log Insight (vRLI)
- vRealize Operations Manager (vROps)
- vRealize Automation (vRA)
- vRealize Business for Cloud (vRB)
SDDC Certificate Tool
DFSR is actually relatively easy to set up.
There’s no need for me to re-invent the wheel or explain in tiny detail, as most of it has all been done before.
So, to start:
MS blog about how it can work for you.
DFS Replication in Windows Server 2012 R2
How to set it up
DFSR Setup with screenshots
Another MS blog about how if you have a huge estate, you better use DFSRADMIN command line! (Yeah you’d better!)
DFS Replication and command line
New server built. Need access to vSphere or any other web based, server or appliance web front.
Are you sure?
Do you trust this site?
Do you really trust this site?
Are you sure you trust this site?
Are you really sure you really trust this site?
Just turn it off via GPO
Disable IE Enhanced mode
In all fairness, some people have security concerns about using any browser on a server. I get that. If you’re using Server 2012 R2, relatively recently updated and well… You aren’t an idiot, you’re probably OK using it to get media from a trusted site, or use your web based admin pages. Final decision lies with you!
There are situations and environments, where you may have apprentices, or non IT literate staff who are the IT staff; I’ve been involved with a lot of places where they don’t have anyone in an official IT capacity and the highest qualified person is the one who can change the lockscreen on their phone – where you shouldn’t do this and in fact, should lock it all down as much as you can.
Ah, good old DFSR, with its highly complex management algorithm that is, at times, a Law Unto Itself. What do you mean that file is newer? I’m going to overwrite it with THIS one!
DFSR is also full of false truths and true lies. Event IDs that don’t tell you what’s wrong. Logs that make out that everything is broken when it isn’t… Weeks of overwritten data that no one knew was happening… But sadly if you don’t have hardware replication, you probably use this. Don’t get me wrong, when it works properly, it’s great, but there’s sometimes quite a management overhead, plus a lot of time and experience involved when it needs to get fixed.
This link has an amazing script that was similar to part of my checks in a previous role, whereby I had a few scripts running as part of Daily Checks for the team, that reported on DFSR, Exchange and AD. It emailed pretty pictures and everything (you know how people love pretty pictures!) So as my first post towards Checks and DFSR management – the following link is fantastic.
DFSR Monitoring Script
I will say though, as part of any infrastructure related checks or notifications, it’s what works for you and your team. I had a great Project Manager once who said that if you get the process right, then everything works. If the process fails and a person followed the process, then the process needs changing. Which stands to reason – you need the process that people need to follow, that takes into consideration everything that needs to happen and there’s no point having a barrage of alerts sent to email, if the person involved doesn’t read them, understand them and put down somewhere he’s done all of the above.